There are four different log collection methods in use: Syslog, Log File/FTP, Database and API. Each collection method relies on one of two underlying log collection mechanisms, push or pull. Syslog and Log File/FTP use the push mechanism, while API and Database use the pull mechanism.
Push mechanism
With the push mechanism, the log source (the device or agent) emits each message either to its local disk or over the network to a log collector that is already listening for it. The collector has no control over when messages arrive, and with a connectionless transport such as UDP syslog, messages sent while the collector is unreachable are simply lost. Some devices from the Supported Product List (SPL) that use the push mechanism are: Cisco ASA, Windows Snare agent, Windows NXlog agent, Palo Alto, TippingPoint, F5 Load Balancer, Fortigate UTM services, and more.
Pull mechanism
With the pull mechanism, the log collector connects to the source and retrieves the log messages itself, in the manner of a client-server model where the collector is the client and the log source is the server. Because the collector drives the schedule, it has to record how far it has already read so that each poll returns only new records.
For example, Checkpoint offers the OPSEC C library, which developers can use to write applications that pull Checkpoint firewall logs. Other products store their logs in databases such as MSSQL, Oracle and MySQL, which the collector queries. Some devices write their logs to a separate file path, from which the collector picks them up.
Devices from the SPL that use the pull mechanism are: Sourcefire, Websense web gateway, SEP, SCSP, Sophos AV, Oracle iaudit, WinRM, etc.
Log Collection Methods
Syslog - The Syslog protocol lets a device send event notification messages over IP networks to event message collectors: the device is configured to generate syslog messages and forward them to a specific syslog daemon. Syslog messages can be pushed to the collector over either UDP or TCP. In most cases messages are received on UDP port 514, which can be customized if required. UDP gives neither a delivery guarantee nor any authentication of the sending address, so where the source supports it, TCP (or syslog over TLS) is the more reliable and tamper-resistant transport.
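To make the push path concrete, here is an added example (not code from this article or from the product it describes) of the two halves of syslog collection: a listener that receives a datagram on loopback the way a collector on UDP 514 would, and a parser that decodes the BSD-syslog PRI field into facility and severity before splitting out timestamp, host, tag, PID and message. The sample messages are constructed for the example and are not captured device output; the port 0 (ephemeral) binding is an assumption made so the example runs without privileges.

```python
import re
import socket

# Facility and severity names from the syslog PRI encoding (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style (RFC 3164) message: <PRI>MMM dd hh:mm:ss HOSTNAME TAG[PID]: MSG
_BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed sample messages for the example (not captured from real devices).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 su: 'su root' failed for lonvick on /dev/pts/8",
    "<166>Oct 11 22:14:16 asa01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51234 (10.0.0.7/51234)",
    "<13>Oct 11 22:14:17 web01 sshd[4242]: Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2",
]


def parse_syslog(line):
    """Decode one BSD-syslog message; return None if it does not have the expected shape."""
    m = _BSD_SYSLOG.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def push_roundtrip(raw, port=0):
    """Emulate the push mechanism on loopback: the collector binds a UDP socket and the
    source sends one datagram to it. port=0 picks a free port; a real collector uses 514."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    source = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind(("127.0.0.1", port))
        collector.settimeout(2.0)
        source.sendto(raw.encode("utf-8"), collector.getsockname())
        data, _src = collector.recvfrom(65535)
    finally:
        source.close()
        collector.close()
    # Nothing here acknowledges receipt and _src is not authenticated: a datagram sent
    # while the collector is down is lost, and the source address can be spoofed.
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(push_roundtrip(line)))
```

Running the block sends each sample through the loopback listener and prints the decoded fields; the ASA line shows why tag parsing must tolerate vendor prefixes such as %ASA-6-302013, and the sshd line shows the optional [PID] suffix.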
Database - When log sources store their logs in databases such as MSSQL, Oracle or MySQL, the log source is configured in the collector.xml file with a connection string that the collector uses to connect to the database with a username and password. The collector reads its last position file, queries the log source for records newer than that position, pulls them, and then advances the position. Because the credentials sit in the configuration file, the database account should have read-only access to the log tables and the file should be readable only by the collector.
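The following is an added example (not the product's own collector code) of the pull mechanism described above: a poller that reads its bookmark from a last position file, queries only the rows newer than it, and advances the bookmark once the batch is in hand. An in-memory SQLite table stands in for the MSSQL/Oracle/MySQL source (so there is no connection string or credentials to configure), the table name audit_log and the .pos file name are assumptions, and the rows are constructed for the example.

```python
import os
import sqlite3
import tempfile


def seed_source(conn, n, start=1):
    """Populate the stand-in log source table with n constructed rows (ids start..start+n-1)."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS audit_log (id INTEGER PRIMARY KEY, ts TEXT, message TEXT)"
    )
    conn.executemany(
        "INSERT INTO audit_log (id, ts, message) VALUES (?, ?, ?)",
        [(i, f"2024-01-01T00:00:{i:02d}Z", f"constructed event {i}") for i in range(start, start + n)],
    )
    conn.commit()


def read_position(path):
    """Return the last record id already collected, or 0 on the very first run."""
    try:
        with open(path) as fh:
            return int(fh.read().strip() or 0)
    except FileNotFoundError:
        return 0


def write_position(path, position):
    """Persist the bookmark atomically so a crash never leaves a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(position))
    os.replace(tmp, path)


def pull_new_events(conn, position_path, batch=1000):
    """One poll: fetch rows newer than the bookmark, then advance the bookmark.
    The bookmark moves only after the rows are in hand, so a failure mid-pull
    re-reads rather than drops records (at-least-once; dedupe downstream by id)."""
    last = read_position(position_path)
    rows = conn.execute(
        "SELECT id, ts, message FROM audit_log WHERE id > ? ORDER BY id LIMIT ?",
        (last, batch),
    ).fetchall()
    events = [{"id": r[0], "ts": r[1], "message": r[2]} for r in rows]
    if events:
        write_position(position_path, events[-1]["id"])
    return events


def run_demo():
    """Three polls: initial backlog, an empty poll, then only the rows added in between."""
    conn = sqlite3.connect(":memory:")
    with tempfile.TemporaryDirectory() as workdir:
        position = os.path.join(workdir, "audit_log.pos")
        seed_source(conn, 3)
        first = [e["id"] for e in pull_new_events(conn, position)]
        second = [e["id"] for e in pull_new_events(conn, position)]
        seed_source(conn, 2, start=4)
        third = [e["id"] for e in pull_new_events(conn, position)]
        final = read_position(position)
    return first, second, third, final


if __name__ == "__main__":
    print(run_demo())
```

The monotonic id is what makes the bookmark safe; if a source only offers a timestamp column, the query needs >= plus id-based deduplication, because several rows can share one timestamp and a poll can land between them.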
Log file/FTP - When log sources such as Apache, Bluecoat and Cisco Ironport are in place, the logs are sent in batches to a specific file path on the LCP using FTP (port 21), from where the collector picks up and processes the files. FTP carries both the login credentials and the log content in cleartext, so this path should be confined to a trusted management network.
API - When log sources such as WinRM and Checkpoint are used, the collector pulls the logs from the source by opening a connection to it on a specific port and authenticating that connection with a username and password.