About Log Inspection
The log inspection protection module helps you identify important events that might be buried in your operating system and application logs. These events can be sent to a security information and event management (SIEM) system or centralized logging server for correlation, reporting, and archiving. All events are also securely collected in the Deep Security Manager. For more information about logging and forwarding events, see Configure log inspection event forwarding and storage.
For information on forwarding events to a syslog server or SIEM, see Forward Deep Security events to a Syslog or SIEM server.
The log inspection module lets you:
- Meet PCI DSS log monitoring requirements.
- Detect suspicious behavior.
- Collect events across heterogeneous environments containing different operating systems and diverse applications.
- View events such as error and informational events (disk full, service start, service shutdown, etc.).
- Create and maintain audit trails of administrator activity (administrator login or logout, account lockout, policy change, etc.).
To enable and configure log inspection, see Set up Log Inspection.
The log inspection feature in Deep Security enables real-time analysis of third-party log files. The log inspection rules and decoders provide a framework to parse, analyze, rank, and correlate events across a wide variety of systems. As with intrusion prevention and integrity monitoring, log inspection content is delivered in the form of rules included in a security update. These rules provide a high-level means of selecting the applications and logs to be analyzed. To configure and examine log inspection rules, see Define a Log Inspection rule for use in policies.
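The decoder/rule/correlation pipeline described above, shown as an added illustrative example (this is not Deep Security's own rule or decoder format, and the sample log lines, rule IDs, severity levels and the 60-second window are constructed for the demonstration): decoders turn raw lines into named fields, rules rank each matched event with a severity level, and a correlation rule promotes repeated low-level events from one source into a single higher-level alert of the kind you would forward to a SIEM.

```python
"""Minimal log-inspection pipeline (added example, not Deep Security's format):
decoders parse raw lines into fields, rules rank matched events by severity,
and a correlation rule promotes repeated base-rule matches within a time
window into one higher-severity alert."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Decoders: a regex per log source that extracts named fields from a raw line.
DECODERS = [
    ("sshd", re.compile(
        r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
        r"(?P<status>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<srcip>[\d.]+)")),
    ("sudo", re.compile(
        r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : "
        r"(?P<status>.*?)COMMAND=(?P<cmd>.*)$")),
]

# --- Rules: (rule_id, decoder, predicate on decoded fields, level, description).
# Rule IDs and levels are constructed for this example.
RULES = [
    (1001, "sshd", lambda f: f["status"] == "Failed",   5, "SSH authentication failure"),
    (1002, "sshd", lambda f: f["status"] == "Accepted", 3, "SSH login succeeded"),
    (1003, "sudo", lambda f: "incorrect password" in f["status"], 5, "sudo authentication failure"),
    (1004, "sudo", lambda f: "incorrect password" not in f["status"], 4, "sudo command executed"),
]

# --- Correlation rule: `count` matches of `base_rule` sharing the same `key`
# field inside `window` raise one alert at a higher level.
CORRELATION = {"rule_id": 1101, "base_rule": 1001, "key": "srcip", "count": 3,
               "window": timedelta(seconds=60), "level": 10,
               "description": "Multiple SSH authentication failures from one source"}

def decode(line):
    """Return the decoded fields for the first matching decoder, or None."""
    for name, rx in DECODERS:
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            fields["decoder"] = name
            # syslog-style timestamps carry no year; a fixed year is assumed here
            fields["ts"] = datetime.strptime("2024 " + fields["ts"], "%Y %b %d %H:%M:%S")
            return fields
    return None

def match_rules(fields):
    """Return an event for the first rule whose predicate accepts the fields."""
    for rule_id, decoder, pred, level, desc in RULES:
        if fields["decoder"] == decoder and pred(fields):
            return {"rule_id": rule_id, "level": level, "description": desc, **fields}
    return None

def inspect(lines):
    """Run lines through decoders, rules and the correlation rule.
    Returns (events, alerts): one event per matched line, one alert per burst."""
    events, alerts = [], []
    recent = defaultdict(list)  # key value -> timestamps of recent base-rule matches
    c = CORRELATION
    for line in lines:
        fields = decode(line)
        if not fields:
            continue  # no decoder claims the line, so it is ignored
        ev = match_rules(fields)
        if not ev:
            continue
        events.append(ev)
        if ev["rule_id"] == c["base_rule"]:
            key = ev[c["key"]]
            hits = recent[key] + [ev["ts"]]
            hits = [t for t in hits if ev["ts"] - t <= c["window"]]  # expire old hits
            if len(hits) >= c["count"]:
                alerts.append({"rule_id": c["rule_id"], "level": c["level"],
                               "description": c["description"], c["key"]: key,
                               "ts": ev["ts"], "count": len(hits)})
                hits = []  # one burst yields one alert
            recent[key] = hits
    return events, alerts

# Constructed sample log lines (not real data); the kernel line has no decoder.
SAMPLE_LOG = [
    "Mar 14 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 14 10:00:05 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 14 10:00:09 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51241 ssh2",
    "Mar 14 10:00:30 host1 sshd[2004]: Accepted password for alice from 198.51.100.4 port 40022 ssh2",
    "Mar 14 10:01:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 14 10:01:10 host1 kernel: [12345.678] eth0: link up",
]

if __name__ == "__main__":
    evs, als = inspect(SAMPLE_LOG)
    for e in sorted(evs, key=lambda e: e["level"], reverse=True):
        print(f"level {e['level']:2d} rule {e['rule_id']} {e['description']}")
    for a in als:
        print(f"ALERT level {a['level']} rule {a['rule_id']} {a['description']} ({a['srcip']}, {a['count']} hits)")
```

The separation mirrors how rule-based log inspection engines are organized: decoders are the only part that knows a log's text layout, rules reason over fields rather than raw text, and correlation rules sit on top of rule matches so a single noisy line never becomes an alert by itself. Lines that no decoder claims (the kernel line here) are dropped rather than mis-parsed, which is the behaviour to check for when a new log source is added and no events appear.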