The Art and Alchemy of Event Log Correlation

Level 14

Security practitioners know the necessity of incident awareness across every part of the network. Threats can strike at any time, and having informative, meaningful data at hand is what lets you respond to an attack and remediate the risk.

Logs are the raw material for any actionable result. Critical activity on your network generates log messages: syslog messages, SNMP traps, operating-system logs, server and application logs, and so on. With that data sitting in silos across so many disparate devices and systems, how do you gain visibility into specific threat events and pinpoint their cause?

Event correlation is the heart of security information and event management (SIEM). It turns individual events into coherent information in real time, as and when anomalous or suspicious activity occurs on the enterprise network.

How Does Event Correlation Work?

SolarWinds has made this intricate activity simple with a correlation engine that monitors, detects, alerts, reacts and reports when it encounters anomalous system or user activity on the network, with little manual effort on your part. SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution whose correlation engine understands operational, security and policy-driven events.

  • Log Collection: LEM captures real-time event streams from network devices and uses agent technology to capture host-based events in real time, from a wide range of data sources, for correlation and analysis.
  • Normalization: This is a key step before events are correlated. LEM parses the raw log data from agent nodes (workstations, servers, VMs, operating systems, etc.) and maps events from disparate sources onto a consistent schema, structuring the data into identified categories and fields so that, for example, a failed logon is represented the same way whether it came from a Windows security log or a Linux syslog.
  • In-Memory Correlation: LEM correlates events in memory, avoiding the performance bottlenecks of database insertion and query speeds.
  • Multiple-Event Correlation: LEM supports multiple-device, multiple-event correlation, including the ability to set independent thresholds of activity per event or per group of events.
  • Non-Linear Correlation: After mapping events in memory, LEM applies a non-linear, multi-vector correlation algorithm. This reduces the number of correlation rules needed and eliminates the need to build a distinct rule for every possible combination of events.
  • Field-Level Comparison: LEM combines field-level data with user-defined groups and variables, making it possible to build rules that minimize false positives and focus your attention where and when it is needed.
  • Environmental Awareness: LEM's correlation rules factor in details about the organization, such as critical assets, applications, and time of day or day of week, so that the same event is weighted by the context in which it occurs and the captured data yields maximum value.
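As an added example (not SolarWinds code, and not a description of how LEM implements any of the steps above), the following Python walks the list in miniature: two constructed log sources in different formats are normalized onto one schema, then correlated in memory by a sliding-window rule that is keyed on a field (source IP) across multiple hosts, applies an independent threshold per event type, raises severity when a critical asset or off-hours timing is involved, and uses a suppression interval so that a burst of matching events produces one alert rather than one alert per event. The log lines, the rule, its thresholds, the asset list, the business hours, the assumed syslog year and the suppression semantics are all this example's own assumptions.

```python
from __future__ import annotations
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (not real captures) from two sources in different formats.
RAW_EVENTS = [
    ("linux-syslog", "Mar  3 02:14:01 web01 sshd[4321]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
    ("linux-syslog", "Mar  3 02:14:03 web01 sshd[4321]: Failed password for root from 203.0.113.7 port 51023 ssh2"),
    ("windows-security", "2017-03-03T02:14:06 EventID=4625 Computer=DC01 TargetUserName=administrator IpAddress=203.0.113.7"),
    ("windows-security", "2017-03-03T02:14:20 EventID=4624 Computer=DC01 TargetUserName=administrator IpAddress=203.0.113.7"),
    ("windows-security", "2017-03-03T02:14:30 EventID=4624 Computer=DC01 TargetUserName=administrator IpAddress=203.0.113.7"),
    ("windows-security", "2017-03-03T02:25:00 EventID=4624 Computer=DC01 TargetUserName=administrator IpAddress=203.0.113.7"),
]

@dataclass(frozen=True)
class Event:  # normalized schema: every source is mapped onto these same fields
    ts: datetime
    host: str
    event_type: str  # "logon_failure" or "logon_success"
    user: str
    src_ip: str

LINUX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                      r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Computer=(?P<host>\S+) "
                    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
WIN_EVENT_IDS = {"4625": "logon_failure", "4624": "logon_success"}

def normalize(source: str, line: str) -> Event | None:
    # Parse one raw line into the common schema; lines that do not match are dropped.
    if source == "linux-syslog" and (m := LINUX_RE.match(line)):
        ts = datetime.strptime(f"2017 {m['ts']}", "%Y %b %d %H:%M:%S")  # assumed year: syslog has none
        etype = "logon_failure" if m["outcome"] == "Failed" else "logon_success"
        return Event(ts, m["host"], etype, m["user"], m["ip"])
    if source == "windows-security" and (m := WIN_RE.match(line)) and m["eid"] in WIN_EVENT_IDS:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        return Event(ts, m["host"], WIN_EVENT_IDS[m["eid"]], m["user"], m["ip"])
    return None

@dataclass(frozen=True)
class Rule:
    name: str
    key_field: str              # Event field that ties events together (here: src_ip)
    thresholds: dict[str, int]  # independent minimum count per event type
    trigger: str                # event type that completes the sequence; rule is evaluated on it
    window: timedelta           # all counted events must fall inside this span
    suppression: timedelta      # no repeat alert for the same key inside this span

class Correlator:  # in-memory sliding-window correlator for one multi-event, multi-device rule
    def __init__(self, rule: Rule, critical_assets: set[str], business_hours=(7, 19)):
        self.rule, self.critical_assets, self.business_hours = rule, critical_assets, business_hours
        self.buffers = defaultdict(deque)  # key -> events still inside the window
        self.last_alert = {}               # key -> time of the last alert raised for it
        self.alerts = []

    def ingest(self, ev: Event) -> dict | None:
        key = getattr(ev, self.rule.key_field)
        buf = self.buffers[key]
        buf.append(ev)
        while buf and buf[0].ts < ev.ts - self.rule.window:  # expire events outside the window
            buf.popleft()
        if ev.event_type != self.rule.trigger:
            return None
        counts = Counter(e.event_type for e in buf)
        if any(counts[t] < n for t, n in self.rule.thresholds.items()):
            return None
        if key in self.last_alert and ev.ts - self.last_alert[key] < self.rule.suppression:
            return None  # this burst was already reported: one alert per key per interval
        self.last_alert[key] = ev.ts
        self.alerts.append(self._build_alert(key, list(buf)))
        return self.alerts[-1]

    def _build_alert(self, key: str, events: list[Event]) -> dict:
        hosts = sorted({e.host for e in events})
        score = 1
        if any(h in self.critical_assets for h in hosts):
            score += 1  # environmental awareness: a critical asset is involved
        if not self.business_hours[0] <= events[-1].ts.hour < self.business_hours[1]:
            score += 1  # environmental awareness: outside business hours
        return {"rule": self.rule.name, "key": key, "hosts": hosts,
                "users": sorted({e.user for e in events}),
                "failures": sum(e.event_type == "logon_failure" for e in events),
                "first_seen": events[0].ts.isoformat(), "last_seen": events[-1].ts.isoformat(),
                "severity": {1: "medium", 2: "high", 3: "critical"}[score]}

# Rule: 3+ logon failures from one IP (any hosts) within 60 s, completed by a success from it.
BRUTE_FORCE_THEN_SUCCESS = Rule("brute-force-then-success", "src_ip",
                                {"logon_failure": 3, "logon_success": 1}, "logon_success",
                                timedelta(seconds=60), timedelta(minutes=5))

def run(raw_events=RAW_EVENTS) -> list[dict]:
    # Push raw lines through normalization and correlation; return the alerts raised.
    engine = Correlator(BRUTE_FORCE_THEN_SUCCESS, critical_assets={"DC01"})
    for source, line in raw_events:
        if (ev := normalize(source, line)) is not None:
            engine.ingest(ev)
    return engine.alerts

if __name__ == "__main__":
    print(run())
```

Running it yields a single "critical" alert for 203.0.113.7 spanning web01 and DC01: the success at 02:14:30 is inside the 5-minute suppression interval and is not reported again, and the success at 02:25:00 finds no failures left inside the 60-second window, so it does not fire. The two intervals do different jobs: the correlation window bounds which events may be counted together, while the suppression interval bounds how often the same key may raise an alert. Those are this example's definitions, not a statement of how LEM's own correlation-time settings are defined.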

[Image: LEM real-time event log correlation]

So, What’s The Result of Event Correlation?

You have meaningful, actionable data that provides advanced incident awareness and threat visibility across your entire IT environment.

Using the correlated event data, you can:

  • Set up alerts to trigger when a specific security condition is encountered
  • Program active responses to counter threats, troubleshoot issues and react to policy violations
  • Perform event forensics and root cause analysis to identify suspicious behavior patterns and anomalies
  • Generate compliance reports for network and security audits

And more…

Correlation Rule Builder

SolarWinds LEM offers a simple-to-use correlation rule builder that lets you build correlation rules through an interactive drag-and-drop interface. Plus, there are nearly 700 correlation rules available out of the box for immediate use.

[Image: LEM correlation rule builder]

SolarWinds Log & Event Manager makes event correlation simple yet powerful, offering you a central SIEM solution to process and manage log data.

Level 9

This is a great start but A LOT more information and examples are needed for the purple Correlation Time box. I get how Events within work. That's easy. Response Window however needs more explanation. What is it and how does it work? I need to tune these values so that when we get a lot of triggers we don't get one action per correlation.

For example, if I get a true response to the correlation 10 times in 10 seconds (aka 10 events within 10 seconds), how does the Response Window come into play?


Much of this could also be built into SAM and NPM, specifically the various log files it can monitor and the correlation rules and actions...

While we won't use LEM here, it has parts that would make NPM and SAM so much more powerful and useful!!!

Level 12

nice information

Level 15

Helpful information.  Thanks!

About the Author
Vinod Mohan is a Senior Product Marketing Manager at DataCore Software. He has over a decade of experience in product, technology and solution marketing of IT software and services spanning application performance management, network, systems, virtualization, storage, IT security and IT service management (ITSM). In his current capacity at DataCore, Vinod focuses on communicating the value proposition of software-defined storage to IT teams helping them benefit from infrastructure cost savings, storage efficiency, performance acceleration, and ultimate flexibility for storing and managing data. Prior to DataCore, Vinod held product marketing positions at eG Innovations and SolarWinds, focusing on IT performance monitoring solutions. An avid technology enthusiast, he is a contributing author to many popular sites including APMdigest, VMblog, Cyber Defense Magazine, Citrix Blog, The Hacker News, NetworkDataPedia, IT Briefcase, IT Pro Portal, and more.