Modern business operations typically require many communication devices and technologies, including routers, firewalls, switches, file servers, ERP applications, etc. Generally, such devices and technologies report their health and status by writing log files. For example, computer processors process vast amounts of data for a variety of applications. To determine how a certain application is being processed by a computer processor, engineers typically design the application with a log file that records various functional outputs within the application. That is, certain functions within the application output data to the log file so that the engineers can diagnose problems (e.g., software bugs) and/or observe general operational characteristics of the application.
By observing the general operational characteristics of an application, certain valuable information may also be ascertained. For example, log files generated by a file server may record logins. In this regard, certain logins may be unauthorized and their prevention desired. However, with the multitude of communication devices and their corresponding applications available, a bewildering array of log data may be generated within a communication network. Additionally, communication networks are often upgraded with additional systems that provide even more logs. Adding to the complexity of the situation, communication devices and applications of these communication networks vary in many ways and so do their corresponding log file formats.
Attempts have been made by network and enterprise administrators to extract or identify useful information from the large volume of log messages generated by the aforementioned communication devices and technologies via one or more types of Security Event Management (SEM) solutions. Some of these attempts involve processing logs against one or more rules in an attempt to identify “events” that may be further analyzed by administrators and troubleshooters. An event may be any occurrence (as identified by one or more log messages) that is of interest to a network administrator for further analysis. Examples include one or more particular IP addresses attempting to access a particular network device, a large quantity of data leaving the network, etc. For instance, upon at least a portion of a log message matching a rule, one or more particular actions may take place (e.g., archiving of the log message, alerting an administrator of the occurrence of the event, etc.).
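The rule-based processing described above, as an added illustration that is not part of the original text: heterogeneous log lines (a file server's login records and a firewall's connection records, both constructed here in hypothetical formats) are normalized into a common record, matched against rules, and each match triggers the actions the rule names (archive the raw message, alert an administrator). A rule may carry a threshold so that an event is only raised once a count per key (e.g., per source address) is reached, which is how "repeated failed logins from one address" becomes a single event rather than three. All device names, addresses, and thresholds are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample log lines in two hypothetical formats (not from any real device).
SAMPLE_LOGS = [
    "Mar 10 08:01:02 fileserver sshd[1201]: Failed password for admin from 203.0.113.7 port 5001",
    "Mar 10 08:01:05 fileserver sshd[1201]: Failed password for admin from 203.0.113.7 port 5002",
    "Mar 10 08:01:09 fileserver sshd[1201]: Failed password for admin from 203.0.113.7 port 5003",
    "Mar 10 08:02:11 fileserver sshd[1209]: Accepted password for alice from 10.0.0.25 port 5100",
    "Mar 10 08:03:40 fw01 conn: src=10.0.0.25 dst=198.51.100.9 proto=tcp bytes_out=2500000 action=allow",
    "Mar 10 08:04:00 fw01 conn: src=10.0.0.30 dst=198.51.100.10 proto=tcp bytes_out=1200 action=allow",
    "Mar 10 08:05:12 fileserver sshd[1220]: Accepted password for admin from 203.0.113.7 port 5004",
    "this line is in a format no parser understands",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+$"
)
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) conn: (?P<kv>.*)$")


def parse_log(line):
    """Normalize one raw line into a dict; return None for formats we do not know."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "type": "login", "user": m["user"],
                "src": m["src"], "success": m["result"] == "Accepted"}
    m = FW_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        return {"ts": m["ts"], "host": m["host"], "type": "conn", "src": kv["src"],
                "dst": kv["dst"], "bytes_out": int(kv.get("bytes_out", 0)), "action": kv.get("action")}
    return None


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]          # predicate over a normalized record
    actions: tuple                         # any of "archive", "alert"
    threshold: int = 1                     # matches per key needed before the event fires
    key: Callable[[dict], str] = lambda r: r["host"]


def is_internal(ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


RULES = [
    Rule("failed_login_burst", lambda r: r["type"] == "login" and not r["success"],
         ("archive", "alert"), threshold=3, key=lambda r: r["src"]),
    Rule("external_admin_login", lambda r: r["type"] == "login" and r["success"]
         and r["user"] == "admin" and not is_internal(r["src"]), ("alert",), key=lambda r: r["src"]),
    Rule("large_outbound_transfer", lambda r: r["type"] == "conn" and r["bytes_out"] > 1_000_000,
         ("archive", "alert"), key=lambda r: r["src"]),
]


@dataclass
class Engine:
    rules: list
    archive: list = field(default_factory=list)   # raw messages retained for later analysis
    alerts: list = field(default_factory=list)    # administrator notifications
    unparsed: int = 0                             # lines no parser understood (never silently dropped)
    _counts: dict = field(default_factory=lambda: defaultdict(Counter))

    def process(self, line):
        """Run one line through every rule; return the names of events that fired."""
        rec = parse_log(line)
        if rec is None:
            self.unparsed += 1
            return []
        fired = []
        for rule in self.rules:
            if not rule.match(rec):
                continue
            k = rule.key(rec)
            self._counts[rule.name][k] += 1
            if "archive" in rule.actions:        # archive every matching message
                self.archive.append(line)
            if self._counts[rule.name][k] == rule.threshold:   # fire once, when the threshold is reached
                fired.append(rule.name)
                if "alert" in rule.actions:
                    self.alerts.append(f"{rule.name}: {k} on {rec['host']}")
        return fired


def run(lines, rules):
    eng = Engine(rules)
    for line in lines:
        eng.process(line)
    return eng


if __name__ == "__main__":
    e = run(SAMPLE_LOGS, RULES)
    print(f"archived={len(e.archive)} alerts={e.alerts} unparsed={e.unparsed}")
```

Two design points worth noting: unparsed lines are counted rather than discarded, since a silently dropped format is exactly how a new device's logs go unmonitored; and the threshold fires an event once per key, so an administrator receives one alert for a burst instead of one per message.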