Enterprise SysLog Manager (ESM)
  ...compliance and security event management

Sample Enterprise Syslog Manager Report

Sample Enterprise Syslog Manager Screen Shots

Extraction Tool for Microsoft Servers

Business Problem:

Compliance reports are required by SOX, HIPAA, GLBA and PCI regulations. These reports show who logged in and when, and who logged out and when. They also reveal all changes made to databases, files and configurations. These daily audit reports are an essential part of a solid Information Security Program.

Organizations have "over-taxed" I/T staffs. They need better security and availability management tools in order to protect the Confidentiality, Integrity and Availability (CIA) of information services. To help meet all of these critical objectives, xDefenders has developed the Enterprise SysLog Manager.



ESM Description:

This system is a centralized, enterprise-wide event reporting and alerting system, with optional 24x7 remote management and monitoring. The Enterprise SysLog Manager will accept security events and system logs from distributed Fortinet, DefenderWall, Cisco and Microsoft systems, as well as from any other system that generates syslog messages as defined by RFC3164. This information is integrated into a single database, with a Web GUI and a powerful correlation/escalation engine for effective management by exception.


Main Features:

  • Daily, Automatic Compliance Reports

  • Daily Severity Report by Network, by Host

  • Hardened Linux, MYSQL, HP appliance

  • Heterogeneous support for syslog data

  • "Bacon" Correlation and Escalation Engine

  • Policy-based with Threshold Settings

  • Web Administrative Interface

  • "Learning Mode"

  • Managed Services from xDefenders

  • 24x7x365 management and monitoring, optional



Feature Details:

1.) Automatically determine baselines and thresholds

This mode allows ESM to automatically learn and determine the baselines for syslog events on four axes: per host and priority, per host and application, network-wide per application, and network-wide per host. These thresholds are later used to determine whether more events than usual have been reported in a 5 minute interval, either on a given host or network-wide.

The baseline data is based on the past 3 days. To get an accurate picture, these days must not contain more than one non-workday, for example Sun+Mon+Tue or Thu+Fri+Sat. The administrator has the capability to adjust these thresholds manually.

2.) Notify administrator about significant syslog events

The "Bacon" process runs every 5 minutes to determine both the current number of syslog events and the number of events in the previous 5 minute interval. It requires a set of thresholds to be available for a given host (or a default fallback threshold). Only events with a priority of "Warning" or higher are counted.

The priorities are defined in RFC3164 as follows:
  • Emergency: system is unusable

  • Alert: action must be taken immediately

  • Critical: critical conditions

  • Error: error conditions

  • Warning: warning conditions

  • Notice: normal but significant condition

  • Informational: informational messages

  • Debug: debug-level messages

Correlation and Escalation using "Bacon"

Every 5 minutes, "Bacon" looks for NEW or ESCALATING conditions and alerts the client via email or text message. If the 24x7 service is purchased, the xDefenders Security Operations Center (SOC) in Rochester, NY receives the alert and a Trouble Ticket is created and available via the Client Portal. This service includes administrative support and monitoring with custom escalation/notification procedures. The customer is kept current and protected against new and emerging threats and situations. Escalation Plans and Incident Response Teams are created.

2.a) New events

If a given application has more than "threshold" events network-wide, ESM will alarm the administrator via email. The email will contain the application in question, the threshold, and the current level of activity.

If a given host has more than "threshold" events network-wide, ESM will alarm the administrator via email. The email will contain the host in question, the threshold, and the current level of activity.

If a given host has more than "threshold" events of a given priority, ESM will alarm the administrator via email. The email will contain the name of the host, the priority in question, the threshold, and the current level of activity.

If a given host has more than "threshold" events of a given application, ESM will alarm the administrator via email. The email will contain the name of the host, the application in question, the threshold, and the current level of activity.

2.b) Increased events

If a given application has more than a 100% increase in events network-wide as compared to the previous 5 minute interval, ESM will alarm the administrator via email. The email will contain the application in question along with the previous and the current level of activity.

If a given host has more than a 100% increase in events network-wide as compared to the previous 5 minute interval, ESM will alarm the administrator via email. The email will contain the host in question along with the previous and the current level of activity.

If a given host has more than a 100% increase in events of a given priority as compared to the previous 5 minute interval, ESM will alarm the administrator via email. The email will contain the name of the host and the priority in question along with the previous and the current level of activity.

If a given host has more than a 100% increase in events of a given application as compared to the previous 5 minute interval, ESM will alarm the administrator via email. The email will contain the name of the host and the application in question along with the previous and the current level of activity.
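The following Python script is an added illustration of the 5 minute "Bacon" cycle described in 2.a and 2.b; it is not xDefenders' own code. It parses RFC3164 lines (PRI = facility * 8 + severity), keeps only Warning-or-higher events, counts them on the four axes from Feature 1, and applies the "new" (above threshold) and "increased" (more than 100% over the previous interval) rules. The key names, the default fallback threshold of 10, the learned threshold and the sample messages are assumptions; the page does not say how ESM turns the 3-day baseline into thresholds, so they are taken as input.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

WARNING = 4  # RFC 3164 severity code for Warning; lower numbers are more severe
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)")
SAMPLE = """\
<34>Mar  5 09:57:30 fw1 sshd[401]: Failed password for root from 10.1.2.3
<34>Mar  5 10:00:12 fw1 sshd[412]: Failed password for root from 10.1.2.3
<34>Mar  5 10:01:03 fw1 sshd[412]: Failed password for root from 10.1.2.3
<13>Mar  5 10:02:41 fw1 sshd[412]: Accepted publickey for ops
<34>Mar  5 10:02:40 fw1 sshd[412]: Failed password for admin from 10.1.2.3
<28>Mar  5 10:03:10 db1 mysqld: Warning: disk usage at 91%""".splitlines()  # constructed, not real ESM data

def parse(line, year=2007):  # -> (timestamp, host, app, severity) or None; year is assumed
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, stamp, host, app = m.groups()
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, host, app, int(pri) % 8  # PRI = facility * 8 + severity

def count_window(lines, start, minutes=5):
    """Count Warning-or-higher events in [start, start+minutes) on ESM's four axes."""
    end = start + timedelta(minutes=minutes)
    counts = Counter()
    for when, host, app, sev in filter(None, map(parse, lines)):
        if sev > WARNING or not (start <= when < end):
            continue
        # network-wide per app, network-wide per host, per host/priority, per host/app
        for key in (("app", app), ("host", host), ("host_sev", host, sev), ("host_app", host, app)):
            counts[key] += 1
    return counts

def bacon(current, previous, thresholds, default=10):
    """Alerts for NEW (> threshold) and INCREASED (> 100% vs prior window) conditions."""
    alerts = []
    for key, now in current.items():
        limit = thresholds.get(key, default)  # learned threshold or default fallback
        if now > limit:
            alerts.append(f"NEW {key}: {now} > threshold {limit}")
        before = previous.get(key, 0)
        if before and now > 2 * before:       # a jump from 0 is left to the NEW rule
            alerts.append(f"INCREASE {key}: {before} -> {now}")
    return alerts

def run_example():  # 10:00-10:05 window vs 09:55-10:00, one learned threshold
    start = datetime(2007, 3, 5, 10, 0)
    prev = count_window(SAMPLE, start - timedelta(minutes=5))
    return bacon(count_window(SAMPLE, start), prev, {("host_app", "fw1", "sshd"): 2})
```

In the sample, the Notice-level login is ignored, fw1's three failed logins trip the learned host/application threshold and also exceed double the previous interval on all four axes, while db1's single Warning stays below the default threshold and has no previous interval to compare against.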



System Support:

Installation, testing, basic operational training, documentation, hardware warranty and maintenance are included in the purchase price. xDefenders maintains the operating system, application and remote back-ups for you. Standard support is Monday to Friday, 9 am to 5 pm EST.


Managed Services from xDefenders include:
  • Pre-configured HP DL140 with hardened Linux and MYSQL

  • On-Line Documentation, Web Interface

  • Databases updated automatically and in a timely manner

  • Secure SSH connection from xDefenders Security Operations Center

  • OS and Applications patched, enhanced, remotely

  • Weekly local and remote backups

  • Medium 1RU appliance with Xeon CPU, 1 GB RAM, CD and dual 80 GB disks

  • Hardware maintenance is next-day overnight box or disk replacement

  • Turnkey Installation and basic fine-tuning of rules included

  • One Year Warranty from date of install



Compliance Reports
  1. User Logon/Logoff

  2. Logon Failure

  3. Audit Log Access

  4. Object Access

  5. System Events

  6. Unsuccessful User Account Validation

  7. Successful User Account Validation



For more information call (585) 385-2770 or email jthon@xdefenders.com.


Copyright © 2007, All rights reserved.
xDefenders, inc., 1100 Pittsford-Victor Road, Pittsford, NY 14534, U.S.A. (585) 385-2770.
