Security Event Management Center

Large numbers of application systems and network devices are deployed in an enterprise, including hosts, databases, other application systems, switches, and firewalls. Due to varying device log formats, poor intelligibility, and difficulties in storing massive logs, major security risks cannot be promptly detected from logs. Government agencies and industrial organizations provide guidance and use internal control laws and standards to impose higher requirements on the completeness, accuracy, and effectiveness of run logs and user logs.

Characteristic

Unified log management and quick matching capability

  • LogCenter supports multiple log collection modes, including Syslog, session, SFTP, FTP static file, FTP dynamic file. Users can collect, classify, filter, summarize, analyze, store, and monitor logs reported from the application systems or NEs to help the administrator manage mass logs and learn NE running status, trace network user behaviors, and quickly recognize and eliminate security risks.
  • LogCenter supports prompt notifications of critical logs. The administrator can customize keywords, log type, and log level thresholds. When logs match customized keywords, log type, or log level, LogCenter generates alarms in real time and notifies administrators through SMS messages or emails.

Professional NAT tracing and automatic association with user information to meet secure audit requirements

  • LogCenter collects and analyzes logs about sessions on NAT devices to obtain NAT information, including the IP address, destination port, NAT source IP address, and protocols. LogCenter uses the NAT information and the data source provided by the Authentication, Authorization, and Accounting (AAA) server to ensure secure audit and traffic investigation.

In-depth user online behavior analysis

  • LogCenter works with Huawei USG and ASG devices to analyze user online behaviors, including user traffic, online duration, keywords, web access trends, emails, applications, network threats, and outgoing files.

Rich security event analysis reports showing network security status

  • LogCenter collects security event logs about network security devices and systems, such as Huawei network UTM system, firewalls, intrusion protection system, and Anti-DDoS system, analyzes them, and generates reports to provide visibility into the network security status. LogCenter supports DDoS attack event, plug-in block, access control event, policy matching, IPS, URL filter, and email filter analysis.

log center bar chart


Million-level log processing per second, meeting requirements of nationwide network auditing

  • LogCenter meets the performance requirements of nationwide network auditing and collects and audits millions of system logs in a second, supporting high-performance log collection, storage, and audit functions for large and ultra large networks.

Network security posture awareness, helping quickly detect dynamic risks

  • By analyzing Huawei NGFW and sandbox devices’ detection logs, the LogCenter identifies threats on the network and displays network-wide security posture by means of the topology map, trend diagrams, and proportion diagrams. With LogCenter, the network administrator can rapidly locate high-risk points and APTs on the network and take measures to prevent attacks. The deployment of the LogCenter reduces O&M manpower and lowers the capability requirements for O&M personnel, decreasing O&M costs.
  • In addition, the LogCenter can display security posture based on geographical locations and key assets. It colors areas and assets to show their threat severities, supports real-time alarms, automatically reports security events, and works with the Agile Controller to block the spread of security risks in real time.

    logcenter-global

Deployment Scenario

LogCenter network can be deployed in centralized or distributed ways.

Distributed deployment: The Log Collector and the Log Analyzer are deployed separately on two servers.

log analyzer deployment1

− Log Collector: Receives, aggregates, formats, filters, counts, and stores logs and generates alarms.

− Log Analyzer: Manages policies, reports, devices, systems, and users.

− Log Console: Provides an interaction GUI for managing foreground and background using the web.

Centralized deployment: When performance requirements are low, LogCenter can also be deployed in a centralized way.

log analyzer 2

Specification

Performance
Maximum Size of Logs Processed per Day 500 GB
Maximum Number of Sessions Processed per Day 4.32 billion
Maximum Log Recording Speed (standalone mode) 250,000 EPS
Maximum Number of NEs Supported by the LogCenter 2,000
Recommended Server Model LogCenter All-In-One LogCenter Analyzer LogCenter Collector
Height 2U
Dimensions (H x W x D) mm 86.1 mm (2 U) x 447 mm x 748 mm
Weight (full configuration) 30 kg 27 kg 30 kg
Fixed Ports 4 x USB, 1 x VGA, 1 x Console, 1 x MGT, and 8 x GE
Memory 32 GB
Storage Space 2 x 300 GB SAS, 12 x 6-TB SATA 2 x 300 GB SAS, 6 x 2-TB SATA 2 x 300 GB SAS, 10 x 6-TB SATA
RAID RAID 1 & RAID 6
Redundant Power Modules Standard
AC Power Supply 100V to 240V; 50/60 Hz; 9A to 4.5A
DC Power Supply –48V to –60V; 26A
Maximum Power 750W AC/800W DC
Operating Environment

Operating temperature: 5°C to 45°C (41°F to 113°F)

Operating humidity: 8% RH to 90% RH non-condensing

Non-operating Environment (storage environment)

Storage temperature: –40°C to +65°C (–40°F to 149°F)

Storage humidity: 5% RH to 95% RH non-condensing

Authentication CCC, RCM, CE, VCCI, FCC, IC, UL, and BIS
Function/Feature  
Dashboard

Dashboard layout customization, which can be saved for further use

Ranking of user IP application behaviors and users by Internet traffic volume, network threat classification and user ranking, attack defense event trend, traffic statistics based on protocol categories, application-layer threat event trend and ranking

Resource Management

Log source management, device group management, and discovery of specific IP network segments based on SNMP

Real-time collector status management, collector whitelist mode, and interworking between the collector and NEs

Log collection modes: syslog, security syslog, jdbc, heartbeat, dataflow, session, RADIUS, netflow, FTP dynamic/static file, and SFTP

Network Security Analysis

Access control event log analysis: attack event trend, top 50 attack events/attack sources

ActiveX and Applet content filtering log analysis: distribution of filtered packets, top 50 source/destination IP addresses of filtered packets

IPS attack behavior analysis: attack event trend by behavior, attack event trend by severity, top 50 attack source IP addresses, attack destination IP addresses, attack protocols, and attacked ports

Antivirus log analysis: virus infection trend, top 50 virus events, most infected destination IP addresses, and source IP addresses that send most infected files

URL filtering log analysis: top 50 source IP addresses with most web access times as well as most accessed websites and URLs

Email filtering log analysis: email connection and matching trend, top 50 IP addresses for email connections that are permitted, blocked, and alerted on

ACL rule and forwarding policy matching analysis: ACL rule trend, policy trend, top 50 most-hit interzone security policies

IM login and logout audit log analysis: firewall syslog analysis

Session Analysis

Million-level IPv4/IPv6 session log query

Query of NAT port range, user port pre-allocation, URL session, and IM session logs

Display of session trend and top 50 session source/destination IP addresses

Traffic Analysis

Real-time traffic trend based on physical ports’ IP application protocols, top 50 users or IP addresses by incoming and outgoing traffic, and region-based traffic ranking report

NGFW application traffic ranking and trend; top 50 users or IP addresses by Internet traffic volume

Online Behavior Analysis

Top 50 Internet access duration by user/IP address, Internet access trend

Top 50 keywords most matched by online behavior (application types include email, web page, and search engine)

User URL audit log analysis: top 50 websites by visit count or volume of uploaded content

Email filtering log analysis and application service type analysis: top 50 application service types

Top 50 users whose online behaviors match most threats, including virus and intrusion threats

Analysis of file sending logs: top 50 email, FTP, and HTTP-based file sending logs

SSL VPN Analysis Analysis and top 50 SSL VPN users by traffic volume, users by virtual gateway traffic volume, connections, online users, intranet resource access, and mobile terminal access types
Log Audit

Top 50 log types with specific NE types, NEs, or time ranges

Setting of log audit rules for NEs, so that audit events are generated for logs matching the log audit rules

Security Posture Awareness

Real-time display of enterprise and regional security posture, top 10 high-risk assets, 10 latest security events, and threat severities

Security trend of specific regions, including the threat map, threat severity trend, and trends of various events

Interworking with the Agile Controller for the execution of security policies; configuration of SMS and email notification for security events

Management and configuration of asset groups

 

Security Information and Event Management (SEIM)

Security Event Management Center is a comprehensive and unified system to implement log management and security audit. With superb performance, reliability, security, and scalability, it implements mass storage, unified management, and convenient operation and maintenance, meeting the needs of log management and security audit.

Competitive products include AlienVault Unified Security Management, CorreLog Server, EiQ Networks SecureVue, EventTracker Enterprise, HP ArcSight ESM v6.5c, LogRhythm, ManageEngine EventLog Analyzer, McAfee Enterprise Security Manager, NetIQ Sentinel, SolarWinds Log & Event Manager