System and method for managing events

US 20060161816A1
Filed: 12/22/2005
Published: 07/20/2006
Est. Priority Date: 12/22/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing log events in a network, comprising:

receiving a plurality of log messages in SYSLOG format from log sources across the network;

detecting log events from the plurality of log messages;

normalizing detected log events to generate normalized log events; and

analyzing the normalized log events.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods to manage logs from log sources distributed across one or more networks using a log event management system, herein called a Thunder console. The Thunder console is a log aggregator that allows networks to deploy servers which collect, normalize, and analyze a large number of log events. These logs can be stored for a specific period of time. Alerts can be generated to communicate information regarding the log events.

206 Citations

18 Claims

1. A method for managing log events in a network, comprising:
- receiving a plurality of log messages in SYSLOG format from log sources across the network;
  
  detecting log events from the plurality of log messages;
  
  normalizing detected log events to generate normalized log events; and
  
  analyzing the normalized log events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - communicating an alert when a deviation occurs.
  - 3. The method of claim 1, wherein analyzing includes correlating the normalized log events with intrusion events and vulnerability information.
  - 4. The method of claim 1, wherein normalizing includes using statistical profiling.
  - 5. The method of claim 1, further comprising receiving at an agent bundled log messages;
    - and detecting log events from the bundled log messages.
  - 6. The method of claim 1, wherein the log sources include at least three sources from the group:
    - firewalls, intrusion prevention systems, operating systems, network devices, applications, intrusion detection systems, honeypots, virus detection systems and network monitors.
  - 7. The method of claim 1, wherein normalizing includes determining whether a log event is unique.
  - 8. The method of claim 1, wherein detecting includes extracting source and destination IP addresses.
  - 9. The method of claim 1, wherein normalizing includes computing a normal load for each log source.

10. A system for managing log events in a network, comprising:
- a plurality of log sources distributed across the network; and
  
  a centralized log aggregation system for receiving a plurality of log messages in SYSLOG format from the plurality of log sources, wherein the centralized log aggregation system detects log events from the plurality of log messages, normalizes detected log events to generate normalized log events, and analyzes the normalized log events.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the centralized log aggregation system communicates an alert when a deviation occurs.
  - 12. The system of claim 10, wherein the centralized log aggregation system correlates the normalized log events with intrusion events and vulnerability information.
  - 13. The system of claim 10, wherein the centralized log aggregation system uses statistical profiling to normalized log events.
  - 14. The system of claim 10, further comprising:
    - a first agent for receiving, processing and forwarding bundled log messages from a log source or a second agent to the centralized log aggregation system.
  - 15. The system of claim 10, wherein the plurality of log sources include at least three sources from the group:
    - firewalls, intrusion prevention systems, operating systems, network devices, applications, intrusion detection systems, honeypots, virus detection systems and network monitors.
  - 16. The system of claim 10, wherein the centralized log aggregation system determines whether a log event is unique when normalizing.
  - 17. The system of claim 10, wherein the centralized log aggregation system extracts source and destination IP addresses when detecting.
  - 18. The system of claim 10, wherein the centralized log aggregation system computer a normal load for each log source when normalizing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Inventors
Maurice Deraison, Renaud Marie, Hayton, Matthew Todd, Gula, Ronald Joseph

Application Number

US11/313,710
Publication Number

US 20060161816A1
Time in Patent Office

Days
Field of Search
US Class Current

714/39
CPC Class Codes

H04L 41/0213   Standardised network manage...

H04L 41/065   involving logical or physic...

H04L 41/22   comprising specially adapte...

H04L 63/1425   Traffic logging, e.g. anoma...

System and method for managing events

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing events

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links