If we look into an overall log management activity, it comprises three phases:
- Generation of logs from sources
- Delivery of logs to central solution
- Co-relation and alerting based on rules
In each of these phases, there is some kind of time involved and thus at the final stage when the SOC gets an alert of some suspicious activity, some time would have already passed before the activity is actually being performed:
There are certain phases involved, which are explained as follows:
- N: This is the time when the user makes a certain request to the system
- N+1: This is the time when the system will log the request in the appropriate log file
- N+X: This is the time when the logs from the system will go to the central log monitoring solution
- N+X+Y: This is the time taken by the log monitoring solution to co-relate the logs and display an alert
