A large portion of log data generated by our customers is web server logs. These logs contain important information about each request including the URL, IP address, server information, user agent, response code, and more. Web server logs are often used to monitor production issues and performance, but also contain extremely valuable data about your production security and potential threats.
We at Coralogix decided to bridge the gap between IT and old-school SIEM tools on one side and the fast-paced DevOps organization on the other, which needs its data to be flexible, real-time, and combined across all sources: Apps, Infrastructure, Network, and Security.
Coralogix's first security feature is a super simple way for you to get your web server logs enriched with the world's most up-to-date IP reputation lists.
All you have to do is go to the settings menu and, under "Enrich", in the "Security Enrichment" section, define the IP fields you would like to track for security threats.
If you don't have your IP fields set or your data isn't JSON formatted, you can use Coralogix's Rules Engine to extract the IP addresses that lie in your log records using the "Extract" rule, which lets you use a regex to pull out a single value without having to parse your entire log record.
Once the definition is done, Coralogix will compare any IP in your logs against a constantly updated list of blacklisted IPs and, if the IP is suspected, enrich your log in real time with the following fields:
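As an added illustration (not Coralogix's own code), here is the extract-and-enrich flow described above expressed in Python: a regex pulls the client IP out of each web server log line, the address is matched against a constructed blocklist standing in for a live reputation feed, and matching records gain enrichment fields. The field names `sec_suspected` and `sec_category`, the blocklist entries and the sample log lines are assumptions, since the page does not show the actual fields.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample blocklist standing in for a live IP reputation feed.
# Each entry maps an address or CIDR to the category it was listed under.
BLOCKLIST = {"203.0.113.0/24": "scanner", "198.51.100.7": "malware-c2"}
BLOCKED_NETS = [(ipaddress.ip_network(n), c) for n, c in BLOCKLIST.items()]

# Constructed common-log-format lines (documentation addresses only).
SAMPLE_LOGS = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 401 512',
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326',
]

# In the spirit of an "Extract" rule: capture only the leading client IP,
# without parsing the rest of the record.
CLIENT_IP_RE = re.compile(r"^(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s")


def extract_client_ip(line: str) -> Optional[str]:
    """Return the client IP from a common-format log line, or None."""
    m = CLIENT_IP_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group("client_ip"))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    return m.group("client_ip")


def lookup(ip: str) -> Optional[str]:
    """Return the reputation category if ip is on the blocklist, else None."""
    addr = ipaddress.ip_address(ip)
    for net, category in BLOCKED_NETS:
        if addr in net:
            return category
    return None


def enrich(record: dict, ip_field: str = "client_ip") -> dict:
    """Add hypothetical security fields when the tracked IP is suspected."""
    category = lookup(record[ip_field]) if record.get(ip_field) else None
    if category is not None:
        record.update({"sec_suspected": True, "sec_category": category})
    return record


def process(line: str) -> dict:
    """Turn a raw log line into a record with the tracked IP, then enrich it."""
    return enrich({"client_ip": extract_client_ip(line), "raw": line})
```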
The following dashboard example provides information about discovered threats based on the enriched fields:
Threat discovery is currently open to a limited number of users. Want to join the group? Shoot us an email at firstname.lastname@example.org or chat with us!