ABSTRACT

Now that we have assembled the physical architecture, decided what is to be collected and why, and identified some expectations, we are ready to install a logical configuration. In this section we dive into the configuration aspect of log consolidation as well as the decisions that need to be made when configuring each component. It is the log consolidation and correlation configuration that shows the value of our implementation. (The system does more than replay the data it has collected in raw form.)

Some examples of how we correlate the log data include the following:

Consolidation of like devices. This approach provides a big picture of total events from one type of device across the enterprise; for example, all firewall rule denies from every external portal that share a common source or destination IP address.
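The firewall example above, carried through in working code as an added illustration (this is not code from the original chapter). A handful of constructed deny/allow lines from three hypothetical external firewalls are parsed, and the DENY events are grouped by source or by destination IP so that an address blocked on several devices surfaces as one consolidated finding rather than three unrelated log entries. The log field layout, device names and addresses are assumptions chosen for the example; a real deployment would map the parser to the vendor's actual format and usually add a time window.

```python
"""Correlate firewall deny events from several like devices by common IP."""
import re
from collections import defaultdict

# Constructed sample log lines (not from any real device). The syslog-like
# field layout is an assumption for this example only.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw-ext-1 kernel: DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-01T10:00:03Z fw-ext-2 kernel: DENY src=203.0.113.10 dst=192.0.2.9 proto=tcp dport=22
2024-03-01T10:00:04Z fw-ext-3 kernel: DENY src=203.0.113.10 dst=192.0.2.14 proto=tcp dport=3389
2024-03-01T10:00:05Z fw-ext-1 kernel: DENY src=198.51.100.7 dst=192.0.2.5 proto=udp dport=53
2024-03-01T10:00:06Z fw-ext-1 kernel: DENY src=198.51.100.7 dst=192.0.2.5 proto=udp dport=53
2024-03-01T10:00:07Z fw-ext-2 kernel: ALLOW src=198.51.100.8 dst=192.0.2.9 proto=tcp dport=443
2024-03-01T10:00:08Z fw-ext-2 kernel: DENY src=192.0.2.77 dst=203.0.113.99 proto=tcp dport=445
2024-03-01T10:00:09Z fw-ext-3 kernel: DENY src=192.0.2.78 dst=203.0.113.99 proto=tcp dport=445
"""

# One regex for the assumed layout: timestamp, device, process, action, then
# key=value fields. Lines that do not match are skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+\S+\s+(?P<action>DENY|ALLOW)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Turn raw log text into a list of dicts, one per recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def correlate_denies(events, key="src", min_devices=2):
    """Group DENY events by the chosen IP field ("src" or "dst") across devices.

    Returns {ip: {"devices": [...], "count": n, "dports": [...]}} for every IP
    that was denied on at least min_devices distinct firewalls. Addresses
    denied on a single device, however often, are left out of the consolidated
    view because they give no cross-device picture.
    """
    by_ip = defaultdict(lambda: {"devices": set(), "count": 0, "dports": set()})
    for ev in events:
        if ev["action"] != "DENY":
            continue
        entry = by_ip[ev[key]]
        entry["devices"].add(ev["device"])
        entry["count"] += 1
        entry["dports"].add(int(ev["dport"]))

    result = {}
    for ip, entry in by_ip.items():
        if len(entry["devices"]) >= min_devices:
            result[ip] = {
                "devices": sorted(entry["devices"]),
                "count": entry["count"],
                "dports": sorted(entry["dports"]),
            }
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for ip, info in correlate_denies(evs, key="src").items():
        print(f"source {ip}: denied {info['count']}x on {info['devices']}, dports {info['dports']}")
    for ip, info in correlate_denies(evs, key="dst").items():
        print(f"destination {ip}: denied {info['count']}x on {info['devices']}, dports {info['dports']}")
```

Run stand-alone, the source view reports only 203.0.113.10 (denied on all three firewalls, probing ports 22 and 3389), while 198.51.100.7 is dropped even though it produced two denies, because both came from one device. The destination view reports 203.0.113.99, an outside address that two different internal hosts were blocked from reaching on port 445, which is the kind of picture no single firewall's log shows on its own.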