About Log Inspection

For a list of operating systems where Log Inspection is supported, see Supported features by platform.

The Log Inspection protection module helps you identify important events that might be buried in your operating system and application logs. These events can be sent to a security information and event management (SIEM) system or centralized logging server for correlation, reporting, and archiving. All events are also securely collected in Workload Security. For more information about logging and forwarding events, see Configure Log Inspection event forwarding and storage.

The Log Inspection module lets you:

  • Meet PCI DSS log monitoring requirements.
  • Detect suspicious behavior.
  • Collect events across heterogeneous environments containing different operating systems and diverse applications.
  • View events such as error and informational events (disk full, service start, service shutdown, etc.).
  • Create and maintain audit trails of administrator activity (administrator login or logout, account lockout, policy change, etc.).

To enable and configure Log Inspection, see Set up Log Inspection.

The Log Inspection feature in Workload Security enables real-time analysis of third party log files. The Log Inspection rules and decoders provide a framework to parse, analyze, rank and correlate events across a wide variety of systems. As with intrusion prevention and integrity monitoring, Log Inspection content is delivered in the form of rules included in a security update. These rules provide a high level means of selecting the applications and logs to be analyzed. To configure and examine Log Inspection rules, see Define a Log Inspection rule for use in policies.