Logsign Unified SecOps Platform – Architecture, Services, and Technologies

Our goal is to deliver automation-driven cyber security solutions with software that’s easy to use, easy to customize, and easy to scale. It starts with ensuring Logsign SIEM runs smoothly while providing a service that scales to meet all ever-changing needs.

As the companies grow and their needs change, the technology has to scale to meet the demand for performance and reliability. Logsign SIEM is built on an enterprise-level operations and technology architecture that exceeds industry standards and future-proofs for all businesses. The following diagram gives an overview of the technical architecture. See the rest of the article for explanations of the parts.

[Figure: Logsign SIEM technical architecture overview diagram]

A Redundant and Distributed Environment

Logsign SIEM is the first Hadoop-embedded SIEM solution, which gives it an architecture that scales both horizontally and vertically. The architecture can scale horizontally to handle much higher EPS volumes, and vertically to manage nodes with role- and service-based redundancy.

The architecture can be designed as an active-active cluster with high availability for enterprise-grade deployments. Thanks to its high-capacity data collector for distributed environments, you can deploy Logsign SIEM quickly and with little effort in hybrid environments.

Extensive Integration Framework

Logsign SIEM has 400+ built-in data collection integrations for faster deployment. This integration library can collect all the data from all necessary event sources within a single day. If you want to integrate a new device, you can create a custom parser quickly and efficiently in rule-based, CEF, key-value, and JSON formats. Also, the Logsign product team provides new integrations without any additional cost.
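The custom parser formats named above (JSON, CEF and key-value) can be handled by a single normalizer. The following is an added illustration, not Logsign's own parser code: it detects the format of a constructed sample event and returns the same flat field dictionary regardless of the input encoding, including CEF header fields with escaped pipes and extension values that contain spaces.

```python
import json
import re

# Constructed sample events in the three formats the article names (JSON, CEF, key-value).
SAMPLES = [
    '{"src": "10.0.0.5", "dst": "10.0.0.9", "action": "deny", "proto": "tcp"}',
    'CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection blocked|5|'
    'src=10.0.0.5 dst=10.0.0.9 act=deny msg=port 22 blocked',
    'src=10.0.0.5 dst=10.0.0.9 action=allow proto=udp',
]

# Names for the seven fixed CEF header positions.
CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity"]


def _split_cef_header(line):
    # Split on unescaped '|' only; CEF escapes a literal pipe in header fields as '\|'.
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)
    header = [p.replace('\\|', '|') for p in parts[:7]]
    extension = parts[7] if len(parts) > 7 else ""
    return header, extension


def _parse_extension(ext):
    # Extension values may contain spaces, so a value runs until the next 'key=' token.
    out = {}
    for m in re.finditer(r'(\w+)=(.*?)(?=\s+\w+=|$)', ext):
        out[m.group(1)] = m.group(2).replace('\\=', '=')
    return out


def normalize(line):
    """Return a dict with a 'format' key plus the fields extracted from one event line."""
    line = line.strip()
    if line.startswith('{'):
        return {"format": "json", **json.loads(line)}
    if line.startswith('CEF:'):
        header, ext = _split_cef_header(line[len('CEF:'):])
        event = dict(zip(CEF_HEADER_FIELDS, header))
        event.update(_parse_extension(ext))
        return {"format": "cef", **event}
    if '=' in line:
        return {"format": "kv", **_parse_extension(line)}
    raise ValueError("unrecognised event format")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```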

With over 100 built-in response integrations, Logsign SIEM runs automated and semi-automated response actions efficiently to secure the network. You can respond automatically on firewalls, DLP, NAC, EDR, AD and endpoint protection devices and through third-party TI, and take single-click actions in investigation tools.

Integrated Threat Intelligence

Logsign Threat Intelligence service is embedded in Logsign SIEM and includes both public and branded TI feed integrations. With 45+ global and well-trusted TI feeds, Logsign SIEM enriches the data and provides insights to detect threats and attacks. 

Furthermore, the Logsign TI service prioritizes data security, processing customer data in real-time without extracting it from on-premises servers. This ensures that your data remains protected, enhancing security while providing invaluable insights.

LEAF Mode for Distributed Environments

Logsign LEAF is a high-capacity data collector that collects all kinds of data and sends them to the central Logsign SIEM server. It is a solution for organizations that want to collect data from distributed locations.

The Logsign LEAF data collector collects all the data with or without an agent, normalizes and classifies it, and sends it safely to the central SIEM over a secure connection, tolerating connection errors along the way.
 

Core Services / System Components

Logsign-api:

It is the service that the Logsign user interface runs on. It serves as a bridge between the interface templates and the backend.

Zookeeper:

It is the service where all the configurations used in Logsign are kept. (Report, Alarm, User Information, Dashboard Conf, Profiles, Settings...)

Syslog-collector:

This is the syslog service on Logsign. It collects logs from IPs that have been added to Logsign as a syslog source by listening on UDP port 514 and TCP port 515, and sends them to the parser.

Logsign-poller:

Logs do not always come to us. In some cases, we go to the source and retrieve the logs. This service runs the per-source services that retrieve those logs. The services connected to the poller service are:

Logsign-poller-oracle:

It works when an Oracle database is added to the Logsign source list. It connects to the specified Oracle source with the given configuration, retrieves the data, and sends it to the parser.

Logsign-poller-mssql:

It works when an MSSQL database is added to the Logsign source list. It connects to the specified MSSQL source with the given configuration, retrieves the data, and sends it to the parser.

Logsign-poller-wmi:

It works when a WMI (Windows Management Instrumentation) source is added to the Logsign source list. It connects to the specified WMI source with the given configuration, reads the data, and sends it to the parser.

Logsign-poller-sftp:

It works when an SFTP (SSH (Secure Shell) File Transfer Protocol) source is added to the Logsign source list. It connects to the specified SFTP source with the given configuration over the SSH protocol, reads the data, and sends it to the parser.

Logsign-poller-smb:

It works when an SMB (Server Message Block; on Linux, a Samba file share) source is added to the Logsign source list. It connects to the specified SMB source with the given configuration, reads the data, and sends it to the parser.

Logsign-persist:

After the data coming to Logsign has gone through the parser mechanism, it is posted to this service. It is the service that writes both the parsed version (human_readable) and the original version (raw, kept for 5651) of the collected data under /opt/var/log, in files named collected.EXTENSION.day.month.year, where EXTENSION is raw, json, or parquet.

Logsign-postprocess:

It controls the services and their queues to be used for operations (alarm, alarmflow, bucket, offline, data-export) after the data is prepared in every way and written to the necessary places. The services that work in connection with this are:

Logsign-bucket-worker:

It appears as a list in the alarm module of Logsign's interface. According to the configuration of the created lists, it caches the data for a defined period and produces an alarm if the condition is met by the cached data.
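To make the bucket mechanism concrete, here is an added sketch (not Logsign's own worker code) of a windowed threshold rule: matching events are cached per key, entries older than the window are expired, and an alarm is produced once the cached count reaches the threshold. The event stream, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample stream of parsed events: (timestamp_seconds, source_ip, action).
EVENTS = [
    (0, "10.0.0.5", "deny"), (10, "10.0.0.5", "deny"), (20, "10.0.0.5", "deny"),
    (25, "10.0.0.7", "deny"), (30, "10.0.0.5", "deny"), (31, "10.0.0.5", "deny"),
    (400, "10.0.0.5", "deny"), (410, "10.0.0.5", "deny"),
]


class BucketRule:
    """Alarm when `threshold` matching events for one key fall inside `window` seconds."""

    def __init__(self, window, threshold, match):
        self.window = window
        self.threshold = threshold
        self.match = match                # predicate deciding whether an event is cached
        self.cache = defaultdict(deque)   # key -> timestamps of cached matching events
        self.alarms = []

    def feed(self, ts, key, event):
        if not self.match(event):
            return None
        q = self.cache[key]
        q.append(ts)
        # Expire cached events that have fallen outside the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            alarm = {"key": key, "count": len(q), "first": q[0], "last": ts}
            self.alarms.append(alarm)
            q.clear()  # one burst yields one alarm, then the bucket starts over
            return alarm
        return None


def run(events, window=60, threshold=5):
    """Feed the stream through a 'five denies from one source in 60 s' rule and return alarms."""
    rule = BucketRule(window, threshold, match=lambda e: e[2] == "deny")
    for ts, src, action in events:
        rule.feed(ts, src, (ts, src, action))
    return rule.alarms


if __name__ == "__main__":
    print(run(EVENTS))
```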

Logsign-offline-worker: A service that controls the Reindex and Export operations and the Schedule Report feature from a compressed archive.

Logsign-data-export-worker: A service that ensures the PDF and EXCEL export feature of reports and the export part of Schedule Report work on the Logsign interface.

Logsign-alarmflow-worker: A service that combines Bucket and Alarm to produce alarms based on cached data. It covers the 6th and 7th types of alarms.

Logsign-maintenance: A service that controls the management of the system in general. It controls the Cluster services, stats, redundancy, socket-watcher, and other related services.

Logsign-health-check: A service that runs the scripts of predetermined scenarios at specific intervals to provide information about the general condition of services in the Logsign system.

Logsign-security-automation-worker: A service that removes temporary blocking from blocked objects when the time comes.

Logsign-action-rule-worker: A service that carries out the actions defined in action rules using the response actions.

Logsign-integration-engine: A service that handles communication between the API and the products defined as response resources.

Technology Stack Overview

[Figure: Logsign technology stack overview diagram]