
Overview

UTMStack’s Log Management system provides enterprise-grade log collection, correlation, and analysis. The platform processes logs from multiple sources in real time, so security teams can identify threats and investigate incidents quickly and with the full context of the underlying events.
Correlation runs before data ingestion, that is, rules are evaluated on events as they arrive rather than after they have been indexed. This reduces the indexing workload and shortens time to alert compared with SIEMs that index first and correlate afterwards.

Key Features

Real-Time Collection

Collect logs from diverse sources including agents, integrations, and SaaS platforms with automatic parsing and normalization.

Pre-Ingestion Correlation

Correlate log data before ingestion to reduce storage requirements and accelerate threat detection.

Advanced Search

Query and analyze logs with powerful search capabilities using the log analyzer interface.

Field Extraction

Automatically extract and index relevant fields for efficient searching and correlation.

Log Analyzer

The Log Analyzer module (/discover route) provides interactive log exploration capabilities:
  • Interactive Querying: Build and save custom queries for frequently used searches
  • Field Analysis: Drill down into specific log fields to identify patterns
  • Time-Based Filtering: Analyze logs across custom time ranges
  • Export Capabilities: Export log data for offline analysis or compliance reporting
Save frequently used queries in the Log Analyzer to quickly access common searches and share them with your team.

Data Sources

UTMStack supports log collection from:
  • Agents: Windows, Linux, and macOS endpoints (/data-sources)
  • Network Devices: Firewalls, routers, switches via syslog
  • Cloud Platforms: AWS, Azure, GCP, and other cloud services
  • Security Tools: EDR, antivirus, IDS/IPS systems
  • Applications: Web servers, databases, custom applications

Storage Management

UTMStack differentiates between hot and cold log storage:
  • Hot Storage: Immediately accessible logs for active analysis
  • Cold Storage: Archived logs that can be restored when needed
As a sizing reference, 50 data sources generating 120 GB of log data per month require 4 cores, 16 GB RAM, and 150 GB of disk to keep one month of hot storage. Scale disk with the retention window you need in hot storage, not with monthly ingest alone.

Log Parsing

The platform includes built-in parsers for common log formats and allows custom parsing rules:
  • Access the Data Parsing module at /data-parsing
  • Create custom parsing rules for proprietary log formats
  • Test and validate parsing logic before deployment
  • Monitor parsing performance and error rates

Best Practices

Optimize Log Collection
  1. Configure log sources to send only the severity levels you need, but keep authentication and audit events, since detection rules depend on them
  2. Use pre-filtering on agents to reduce network traffic
  3. Schedule log rotation to maintain performance
  4. Regularly review and archive old data to cold storage

Integration with Other Features

Log Management integrates with the following features:
  • Threat Detection: Logs feed into correlation rules for alert generation
  • Alert Investigation: Access raw logs directly from alert details
  • Compliance: Generate compliance reports from historical log data
  • SOC AI: AI-powered analysis of log patterns and anomalies

Technical Implementation

Log data flows through UTMStack’s architecture:
Log Source → Agent/Collector → Correlation Engine → Storage → Analysis Interface
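The flow above, together with the Pre-Ingestion Correlation feature and the custom parsing rules described under Log Parsing, as an added Python example that is not UTMStack's own code: a custom parser for a constructed key=value log format, a validation pass that reports the parser's error rate before the rule is deployed, an agent-style severity pre-filter, and a stateful correlation rule that is evaluated on each event before the event is written to storage. The log format, the sample lines, the rule name and the severity threshold are assumptions made for the illustration.

```python
"""Added example of a parse -> pre-filter -> correlate -> store pipeline.
Illustrative code only, not UTMStack's engine. The log format, sample lines
and thresholds below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed proprietary format: "<ISO8601 ts> <host> <app> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+)(?: (?P<kv>.*))?$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Custom parsing rule: return a dict of extracted fields, or None if the
    line does not match the format (counted as a parse error by callers)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv") or ""))
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        sev = int(fields.get("sev", 6))  # syslog numbering: lower is more severe
    except ValueError:
        return None
    return {**fields, "ts": ts, "host": m.group("host"),
            "app": m.group("app"), "sev": sev}


def validate_rule(lines):
    """Test a parsing rule before deployment: parse every sample line and
    return (parsed events, lines that failed) so the error rate is known."""
    parsed, failed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            failed.append(line)
        else:
            parsed.append(ev)
    return parsed, failed


class FailedLoginCorrelator:
    """Stateful rule: `threshold` login_failed events from one source IP inside
    `window` seconds raise an alert. evaluate() runs per event, before storage."""

    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # src IP -> timestamps of recent failures

    def evaluate(self, ev):
        if ev.get("action") != "login_failed" or "src" not in ev:
            return None
        q = self.seen[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > self.window:  # slide the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"rule": "ssh_brute_force", "src": ev["src"], "host": ev["host"],
                     "count": len(q), "first": q[0], "last": ev["ts"]}
            q.clear()  # one alert per burst, not one per extra failure
            return alert
        return None


def run_pipeline(lines, max_severity=5, correlator=None):
    """Log Source -> Collector (parse + pre-filter) -> Correlation Engine -> Storage.
    Returns (stored events, alerts, unparsed lines)."""
    correlator = correlator or FailedLoginCorrelator()
    stored, alerts, unparsed = [], [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # feeds the parser error-rate metric
            continue
        if ev["sev"] > max_severity:
            continue  # agent-side pre-filter: drop informational/debug events
        alert = correlator.evaluate(ev)  # correlation happens before ingestion
        if alert:
            alerts.append(alert)
        stored.append(ev)  # hot storage
    return stored, alerts, unparsed


# Constructed sample input: three failures from 10.0.0.5 within 40 s, one
# successful login at informational severity, and one malformed line.
SAMPLE_LOGS = [
    "2024-05-03T10:00:01Z fw01 sshd sev=4 user=root src=10.0.0.5 action=login_failed",
    "2024-05-03T10:00:05Z fw01 sshd sev=6 user=alice src=10.0.0.9 action=login_ok",
    "2024-05-03T10:00:20Z fw01 sshd sev=4 user=root src=10.0.0.5 action=login_failed",
    "2024-05-03T10:00:40Z fw01 sshd sev=4 user=admin src=10.0.0.5 action=login_failed",
    "2024-05-03T10:05:00Z fw01 sshd sev=4 user=root src=10.0.0.5 action=login_failed",
    "this line does not match the format",
]

if __name__ == "__main__":
    events, alerts, bad = run_pipeline(SAMPLE_LOGS)
    print(f"stored={len(events)} alerts={len(alerts)} unparsed={len(bad)}")
    for a in alerts:
        print(a["rule"], a["src"], a["count"], a["first"].time(), a["last"].time())
```

Running the block stores four events (the sev=6 success is pre-filtered, the malformed line is counted as a parse error), and the third failure from 10.0.0.5 at 10:00:40 raises one alert while the event is still in flight; the later failure at 10:05:00 starts a new window and raises nothing. Validate a real parsing rule the same way, by running validate_rule over a representative sample and checking the failed list, before enabling it on live sources.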
References:
  • Log Analyzer Module: frontend/src/app/log-analyzer/
  • Log Analyzer Service: frontend/src/app/log-analyzer/shared/services/log-analyzer.service.ts
  • Data Management Route: frontend/src/app/app-routing.module.ts:28
