{"id":6954,"date":"2026-04-01T12:49:22","date_gmt":"2026-04-01T10:49:22","guid":{"rendered":"https:\/\/logmanager.com\/?p=6954"},"modified":"2026-05-12T10:33:39","modified_gmt":"2026-05-12T08:33:39","slug":"kdy-logovani-nestaci-ale-siem-je-uz-moc","status":"publish","type":"post","link":"https:\/\/logmanager.com\/cs\/blog\/kdy-logovani-nestaci-ale-siem-je-uz-moc\/","title":{"rendered":"When logging alone isn't enough, but a SIEM is too much"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">There is a situation that repeats itself in organizations over and over, regardless of their size or industry. Something happens; it doesn't even have to be anything dramatic. A user gets locked out of their account overnight, an application starts slowing down for no obvious reason, or someone notices activity that simply looks suspicious. It isn't a critical incident yet, but it is enough for an administrator, security expert or other specialist to ask: what is actually going on?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So the team does what it is supposed to do.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It opens the logs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And that is exactly the moment when the whole process starts to slow down.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why real-world incident investigations get stuck<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, most incident response doesn't slow down because data is missing. There is usually enough of it, if not too much. The problem is that it is scattered across different systems, and each of them \u201cspeaks a different language\u201d.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Active Directory logs one way, the VPN another, firewalls a third, and applications often just dump text records with little structure. Field names differ, timestamps don't line up, and events are recorded in different forms such as <a href=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/co-je-syslog\/\" data-type=\"link\" data-id=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/co-je-syslog\/\">syslog<\/a>, JSON, CEF, LEEF and others (see the article on the different <a href=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/jak-na-logovani-typy-logu-zdroje-co-logovat\/\" data-type=\"link\" data-id=\"https:\/\/logmanager.com\/cs\/blog\/log-management\/jak-na-logovani-typy-logu-zdroje-co-logovat\/\">types of logs<\/a>). What should be a simple lookup turns into a translation exercise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A typical example is an ordinary account lockout.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The administrator starts by examining Active Directory and finds a series of failed logins. But the timestamps are inconsistent: some in local time, some in UTC. So they move on to the VPN logs, where the same user appears under a different field name. They try to piece the story together, but at this point they are guessing more than analyzing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Is it the same event? 
Does this IP address belong to it? Does it follow from what they saw a moment ago?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So they carry on, into the firewall logs, maybe into the application records. Every further step adds more data, but also more uncertainty. And before everything is aligned well enough to even start answering the original question, half an hour or more has passed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And that is the ideal case, when the logs are still at hand.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In many environments (companies), older data simply isn't available, because after a few days it is offloaded to cold storage to save money. Which is reasonable, until an investigation reaches past that boundary. 
Suddenly the data isn't full-text searchable; it has to be restored, downloaded and sometimes converted into a usable format.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And the incident investigation grinds to a crawl.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Not because the team doesn't know what to do, but because the system isn't built for working with the data immediately.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And yet the questions themselves are usually not complicated at all:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who logged in?<\/li>\n\n\n\n<li>From where?<\/li>\n\n\n\n<li>When did it start?<\/li>\n\n\n\n<li>What changed?<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The difficulty lies not in what to ask, but in getting the data into a form from which the answers can be read quickly.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The big promise versus the everyday reality of a SIEM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After enough experiences like this, the discussion inside the organization usually shifts. Someone suggests that merely \u201cstoring logs somewhere\u201d is no longer enough and that it is time to move on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And almost inevitably, a SIEM comes up.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On paper it makes sense. A SIEM promises exactly what is missing: centralization, correlation, alerting, broader visibility across systems. It looks like the logical next step. A solution that will finally bring order to the chaos.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And in its own way, it delivers. 
Logs are ingested, dashboards appear, alerts are set up. The system works.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what follows is often not the expected transformation. Because a SIEM doesn't just bring new capabilities; it also demands a certain readiness, or maturity, from the organization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It assumes the logs are already structured. That field names are consistent. That users understand what normal behaviour looks like in their environment. And that they can define, tune and maintain correlation logic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, many organizations are still working towards that level of maturity. So instead of the expected clarity and simplification, complexity arrives in another form.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Alerts come in, but there are too many of them or they are hard to interpret. Correlation rules take more work than expected. The data behaves inconsistently, because the incoming logs are already inconsistent.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Gradually the SIEM becomes less of a \u201csolution\u201d and more of a \u201cproject\u201d. Something that needs constant tuning, explaining and adjusting. Not that it doesn't work. 
It just demands more from the organization than it is able to give at that moment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And sooner or later someone sums up the feeling very simply: \u201cThe SIEM is useful, but for what we really need right now it is needlessly complicated.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A practical middle ground between plain logging and a SIEM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Most teams don't live at either extreme of the log collection \/ SIEM spectrum. They are past the stage where just storing logs somewhere would suffice. But at the same time they are not fully ready for the demands of a full-blown SIEM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">They operate somewhere in between. They deal with real questions that need real answers, without the luxury of perfectly prepared data and an army of specialized analysts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And it is exactly this space that has long been overlooked.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It isn't defined by the ambition to \u201cdetect everything automatically\u201d. It is defined by practicality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The goal is not to have the most comprehensive security platform on the market. The goal is to understand what is happening, without unnecessary complications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That means being able to follow a single event across systems. To correlate activity so that it makes sense. 
To move from observation to action without most of the time being spent on preparing the data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When people then encounter an \u201cintermediate layer\u201d in the form of advanced log management that fits exactly into this space, the reaction is often immediate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Not because it brings something completely revolutionary. But because it removes something very familiar: complexity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And that changes more than just user-friendliness. It changes who gets involved. Once more members of the team can work with the system, log analysis stops being the specialized discipline of a few experts and becomes part of everyday operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">When logs are actually usable<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The difference is most visible in exactly the situations that used to cause delays.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let's go back to the account lockout example.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of switching between several systems, the logs are already centralized in a solution that has both log management functions and the most important parts of a SIEM. Instead of guessing field names, the data is normalized: \u201cusername\u201d means the same thing everywhere. Events follow each other in time. 
Failed logins from different sources are shown together as one coherent story, not as isolated fragments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The investigation can move on immediately.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The source IP address is visible. It is enriched with context: it belongs to a specific segment, perhaps even to a known device or owner. Instead of the question \u201cwhere do I look now?\u201d, the path is already clear.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The time that needs to go into the investigation shifts to where it belongs. The result is less time spent assembling data and more time spent actually understanding the incident.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The same goes for performance problems. A sudden spike in application requests no longer leads to manually stitching together logs from several places. The events are far easier to read: where the requests come from, how they behave, whether they have something in common (a pattern).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of reconstructing the incident from fragments, the team simply reads it as it unfolds.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One participant in an expert discussion summed it up very aptly: \u201cYou investigate by symptoms, not by products.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You start with what you see. 
Not with where you think it might be hidden.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once you have such a tool, a less visible consequence starts to show as well. As soon as the logs are structured, easily accessible and in one place, analysis stops depending on the few people who can navigate all that complexity. It becomes something the whole team can share, discuss together and build on.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And sometimes something unexpected happens. After a while of working through scenarios that used to feel tedious and exhausting, someone realizes that the process isn't actually frustrating any more. That it is quite manageable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prepared logs make a SIEM economically viable<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As the environment grows, one more important dimension appears.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In many SIEM deployments the default strategy is simple: send everything into the system. Every log. Every event. 
Every data record.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At first glance that looks like the optimal approach: maximum visibility, nothing slips through.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, though, it creates problems of its own:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>too much data,<\/li>\n\n\n\n<li>too much noise,<\/li>\n\n\n\n<li>and costs that grow faster than the real value.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Analysts spend their time filtering out irrelevant signals, tuning false positives and looking for meaning in an overwhelming volume of input.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Yet the problem is often not the SIEM itself. The problem is what is being sent into it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If the logs are pre-processed before the SIEM, that is, filtered, normalized and enriched in a log management solution, the whole dynamic changes. Irrelevant data disappears, useful context is added, and what remains can be analyzed efficiently.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations then no longer pay to store everything; they invest in what matters.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is exactly what a solution between plain logging and a SIEM can deliver. It neither replaces the SIEM nor competes with it. It prepares the ground so that, when the SIEM is deployed, it works the way it should. 
The data is cleaner, the patterns are clearer, and the system becomes something the team can rely on. Not something that needs constant tuning.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SIEM readiness is therefore not about budget or intent. It is about whether you have the right foundations. That is, data that makes sense, processes that work, and tools that help people analyze what is going on in the IT environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Practicality decides<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Teams usually don't want yet another system that requires constant care. Another place where data gets stuck, another tool that solves one problem and creates three new ones.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The obvious question is therefore: \u201cCan log management really make things simpler?\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The strongest argument lies in the issue of data availability. As mentioned above, it is common for older logs to be moved to so-called cold storage. It is cheaper, but the data isn't immediately available and searchable. Solutions such as <a href=\"https:\/\/logmanager.com\/cs\/reseni\/log-management\/\" data-type=\"link\" data-id=\"https:\/\/logmanager.com\/cs\/reseni\/log-management\/\">Logmanager<\/a> remove these problems: the data is ready and full-text searchable weeks and months back. 
Incident investigation is therefore considerably simpler, because specialists no longer have to worry about whether the data will be available, whether it will need to be converted, or how long it will take to get to it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Advanced log management also greatly increases the flexibility of data processing. Instead of relying on predefined pipelines or having to write their own scripts, teams can work with the data through a visual interface. Parsing, normalization, enrichment, all the steps that turn raw logs into meaningful data, can be designed and adjusted visually, without writing code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That has a fundamental impact. It isn't just that the system is easier to use, but that it adapts more easily. When a new log source appears or the format of an existing one changes, there is no need to kick off a development cycle. The people who understand the data can make the change themselves.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The synergy of two worlds<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Almost anyone can collect logs today. The real challenge is whether the data can be worked with effectively at the moment you actually need it. 
In practice that doesn't always succeed, given the less-than-ideal shape of the data combined with the pressure for a fast reaction when something happens.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The intermediate layer between plain logging and a SIEM, represented by the Logmanager solution, erases this problem. It can turn fragmented logs from different systems into structured, enriched data that is quickly searchable and at the same time ready to be forwarded to other systems or used to demonstrate compliance with regulations (<a href=\"https:\/\/logmanager.com\/cs\/blog\/it-compliance\/it-compliance\/\" data-type=\"link\" data-id=\"https:\/\/logmanager.com\/cs\/blog\/it-compliance\/it-compliance\/\">compliance<\/a>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The data can thus be used directly within Logmanager for investigation, analysis and a day-to-day overview of what is going on. For many teams that is entirely sufficient: they get the answers they need without having to introduce further layers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But if the organization uses a SIEM or plans to deploy one, the same data can be passed on. Not in its original raw form, but as prepared input: filtered, normalized, enriched. The result is higher data quality, lower volume and more meaningful signals.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That changes not only the way of working but also the economics of the whole solution. 
Instead of organizations paying to ingest all their data, they send only what they really need. And instead of tuning rules over noisy input, they work with data that makes sense.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logmanager thus not only connects two worlds but enables their synergy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The real challenge in incident response is not a lack of data. It is the usability of that data. The difference between having data and being able to work with it effectively.<\/p>\n","protected":false},"author":4,"featured_media":6955,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[33],"tags":[],"class_list":["post-6954","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-log-management"],"acf":[],"_links":{"self":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts\/6954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/comments?post=6954"}],"version-history":[{"count":3,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts\/6954\/revisions"}],"predecessor-version":[{"id":6961,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts\/6954\/revisions\/6961"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/media\/6955"}],"wp:attachment":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/media?parent=6954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/categories?post=6954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/tags?post=6954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}