7 days to save $200 for SANS Houston 2017


To attend this webcast, login to your SANS Account or create your Account.

Logs, Logs, Every Where / Nor Any Byte to Grok

  • Thursday, May 1st, 2014 at 1:00 PM EDT (17:00:00 UTC)
  • Phil Hagen
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

You can now attend the webcast using your mobile device!


In the practice of Network Forensics, we frequently lack the ultimate evidence - a full packet capture. Instead, we must seek other Artifacts of Communication, which provide insight to system communications that have long since concluded. These artifacts often come from log events created along the path of communication - switches, routers, firewalls, intrusion detection systems, proxy servers, and a myriad other devices.

The skilled network forensicator will aggregate these different sources, then apply sound analytic processes to the consolidated evidence. Only then can we build a comprehensive understanding of those network communication events and establish the best possible sequence of events around the incident in question.

In this webcast, we will discuss one tool that can be very effective in practice: Logstash. Although Logstash is a free and open-source solution intended for system and network administrators to observe live data, it can also provide great value to the forensicator, who must integrate disparate data sources and formats. New developments around Logstash also make it an ideal tool for the system-based forensicator as well, since supertimeline data can be integrated as well.

Speaker Bio

Philip Hagen

Philip Hagen has been working in the information security field since 1998, running the full spectrum including deep technical tasks, management of an entire computer forensic services portfolio, and executive responsibilities.

Currently, Phil is a Strategist at Red Canary, where engages with current and future customers of Red Canary's managed threat detection service to ensure their use of the service is best aligned for success in the face of existing and future threats.

Phil started his security career while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil shifted to a government contractor, providing technical services for various IT and information security projects. These included systems that demanded 24x7x365 functionality. He later managed a team of 85 computer forensic professionals in the national security sector. He has provided forensic consulting services for law enforcement, government, and commercial clients prior to joining the Red Canary team. Phil is also a certified instructor for the SANS Institute, and is the course lead and co-author of FOR572, Advanced Network Forensics and Analysis.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.