January 8, 2025

#product

Security logs piling up? Axiom + Tarsal turn them from expense to asset


Author
Dominic Chapman

Head of Product

Three things seem certain in life: Death, taxes, and more logs. While the first two merely march forward, infrastructure logs continuously grow each year, dutifully recording every network connection, API call, and system event. Source/destination IPs, ports, protocol, timestamps, and acceptance status — every field matters. If an attacker compromises a web server and attempts to pivot to a database subnet, historical logs can reveal months of their patient connection patterns. Even failed connections can point to potential exploits.

Yet it’s common for organizations to filter a majority of these logs, not only VPC Flow but Web application logs and cloud API activity. We don’t need to lecture you on the risks — it’s like a casino choosing which security cameras to turn off to save a few bucks.

What you really want is an affordable answer to modern log volumes. Pairing Axiom’s unified event data platform with Tarsal's intelligent log normalization transforms security logs from a costly burden into a strategic asset: together they let teams store, standardize, and correlate cross-platform security data at cloud scale without compromise.

Axiom’s cloud-native design, optimized for every step of high-scale logging, makes it possible to keep petabytes of security logs on hand for months at a fraction of the price of legacy architectures. Moreover, the Axiom Console is a perfect complementary workbench for thoroughly investigating notable events raised by a SIEM.

Tarsal harmonizes schemas for security

There’s another problem in security: The medley of schemas from a sprawling variety of security event sources. AWS GuardDuty uses its own JSON format with nested fields. Windows Event Logs use a different structure entirely. Firewall vendors each have their proprietary formats. Custom application security logs might use yet another.

This adds significant overhead to writing detection rules or correlation queries. An analyst might need to write the same logic multiple ways to account for different field names and structures. Just as engineering teams have made cross-telemetry correlation more approachable with standardization of schemas — most recently OpenTelemetry — security benefits from that same normalization.

This is where Tarsal steps in. Tarsal normalizes logs from every data source to make analysis easy. It also applies a set of standard fields across all log sources to make cross-log correlation simple.

Tarsal's approach tackles the problem for security data through systematic normalization. Instead of tying normalization to a specific SIEM platform (like Splunk's Common Information Model), Tarsal provides destination-agnostic normalization with several key aspects:

  • Consistent field names across sources (e.g., standardizing on source_ip vs src_ip vs sourceAddress)
  • Normalized timestamp formats
  • Standardized severity levels
  • Common categorization of event types
  • Preserved raw data alongside normalized fields

This enables powerful cross-source correlation. For example, investigators could correlate for one incident:

  • VPC Flow Logs showing connection attempts
  • WAF logs showing HTTP request details
  • Application logs showing authentication attempts
  • GuardDuty findings related to the IP
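As an added illustration (not Tarsal's or Axiom's code), here is a small Python normalizer that applies the five aspects listed above to constructed events in four vendor shapes and then groups them by `source_ip`, producing the kind of cross-source timeline the bullets describe. The field aliases, the severity mapping, and every sample value are assumptions made for this example.

```python
from datetime import datetime, timezone
from collections import defaultdict

# Vendor field names collapsed onto one canonical name (assumed aliases, not Tarsal's list).
IP_ALIASES = ("source_ip", "src_ip", "sourceAddress", "srcaddr")
SEVERITY_MAP = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize_timestamp(value):
    """Accept epoch seconds or ISO-8601 and return an ISO-8601 string in UTC."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).isoformat()

def normalize(record, source, category):
    """Map one vendor-shaped record onto the common schema; the raw event is kept beside it."""
    ip = next((record[k] for k in IP_ALIASES if k in record), None)
    sev = record.get("severity", "low")
    if isinstance(sev, str):
        sev = SEVERITY_MAP.get(sev.lower(), 1)
    return {
        "source": source,
        "category": category,
        "source_ip": ip,
        "timestamp": normalize_timestamp(record.get("start", record.get("timestamp"))),
        "severity": sev,
        "raw": record,
    }

# Constructed sample events, each in its own vendor shape (values are made up).
RAW_EVENTS = [
    ("vpc_flow", "network", {"srcaddr": "203.0.113.7", "dstaddr": "10.0.2.15", "dstport": 5432, "action": "REJECT", "start": 1736294400}),
    ("waf", "http", {"sourceAddress": "203.0.113.7", "uri": "/login", "timestamp": "2025-01-08T00:01:00Z", "severity": "medium"}),
    ("app", "auth", {"src_ip": "203.0.113.7", "user": "admin", "outcome": "failure", "timestamp": "2025-01-08T00:01:05Z"}),
    ("guardduty", "finding", {"source_ip": "203.0.113.7", "finding": "EXAMPLE_FINDING", "severity": "HIGH", "timestamp": "2025-01-08T00:02:00Z"}),
    ("app", "auth", {"src_ip": "198.51.100.9", "user": "bob", "outcome": "success", "timestamp": "2025-01-08T00:03:00Z"}),
]

def correlate(events):
    """Normalize every event and group by source_ip, time-ordered, so one IP's trail across sources reads as a single timeline."""
    by_ip = defaultdict(list)
    for source, category, record in events:
        n = normalize(record, source, category)
        by_ip[n["source_ip"]].append(n)
    return {ip: sorted(trail, key=lambda e: e["timestamp"]) for ip, trail in by_ip.items()}
```

Calling `correlate(RAW_EVENTS)` yields one time-ordered trail per IP; for `203.0.113.7` it runs VPC Flow, WAF, application and GuardDuty events in sequence, each still carrying its original record under `raw`.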

Axiom + Tarsal = don’t miss a thing

The combination makes monitoring and analysis of 100% of your event history both technically feasible and economically viable.

  • Tarsal’s no-code collectors handle event collection and normalization, making data immediately available to analyze and correlate.
  • Axiom provides efficient long-term storage and fast querying of the normalized data, along with the ability to apply further schemas and selectively forward events to other destinations from a single, complete source.

Together, Axiom and Tarsal create a powerful platform for security insights. One that doesn’t force teams to choose between retention and cost. One that drastically reduces the complexity of working with diverse data sources. One that you can try risk-free today.

Try it now

See Tarsal’s docs for how-to instructions.

Contact us at sales@axiom.co for a demo to see how Axiom and Tarsal can transform your security strategy.
