Educause Security Discussion mailing list archives

Administering OSSEC


From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Tue, 16 Feb 2010 13:08:51 -0600


Greetings,

We are evaluating a log management and file integrity monitoring
solution for PCI Compliance.  Our QSAs are pushing their partner
services such as Tripwire, which we feel is cost prohibitive, or a
complete outsourcing of the log monitoring, which we feel is also cost
prohibitive.  When pressed, our QSAs admit they've used OSSEC at several
other sites as well and that it is fully capable of meeting the PCI
requirements for logging and integrity monitoring.  We are aware that
we'll have to designate people to watch the logs 365 days a year.

We have a few questions:

1) Has anyone purchased support for OSSEC, like from Trend Micro? If so,
do you feel the added "perks" and the support were worth the cost?

2) Roughly how many man-hours of work did it take to get the alerts in
OSSEC "tuned" properly in your network?

3) Roughly how many man-hours does it take to look through the logs each
day?

Thanks for any comments and concerns you might share,
Eric

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/


