Educause Security Discussion mailing list archives

Re: Log Management


From: "King, Ronald A." <raking () NSU EDU>
Date: Fri, 5 Mar 2010 11:16:51 -0500

We use a Linux box with syslog-ng.  A good portion of our network and security devices log to it.  We use SNARE and 
Epilog to send from Windows servers.  We use a series of scripts I put together for daily and on the fly reports and 
monitoring.  We use swatch to trigger on certain high priority regex expressions and email the appropriate team(s).  In 
our small environment, it works well, but can take a lot to manage and search for things that don't have scripts.

We tested Splunk and liked it, but, it was limited to what we could use it for and how much data it would store/collect 
unless you paid for the full version.

We recently put in a PO for a Nitro SIEM. So, it will be replaced soon.

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu

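The swatch setup described above (regexes over the syslog-ng file, alerts routed to the team that owns the device class) is easy to sketch in code. The following is an added example, not Ronald's scripts or anything from the original thread; the log lines, rule names, team names and the three-strike threshold are all constructed for illustration, and mail delivery is left as a return value rather than a call to sendmail.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the BSD syslog layout that syslog-ng writes to a
# flat file. The two MSWinEventLog lines mimic the tab-delimited format that
# the Snare agent forwards from Windows; they are not captured from a real host.
SAMPLE_LOG = """\
Mar  5 10:02:11 fw1 sshd[2231]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  5 10:02:13 fw1 sshd[2231]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  5 10:02:15 fw1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51126 ssh2
Mar  5 10:02:20 fw1 sshd[2240]: Accepted publickey for rking from 192.0.2.14 port 40211 ssh2
Mar  5 10:03:01 srv7 MSWinEventLog\t1\tSecurity\t4711\tFri Mar 05 10:03:01 2010\t529\tSecurity\tjdoe\tUser\tFailure Audit\tSRV7\tLogon/Logoff\t\tLogon Failure: Unknown user name or bad password
Mar  5 10:03:05 srv7 MSWinEventLog\t1\tSecurity\t4712\tFri Mar 05 10:03:05 2010\t528\tSecurity\tjdoe\tUser\tSuccess Audit\tSRV7\tLogon/Logoff\t\tSuccessful Logon
Mar  5 10:04:30 core-sw1 %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.14)
"""

# timestamp, hostname, message: the three pieces of a BSD syslog line
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Swatch-style watch list: (rule name, pattern applied to the message part,
# team that gets the mail). Rule and team names are hypothetical.
RULES = [
    ("ssh_failed_password",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
     "unix-team"),
    # Snare puts the Windows event ID in its own tab-separated field;
    # 529 is the pre-Vista failed logon, 4625 the Vista/2008 equivalent.
    ("windows_logon_failure",
     re.compile(r"MSWinEventLog\t.*?\t(?P<event_id>529|4625)\t"),
     "windows-team"),
    ("network_config_change",
     re.compile(r"%SYS-5-CONFIG_I"),
     "network-team"),
]


def parse(line):
    """Split one syslog line into ts/host/msg, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def scan(text):
    """Run every rule over every line; one alert per (line, rule) hit."""
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern, team in RULES:
            m = pattern.search(rec["msg"])
            if m:
                alerts.append({"rule": name, "team": team, "host": rec["host"],
                               "ts": rec["ts"], "fields": m.groupdict(), "line": line})
    return alerts


def escalate(alerts, threshold=3):
    """Threshold rule like swatch's: N SSH failures from one source address
    become a single summary alert for the security team, on top of the
    per-line alerts the unix team already receives."""
    per_src = Counter(a["fields"]["src"] for a in alerts if a["rule"] == "ssh_failed_password")
    summary = [{"rule": "ssh_bruteforce", "team": "security-team", "host": "-", "ts": "-",
                "fields": {"src": src, "count": n}, "line": ""}
               for src, n in per_src.items() if n >= threshold]
    return alerts + summary


def route(alerts):
    """Group alert summaries by team; each list is the body one team would be mailed.
    Actual delivery (sendmail/smtplib) is deliberately left out of this example."""
    by_team = defaultdict(list)
    for a in alerts:
        by_team[a["team"]].append(f"{a['ts']} {a['host']} {a['rule']} {a['fields']}")
    return dict(by_team)


if __name__ == "__main__":
    for team, body in route(escalate(scan(SAMPLE_LOG))).items():
        print(f"--- mail to {team} ({len(body)} alerts) ---")
        print("\n".join(body))
```

Each rule only sees the message portion, so the regexes stay short, and the host field is carried along so that a report can say which box fired. The threshold pass is the part that scripts of this kind usually lack: without it, three failed logins from one address arrive as three separate mails to one team and nobody sees the pattern.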

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hammond, 
Stanley
Sent: Friday, March 05, 2010 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Log Management

I am looking to see what other institutions are using to manage their
event/system log files.  

Currently I have Snare installed on our Windows servers and sending the
events to a syslog server.  That server originally had Prelude IDS
installed and I was using Prewikka to view the logs as needed.  The
problem with Prelude IDS/Prewikka is that accessing the database is
painfully slow unless you purchase the database module for fast access.
The other option I tested was Splunk which I liked, but because it
accesses Windows systems using WMI it looked like some of the Windows
virtual machines took a performance hit (according to our Technical
Director).  Right now, I query the logs on the syslog server using
customized Perl scripts whenever an information request is made.  We are
making some changes to our environment and would like to get something
setup that is a little better than using Perl scripts on the CLI.  

Stanley M. Hammond
Information Security Specialist
Cape Cod Community College
Email: shammond () capecod edu
