Educause Security Discussion mailing list archives
Re: Log Management
From: "King, Ronald A." <raking () NSU EDU>
Date: Fri, 5 Mar 2010 11:16:51 -0500
We use a Linux box with syslog-ng. A good portion of our network and security devices log to it. We use SNARE and Epilog to send from Windows servers. We use a series of scripts I put together for daily and on the fly reports and monitoring. We use swatch to trigger on certain high priority regex expressions and email the appropriate team(s). In our small environment, it works well, but can take a lot to manage and search for things that don't have scripts. We tested Splunk and liked it, but, it was limited to what we could use it for and how much data it would store/collect unless you paid for the full version. We recently but in a PO for a Nitro SIEM. So, it will be replaced soon. Ronald King Security Engineer Norfolk State University http://security.nsu.edu -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hammond, Stanley Sent: Friday, March 05, 2010 10:11 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Log Management I am looking to see what other institutions are using to manage their event/system log files. Currently I have Snare installed on our Windows servers and sending the events to a syslog server. That server originally had Prelude IDS installed and I was using Prewikka to view the logs as needed. The problem with Prelude IDS/Prewikka is that accessing the database is painfully slow unless you purchase the database module for fast access. The other option I tested was Splunk which I liked, but because it access Windows systems using WMI it looked like the some of the Windows virtual machines took a performance hit (according to our Technical Director). Right now, I query the logs on the syslog server using customized Perl scripts whenever an information request is made. We are making some changes to our environment and would like to get something setup that is a little better than using Perl scripts on the CLI. Stanley M. Hammond Information Security Specialist Cape Cod Community College Email: shammond () capecod edu
Current thread:
- Log Management Hammond, Stanley (Mar 05)
- <Possible follow-ups>
- Re: Log Management Bradley, Stephen W. Mr. (Mar 05)
- Re: Log Management Joe Vieira (Mar 05)
- Re: Log Management Pufahl, Jason (Mar 05)
- Re: Log Management Hart, Lee Anne (Mar 05)
- Re: Log Management Justin Azoff (Mar 05)
- Re: Log Management Hart, Lee Anne (Mar 05)
- Re: Log Management Wier, Timothy A. (Mar 05)
- Re: Log Management Christopher Jones (Mar 05)
- Re: Log Management King, Ronald A. (Mar 05)
- Re: Log Management Dexter Caldwell (Mar 05)
- Re: Log Management Ferris, Joe (Mar 10)