Re: Event Log Monitoring - Recommendations

["Bradley, Stephen" <bradlesw () MIAMIOH EDU>]

We were fortunate enough to be able to afford a 100GB/day license for
Splunk.  Anyone who wants an account can access it (we maintain the local
users file, no LDAP).

Our server people put up Syslog-NG with Elsa but network and security
equipment use Splunk. You can always send everything to a Syslog server to
do a rough filter and then forward the results to Splunk and it reduces the
size of the required license.


On Thu, Apr 25, 2013 at 1:24 PM, William C. Moore <wcmoore () valdosta edu>wrote:

>  From a security perspective I couldn’t agree more with sharing log
> information especially when the sensitive and confidential data are
> sanitized (within reason).  I take very little to no issue providing
> Systems and Network personnel read-only access and my primary requirement
> is that no one from these areas be able to modify or remove any logs.
> Since we use syslog-ng quite a bit for UNIX log management the up side is
> the Network and Windows admins have a better reason to learn grep and awk.
> ****
>
> ** **
>
> ** **
>
> Bill****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> William C. Moore II, CISSP, MEd, MLIS****
>
> Chief Information Security Officer****
>
> Valdosta State University****
>
> Valdosta, GA 31698****
>
> Phone:(229)333-5974****
>
> Fax:  (229)245-4349****
>
> ** **
>
> ** **
>
> ** **
>
> **************************************************************************
> *
>
> The information transmitted is intended only for the person addressed.****
>
> Any unauthorized review, distribution or other use of or the taking of****
>
> any action in reliance upon this information is prohibited. If you****
>
> received this message in error, please contact the sender and delete or***
> *
>
> destroy this message and any copies.****
>
> **************************************************************************
> *
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Greg Williams
> *Sent:* Thursday, April 25, 2013 12:47
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Event Log Monitoring - Recommendations****
>
> ** **
>
> I allow all of IT to use Splunk, minus some sensitive data.  There are
> definitely huge benefits to giving them access.  They use it in some
> amazing ways especially looking at logs to make sure new technology they
> implement will be sized appropriately.  For example, looking at historical
> ldap connections per second and making sure a load balancer will handle all
> the requests.  They found out it would have reached peak capacity just a
> few seconds within the past year and could see exactly when it hit those
> peak times.****
>
> ** **
>
> ** **
>
> Greg Williams
> IT Security Principal
> University of Colorado at Colorado Springs
> Website: http://www.uccs.edu/itsecure
> greg.williams () uccs edu****
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Matt Pasiewicz
> *Sent:* Thursday, April 25, 2013 10:27 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Event Log Monitoring - Recommendations****
>
> ** **
>
> For any of you that have rich search interfaces, are you exposing slices
> of the data to your devops crews?  You've got a wealth of information
> there.  When I was in the private sector, our goals for systems like these
> encompassed more than security ... depending on what log information you
> capture, they can provide great insight into defects and performance tuning
> (which can reduce costs).  My current thinking is that by enlarging the
> circle of participation, you get lots of intangible benefits ... developers
> are encouraged to make logs more meaningful (reducing the signal-to-noise
> ratio) and the the team as a whole realizes economies of scale across silos
> of security, development, operations, etc.  It creates the conditions for
> many reciprocal benefits.  ****
>
> ** **
>
> Thoughts?****
>
> ** **
>
> On Thu, Apr 25, 2013 at 9:53 AM, William C. Moore <wcmoore () valdosta edu>
> wrote:****
>
> Allow me to throw another name into the mix for comment.  I have been
> checking on Q1Labs also but I am also interested in Logrhythm as a viable
> SIEM.  We too used Splunk for several years but we found that it was not
> providing the reports and trending data we require.  I have yet to go
> through an on-campus demo so if anyone has a recommendation I too am very
> interested in their experience.****
>
>  ****
>
>  ****
>
> Bill****
>
>  ****
>
>  ****
>
>  ****
>
>  ****
>
> William C. Moore II, CISSP, MEd, MLIS****
>
> Chief Information Security Officer****
>
> Valdosta State University****
>
> Valdosta, GA 31698****
>
> Phone:(229)333-5974****
>
> Fax:  (229)245-4349****
>
>  ****
>
>  ****
>
>  ****
>
> **************************************************************************
> *
>
> The information transmitted is intended only for the person addressed.****
>
> Any unauthorized review, distribution or other use of or the taking of****
>
> any action in reliance upon this information is prohibited. If you****
>
> received this message in error, please contact the sender and delete or***
> *
>
> destroy this message and any copies.****
>
> **************************************************************************
> *
>
>  ****
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Greg Williams
> *Sent:* Thursday, April 25, 2013 11:20
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Event Log Monitoring - Recommendations****
>
>  ****
>
> Greg, for strictly log management I would recommend Splunk.   We put our
> Splunk deployment in place last year.  The goal wasn’t event correlation,
> it was log management so we weren’t really looking at a SIEM, such as
> QRadar, Nitro, ArcSight, etc.****
>
>  ****
>
> I put together a log management policy and matrix before I started looking
> at products.  It helped narrow down the products before we started getting
> bids.  I can email it to you if you are interested.  ****
>
>  ****
>
> Greg Williams
> IT Security Principal
> University of Colorado at Colorado Springs
> Website: http://www.uccs.edu/itsecure
> greg.williams () uccs edu****
>
>  ****
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
> Behalf Of *Greg Schmalhofer
> *Sent:* Thursday, April 25, 2013 9:11 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Event Log Monitoring - Recommendations****
>
>  ****
>
> We do not currently have any product for event log and/or system log
> monitoring, reporting, and alerting, but are about to begin the process of
> reviewing various products to see what might be the best fit for our
> environment, needs, and budget(small). We are a mix of Windows (AD), HP
> Unix, and Linux servers with Exchange and Oracle. Please let me know if you
> are able to recommend any product or solution for monitoring logs and
> providing various reporting and alerting. At the recent Educause Security
> Professionals Conference several individuals had recommended QRadar. Any
> thoughts or feedback on these products and/or any others would be greatly
> appreciated.****
>
>  ****
>
> -          QRadar (Q1Labs)****
>
> -          What’s Up Log Management Suite (IPswitch)****
>
> -          GFI Events Manager (GFI)****
>
> -          Event Log Analyzer (ManageEngine)****
>
> -          StealthWatch (Lancope)****
>
> -          Others****
>
>  ****
>
> Thanks for any and all feedback!****
>
>  ****
>
> Thanks,****
>
> Greg ****
>
>  ****
>
> *Greg Schmalhofer*****
>
> Information Security Coordinator****
>
> Millersville University****
>
>  ****
>
> ** **



-- 
Stephen W. Bradley CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University
IT Services
bradlesw () miamioh edu
513-529-1809