Educause Security Discussion mailing list archives
Re: Event Log Monitoring - Recommendations
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Thu, 25 Apr 2013 11:41:55 -0400
On Thu, Apr 25, 2013 at 11:19 AM, Greg Williams <gwillia5 () uccs edu> wrote:
> Greg, for strictly log management I would recommend Splunk. We put our Splunk deployment in place last year. The goal wasn't event correlation, it was log management so we weren't really looking at a SIEM, such as QRadar, Nitro, ArcSight, etc.
I think most folks will find that their biggest immediate concern IS log management, not SIEM. I like Splunk but it's super expensive - so now I deploy ELSA anywhere someone asks me about log management. My personal documentation is a little dated (the exchange between web heads and nodes has changed, so I'll do an update in the near future) but it's still pretty useful as a starting point:

http://opensecgeek.blogspot.com/2013/01/enterprise-logging-with-elsa.html

For folks wanting to add a log anomaly component (which is really just setting up rules to do automated monitoring/alerting), I love OSSEC. Of course, I also use OSSEC for file integrity monitoring so it's doubly useful for me:

http://opensecgeek.blogspot.com/2013/03/hids-with-ossec-part-1-basic-install.html

I also need to update that so I can discuss the file monitoring and custom rule components, so that document is a little sparse on details. Now that the SPC is over and I'm coming to the end of some SANS stuff, I'll have some time to square away the updates I've been meaning to make.

Note that I am very much a build-rather-than-buy person - I think knowledgeable admins and analysts are more important than button-pushers and expensive products. Not that they don't have their place - I'd love a 50GB/day or 100GB/day Splunk licence and their SIEM module, I think they're *awesome* products, but when funding is problematic or there isn't sufficient support you NEED those smart people with latitude to solve problems in interesting ways. In my case it was pushing gigs of log files per day to an open source solution and still being able to search a billion indexed items in just a couple of seconds (while still maintaining a volume based or time based retention plan).
> I put together a log management policy and matrix before I started looking at products. It helped narrow down the products before we started getting bids.
*Fantastic advice*. I'd definitely suggest the OP outline exactly what they need before they start courting vendors. <Uber cool functions they'll never use> are still cool...but they'll still never use them. There's no point in letting those functions hijack the discussion about what they need.

kmw

--
Kevin Wilcox GAWN GCIH GPEN GCIA
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
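The "log anomaly component" Kevin describes above is, as he says, just rules that fire when a pattern shows up often enough in a short window, plus (in OSSEC's case) a file integrity check. The block below is an added illustration written for this archive page; it is not code from the post, from ELSA or from OSSEC. It implements the two ideas in plain Python: a frequency/timeframe rule over constructed sshd syslog lines, and a hash-snapshot comparison of the kind a file integrity monitor performs. The log lines, host names, IPs and paths are all made up for the example, and the rule thresholds (5 failures in 120 seconds) are assumptions chosen to resemble a typical brute-force rule, not OSSEC's shipped values.

```python
"""Added example for this mailing-list thread (not from the post, ELSA or OSSEC):
a minimal frequency/timeframe alert rule and a file-integrity snapshot diff."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in classic syslog format (year omitted, as syslog does).
# Two sources: one hammering in a few seconds, one failing twice 15 minutes apart.
SAMPLE_LOGS = """\
Apr 25 11:19:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 25 11:19:03 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr 25 11:19:05 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr 25 11:19:07 web1 sshd[2237]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr 25 11:19:09 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 25 11:19:30 web1 sshd[2241]: Accepted publickey for kmw from 198.51.100.5 port 40112 ssh2
Apr 25 11:25:00 web1 sshd[2250]: Failed password for root from 198.51.100.9 port 40200 ssh2
Apr 25 11:40:00 web1 sshd[2260]: Failed password for root from 198.51.100.9 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")


def parse_time(ts, year=2013):
    """Syslog timestamps carry no year; the caller supplies one (2013 here, the thread's date)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def correlate(log_text, frequency=5, timeframe=120):
    """Frequency/timeframe rule: alert when one source IP produces `frequency`
    failed logins inside any `timeframe`-second window. Returns a list of alerts."""
    window = defaultdict(deque)   # src IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an sshd line; a real decoder would route it elsewhere
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue                 # successful logins and other sshd noise are ignored
        t = parse_time(m["ts"])
        q = window[f["src"]]
        q.append(t)
        while q and (t - q[0]).total_seconds() > timeframe:
            q.popleft()              # slide the window: drop failures older than the timeframe
        if len(q) >= frequency:
            alerts.append({"src": f["src"], "host": m["host"], "count": len(q), "last_seen": t})
            q.clear()                # one alert per `frequency` hits, not one per extra failure
    return alerts


def snapshot(files):
    """Hash a {path: bytes} mapping. Constructed in memory here; on a real host
    the bytes would be read from disk for each monitored path."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def fim_diff(baseline, current):
    """Compare two snapshots and report (added, removed, changed) paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT: {a['count']} failed logins from {a['src']} on {a['host']} by {a['last_seen']}")
    base = snapshot({"/etc/passwd": b"root:x:0:0\n", "/etc/shadow": b"root:!:1\n"})
    now = snapshot({"/etc/passwd": b"root:x:0:0\n", "/etc/shadow": b"root:$6$x\n", "/etc/cron.d/job": b"* * * * * root /tmp/x\n"})
    print("FIM added/removed/changed:", fim_diff(base, now))
```

Run as a script it prints one alert for 203.0.113.7 (five failures in eight seconds) and nothing for 198.51.100.9, whose two failures are fifteen minutes apart and never share a window; the FIM diff reports the new cron file as added and /etc/shadow as changed. The window-per-source structure is what lets this scale to "gigs of log files per day": memory is bounded by the number of active sources times `frequency`, not by log volume.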
Current thread:
- Event Log Monitoring - Recommendations Greg Schmalhofer (Apr 25)
- Re: Event Log Monitoring - Recommendations Greg Williams (Apr 25)
- Re: Event Log Monitoring - Recommendations Matt Pasiewicz (Apr 25)
- Re: Event Log Monitoring - Recommendations Kevin Wilcox (Apr 25)
- Re: Event Log Monitoring - Recommendations William C. Moore (Apr 25)
- Re: Event Log Monitoring - Recommendations Matt Pasiewicz (Apr 25)
- Re: Event Log Monitoring - Recommendations David Gillett (Apr 25)
- Re: Event Log Monitoring - Recommendations Patrick Gorsuch (Apr 25)
- Re: Event Log Monitoring - Recommendations Matt Pasiewicz (Apr 25)
- Re: Event Log Monitoring - Recommendations Greg Williams (Apr 25)
- Re: Event Log Monitoring - Recommendations William C. Moore (Apr 25)
- Re: Event Log Monitoring - Recommendations Bradley, Stephen (Apr 25)
- Re: Event Log Monitoring - Recommendations Greg Williams (Apr 25)