IDS mailing list archives
RE: GFI SELM Question
From: Brian Browne <brian.browne () edoxa com>
Date: Mon, 25 Apr 2005 14:40:35 -0400 (EDT)
I'm not sure how much you want it to scale, but I implemented SELM for a client recently that had bought a 20-server license and was using it to monitor 14 servers. We implemented it using SQL Server as the backend database as part of a Sarbanes-Oxley compliance effort.

The client had initially enabled all of the pre-configured rules, so the "main" database quickly grew in size. This caused problems in the archival feature -- where events in the "main" database older than a specific number of days are moved to the "backup" database, from which they are eventually deleted. We never got a clear answer from GFI, but judging from the available debug information, it looked like there were issues with the amount of data being moved from one database to the other, the transaction log vs. commit frequency within the GFI code, and the SQL Server Recovery Model.

We resolved the issue by starting over from scratch (i.e., new databases) and very selectively enabling and defining the rules. I recently checked in with the client, and they are happy with its performance at this point.

From an operational perspective, it beats manually reviewing 14 individual security event logs. It is priced at a point that it would be worthwhile for some companies versus a more expensive solution. Of course, it ultimately depends on the requirements . . .

Hope this helps.

- Brian
-----Original Message-----
From: Graxius [mailto:graxius () gmail com]
Sent: Friday, April 22, 2005 4:58 PM
To: focus-ids () securityfocus com
Subject: GFI SELM Question

Hello All,

I am curious if anyone is using GFI's System Event Log Manager and if so how well has it scaled?

Thanks!

--------------------------------------------------------------------------
Stop hurting your network! The NeVO passive vulnerability sensor continuously finds vulnerabilities, applications and new hosts without the need for network scanning. It also finds compromised systems with application-based intrusion detection. Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------
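The archival problem Brian describes (a large move of aged events from the "main" database to the "backup" database, with commit frequency and the SQL Server recovery model as the suspected culprits) is a general pattern, not specific to GFI. Below is an added example, written for this archive page and not taken from the thread or from GFI's product, of how such an archival job can be written so that the transaction log never has to hold the whole move at once: rows are moved in fixed-size batches, each committed on its own, and the same batching is applied to the eventual purge from the backup table. The table and column names (dbo.EventsMain, dbo.EventsBackup, EventId, EventTime, and so on), the retention periods and the batch size are all hypothetical.

```sql
-- Added example (hypothetical schema): batched archival of security events
-- from a "main" table to a "backup" table in T-SQL (SQL Server 2005+).
-- Each batch is its own transaction, so log growth is bounded by the batch
-- size rather than by the total number of aged rows.
SET NOCOUNT ON;

DECLARE @MainRetentionDays   int;   -- days kept in dbo.EventsMain
DECLARE @BackupRetentionDays int;   -- days kept in dbo.EventsBackup
DECLARE @BatchSize           int;   -- rows moved/deleted per transaction
DECLARE @MainCutoff          datetime;
DECLARE @BackupCutoff        datetime;
DECLARE @Rows                int;

SET @MainRetentionDays   = 30;
SET @BackupRetentionDays = 365;
SET @BatchSize           = 5000;
SET @MainCutoff   = DATEADD(day, -@MainRetentionDays,   GETDATE());
SET @BackupCutoff = DATEADD(day, -@BackupRetentionDays, GETDATE());

-- Worth knowing before running a job like this: in SIMPLE recovery the log
-- space used by a committed batch is reclaimed at the next checkpoint; in
-- FULL recovery it is reclaimed only after the next log backup, so either
-- schedule log backups during the job or accept the log growth.
SELECT name, recovery_model_desc
FROM   sys.databases
WHERE  name = DB_NAME();

-- Phase 1: move aged rows main -> backup, one committed batch at a time.
-- DELETE ... OUTPUT deleted.* INTO copies and removes in a single statement,
-- so after each commit a row is in exactly one of the two tables.
SET @Rows = 1;
WHILE @Rows > 0
BEGIN
    BEGIN TRANSACTION;

    DELETE TOP (@BatchSize) m
        OUTPUT deleted.EventId, deleted.EventTime, deleted.ComputerName,
               deleted.EventSource, deleted.EventCode, deleted.Message
        INTO dbo.EventsBackup (EventId, EventTime, ComputerName,
                               EventSource, EventCode, Message)
    FROM dbo.EventsMain AS m
    WHERE m.EventTime < @MainCutoff;

    SET @Rows = @@ROWCOUNT;

    COMMIT TRANSACTION;
    CHECKPOINT;   -- lets SIMPLE recovery reuse the log space just freed
END;

-- Phase 2: purge rows from the backup table once they exceed the longer
-- retention period, again in small committed batches.
SET @Rows = 1;
WHILE @Rows > 0
BEGIN
    BEGIN TRANSACTION;

    DELETE TOP (@BatchSize)
    FROM dbo.EventsBackup
    WHERE EventTime < @BackupCutoff;

    SET @Rows = @@ROWCOUNT;

    COMMIT TRANSACTION;
    CHECKPOINT;
END;
```

The two WHILE loops terminate when a batch touches zero rows, so the job is safe to run repeatedly from a scheduled task; a clustered or covering index on EventTime keeps each TOP batch from scanning the whole table. The OUTPUT ... INTO target cannot have triggers or be on either side of a foreign key, which is normally true of a plain archive table.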
Current thread:
- GFI SELM Question Graxius (Apr 25)
- Message not available
- Re: GFI SELM Question jkowall (Apr 27)
- Message not available
- <Possible follow-ups>
- RE: GFI SELM Question Khan, Afzal (Apr 25)
- RE: GFI SELM Question Brian Browne (Apr 25)
- RE: GFI SELM Question Chris Petersen (Apr 27)