PaulDotCom mailing list archives

Re: Looking for some event and security log monitoring software


From: Chris Tizzano <CTizzano () bn com>
Date: Tue, 17 Jul 2012 11:12:24 -0400

You can look at WinRM to roll up events in a Windows environment with W2K8 servers acting as collectors, then feed this into any SIEM, such as Splunk.

-Chris
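The collector setup Chris is referring to is Windows Event Forwarding (WEF), which uses WinRM as its transport: source machines push selected events to a Server 2008 R2 (or later) collector, the collector writes them to its ForwardedEvents log, and a single SIEM agent on the collector reads that one log. The script below is an added example and is not from the original post or the list thread. The collector name, subscription name, event ID list and Splunk install path are assumptions; the subscription XML schema, the wecutil/winrm commands and the SubscriptionManager registry value are the documented Microsoft ones.

```powershell
# Added example (not from the original thread): source-initiated Windows Event
# Forwarding into a collector, then the collector's ForwardedEvents log into a SIEM.
# Assumed names: collector wec01.corp.example, subscription Security-Baseline.

$Collector = 'wec01.corp.example'     # assumption: collector FQDN
$SubName   = 'Security-Baseline'      # assumption: subscription name
$XmlPath   = Join-Path $env:TEMP "$SubName.xml"

# ---- Part 1: run as administrator on the COLLECTOR --------------------------

# WinRM listener plus the Windows Event Collector service (creates the
# ForwardedEvents log and sets the service to auto-start).
winrm quickconfig -q
wecutil qc /q

# Source-initiated subscription. MinLatency pushes each batch within seconds,
# so there is no polling and no log-offset bookkeeping on the source; the
# window in which a local attacker can edit or clear the log before it leaves
# the box is correspondingly short. The SDDL allows Domain Computers and
# Domain Controllers to register as sources.
$Subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/WindowsEvents">
  <SubscriptionId>$SubName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log baseline forwarded to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <!-- assumed baseline: logon ok/fail, process creation, log cleared, audit policy change -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=1102 or EventID=4719)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $XmlPath -Value $Subscription -Encoding UTF8
wecutil cs $XmlPath

# Feed the collector's ForwardedEvents log to the SIEM. Assumption: a Splunk
# Universal Forwarder is installed in the default location on the collector.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Inputs = @"
[WinEventLog://ForwardedEvents]
disabled = 0
"@
Add-Content -Path (Join-Path $SplunkHome 'etc\system\local\inputs.conf') -Value $Inputs
Restart-Service -Name SplunkForwarder

# ---- Part 2: run on each SOURCE host (normally delivered by the
# "Configure target Subscription Manager" GPO; the registry value below is
# exactly what that policy writes, shown here for a single test machine) ----

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$SubMgr  = "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name '1' -Value $SubMgr

# The forwarding runs as NETWORK SERVICE on the source, which needs read access
# to the Security log; on Server 2008 that means membership in Event Log Readers.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
gpupdate /target:computer /force

# ---- Part 3: back on the collector, confirm sources are checking in ----------
wecutil gr $SubName     # per-source status and last heartbeat
```

Two caveats worth knowing before relying on this. Plain HTTP on 5985 is fine for domain-joined sources because WinRM authenticates with Kerberos and encrypts the SOAP body at the message level; for workgroup sources switch TransportName to HTTPS and use certificate mapping. And the collector is now where every interesting security event lands, so it deserves the same treatment Champ's thread argues for: ship from it to the SIEM in near real time rather than letting events sit on one box.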

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Champ Clark III
Sent: Tuesday, July 10, 2012 10:22 PM
To: pauldotcom () pdc-mail pauldotcom com
Subject: Re: [Pauldotcom] Looking for some event and security log monitoring software

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/10/12 9:38 PM, anthony kasza wrote:
The time between polling is configurable. I too prefer agents as it
takes the resource burden away from a single machine and provides real
time log collection. Installing agents isn't always the best solution,
however. I've been told that Splunk agents (known as Universal
Forwarders) have a minimal resource footprint but I have never used
one.

Well, I can see pretty much everyone is in agreement :)

All of the event -> syslog forwarding software I've used has been pretty lightweight. Even the Evt2sys (open source) version we've used takes almost no resources. They all seem to be fairly configurable about "tuning" out "noise" (crap).

I too dislike polling for the same reasons you listed. I've also _seen_ an attacker modify logs before they were "shipped" (pushed in this case) to a centralized system. However, that was Linux boxes and a poorly thought out centralized logging architecture (not real time, using log offsets.. bleh! ... complete horror story)....

Hence the reason I was wondering about WMI. I was thinking that there might be some "trick" I wasn't aware of.

I'll take real time logging...

Thanks again for the responses.


- --
- - Champ Clark III (cclark () quadrantsec com)
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/OM/AAoJENnmXt7Lmc3KRpgH/06I8mlqVe0jmcn7AUjr1mO2
8BE/D7WVn50Y5TBwcYrBomAgWdFMbWhnykuO5w7Yvq791BdEGG6C9DeWAmRdVkHz
7dJfqbbe8QYgf4C/2sh5zGEo6e97vLrMzXc6tlwex40qlk2Bb9WiED1+URl/JAAq
3tzb0ISqXbU5PkcUPRm4OwBRXUohQ8u//ht61u6THDzQBv2t8UnvxC7ddYdNWPoN
wBQp4KYSCarjkVdviBjDF1EW7B6qlAjoAFYUeDjRhixDXGMbN7aeup8GiLjG9lfN
aONTO8ua0gjiOxmwFaNW09TyZzUwu5wwv+gRRm2Nb9kwrjAk552uMrhNE3GWGho=
=pHnZ
-----END PGP SIGNATURE-----
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

