Educause Security Discussion mailing list archives

Re: Event Log Monitoring - Recommendations


From: "William C. Moore" <wcmoore () VALDOSTA EDU>
Date: Thu, 25 Apr 2013 17:24:35 +0000

From a security perspective I couldn't agree more with sharing log information especially when the sensitive and 
confidential data are sanitized (within reason).  I take very little to no issue providing Systems and Network 
personnel read-only access and my primary requirement is that no one from these areas be able to modify or remove any 
logs.  Since we use syslog-ng quite a bit for UNIX log management the up side is the Network and Windows admins have a 
better reason to learn grep and awk.


Bill




William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Valdosta State University
Valdosta, GA 31698
Phone: (229) 333-5974
Fax:   (229) 245-4349



***********************************************************************
The information transmitted is intended only for the person addressed.
Any unauthorized review, distribution or other use of or the taking of
any action in reliance upon this information is prohibited. If you
received this message in error, please contact the sender and delete or
destroy this message and any copies.
***********************************************************************

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Williams
Sent: Thursday, April 25, 2013 12:47
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Event Log Monitoring - Recommendations

I allow all of IT to use Splunk, minus some sensitive data.  There are definitely huge benefits to giving them access.  
They use it in some amazing ways especially looking at logs to make sure new technology they implement will be sized 
appropriately.  For example, looking at historical ldap connections per second and making sure a load balancer will 
handle all the requests.  They found out it would have reached peak capacity just a few seconds within the past year 
and could see exactly when it hit those peak times.


Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure
greg.williams () uccs edu
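Added example (not code from the thread or from any of the posters): a small Python script that does the kind of sizing check Greg describes, counting LDAP connection accepts per second from syslog lines and reporting the peak second and every second that would have exceeded a given load-balancer capacity. The log lines are constructed OpenLDAP-style samples; the host name, connection ids and addresses are made up.

```python
"""Peak-rate check over historical LDAP syslog lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: OpenLDAP slapd syslog lines. Only 'ACCEPT' lines mark a
# new connection; BIND/SEARCH lines belong to an existing one and are ignored.
SAMPLE_LOG = """\
Apr 25 09:53:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51000 (IP=0.0.0.0:389)
Apr 25 09:53:01 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.6:51001 (IP=0.0.0.0:389)
Apr 25 09:53:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=edu" method=128
Apr 25 09:53:02 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.7:51002 (IP=0.0.0.0:389)
Apr 25 09:53:02 ldap1 slapd[1234]: conn=1004 fd=15 ACCEPT from IP=10.0.0.8:51003 (IP=0.0.0.0:389)
Apr 25 09:53:02 ldap1 slapd[1234]: conn=1005 fd=16 ACCEPT from IP=10.0.0.9:51004 (IP=0.0.0.0:389)
Apr 25 09:53:05 ldap1 slapd[1234]: conn=1006 fd=17 ACCEPT from IP=10.0.0.5:51005 (IP=0.0.0.0:389)
"""

# Classic syslog timestamp (no year) followed by host, slapd pid and an ACCEPT.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: conn=\d+ fd=\d+ ACCEPT "
)


def accepts_per_second(log_text, year=2013):
    """Return a Counter of new-connection (ACCEPT) events keyed by second.

    Classic syslog timestamps carry no year, so the caller supplies it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # not a connection setup; skip binds, searches, noise
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        counts[ts] += 1
    return counts


def peak_and_overloads(counts, capacity):
    """Return (peak_rate, peak_second, seconds_over_capacity).

    capacity is the connections-per-second the load balancer is sized for;
    the returned list is every second in which the rate exceeded it."""
    if not counts:
        return 0, None, []
    # max() keeps the first maximal item, so ties resolve to the earliest second.
    peak_second, peak_rate = max(counts.items(), key=lambda kv: kv[1])
    over = sorted(ts for ts, n in counts.items() if n > capacity)
    return peak_rate, peak_second, over


if __name__ == "__main__":
    rate, when, over = peak_and_overloads(accepts_per_second(SAMPLE_LOG), capacity=2)
    print(f"peak {rate}/s at {when}; over capacity in {len(over)} second(s): {over}")
```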

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matt Pasiewicz
Sent: Thursday, April 25, 2013 10:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Event Log Monitoring - Recommendations

For any of you that have rich search interfaces, are you exposing slices of the data to your devops crews?  You've got 
a wealth of information there.  When I was in the private sector, our goals for systems like these encompassed more 
than security ... depending on what log information you capture, they can provide great insight into defects and 
performance tuning (which can reduce costs).  My current thinking is that by enlarging the circle of participation, you 
get lots of intangible benefits ... developers are encouraged to make logs more meaningful (reducing the 
signal-to-noise ratio) and the team as a whole realizes economies of scale across silos of security, development, 
operations, etc.  It creates the conditions for many reciprocal benefits.

Thoughts?

On Thu, Apr 25, 2013 at 9:53 AM, William C. Moore <wcmoore () valdosta edu> wrote:
Allow me to throw another name into the mix for comment.  I have been checking on Q1Labs also but I am also interested 
in Logrhythm as a viable SIEM.  We too used Splunk for several years but we found that it was not providing the reports 
and trending data we require.  I have yet to go through an on-campus demo so if anyone has a recommendation I too am 
very interested in their experience.


Bill




William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Valdosta State University
Valdosta, GA 31698
Phone: (229) 333-5974
Fax:   (229) 245-4349




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Williams
Sent: Thursday, April 25, 2013 11:20
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Event Log Monitoring - Recommendations

Greg, for strictly log management I would recommend Splunk.   We put our Splunk deployment in place last year.  The 
goal wasn't event correlation, it was log management so we weren't really looking at a SIEM, such as QRadar, Nitro, 
ArcSight, etc.

I put together a log management policy and matrix before I started looking at products.  It helped narrow down the 
products before we started getting bids.  I can email it to you if you are interested.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure
greg.williams () uccs edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schmalhofer
Sent: Thursday, April 25, 2013 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Event Log Monitoring - Recommendations

We do not currently have any product for event log and/or system log monitoring, reporting, and alerting, but are about 
to begin the process of reviewing various products to see what might be the best fit for our environment, needs, and 
budget (small). We are a mix of Windows (AD), HP Unix, and Linux servers with Exchange and Oracle. Please let me know if 
you are able to recommend any product or solution for monitoring logs and providing various reporting and alerting. At 
the recent Educause Security Professionals Conference several individuals had recommended QRadar. Any thoughts or 
feedback on these products and/or any others would be greatly appreciated.


- QRadar (Q1Labs)
- What's Up Log Management Suite (IPswitch)
- GFI Events Manager (GFI)
- Event Log Analyzer (ManageEngine)
- StealthWatch (Lancope)
- Others

Thanks for any and all feedback!

Thanks,
Greg

Greg Schmalhofer
Information Security Coordinator
Millersville University


