Re: Management of Logs Stored in Database Tables

[Frank Barton <bartonf () HUSSON EDU>]

Ghassan,
 We have done "A" in a number of cases - however, we use per-system
credentials that only have read access to the specific tables needed (and
in some cases field-specific) "Least Privilege"

Frank

On Wed, Feb 17, 2021 at 11:02 AM Ghassan Salem <gs37 () aub edu lb> wrote:

> Dear all:
>
> What are the best practices that you are adopting for shipping application
> logs residing in a database table to a log management system or SIEM
> solution. We would like to see how other universities did address this
> issue as they were building their logs management systems.
>
>
>
> Below are two methods we though off but are debatable:
>
> A-SQL query through jdbc connection from log Mgt solution to the database.
>
>                Risks: What if the Database user we are using in our JDBC
> connection got compromised. Insecure storage of database credentials.
>
> B-Extract the logs from DB to an os file and send them thorough a log
> shipper such are rsyslog or beat.
>
>                Risks: Data extraction Process stopped, Data Manipulated by
> Admin, delay in data transfer, data integrity while moving from Database to
> OS, Involvement of Admins in the process.
>
>
>
> Best,
>
> Ghassan Salem
>
>
>
> *Ghassan Salem*
>
> Senior Information Security Engineer
>
> IT Information Security Department
>
> [image: cid:image001.png@01D2DEDE.0F2ED880]
>
> *American University of Beirut*
>
> IT Information Security Department
> P.O.Box 11-0236
> Riad El-Solh, Beirut 1107 2020, Lebanon
>
> *T*: +961 (1) 350000 *Ext 2089*
> *E*: gs37 () aub edu lb
>
> *W* <http://www.aub.edu.lb/> . *Fb* <http://www.facebook.com/aub.edu.lb> .
> *Fl* <http://www.flickr.com/groups/aub> . *T*
> <http://twitter.com/AUB_Lebanon> . *Y*
> <http://www.youtube.com/AUBatLebanon> . *L*
> <http://www.linkedin.com/company/american-university-of-beirut> . *IT*
> <http://www.aub.edu.lb/it/>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community