IDS mailing list archives

RE: GFI SELM Question

From: "Chris Petersen" <chris.petersen () logrhythm com>
Date: Mon, 25 Apr 2005 16:47:09 -0600

******** I represent the vendor **************

When looking at log management solutions that write to a RDBMS, ask the
vendor how they are dealing with large database table record counts.  You
can't keep writing millions of records (logs) into a database without
eventually reaching a performance bottleneck.  If there answer is buy bigger
hardware, get worried.

I can't speak to SELM capabilities but if you are looking for something on a
larger scale, we have one customer monitoring 300+ Windows servers (all 3
event logs) on a single Log Manager (HP DL380 ~5K server) using both our
agent and agent-less capabilities without a hitch.  They are centralizing
approx 5 Million logs/day.

Chris Petersen, CTO
(303) 413-8740 (direct)
(720) 938-2589 (mobile)
(303) 413-8791 (fax)
chris.petersen () LogRhythm com
www.LogRhythm.com

-----Original Message-----
From: Brian Browne [mailto:brian.browne () edoxa com] 
Sent: Monday, April 25, 2005 12:41 PM
To: graxius () gmail com; focus-ids () securityfocus com
Subject: RE: GFI SELM Question

I'm not sure how much you want it to scale, but I implemented 
SELM for a client recently that had bought a 20-server 
license and was using it to monitor 14 servers.  We 
implemented it using SQL Server as the backend database as 
part of a Sarbanes-Oxley compliance effort.  

The client had initially enabled all of the pre-configured 
rules, so the "main" database quickly grew in size.  This 
caused problems in the archival feature -- where events in 
the "main" database older than a specific number of days are 
moved to the "backup" database, from which it is eventually 
deleted.  We never got a clear answer from GFI, but judging 
from the available debug information, it looked like there 
were issues with the amount of data being moved from one 
database to the other, the transaction log vs. commit 
frequency within the GFI code, and the SQL Server Recovery 
Model.  We resolved the issue by starting over from scratch 
(i.e., new databases) and very selectively enabling and 
defining the rules.

I recently checked in with the client, and they are happy 
with its performance at this point.  From an operational 
perspective, it beats manually reviewing 14 individual 
security event logs.  It is priced at a point that it would 
be worthwhile for some companies verus a more expensive 
solution.  Of course, it ultimately depends on the requirements . . . 

Hope this helps.  

- Brian

-----Original Message-----
From: Graxius [mailto:graxius () gmail com]
Sent: Friday, April 22, 2005 4:58 PM
To: focus-ids () securityfocus com
Subject: GFI SELM Question


Hello All,
I am curious if anyone is using GFI's System Event Long

Manager and if

so how well has it scaled?

Thanks!

----------------------------------------------------------------------

----
Stop hurting your network!
 
The NeVO passive vulnerability sensor continuously finds 
vulnerabilities, applications and new hosts without the

need for network scanning.

It also finds compromised systems with application-based intrusion 
detection.
Go to http://www.tenablesecurity.com/products/nevo.shtml to

learn more.

----------------------------------------------------------------------

----


--------------------------------------------------------------
------------
Stop hurting your network!
 
The NeVO passive vulnerability sensor continuously finds 
vulnerabilities, applications and new hosts without the need 
for network scanning. 
It also finds compromised systems with application-based 
intrusion detection. 
Go to http://www.tenablesecurity.com/products/nevo.shtml to 
learn more.
--------------------------------------------------------------
------------



--------------------------------------------------------------------------
Stop hurting your network!
 
The NeVO passive vulnerability sensor continuously finds vulnerabilities, 
applications and new hosts without the need for network scanning. 
It also finds compromised systems with application-based intrusion detection. 
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------

Current thread:

GFI SELM Question Graxius (Apr 25)
- Message not available
  - Re: GFI SELM Question jkowall (Apr 27)
- <Possible follow-ups>
- RE: GFI SELM Question Khan, Afzal (Apr 25)
- RE: GFI SELM Question Brian Browne (Apr 25)
  - RE: GFI SELM Question Chris Petersen (Apr 27)