Educause Security Discussion mailing list archives

Re: Administering OSSEC


From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Tue, 16 Feb 2010 14:57:33 -0500

We put OSSEC on our PCI servers (Linux and Windows) and have the management end of it running on one of our Syslog servers.

It took about a week, off and on, to tune it, and we use the e-mail function to let us know instead of constantly checking the logs.  Unless you hire someone to just look at the logs, it will be the last thing that anyone will do every day and it won't get done.

It was an eye opener to see how many people lock themselves out of the servers every day.

steve

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens
Sent: Tuesday, February 16, 2010 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Administering OSSEC

Greetings,

We are evaluating a log management and file integrity monitoring
solution for PCI Compliance.  Our QSAs are pushing their partner
services such as Tripwire, which we feel is cost prohibitive, or a
complete outsourcing of the log monitoring, which we feel is also cost
prohibitive.  When pressed, our QSAs admit they've used OSSEC at several
other sites as well and that it is fully capable of meeting the PCI
requirements for logging and integrity monitoring.  We are aware that
we'll have to designate people to watch the logs 365 days a year.

We have a few questions:

1) Has anyone purchased support for OSSEC, like from Trend Micro? If so,
do you feel the added "perks" and the support were worth the cost?

2) Roughly how many man-hours of work did it take to get the alerts in
OSSEC "tuned" properly in your network?

3) Roughly how many man-hours does it take to look through the logs each
day?

Thanks for any comments and concerns you might share,
Eric

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/
