Educause Security Discussion mailing list archives
Re: Administering OSSEC
From: "Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>
Date: Tue, 16 Feb 2010 14:57:33 -0500
We put OSSEC on our PCI servers (Linux and Windows) and have the management end of it running on one of our Syslog servers. It took about a week off and on to tune it, and we use the e-mail function to let us know instead of constantly checking the logs. Unless you hire someone to just look at the logs, it will be the last thing that anyone will do every day and it won't get done. It was an eye opener to see how many people lock themselves out of the servers every day.

steve

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens
Sent: Tuesday, February 16, 2010 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Administering OSSEC

Greetings,

We are evaluating a log management and file integrity monitoring solution for PCI Compliance. Our QSAs are pushing their partner services such as Tripwire, which we feel is cost prohibitive, or a complete outsourcing of the log monitoring, which we feel is also cost prohibitive. When pressed, our QSAs admit they've used OSSEC at several other sites as well and that it is fully capable of meeting the PCI requirements for logging and integrity monitoring. We are aware that we'll have to designate people to watch the logs 365 days a year.

We have a few questions:

1) Has anyone purchased support for OSSEC, like from Trend Micro? If so, do you feel the added "perks" and the support were worth the cost?

2) Roughly how many man-hours of work did it take to get the alerts in OSSEC "tuned" properly in your network?

3) Roughly how many man-hours does it take to look through the logs each day?

Thanks for any comments and concerns you might share,

Eric

--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434
http://www.uni.edu/elukens/
http://weblogs.uni.edu/elukens/
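Added configuration example, not from either message or from the OSSEC project: the two pieces the thread is about, the manager-side e-mail alerting Steve describes and a local_rules.xml override of the kind that "tuning" produces. The example.edu addresses, the scanner IP 10.0.0.5 and rule id 100010 are constructed placeholders; 5710 is the stock OSSEC sshd rule for a login attempt with a non-existent user, and syscheck is the stock file integrity group.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC manager (excerpt; constructed example) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>secops@example.edu</email_to>            <!-- placeholder -->
    <smtp_server>smtp.example.edu</smtp_server>        <!-- placeholder -->
    <email_from>ossec@syslog1.example.edu</email_from> <!-- placeholder -->
    <email_maxperhour>12</email_maxperhour>            <!-- caps mail storms while tuning -->
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>      <!-- everything still lands in alerts.log -->
    <email_alert_level>10</email_alert_level> <!-- only level 10 and up reaches the inbox -->
  </alerts>

  <!-- File integrity changes (syscheck) are level 7 and would fall under the
       threshold above, so route them to the PCI on-call address regardless
       of level and send them without the usual batching delay. -->
  <email_alerts>
    <email_to>pci-oncall@example.edu</email_to>        <!-- placeholder -->
    <group>syscheck</group>
    <do_not_delay />
  </email_alerts>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: site overrides live here and survive upgrades -->
<group name="local,">
  <!-- Failed ssh logins from the authenticated vulnerability scanner are
       expected noise. A child rule at level 0 silences that one source
       only; the same event from any other host still alerts at level 5. -->
  <rule id="100010" level="0">
    <if_sid>5710</if_sid>
    <srcip>10.0.0.5</srcip>                            <!-- placeholder scanner IP -->
    <description>Ignore ssh probes from the internal scanner.</description>
  </rule>
</group>
```

Feed a sample sshd "Invalid user" line to /var/ossec/bin/ossec-logtest to confirm rule 100010 matches for the scanner address and 5710 still matches for any other, then restart the manager with /var/ossec/bin/ossec-control restart.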
Current thread:
- Administering OSSEC Eric C. Lukens (Feb 16)
- <Possible follow-ups>
- Re: Administering OSSEC Kevin Wilcox (Feb 16)
- Re: Administering OSSEC Bradley, Stephen W. Mr. (Feb 16)
- Re: Administering OSSEC Chris Green (Feb 16)
- Re: Administering OSSEC Bradley, Stephen W. Mr. (Feb 16)
- Re: Administering OSSEC Will Froning (Feb 16)