Educause Security Discussion mailing list archives

Re: Log Management


From: "Ferris, Joe" <jferris () ADMIN FSU EDU>
Date: Wed, 10 Mar 2010 09:42:33 -0500

Stanley -

We have been using the NitroSecurity SIEM for three years now and have
had great success pulling together logs from all over campus into one
central database.  The ability to pull in logs from critical servers,
databases, routers, switches, firewalls, campus flows and our IPS
devices has given us great insight into the campus network.  Recently
Nitro has included the ability to take feeds from NeXpose, giving us the
ability to track a connection from the campus border through the network
until it reaches the endpoint system, where we can also see if a system
is vulnerable to attack.  I do not know of another product that can do
all of this, to be honest, and the speed of the backend database is second
to none.  If you have any additional questions, on or off list, please let
me know.

Regards,

Joe Ferris, GCIH, GCFW, GPEN
Network Security Engineer
Florida State University
IT Security Team
850.645.8051

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hammond, Stanley
Sent: Friday, March 05, 2010 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Log Management

I am looking to see what other institutions are using to manage their
event/system log files.

Currently I have Snare installed on our Windows servers and sending the
events to a syslog server.  That server originally had Prelude IDS
installed and I was using Prewikka to view the logs as needed.  The
problem with Prelude IDS/Prewikka is that accessing the database is
painfully slow unless you purchase the database module for fast access.
The other option I tested was Splunk, which I liked, but because it
accesses Windows systems using WMI it looked like some of the Windows
virtual machines took a performance hit (according to our Technical
Director).  Right now, I query the logs on the syslog server using
customized Perl scripts whenever an information request is made.  We are
making some changes to our environment and would like to get something
set up that is a little better than using Perl scripts on the CLI.

Stanley M. Hammond
Information Security Specialist
Cape Cod Community College
Email: shammond () capecod edu
