Educause Security Discussion mailing list archives

Re: Event Log Monitoring - Recommendations


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Thu, 25 Apr 2013 11:41:55 -0400

On Thu, Apr 25, 2013 at 11:19 AM, Greg Williams <gwillia5 () uccs edu> wrote:

> Greg, for strictly log management I would recommend Splunk. We put our
> Splunk deployment in place last year. The goal wasn’t event correlation, it
> was log management so we weren’t really looking at a SIEM, such as QRadar,
> Nitro, ArcSight, etc.

I think most folks will find that their biggest immediate concern IS
log management, not SIEM. I like Splunk but it's super expensive - so
now I deploy ELSA anywhere someone asks me about log management. My
personal documentation is a little dated (the exchange between web
heads and nodes has changed, so I'll do an update in the near future)
but it's still pretty useful as a starting point:

http://opensecgeek.blogspot.com/2013/01/enterprise-logging-with-elsa.html

For folks wanting to add a log anomaly component (which is really just
setting up rules to do automated monitoring/alerting), I love OSSEC.
Of course, I also use OSSEC for file integrity monitoring so it's
doubly useful for me:

http://opensecgeek.blogspot.com/2013/03/hids-with-ossec-part-1-basic-install.html

I also need to update that so I can discuss the file monitoring and
custom rule components, so that document is a little sparse on
details.

Now that the SPC is over and I'm coming to the end of some SANS stuff,
I'll have some time to square away the updates I've been meaning to
make.

Note that I am very much a build-rather-than-buy person - I think
knowledgeable admins and analysts are more important than
button-pushers and expensive products. Not that they don't have their
place - I'd love a 50GB/day or 100GB/day Splunk licence and their SIEM
module, I think they're *awesome* products, but when funding is
problematic or there isn't sufficient support you NEED those smart
people with latitude to solve problems in interesting ways. In my case
it was pushing gigs of log files per day to an open source solution
and still being able to search a billion indexed items in just a
couple of seconds (while still maintaining a volume based or time
based retention plan).

> I put together a log management policy and matrix before I started looking at
> products. It helped narrow down the products before we started getting bids.

*Fantastic advice*. I'd definitely suggest the OP outlines exactly
what they need before they start courting vendors. <Uber cool
functions they'll never use> are still cool...but they'll still never
use them. There's no point in letting those functions hijack the
discussion about what they need.

kmw

--
Kevin Wilcox GAWN GCIH GPEN GCIA
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
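As an added illustration of the "rules to do automated monitoring/alerting" idea in the message above, the following is a small frequency-over-timeframe rule run over a handful of sshd log lines. It is example code written for this archive page, not Kevin's, ELSA's or OSSEC's code; it only borrows the frequency/timeframe/same-source shape that OSSEC's correlation rules use. The log lines in SAMPLE_LOG are constructed sample data, the year supplied to the parser, the rule name and the threshold values (4 failures in 60 seconds, level 10) are assumptions chosen for the demo, not recommended settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines for the demo; not taken from any real system.
SAMPLE_LOG = """\
Apr 25 11:40:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Apr 25 11:40:03 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Apr 25 11:40:05 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 51024 ssh2
Apr 25 11:40:20 web1 sshd[2105]: Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2
Apr 25 11:40:31 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 51025 ssh2
Apr 25 11:40:33 web1 sshd[2109]: Failed password for root from 198.51.100.7 port 51026 ssh2
Apr 25 11:40:40 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 60010 ssh2
Apr 25 11:40:44 web1 sshd[2113]: Failed password for root from 198.51.100.7 port 51027 ssh2
Apr 25 11:45:10 web1 cron[2120]: (root) CMD (run-parts /etc/cron.hourly)
Apr 25 11:45:12 web1 sshd[2121]: Failed password for root from 198.51.100.7 port 51030 ssh2
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# Decoder for the one sshd message this rule cares about.
SSH_FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2013):
    """Split a syslog line into fields; return None for lines that do not parse.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


class FrequencyRule:
    """Alert when `frequency` matching events from the same source arrive within
    `timeframe` seconds. Illustrative reimplementation of the frequency/timeframe/
    same-source idea; not OSSEC's rule engine."""

    def __init__(self, name, program, pattern, frequency, timeframe, level):
        self.name, self.program, self.pattern = name, program, pattern
        self.frequency, self.timeframe, self.level = frequency, timeframe, level
        self.windows = defaultdict(deque)  # src -> timestamps inside the window

    def feed(self, event):
        if event["prog"] != self.program:
            return None
        m = self.pattern.match(event["msg"])
        if not m:
            return None
        src = m["src"]
        win = self.windows[src]
        win.append(event["ts"])
        # Slide the window: forget hits older than `timeframe` seconds.
        while win and (event["ts"] - win[0]).total_seconds() > self.timeframe:
            win.popleft()
        if len(win) < self.frequency:
            return None
        win.clear()  # one burst -> one alert, not one alert per extra failure
        return {
            "rule": self.name, "level": self.level, "host": event["host"],
            "src": src, "user": m["user"], "count": self.frequency,
            "last_seen": event["ts"].isoformat(),
        }


def run_rules(log_text, rules):
    """Feed every parseable line to every rule; return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, never fatal
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def demo():
    """Run the sample log through one rule: 4 sshd failures from one source in 60 s
    (hypothetical rule name and thresholds, chosen for the demo)."""
    rule = FrequencyRule("sshd_bruteforce", "sshd", SSH_FAIL_RE,
                         frequency=4, timeframe=60, level=10)
    return run_rules(SAMPLE_LOG, [rule])


if __name__ == "__main__":
    for a in demo():
        print(a)
```

With the sample data this raises exactly one alert, for 198.51.100.7 at 11:40:31: the three failures at 11:40:01-05 plus the one at 11:40:31 fall inside 60 seconds, the later pair at 11:40:33/44 does not reach the threshold, and the failure at 11:45:12 is outside the window. The single hit from 203.0.113.5 and the cron line never reach the threshold or the rule. Clearing the window on alert is the design choice worth noticing: without it, every further failure in the same burst would page you again.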
