Educause Security Discussion mailing list archives
Re: Event Log Monitoring - Recommendations
From: Patrick Gorsuch <patrick.gorsuch () GALLAUDET EDU>
Date: Thu, 25 Apr 2013 12:45:04 -0400
Pulling from my history in Startup-land, I completely agree with expanding the view from security to include system/application maintenance and development. As necessary, partition views, and scrub recorded data, but definitely elevate this collection of event data to the level of a valued resource for all that are involved in system management and design. (Meaningful log entries from developers. You're silly.)
I'm a huge fan of Splunk, hence the cluster that I fought for many years ago. Yes, it's a bit of work to create all of the audience-appropriate screens and views, but the ability to "just dig in" to an otherwise daunting bucket of data really can't be beat. Since its inception, my teams have grown to rely on this ready access which has translated into drastically reduced troubleshooting times.
- Pat

Patrick N. Gorsuch
Manager, Networks and Information Security
Gallaudet University
patrick.gorsuch () gallaudet edu

On 4/25/2013 12:26 PM, Matt Pasiewicz wrote:

For any of you that have rich search interfaces, are you exposing slices of the data to your devops crews? You've got a wealth of information there. When I was in the private sector, our goals for systems like these encompassed more than security ... depending on what log information you capture, they can provide great insight into defects and performance tuning (which can reduce costs). My current thinking is that by enlarging the circle of participation, you get lots of intangible benefits ... developers are encouraged to make logs more meaningful (reducing the signal-to-noise ratio) and the team as a whole realizes economies of scale across silos of security, development, operations, etc. It creates the conditions for many reciprocal benefits.

Thoughts?

On Thu, Apr 25, 2013 at 9:53 AM, William C. Moore <wcmoore () valdosta edu> wrote:

Allow me to throw another name into the mix for comment. I have been checking on Q1Labs also but I am also interested in Logrhythm as a viable SIEM. We too used Splunk for several years but we found that it was not providing the reports and trending data we require. I have yet to go through an on-campus demo so if anyone has a recommendation I too am very interested in their experience.

Bill

William C. Moore II, CISSP, MEd, MLIS
Chief Information Security Officer
Valdosta State University
Valdosta, GA 31698
Phone: (229)333-5974
Fax: (229)245-4349

***********************************************************************
The information transmitted is intended only for the person addressed. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you received this message in error, please contact the sender and delete or destroy this message and any copies.
***********************************************************************

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Williams
Sent: Thursday, April 25, 2013 11:20
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Event Log Monitoring - Recommendations

Greg, for strictly log management I would recommend Splunk. We put our Splunk deployment in place last year. The goal wasn’t event correlation, it was log management so we weren’t really looking at a SIEM, such as QRadar, Nitro, ArcSight, etc. I put together a log management policy and matrix before I started looking at products. It helped narrow down the products before we started getting bids. I can email it to you if you are interested.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure
greg.williams () uccs edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schmalhofer
Sent: Thursday, April 25, 2013 9:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Event Log Monitoring - Recommendations

We do not currently have any product for event log and/or system log monitoring, reporting, and alerting, but are about to begin the process of reviewing various products to see what might be the best fit for our environment, needs, and budget (small). We are a mix of Windows (AD), HP Unix, and Linux servers with Exchange and Oracle. Please let me know if you are able to recommend any product or solution for monitoring logs and providing various reporting and alerting. At the recent Educause Security Professionals Conference several individuals had recommended QRadar.

Any thoughts or feedback on these products and/or any others would be greatly appreciated.
- QRadar (Q1Labs)
- What’s Up Log Management Suite (IPswitch)
- GFI Events Manager (GFI)
- Event Log Analyzer (ManageEngine)
- StealthWatch (Lancope)
- Others

Thanks for any and all feedback!

Thanks,
Greg

Greg Schmalhofer
Information Security Coordinator
Millersville University
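An added illustration (example code, not from any poster or product in the thread) of Pat's "partition views, and scrub recorded data" and Matt's "exposing slices of the data to your devops crews": each audience gets only its allowed log sources, and any non-security view sees a keyed pseudonym in place of the username and a masked network prefix in place of the host IP, so developers can still group and correlate without receiving identities. The event records, the audience matrix and the HMAC key are constructed assumptions.

```python
import hashlib
import hmac
from ipaddress import ip_address

# Constructed sample events standing in for an indexed log store; not from any poster's system.
SAMPLE_EVENTS = [
    {"ts": "2013-04-25T12:45:04-04:00", "src": "ad", "user": "jdoe",
     "ip": "10.20.30.40", "severity": "info", "msg": "logon success"},
    {"ts": "2013-04-25T12:46:10-04:00", "src": "webapp", "user": "asmith",
     "ip": "192.0.2.17", "severity": "error", "msg": "CartService timeout", "latency_ms": 842},
    {"ts": "2013-04-25T12:47:00-04:00", "src": "ad", "user": "jdoe",
     "ip": "10.20.30.40", "severity": "warn", "msg": "logon failure"},
]

# Hypothetical audience matrix: which log sources each view may contain (None = everything).
AUDIENCE_SOURCES = {"security": None, "devops": {"webapp"}}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC token: devops can still group by user, but cannot recover the identity."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def mask_ip(ip: str) -> str:
    """Keep the network prefix for troubleshooting, drop the host part."""
    addr = ip_address(ip)
    if addr.version == 4:
        return ".".join(ip.split(".")[:3]) + ".0/24"
    return ":".join(addr.exploded.split(":")[:4]) + "::/64"

def build_view(events, audience: str, key: bytes):
    """Return the slice of events this audience may see, scrubbed unless it is the security view."""
    allowed = AUDIENCE_SOURCES[audience]
    view = []
    for ev in events:
        if allowed is not None and ev["src"] not in allowed:
            continue
        ev = dict(ev)  # copy so the raw index stays untouched
        if audience != "security":
            ev["user"] = pseudonymize(ev["user"], key)
            ev["ip"] = mask_ip(ev["ip"])
        view.append(ev)
    return view

if __name__ == "__main__":
    # The key should be rotated and held only by the team that owns the raw index.
    for row in build_view(SAMPLE_EVENTS, "devops", b"rotate-me"):
        print(row)
```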