Re: Event Log Monitoring - Recommendations

[Patrick Gorsuch <patrick.gorsuch () GALLAUDET EDU>]

Pulling from my history in Startup-land, I completely agree with 
expanding the view from security to include system/application 
maintenance and development.  As necessary, partition views, and scrub 
recorded data, but definitely elevate this collection of event data to 
the level of a valued resource for all that are involved in system 
management and design.  (Meaningful log entries from developers.  You're 
silly.)

I'm a huge fan of Splunk, hence the cluster that I fought for many years 
ago.  Yes, it's a bit of work to create all of the audience-appropriate 
screens and views, but the ability to "just dig in" to an otherwise 
daunting bucket of data really can't be beat.  Since its inception, my 
teams have grown to rely on this ready access which has translated into 
drastically reduced troubleshooting times.

- Pat

Patrick N. Gorsuch
Manager, Networks and Information Security
Gallaudet University
patrick.gorsuch () gallaudet edu

On 4/25/2013 12:26 PM, Matt Pasiewicz wrote:
> For any of you that have rich search interfaces, are you exposing 
> slices of the data to your devops crews?  You've got a wealth of 
> information there.  When I was in the private sector, our goals for 
> systems like these encompassed more than security ... depending on 
> what log information you capture, they can provide great insight into 
> defects and performance tuning (which can reduce costs).  My current 
> thinking is that by enlarging the circle of participation, you get 
> lots of intangible benefits ... developers are encouraged to make logs 
> more meaningful (reducing the signal-to-noise ratio) and the the team 
> as a whole realizes economies of scale across silos of security, 
> development, operations, etc.  It creates the conditions for many 
> reciprocal benefits.
>
> Thoughts?
>
>
> On Thu, Apr 25, 2013 at 9:53 AM, William C. Moore 
> <wcmoore () valdosta edu <mailto:wcmoore () valdosta edu>> wrote:
>
>     Allow me to throw another name into the mix for comment.  I have
>     been checking on Q1Labs also but I am also interested in Logrhythm
>     as a viable SIEM.  We too used Splunk for several years but we
>     found that it was not providing the reports and trending data we
>     require.  I have yet to go through an on-campus demo so if anyone
>     has a recommendation I too am very interested in their experience.
>
>     Bill
>
>     William C. Moore II, CISSP, MEd, MLIS
>
>     Chief Information Security Officer
>
>     Valdosta State University
>
>     Valdosta, GA 31698
>
>     Phone:(229)333-5974 <tel:%28229%29333-5974>
>
>     Fax: (229)245-4349 <tel:%28229%29245-4349>
>
>     ***********************************************************************
>
>     The information transmitted is intended only for the person addressed.
>
>     Any unauthorized review, distribution or other use of or the taking of
>
>     any action in reliance upon this information is prohibited. If you
>
>     received this message in error, please contact the sender and
>     delete or
>
>     destroy this message and any copies.
>
>     ***********************************************************************
>
>     *From:*The EDUCAUSE Security Constituent Group Listserv
>     [mailto:SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of *Greg Williams
>     *Sent:* Thursday, April 25, 2013 11:20
>     *To:* SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
>     *Subject:* Re: [SECURITY] Event Log Monitoring - Recommendations
>
>     Greg, for strictly log management I would recommend Splunk.   We
>     put our Splunk deployment in place last year.  The goal wasn’t
>     event correlation, it was log management so we weren’t really
>     looking at a SIEM, such as QRadar, Nitro, ArcSight, etc.
>
>     I put together a log management policy and matrix before I started
>     looking at products.  It helped narrow down the products before we
>     started getting bids.  I can email it to you if you are interested.
>
>     Greg Williams
>     IT Security Principal
>     University of Colorado at Colorado Springs
>     Website: http://www.uccs.edu/itsecure
>     greg.williams () uccs edu <mailto:greg.williams () uccs edu>
>
>     *From:*The EDUCAUSE Security Constituent Group Listserv
>     [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Greg
>     Schmalhofer
>     *Sent:* Thursday, April 25, 2013 9:11 AM
>     *To:* SECURITY () LISTSERV EDUCAUSE EDU
>     <mailto:SECURITY () LISTSERV EDUCAUSE EDU>
>     *Subject:* [SECURITY] Event Log Monitoring - Recommendations
>
>     We do not currently have any product for event log and/or system
>     log monitoring, reporting, and alerting, but are about to begin
>     the process of reviewing various products to see what might be the
>     best fit for our environment, needs, and budget(small). We are a
>     mix of Windows (AD), HP Unix, and Linux servers with Exchange and
>     Oracle. Please let me know if you are able to recommend any
>     product or solution for monitoring logs and providing various
>     reporting and alerting. At the recent Educause Security
>     Professionals Conference several individuals had recommended
>     QRadar. Any thoughts or feedback on these products and/or any
>     others would be greatly appreciated.
>
>     -QRadar (Q1Labs)
>
>     -What’s Up Log Management Suite (IPswitch)
>
>     -GFI Events Manager (GFI)
>
>     -Event Log Analyzer (ManageEngine)
>
>     -StealthWatch (Lancope)
>
>     -Others
>
>     Thanks for any and all feedback!
>
>     Thanks,
>
>     Greg
>
>     *Greg Schmalhofer*
>
>     Information Security Coordinator
>
>     Millersville University