Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] Management of Logs Stored in Database Tables


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 17 Feb 2021 12:15:19 -0500

On Wed, Feb 17, 2021 at 11:59 AM Frank Barton <bartonf () husson edu> wrote:

> Ghassan,
> We have done "A" in a number of cases - however, we use per-system credentials that only have read access to the
> specific tables needed (and in some cases field-specific) "Least Privilege"

Similar here. If something happens that compromises the creds for the
db connection, and those creds can be used anywhere, there are much
larger problems to solve. If something happens on the host such that the
creds can be stolen, there are much larger problems to solve.

We do have a couple of use cases where folks do a db query and then
stick the results into a Windows event channel that gets picked up, or
they do an HTTPS "POST" directly to the log aggregators.

Honestly, I'm fine with any of those methods and have taught all three
as options to get data into a SIEM. The solution you can reasonably
secure, that is scalable and supportable, is the one you use. If it
takes more effort to get the data in for new sources than the time
saved having that data in the SIEM, you need to review other methods.

kmw

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
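As an added example, not from the thread or from either poster, this is what the per-system, read-only credential described for option "A" looks like in PostgreSQL syntax: one role per source system, table-level or column-level SELECT only, and a couple of checks to confirm the grants are what you think they are. The role name siem_app1, the database appdb, the table audit_log and its column names are assumptions made for illustration.

```sql
-- Added example (not from the thread): a per-system, read-only account for a
-- SIEM that pulls directly from database tables (option "A" above).
-- PostgreSQL syntax. The role siem_app1, database appdb, table audit_log and
-- its columns are assumptions made for illustration.

-- One role per source system, so a leaked credential identifies the system it
-- came from and can be revoked without touching the other collectors.
CREATE ROLE siem_app1 LOGIN PASSWORD 'replace-with-a-generated-secret';

-- Nothing is inherited from PUBLIC; every privilege below is explicit.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO siem_app1;

-- (Connect to appdb, e.g. \c appdb in psql, before the schema and table grants.)

-- Optional hardening: removes PUBLIC's default CREATE/USAGE on the schema for
-- every role, not just this one, so check other applications first.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO siem_app1;

-- Table-level: read the whole audit_log, nothing else in the schema.
GRANT SELECT ON public.audit_log TO siem_app1;

-- Field-specific variant: expose only the columns the SIEM needs and keep
-- sensitive ones (raw request bodies, secrets) out of reach. A table-wide
-- SELECT and column grants are alternatives; use one or the other per table.
-- REVOKE SELECT ON public.audit_log FROM siem_app1;
-- GRANT SELECT (id, event_time, actor, action, src_ip) ON public.audit_log TO siem_app1;

-- Belt and braces: even if a write privilege is granted by mistake later,
-- every transaction this role opens starts read-only.
ALTER ROLE siem_app1 SET default_transaction_read_only = on;
-- A pull that hangs should not hold locks on the application's table forever.
ALTER ROLE siem_app1 SET statement_timeout = '30s';

-- Verification: exactly what can this role touch?
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = 'siem_app1';

SELECT grantee, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = 'siem_app1';

-- Spot check as the role itself (run as a superuser or a member of the role).
SET ROLE siem_app1;
SELECT count(*) FROM public.audit_log;        -- works
-- UPDATE public.audit_log SET action = 'x';   -- fails: permission denied for table audit_log
RESET ROLE;
```

The two information_schema queries are the check worth scripting: run them periodically for every collector role and alert when anything other than SELECT on the expected tables shows up, which catches a well-meant "GRANT ALL" long before a compromised collector credential does.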
