Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] Management of Logs Stored in Database Tables
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 17 Feb 2021 12:15:19 -0500
On Wed, Feb 17, 2021 at 11:59 AM Frank Barton <bartonf () husson edu> wrote:
> Ghassan,
>
> We have done "A" in a number of cases - however, we use per-system credentials that only have read access to the specific tables needed (and in some cases field-specific) "Least Privilege"
Similar here. If something happens that compromises the creds for the db connection, and those creds can be used anywhere, there are much larger problems to solve. If something happens on the host that the creds can be stolen, there are much larger problems to solve.

We do have a couple of use cases where folks do a db query and then stick the results into a Windows event channel that gets picked up or they do an HTTPS "POST" directly to the log aggregators.

Honestly, I'm fine with any of those methods and have taught all three as options to get data into a SIEM. The solution you can reasonably secure, that is scalable and supportable, is the one you use. If it takes more effort to get the data in for new sources than the time saved having that data in the SIEM, you need to review other methods.

kmw
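An added example (not from the thread or any poster's environment) of the query-then-POST pattern with a least-privilege reader: a read-only connection pulls only allow-listed columns past a checkpoint and builds the POST body. SQLite's read-only mode stands in for a per-system SELECT-only database account; the table `audit_log`, its columns, and the source name `app-db-01` are assumptions, and the sample rows are constructed.

```python
import json
import os
import sqlite3
import tempfile

FIELDS = ("id", "ts", "username", "action")  # assumed column allow-list; 'detail' is excluded

def make_sample_db(path):
    """Constructed sample data: an application audit table with one sensitive column."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT, "
                "username TEXT, action TEXT, detail TEXT)")
    con.executemany("INSERT INTO audit_log (ts, username, action, detail) VALUES (?,?,?,?)",
        [("2021-02-17T12:00:01Z", "alice", "login", "session=constructed-1"),
         ("2021-02-17T12:00:09Z", "bob", "login_failed", "session=constructed-2"),
         ("2021-02-17T12:01:30Z", "alice", "export", "session=constructed-3")])
    con.commit()
    con.close()

def open_read_only(path):
    """Collector connection: writes are refused even if the credential or host is abused."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def pull_new_rows(con, last_id, batch=500):
    """Return (events, new_checkpoint) for rows with id > last_id, allow-listed fields only."""
    sql = f"SELECT {', '.join(FIELDS)} FROM audit_log WHERE id > ? ORDER BY id LIMIT ?"
    events = [dict(zip(FIELDS, row)) for row in con.execute(sql, (last_id, batch))]
    return events, (events[-1]["id"] if events else last_id)

def to_post_body(events, source="app-db-01"):
    """NDJSON body for an HTTPS POST to the aggregator (no endpoint is contacted here)."""
    return "\n".join(json.dumps({"source": source, **e}, sort_keys=True) for e in events)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    make_sample_db(path)
    con = open_read_only(path)
    first, ckpt = pull_new_rows(con, last_id=0, batch=2)   # first poll, small batch
    second, ckpt2 = pull_new_rows(con, last_id=ckpt)       # next poll resumes at checkpoint
    try:
        con.execute("DELETE FROM audit_log")               # a write must be rejected
        writable = True
    except sqlite3.OperationalError:
        writable = False
    con.close()
    return first, second, ckpt2, writable, to_post_body(first)

if __name__ == "__main__":
    print(demo())
```

On a server DBMS the same effect comes from a dedicated account granted SELECT on only the needed tables or columns, with the checkpoint persisted between polls.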