PaulDotCom mailing list archives
Re: Looking for some event and security log monitoring software
From: fd <fd () secure-designs com>
Date: Tue, 10 Jul 2012 22:05:50 -0500
I also have to jump on the Splunk bandwagon. However, you should get a good look at your budget and the amount of log messages you receive on a daily basis. I'd start with a generic syslog machine spun up on a VM to gather each and every log message your network has to offer. I'm guessing it's well over 500 MB per day. Take a look at one day's worth of logs, find what's really important, filter that down, and take another look at the size of the logs. Then talk to the Splunk sales team. One of the key points to remember with an enterprise license is the expanded reporting and alerting capabilities that are essential to log management. Upper management loves pie charts, and an RSS or SMS alert can mean the difference between proactive or reactive security enforcement. Especially when inheriting a network that you know little to nothing about.

OP: I also work in a healthcare environment and am more than familiar with the situation you are in. If you want to discuss things in more detail feel free to contact me off list, and I'll be happy to share my wins and lessons learned in healthcare security. The less people have to stumble when securing PHI the better off we all are.
On 7/10/2012 9:21 PM, Champ Clark III wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/10/12 9:38 PM, anthony kasza wrote:
> The time between polling is configurable. I too prefer agents as it takes the resource burden away from a single machine and provides real time log collection. Installing agents isn't always the best solution, however. I've been told that Splunk agents (known as Universal Forwarders) have a minimal resource footprint but I have never used one.

Well, I can see pretty much everyone is in agreement :) All of the event -> syslog forwarding software I've used has been pretty lightweight. Even the Evt2sys (open source) version we've used takes almost no resources. They all seem to be fairly configurable about "tuning" out "noise" (crap). I too dislike polling for the same reasons you listed. I've also _seen_ an attacker modify logs before they were "shipped" (pushed in this case) to a centralized system. However, that was Linux boxes and a poorly thought out centralized logging architecture (not real time, using log offsets.. bleh! ... complete horror story).... Hence the reason I was wondering about WMI. I was thinking that there might be some "trick" I wasn't aware of. I'll take real time logging...

Thanks again for the responses.

- --
- - Champ Clark III (cclark () quadrantsec com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/OM/AAoJENnmXt7Lmc3KRpgH/06I8mlqVe0jmcn7AUjr1mO2
8BE/D7WVn50Y5TBwcYrBomAgWdFMbWhnykuO5w7Yvq791BdEGG6C9DeWAmRdVkHz
7dJfqbbe8QYgf4C/2sh5zGEo6e97vLrMzXc6tlwex40qlk2Bb9WiED1+URl/JAAq
3tzb0ISqXbU5PkcUPRm4OwBRXUohQ8u//ht61u6THDzQBv2t8UnvxC7ddYdNWPoN
wBQp4KYSCarjkVdviBjDF1EW7B6qlAjoAFYUeDjRhixDXGMbN7aeup8GiLjG9lfN
aONTO8ua0gjiOxmwFaNW09TyZzUwu5wwv+gRRm2Nb9kwrjAk552uMrhNE3GWGho=
=pHnZ
-----END PGP SIGNATURE-----

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
“It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.” -Anonymous Stuxnet Engineer
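The sizing exercise fd describes above (stand up a syslog collector, measure a day's volume, filter out what does not matter, measure again before talking to the vendor) is easy to script. The following is an added example written for this archive page, not code posted to the list or shipped by Splunk or any other vendor. The log lines are constructed, the 13-second window is taken from their timestamps, and the ALWAYS_KEEP / NOISE filter policy is an illustrative assumption that you would tune to your own environment; facility and severity decoding follows the RFC 3164 PRI field (facility * 8 + severity).

```python
"""Measure and filter a syslog sample to size a SIEM feed (added example)."""
import re
from collections import Counter

# Constructed sample lines in RFC 3164 form; in practice feed in a full
# day's file from the collector VM instead.
SAMPLE_LOG = """\
<134>Jul 10 21:00:01 fw01 kernel: [INPUT] DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP DPT=137
<134>Jul 10 21:00:02 fw01 kernel: [INPUT] DROP IN=eth0 SRC=10.0.0.6 DST=10.0.0.1 PROTO=UDP DPT=138
<86>Jul 10 21:00:05 dc01 sshd[2211]: Accepted publickey for admin from 10.0.1.9 port 51022 ssh2
<84>Jul 10 21:00:07 dc01 sshd[2214]: Failed password for invalid user test from 198.51.100.7 port 40112 ssh2
<78>Jul 10 21:00:09 web01 CRON[812]: (root) CMD (run-parts /etc/cron.hourly)
<78>Jul 10 21:00:10 web01 CRON[813]: (root) CMD (run-parts /etc/cron.hourly)
<13>Jul 10 21:00:12 app01 app: healthcheck ok
<13>Jul 10 21:00:13 app01 app: healthcheck ok
<12>Jul 10 21:00:14 app01 app: database connection refused, retrying
"""
SAMPLE_WINDOW_SECONDS = 13  # 21:00:01 to 21:00:14 in the constructed sample

# RFC 3164: PRI = facility * 8 + severity, so facility = PRI >> 3, severity = PRI & 7.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            16: "local0", 17: "local1", 18: "local2", 19: "local3",
            20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse(line):
    """Return a record dict for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return {
        "host": m["host"],
        "facility": FACILITY.get(pri >> 3, "facility%d" % (pri >> 3)),
        "severity": SEVERITY[pri & 7],
        "msg": m["msg"],
        "bytes": len(line.encode("utf-8")) + 1,  # +1 for the newline on disk
    }


def summarize(records):
    """Total events/bytes plus bytes per host and per facility.severity."""
    by_host, by_fac_sev = Counter(), Counter()
    for r in records:
        by_host[r["host"]] += r["bytes"]
        by_fac_sev["%s.%s" % (r["facility"], r["severity"])] += r["bytes"]
    return {"events": len(records), "bytes": sum(r["bytes"] for r in records),
            "by_host": by_host, "by_facility_severity": by_fac_sev}


# Illustrative filter policy (an assumption; tune it to your own environment):
# always keep authentication and firewall-drop events, drop known chatter,
# then drop anything at info or debug that is left.
ALWAYS_KEEP = [re.compile(r"\bsshd\["), re.compile(r"\bDROP\b")]
NOISE = [re.compile(r"healthcheck ok$"),
         re.compile(r"CMD \(run-parts /etc/cron\.hourly\)")]


def keep(rec):
    """Decide whether a parsed record survives the noise filter."""
    if any(p.search(rec["msg"]) for p in ALWAYS_KEEP):
        return True
    if any(p.search(rec["msg"]) for p in NOISE):
        return False
    return SEVERITY.index(rec["severity"]) < SEVERITY.index("info")


def compare(lines):
    """Summaries before and after filtering, plus the percentage of bytes saved."""
    recs = [r for r in (parse(l) for l in lines) if r is not None]
    before = summarize(recs)
    after = summarize([r for r in recs if keep(r)])
    saved = (100.0 * (before["bytes"] - after["bytes"]) / before["bytes"]
             if before["bytes"] else 0.0)
    return {"before": before, "after": after, "percent_saved": round(saved, 1)}


def project_daily(byte_count, window_seconds):
    """Scale bytes seen in a window to a per-day figure for license sizing."""
    return round(byte_count * 86400 / window_seconds)


if __name__ == "__main__":
    result = compare(SAMPLE_LOG.splitlines())
    for label in ("before", "after"):
        s = result[label]
        print("%s: %d events, %d bytes, ~%d bytes/day projected" % (
            label, s["events"], s["bytes"],
            project_daily(s["bytes"], SAMPLE_WINDOW_SECONDS)))
        for key, n in s["by_facility_severity"].most_common():
            print("  %-18s %6d bytes" % (key, n))
    print("filtering saves %.1f%% of volume" % result["percent_saved"])
```

Run it against a real day's capture by replacing SAMPLE_LOG with the collector's file contents and SAMPLE_WINDOW_SECONDS with 86400, then look at the per-facility.severity table: that is where the bulk of the noise usually shows up, and it gives you concrete numbers to take into the licensing conversation. The filter decisions are deliberately explicit (keep-lists before drop-lists before a severity threshold) so that a reviewer can see what a given rule would have discarded before it is applied to the live forwarder.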
Current thread:
- Re: Looking for some event and security log monitoring software, (continued)
- Re: Looking for some event and security log monitoring software Champ Clark III (Jul 10)
- Re: Looking for some event and security log monitoring software anthony kasza (Jul 10)
- Re: Looking for some event and security log monitoring software Champ Clark III (Jul 10)
- Re: Looking for some event and security log monitoring software anthony kasza (Jul 10)
- Re: Looking for some event and security log monitoring software Matthew Perry (Jul 10)
- Re: Looking for some event and security log monitoring software Guillaume Ross (Jul 10)
- Re: Looking for some event and security log monitoring software Doug Burks (Jul 11)
- Re: Looking for some event and security log monitoring software Bigger Thomas (Jul 10)
- Re: Looking for some event and security log monitoring software Chesmore, Michael [DAS] (Jul 11)
- Re: Looking for some event and security log monitoring software Champ Clark III (Jul 10)
- Re: Looking for some event and security log monitoring software fd (Jul 11)
- Re: Looking for some event and security log monitoring software Chris Tizzano (Jul 17)
- Re: Looking for some event and security log monitoring software Chris Keladis (Jul 18)
- Re: Looking for some event and security log monitoring software Mike Patterson (Jul 11)
- Re: Looking for some event and security log monitoring software Mike Patterson (Jul 11)
- Re: Looking for some event and security log monitoring software Brian Schultz (Jul 11)
- Re: Looking for some event and security log monitoring software Ron Gula (Jul 11)