PaulDotCom mailing list archives

Re: Looking for some event and security log monitoring software


From: Mike Patterson <mike () snowcrash ca>
Date: Wed, 11 Jul 2012 09:06:17 -0400

On 12-07-10 8:50 PM, anthony kasza wrote:
> Conceptually similar to SNMP, but not the same. You configure
> Splunk with a service account. Periodically, Splunk will login to
> those designated systems and collect WMI information. The service
> account needs the proper rights and privileges to read WMI on each
> system.

Also, SNMP is fairly lightweight; WMI is not.

Most vendors will tell you to use an agent, rather than WMI, as the
latter puts more load on and is pull rather than push. And hey, if you
don't already have WMI opened, you won't need to.

Another way you can do it is to use SCOM and have your log monitoring
query that, rather than query the systems directly.

I'm not going to recommend any product, save to say "you should look
at options other than Splunk." I've seen them and LogRhythm mentioned;
other players in the medium to big boys market are ArcSight,
NitroSecurity, and Q1 QRadar, and you'd be remiss to not look at them
if you're looking at spending any amount of money on something.

Of course, if you've got more time than money, you could probably get
by with OSSEC and WMI queries.

Mike

-- 
Every program has at least one bug and can be shortened by at least
one instruction -- from which, by induction, one can deduce that
every program can be reduced to one instruction which doesn't work.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
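The "more time than money" option above (a collector that logs in with a service account and pulls WMI data) looks roughly like the following. This is an added illustration, not code from the post or from any of the products mentioned; the server names and the service-account name are placeholders, and the one-hour window and the event IDs (4625 failed logon, 4740 account lockout) are choices made here to keep the pull small, since an unfiltered Win32_NTLogEvent query is exactly the kind of load the post warns about.

```powershell
# Pull recent Security-log events from a list of hosts over WMI (DCOM),
# the pull model the post contrasts with push-based agents.
# Assumptions (placeholders, not from the original post):
#   - $servers are hosts where WMI/DCOM is already reachable
#   - the credential is a service account with rights to read WMI
#     (at least "Remote Enable" on root\cimv2 and Event Log Readers)
$servers     = @('SRV-PLACEHOLDER-01', 'SRV-PLACEHOLDER-02')
$credential  = Get-Credential -UserName 'DOMAIN\svc-logpull-placeholder' `
                              -Message 'Service account used for WMI collection'

# Only ask for the last hour and only for the IDs we care about; WMI
# filters are evaluated on the remote side, so a tight filter is what
# keeps the query from walking the whole Security log.
$sinceDmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-1))
$eventIds  = @(4625, 4740)
$idClause  = ($eventIds | ForEach-Object { "EventCode=$_" }) -join ' OR '
$filter    = "LogFile='Security' AND ($idClause) AND TimeGenerated>='$sinceDmtf'"

$results = foreach ($server in $servers) {
    try {
        Get-WmiObject -Class Win32_NTLogEvent `
                      -ComputerName $server `
                      -Credential $credential `
                      -Filter $filter `
                      -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $_.ComputerName
                    Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                    EventId   = $_.EventCode
                    Source    = $_.SourceName
                    # Message is multi-line; keep the first line for a summary view
                    Summary   = ($_.Message -split "`r?`n")[0]
                }
            }
    }
    catch {
        # A host that is unreachable or denies the service account is itself
        # worth recording: a collector that silently skips hosts has a blind spot.
        [pscustomobject]@{
            Computer = $server
            Time     = Get-Date
            EventId  = $null
            Source   = 'collector'
            Summary  = "WMI collection failed: $($_.Exception.Message)"
        }
    }
}

# Summarise per host so a burst of 4625s or a 4740 stands out,
# then append the raw rows to a file a log monitor (OSSEC etc.) can tail.
$results | Group-Object Computer, EventId |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

$results | Export-Csv -Path 'C:\logpull\security-events.csv' -Append -NoTypeInformation
```

Two things worth noting if you go this route: the query runs serially against each host and each one blocks until the remote WMI provider answers, so with more than a handful of servers you will want a scheduled task per site or a job per host rather than one long loop; and because the service account needs remote WMI rights on every machine, it is a credential worth scoping narrowly and watching for use outside the collector's schedule.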

