PaulDotCom mailing list archives
Re: Looking for some event and security log monitoring software
From: "Chesmore, Michael [DAS]" <Michael.Chesmore () iowa gov>
Date: Wed, 11 Jul 2012 10:11:50 -0500
I would advocate for OSSEC. It is open source, extremely easy to configure, and can handle massive volumes of logs. The alerting rules are XML based and very easy to tune. Plus the author hangs out in the OSSEC IRC all the time. If you have a question you can ping him directly. That is way cool. We also use SPLUNK and it is great as well, but it can get pretty expensive when you talk about enterprise logging.

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bigger Thomas
Sent: Tuesday, July 10, 2012 8:54 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Looking for some event and security log monitoring software

The Splunk agent footprint is very small and the polling isn't as noisy as you'd expect. I've run the software both ways and have no real complaints either way. Really it boils down to what you are comfortable with.

Please excuse typos, I'm on my mobile

On Jul 10, 2012, at 21:39, anthony kasza <anthony.kasza () gmail com> wrote:

The time between polling is configurable. I too prefer agents as it takes the resource burden away from a single machine and provides real-time log collection. Installing agents isn't always the best solution, however. I've been told that Splunk agents (known as Universal Forwarders) have a minimal resource footprint but I have never used one.

-AK

On Tue, Jul 10, 2012 at 8:04 PM, Champ Clark III <cclark () quadrantsec com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/10/12 8:50 PM, anthony kasza wrote:

Conceptually similar to SNMP, but not the same. You configure Splunk with a service account. Periodically, Splunk will log in to those designated systems and collect WMI information. The service account needs the proper rights and privileges to read WMI on each system.

Thank you. I was using SNMP-trap in my example, but that was incorrect. SNMP is a better analogy. That's the way I was told WMI, which I've never used, worked. How often does polling typically take place? I assume that is configurable? I typically don't like systems that have to manually "poll" for logs. Hence the reason I believe loading the agent is better. However, the downfall of that is... well... you have to load the agent... Some organizations/people don't like that idea either.

- --
- - Champ Clark III (cclark () quadrantsec com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP/NEzAAoJENnmXt7Lmc3KLcYH/ihIDmKtJfbgSdlFMwRVI9j9
I41Kcpz1cvL817VhgY0mv4uKYNnQ4laSrRYHkAhI4bkIVRkGOV3aEez8vl/0t83R
z5z1Bdr0T/+VNDLAuJRM3AqlUn6BPQ/8Z7WRBKAyJ0PZZiSwcxWvWRNhRvrBRczS
086j0hIoDQr/K/3yIwJnvbk+5bcgRqSfsv7B3Etaz/OKoYCcN/TRGu8+pjMeRF1g
D+f7x/jPpzhGTlc/JIMS1EnBIqq8YEjJ34IJuoT7vK+HSx5mJ1sGiP+aO6X23YJ6
Xzv7y9Dfq1dFB4ZmmUj7LVA/4wDLAbi5OQIqkpTd/2oQMjtHj2mA6zWhb8PVCz4=
=6QkV
-----END PGP SIGNATURE-----

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
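The thread mentions that OSSEC alerting rules are XML based and easy to tune. As an added illustration (this is example configuration written for this page, not something posted by any list participant and not a file shipped by the OSSEC project), the fragment below is a `local_rules.xml` that tunes the stock sshd rules. It assumes OSSEC's built-in rule 5716 ("SSHD authentication failed") and uses rule ids in the 100000-109999 range OSSEC reserves for local rules; the rule ids, the scanner address, and the frequency/timeframe thresholds are constructed values. OSSEC already ships its own SSH brute-force rule; the point here is the mechanism for overriding levels and correlating events, not a replacement for that rule.

```xml
<!-- Example written for this page; path per OSSEC's default install: /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,sshd,">

  <!-- Tuning 1: silence a known-noisy source without dropping the event from the log.
       Level 0 means "logged but never alerted". 10.20.30.40 is a constructed address
       standing in for an internal vulnerability scanner that hits SSH on a schedule. -->
  <rule id="100100" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.20.30.40</srcip>
    <description>Ignore SSH authentication failures from the internal scanner (constructed address).</description>
  </rule>

  <!-- Tuning 2: correlate repeated failures. Fire when the parent rule (5716) has matched
       8 times within 120 seconds from the same source address. Thresholds are constructed;
       tighten or loosen them against your own baseline. -->
  <rule id="100101" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSH authentication failures from the same source (local threshold).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Tuning 3: keep a high-level alert in the log and the web/console views but do not
       e-mail it, for environments where the mail volume from this rule is too high. -->
  <rule id="100102" level="10">
    <if_sid>100101</if_sid>
    <options>no_email_alert</options>
    <description>Repeated SSH authentication failures (alert only, no e-mail).</description>
  </rule>

</group>
```

Rules are evaluated as a tree: a rule with `<if_sid>5716</if_sid>` is only considered after 5716 has matched, and the most specific child that matches wins, which is what lets the level-0 rule quietly override the stock behaviour for one address. Before restarting OSSEC, feed a sample failed-login line to `/var/ossec/bin/ossec-logtest` and confirm the rule id and level that come back are the ones you intended.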