Hi folks, In the company where i work, we are implementing a security standard. A part of this is a log monitoring and reporting software. There are a few requirements, that the software must fulfil: - It must be capable of collecting logs from different devices (Linux machines, network equipment, ...). - it must be capable of sending alarms on security events - it has to generate daily (weekly, monthly) reports - it's a plus if it is easy configurable - it has to have a good support or at least a good community if it is an opensource product
So what are you using or at least some recommendations would be nice. An opensource product would be nice, but it's not required.
I know i could google it, but it's difficult to decide for a product just from online and marketing presentations. It would be nice to get some real world experience.
Thanx
On 03/03/11 1:12 AM, Janez Kosmrlj wrote:
Hi folks, In the company where i work, we are implementing a security standard. A part of this is a log monitoring and reporting software. There are a few requirements, that the software must fulfil:
- It must be capable of collecting logs from different devices (Linux
machines, network equipment, ...).
- it must be capable of sending alarms on security events
- it has to generate daily (weekly, monthly) reports
- it's a plus if it is easy configurable
- it has to have a good support or at least a good community if it is
an opensource product
Nagios can probably do all of that. I dunno what you want in those daily/weekly/monthly reports. how many times people logged on and stuff? how many noise packets at your network gateways?
the key to any of these systems is configuring the agents to collect the data you want, and deciding whats a security event worthy of an alarm. whether its a commercial system or freeware, you'll be spending a lot of time on that.
On 3/3/11 3:12 AM, Janez Kosmrlj wrote:
Hi folks, In the company where i work, we are implementing a security standard. A part of this is a log monitoring and reporting software. There are a few requirements, that the software must fulfil:
- It must be capable of collecting logs from different devices (Linux machines,
network equipment, ...).
- it must be capable of sending alarms on security events
- it has to generate daily (weekly, monthly) reports
- it's a plus if it is easy configurable
- it has to have a good support or at least a good community if it is an
opensource product
So what are you using or at least some recommendations would be nice. An opensource product would be nice, but it's not required.
I know i could google it, but it's difficult to decide for a product just from online and marketing presentations. It would be nice to get some real world experience.
OpenNMS is a good snmp monitoring framework with notification/reporting. It doesn't 'collect' logs but you can configure it to receive syslog from other machines and there are a variety of other ways you can pick up data. I'm not sure I'd call it easy to configure, but there are examples on their wiki. http://www.opennms.org
On Thu, Mar 3, 2011 at 2:46 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 3/3/11 3:12 AM, Janez Kosmrlj wrote:
Hi folks, In the company where i work, we are implementing a security standard. A
part of
this is a log monitoring and reporting software. There are a few
requirements,
that the software must fulfil:
- It must be capable of collecting logs from different devices (Linux
machines,
network equipment, ...).
- it must be capable of sending alarms on security events
- it has to generate daily (weekly, monthly) reports
- it's a plus if it is easy configurable
- it has to have a good support or at least a good community if it is an
opensource product
So what are you using or at least some recommendations would be nice. An opensource product would be nice, but it's not required.
I know i could google it, but it's difficult to decide for a product just
from
online and marketing presentations. It would be nice to get some real
world
experience.
OpenNMS is a good snmp monitoring framework with notification/reporting. It doesn't 'collect' logs but you can configure it to receive syslog from other machines and there are a variety of other ways you can pick up data. I'm not sure I'd call it easy to configure, but there are examples on their wiki. http://www.opennms.org
-- Les Mikesell lesmikesell@gmail.com _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
It has to collect logs from syslog (or similar service ), because one requirement for certification is "log history from all devices in one place". And since we are talking about 1500 devices it should be easy to configure and maintain.
After our security team completed POC testing from multiple vendors, we are in the process of implementing LogRhythm in our environment which includes 5000+ servers (Linux, Windows and Solaris).
Len
Date: Thu, 3 Mar 2011 15:00:53 +0100 From: postnalista@googlemail.com To: centos@centos.org Subject: Re: [CentOS] log monitoring and reporting software
On Thu, Mar 3, 2011 at 2:46 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 3/3/11 3:12 AM, Janez Kosmrlj wrote:
Hi folks,
In the company where i work, we are implementing a security standard. A part of
this is a log monitoring and reporting software. There are a few requirements,
that the software must fulfil:
- It must be capable of collecting logs from different devices (Linux machines,
network equipment, ...).
- it must be capable of sending alarms on security events
- it has to generate daily (weekly, monthly) reports
- it's a plus if it is easy configurable
- it has to have a good support or at least a good community if it is an
opensource product
So what are you using or at least some recommendations would be nice. An
opensource product would be nice, but it's not required.
I know i could google it, but it's difficult to decide for a product just from
online and marketing presentations. It would be nice to get some real world
experience.
OpenNMS is a good snmp monitoring framework with notification/reporting. It
doesn't 'collect' logs but you can configure it to receive syslog from other
machines and there are a variety of other ways you can pick up data. I'm not
sure I'd call it easy to configure, but there are examples on their wiki.
--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
It has to collect logs from syslog (or similar service ), because one requirement for certification is "log history from all devices in one place". And since we are talking about 1500 devices it should be easy to configure and maintain.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
------------
It has to collect logs from syslog (or similar service ), because one requirement for certification is "log history from all devices in one place". And since we are talking about 1500 devices it should be easy to configure and maintain. ----------
You might want to think about:
syslog-ng/rsyslog remote logging + syslog-ng/rsyslog master log receiver + splunk
If you find that log messages are getting lost or you need to guarantee that messages arrive you can also consider RELP (supported by rsyslog and possibly by syslog-ng).
I actually have experience with writing these types of tools in perl, and found it is not really that hard to do if you have good in-house devops talent at hand. Management and retention of the all that data is the biggest challenge.
Geoff Galitz wrote:
You might want to think about:
syslog-ng/rsyslog remote logging + syslog-ng/rsyslog master log receiver + splunk
CentOS6 (will) use rsyslog by default and rsyslog is available with CentOS5, so you might want to use rsyslog rather than syslog-ng for CentOS hosts.
James Pearson
On 3/3/2011 8:00 AM, Janez Kosmrlj wrote:
OpenNMS is a good snmp monitoring framework with notification/reporting. It doesn't 'collect' logs but you can configure it to receive syslog from other machines and there are a variety of other ways you can pick up data. I'm not sure I'd call it easy to configure, but there are examples on their wiki. http://www.opennms.orgIt has to collect logs from syslog (or similar service ), because one requirement for certification is "log history from all devices in one place". And since we are talking about 1500 devices it should be easy to configure and maintain.
It doesn't deal with logs as files, but if syslog messages are sent or forwarded to it, it can generate events and notifications from the central configuration. http://www.opennms.org/wiki/Syslogd
It doesn't deal with logs as files, but if syslog messages are sent or forwarded to it, it can generate events and notifications from the central configuration. http://www.opennms.org/wiki/Syslogd
-- Les Mikesell lesmikesell@gmail.com
That's probably not what the OP wanted. Anybody using prelude (http://www.prelude-ids.org)?
Rainer
On 3/3/2011 10:22 AM, rainer@ultra-secure.de wrote:
It doesn't deal with logs as files, but if syslog messages are sent or forwarded to it, it can generate events and notifications from the central configuration. http://www.opennms.org/wiki/Syslogd
That's probably not what the OP wanted. Anybody using prelude (http://www.prelude-ids.org)?
If it has to deal with network equipment it won't have access to logs as files anyway - and some syslog handlers can forward the messages if you want both files and real time network processing.
I have deployed LogAnalyzer, and it has been working great in our environment.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Les Mikesell Sent: Thursday, March 03, 2011 12:08 PM To: centos@centos.org Subject: Re: [CentOS] log monitoring and reporting software
On 3/3/2011 10:22 AM, rainer@ultra-secure.de wrote:
It doesn't deal with logs as files, but if syslog messages are sent or forwarded to it, it can generate events and notifications from the central configuration. http://www.opennms.org/wiki/Syslogd
That's probably not what the OP wanted. Anybody using prelude (http://www.prelude-ids.org)?
If it has to deal with network equipment it won't have access to logs as files anyway - and some syslog handlers can forward the messages if you want both files and real time network processing.
2011/3/3 Janez Kosmrlj postnalista@googlemail.com:
Hi folks, In the company where i work, we are implementing a security standard. A part of this is a log monitoring and reporting software. There are a few requirements, that the software must fulfil:
- It must be capable of collecting logs from different devices (Linux
machines, network equipment, ...).
- it must be capable of sending alarms on security events
- it has to generate daily (weekly, monthly) reports
- it's a plus if it is easy configurable
- it has to have a good support or at least a good community if it is an
opensource product
So what are you using or at least some recommendations would be nice. An opensource product would be nice, but it's not required.
I know i could google it, but it's difficult to decide for a product just from online and marketing presentations. It would be nice to get some real world experience.
syslog + ossec (www.ossec.net) is usually used in high security environments.
-- Eero
-
Eero Volotinen -
Geoff Galitz -
James Pearson -
Janez Kosmrlj -
John R Pierce -
Kaplan, Andrew H. -
Len Kuykendall -
Les Mikesell -
rainer@ultra-secure.de