HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 30 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Otherarrow SIEM & Event / Alert Collection
EH-Net
May 25, 2013, 01:30:26 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: SIEM & Event / Alert Collection  (Read 5200 times)
0 Members and 1 Guest are viewing this topic.
Lubinski
Newbie
*
Offline Offline

Posts: 26


View Profile
« on: February 28, 2011, 01:43:43 PM »
In almost every network monitoring or SIEM model there is an initial phase of "planning". This would be where you want to scope out what you want to collect from where. The Securosis guys stated in their NSO Quant report "Collect alerts and log records".

I have a basic list of things that fall into this category, logins, reboots, av process crashes... and some more simple things to gather. I feel like I am missing a chunk of things to grab. What do you guys correlate or collect?
Logged
yatz
Full Member
***
Offline Offline

Posts: 222


View Profile WWW
« Reply #1 on: March 01, 2011, 08:01:32 AM »
I'm planning a SIEM project for later this year so i'm interested in y'all's opinions too (is y'all's a word?)  Smiley

There has to be best practices out there.
Logged
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
Lubinski
Newbie
*
Offline Offline

Posts: 26


View Profile
« Reply #2 on: March 01, 2011, 09:27:22 AM »
Maybe I am looking at it from too big of a perspective and should try to break it down into domains (workstations, network infra, servers).

The issue I have is that I am aware that I should be monitoring SQL logs for "something". I just don't know what that something is quite yet because I am no SQL guru. The same can be said for other technologies and pieces of equipment.
Logged
sachitre
Newbie
*
Offline Offline

Posts: 22


View Profile
« Reply #3 on: March 03, 2011, 05:46:32 PM »
Hi,

Check the blog from Anton. http://chuvakin.blogspot.com/

He has many posts on log management and seim.

I have found that if you start logging things that you know and understand you are able to build up on it. If you start with log everything and start getting rid of the noise you end up with a mess.

Cheers,
Salil
Logged
CISSP, GPEN, CCNA
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.073 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.