This topic contains 3 replies, has 3 voices, and was last updated by 
-
Posts
-
In almost every network monitoring or SIEM model there is an initial phase of “planning”. This would be where you want to scope out what you want to collect from where. The Securosis guys stated in their NSO Quant report “Collect alerts and log records”.
I have a basic list of things that fall into this category, logins, reboots, av process crashes… and some more simple things to gather. I feel like I am missing a chunk of things to grab. What do you guys correlate or collect?
-
I’m planning a SIEM project for later this year so i’m interested in y’all’s opinions too (is y’all’s a word?) 🙂
There has to be best practices out there.
-
Maybe I am looking at it from too big of a perspective and should try to break it down into domains (workstations, network infra, servers).
The issue I have is that I am aware that I should be monitoring SQL logs for “something”. I just don’t know what that something is quite yet because I am no SQL guru. The same can be said for other technologies and pieces of equipment.
-
Hi,
Check the blog from Anton. http://chuvakin.blogspot.com/
He has many posts on log management and seim.
I have found that if you start logging things that you know and understand you are able to build up on it. If you start with log everything and start getting rid of the noise you end up with a mess.
Cheers,
Salil
You must be logged in to reply to this topic.
