SIEM & Event / Alert Collection

Lubinski

Newbie

Posts: 26

Joined: Fri Dec 03, 2010 1:34 pm

Post Mon Feb 28, 2011 2:43 pm

SIEM & Event / Alert Collection

In almost every network monitoring or SIEM model there is an initial phase of "planning". This is where you scope out what you want to collect and from where. The Securosis guys stated in their NSO Quant report: "Collect alerts and log records".

I have a basic list of things that fall into this category: logins, reboots, AV process crashes, and some more simple things to gather. I feel like I am missing a chunk of things to grab. What do you guys correlate or collect?

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Tue Mar 01, 2011 9:01 am

Re: SIEM & Event / Alert Collection

I'm planning a SIEM project for later this year, so I'm interested in y'all's opinions too (is y'all's a word?)  :)

There have to be best practices out there.

"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

Lubinski

Newbie

Posts: 26

Joined: Fri Dec 03, 2010 1:34 pm

Post Tue Mar 01, 2011 10:27 am

Re: SIEM & Event / Alert Collection

Maybe I am looking at it from too big a perspective and should try to break it down into domains (workstations, network infra, servers).

The issue I have is that I am aware that I should be monitoring SQL logs for "something". I just don't know what that something is quite yet, because I am no SQL guru. The same can be said for other technologies and pieces of equipment.

sachitre

Newbie

Posts: 22

Joined: Sat Jan 09, 2010 7:55 am

Post Thu Mar 03, 2011 6:46 pm

Re: SIEM & Event / Alert Collection

Hi,

Check the blog from Anton. http://chuvakin.blogspot.com/

He has many posts on log management and SIEM.

I have found that if you start logging things that you know and understand, you are able to build on it. If you start with "log everything" and then try to get rid of the noise, you end up with a mess.

Cheers,
Salil
CISSP, GPEN, CCNA
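As an added example, not code from this thread or from anyone posting in it, here is one way to put the two ideas above into practice: Lubinski's breakdown into domains with his starting list (logins, reboots, AV process crashes), and Salil's advice to collect only what you already understand and build up from there. It runs a scoped allow-list over a few constructed sample log lines and reports which planned categories no source has produced yet. The event IDs, syslog formats and host names are assumptions.

```python
import re

# Constructed collection scope: one entry per (domain, category) the team already
# understands, with a matcher over a raw log line. Anything unmatched is out of
# scope for now rather than "everything minus noise".
SCOPE = [
    ("workstations",  "login",    re.compile(r"EventID=(4624|4625)\b")),
    ("workstations",  "reboot",   re.compile(r"EventID=(1074|6005)\b")),
    ("workstations",  "av_crash", re.compile(r"(?i)antivirus.*(crash|stopped unexpectedly)")),
    ("servers",       "login",    re.compile(r"sshd\[\d+\]: (Accepted|Failed) ")),
    ("servers",       "reboot",   re.compile(r"systemd\[1\]: (Starting Reboot|Shutting down)")),
    ("network_infra", "login",    re.compile(r"%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED)")),
]

# Constructed sample lines from the three domains, including two out-of-scope ones.
SAMPLE_LOGS = [
    "ws01 EventID=4624 Account=alice LogonType=2",
    "ws01 EventID=1074 Process=explorer.exe Reason=restart",
    "ws02 Antivirus service crashed, restarting",
    "srv01 sshd[2231]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "srv01 cron[412]: (root) CMD (run-parts /etc/cron.hourly)",
    "rtr01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin]",
    "ws02 DHCP lease renewed",
]

def classify(line):
    """Return (domain, category) for the first matching scope entry, else None."""
    for domain, category, pattern in SCOPE:
        if pattern.search(line):
            return domain, category
    return None

def collect(lines):
    """Keep in-scope events, count what was dropped, and list planned
    (domain, category) pairs that no log line has hit yet: those are the
    sources still to onboard, the 'chunk' Lubinski suspects he is missing."""
    kept, dropped, seen = [], 0, set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            dropped += 1          # out of scope for now; revisit once understood
            continue
        seen.add(hit)
        kept.append((hit, line))
    gaps = sorted({(d, c) for d, c, _ in SCOPE} - seen)
    return kept, dropped, gaps

if __name__ == "__main__":
    kept, dropped, gaps = collect(SAMPLE_LOGS)
    print(f"kept={len(kept)} dropped={dropped} not_yet_sourced={gaps}")
```

Widening SCOPE one entry at a time (for example the SQL audit events once they are understood) is the "build on it" step; the gap list shows which planned categories still have no feed.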
