DK 'Log
Tutorial 2: Syslog data mining with attached md5sum. AKA "Store 100% of data".
Thu, 06 Dec 2007

1. The need. The Hype.

There's obviously a need for storing vast amount of logs, and few things today aren't able to log into syslog. So it's just obvious to stumble upon that request every once in a while, and this tutorial illustrates the OSSIM approach at massive syslog data storage. Of course, where you say syslog you can say windows event log, snmp data, whatever generates a big amount of raw data.

Compliance

I don't know much yet about all of this compliance stuff (I were lucky, Julio always has been much more knowledgeable on that area than me so I could skip it) but I guess I'll have to start learning, there are just too many people asking for it and I'm getting very curious.

From what I've seen, a short list of regulations requiring, or at least strongly recommending a certain amount of raw data storage and reports are:
  • ISO27001/17799
  • SOX
  • HIPAA
  • PCI
  • Basel II
  • NIST 800-53
  • Many more...
(Searching for SIM and compliance information I see that's a major marketing point from vendors too, well, just for the records, ossim helps you to be compliant with all that stuff)

Centralized logging

Maybe the need is pure sysadmin's lazyness. You want to be able to answer to questions you get asked by your management / customers in the easiest possible way.
I heard this from a guy a couple of days ago: the more information about your network you've got, the more answers you can give, and that's exactly what SIM/SEM systems are good at.

Data mining

This is a bit redundant with the previous entry, but there are people that just don't care about exact data, but they're in desperate need of colorful graphs in order to be able to keep their bosses calm. Well, having logs from everything in your network allows for easy colorful report generation with little knowledge of the underlying data. The worthyness of those reports in the end will be highly questionable of course.


::read more

posted at: 20:10 | path: /ossim/tutorials | permanent link to this entry | 11 comments |
Tags: ossim, tutorial, syslog, compliance, plugin, agent



OSSIM Mobile now available ;-)
Sat, 01 Dec 2007

Well, kindof at least...

Since Apple's iPhone is basically a stripped down MacosX and it has some nice toys to play with, I thought I'd give the provided python port a try and fire up the OSSIM agent. As expected everything worked like a charm and getting ossim up & running was very easy. Here is the rest of it.


::read more

posted at: 18:43 | path: /ossim/plugins | permanent link to this entry | 3 comments |
Tags: ossim, iphone, agent, plugins



Categories

/ (62)
    code/ (1)
    feed/ (1)
    friends/ (1)
    ossim/ (39)
        installer/ (3)
        plugins/ (2)
        tuning/ (3)
        tutorials/ (8)
    personal/ (19)
        campus/ (2)
        opinion/ (1)
        travel/ (1)
    rants/ (1)


Dominique Karg
(feel free to get in touch)
  • Mail (gpg key)
  • Linkedin
  • Twitter
  • Forums

Friend's blogs:
  • /blog/jaime
  • /blog/juanma
  • /blog/santiago





Certified Application Security Specialist



RSS



< December 2007 >
MoTuWeThFrSaSu
      1 2
3 4 5 6 7 8 9
10111213141516
17181920212223
24252627282930
31      



Archives

2009-Dec
2009-Sep
2009-Aug
2009-Jul
2009-Jun
2009-May
2009-Apr
2009-Mar
2009-Feb
2009-Jan
2008-Dec
2008-Oct
2008-Aug
2008-Jul
2008-May
2008-Mar
2008-Feb
2008-Jan
2007-Dec
2007-Nov



Tags

installer ossim tutorial untagged



Made with PyBlosxom