[logs] Re: Security Management Tool

From: Raffael Marty (rmarty@private)
Date: Wed Apr 12 2006 - 11:39:18 PDT

> In order to monitor all the types of systems you describe, look for a
> solution that can accept non-security sources, store the data in their
> native schema/context (ie, not normalized), and allow you to query the
> data any way you want to. Oh, and you probably wat to keep a decent amount
> of history online for forensics and investigations.

Well, it really depends on what your goal is. If you want to do
real-time correlation of those sources, a solution which does not
normalize events is not going to cut it. 

If you just want to archive and query the data ad-hoc, you are fine with
just collecting it, without any additional intelligence. However, in
that case, you don't need an expensive solution, just dump the raw logs
into some kind of a storage (db or something) and query. Probably a
google appliance would do ;)

My 2 cents



Raffael Marty, GCIA, CISSP                    raffael.marty@private
Senior Security Engineer                 Strategic Application Solutions
ArcSight, Inc.                                         +1 (408) 864 2662

ArcSight 2006 User Conference--Register by May 5 and Save $500!
LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Wed Apr 12 2006 - 19:32:23 PDT