> In order to monitor all the types of systems you describe, look for a
> solution that can accept non-security sources, store the data in their
> native schema/context (i.e., not normalized), and allow you to query the
> data any way you want to. Oh, and you probably want to keep a decent amount
> of history online for forensics and investigations.
Well, it really depends on what your goal is. If you want to do
real-time correlation of those sources, a solution which does not
normalize events is not going to cut it.
If you just want to archive and query the data ad hoc, you are fine with
just collecting it, without any additional intelligence. However, in
that case, you don't need an expensive solution; just dump the raw logs
into some kind of storage (a db or something) and query. Probably a
Google appliance would do ;)
My 2 cents
-raffy
--
Raffael Marty, GCIA, CISSP        raffael.marty@private
Senior Security Engineer          Strategic Application Solutions
ArcSight, Inc.                    +1 (408) 864 2662
__________________________________________________________________
ArcSight 2006 User Conference--Register by May 5 and Save $500!
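The distinction raffy draws above (real-time correlation needs normalized events; an ad-hoc archive does not) is easy to see in code. The following is an added example, not code from the list post or from ArcSight: two constructed log sources in their native formats, an sshd syslog line and a firewall-style deny line, are mapped onto one assumed common schema so that a single rule can tie them together by source IP, while a raw-archive query over the same lines can only do substring matching. The regexes, field names and sample lines are all assumptions made for the example.

```python
"""Added example (not from the mailing-list post or from ArcSight):
correlation across heterogeneous sources requires normalizing events
into a common schema; ad-hoc queries over a raw archive do not.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real logs): one sshd syslog source,
# one firewall source, each in its own native format.
RAW_LOGS = [
    "Apr 12 19:01:02 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Apr 12 19:01:05 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Apr 12 19:01:09 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "2006-04-12 19:01:11 fw1 DENY TCP 203.0.113.7:51025 -> 192.0.2.10:22",
    "Apr 12 19:02:30 bastion sshd[4121]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2",
    "2006-04-12 19:03:00 fw1 DENY TCP 198.51.100.9:33333 -> 192.0.2.10:443",
]

# Assumed native formats for the two sources (example regexes).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<action>DENY|ALLOW) \w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def normalize(line):
    """Map a native log line onto one assumed common schema.

    Returns None for lines no parser recognizes. The original line is
    kept under 'raw', so normalizing does not throw the native context away.
    """
    m = SSHD_RE.match(line)
    if m:
        return {"source": "sshd", "src_ip": m["src"], "user": m["user"],
                "event": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
                "raw": line}
    m = FW_RE.match(line)
    if m:
        return {"source": "firewall", "src_ip": m["src"], "dst_port": int(m["dport"]),
                "event": "conn_denied" if m["action"] == "DENY" else "conn_allowed",
                "raw": line}
    return None


def correlate(lines, min_failures=3):
    """Cross-source rule that only works on normalized events: report every
    source IP with >= min_failures sshd auth failures AND at least one
    firewall denial. Neither source alone carries both facts."""
    counts = defaultdict(lambda: {"auth_failure": 0, "conn_denied": 0})
    for line in lines:
        ev = normalize(line)
        if ev and ev["event"] in counts[ev["src_ip"]]:
            counts[ev["src_ip"]][ev["event"]] += 1
    return sorted(ip for ip, c in counts.items()
                  if c["auth_failure"] >= min_failures and c["conn_denied"] >= 1)


def raw_query(lines, *needles):
    """Ad-hoc query over the raw archive: every needle must appear as a
    substring. No schema is needed, but the query cannot by itself link an
    sshd failure to a firewall denial; the analyst does that join by hand."""
    return [line for line in lines if all(n in line for n in needles)]


if __name__ == "__main__":
    print("correlated source IPs:", correlate(RAW_LOGS))
    print("raw hits for 'Failed password':", len(raw_query(RAW_LOGS, "Failed password")))
    for hit in raw_query(RAW_LOGS, "203.0.113.7", "DENY"):
        print("raw hit:", hit)
```

Note how normalize() keeps the raw line alongside the mapped fields: that is the usual compromise between the two positions in the thread, since it lets correlation rules run on the common fields while investigations still have the native record to fall back on.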
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Apr 12 2006 - 19:32:23 PDT