[Fed-Talk] Syslog, SIEMs, and Laptops
- Subject: [Fed-Talk] Syslog, SIEMs, and Laptops
- From: Todd Heberlein <email@hidden>
- Date: Mon, 02 Apr 2012 09:25:52 -0700
What are people using to aggregate log messages from the Macs in their organization? And in particular, security-relevant logs? And how do you handle it when laptops are connected at the local Starbucks? Do you still send security-relevant log messages (unencrypted?) over the public Wi-Fi?
I want to plug my live analysis directly into an appropriate existing and widely-used log aggregation infrastructure (at least for Macs), but I'm having trouble identifying the right beast to use. Any pointers or suggestions would be appreciated.
Todd
----------------
(some observations so far)
The classic syslog seems problematic for security. It has no reliability (UDP-based), no encryption for confidentiality, and no integrity and authentication mechanisms. An updated RFC 5424 seems to address these issues, but I'm not finding anyone using it, especially on the Mac.
Apple System Log (ASL) appears to add more power via searchable structured data, but I can't find anything on the confidentiality, integrity, or authentication issues. Are people using ASL in an enterprise fashion?
There is syslog-ng by Balabit that addresses the reliability and security concerns, but it doesn't support Macs natively. I could port the code myself and maintain it, but I'd rather not be responsible for maintaining a big chunk of someone else's code.
Years ago I tracked the DARPA Common Intrusion Detection Framework (CIDF) effort, which morphed into the IEEE Intrusion Detection Message Exchange Format (IDMEF). But I think these efforts died a long time ago. These would have been ideal :(
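As an added example, not code from Todd's post: a small Python script that builds an RFC 5424 message with structured data and ships it with octet-counting framing over TLS (RFC 5425), which is what supplies the reliability, confidentiality and in-transit integrity that the classic UDP syslog described above lacks. The collector hostname, CA file path, SD-ID `auth@32473` and the sample login event are assumptions constructed for the demonstration.

```python
"""RFC 5424 syslog over TLS (RFC 5425): reliability, confidentiality and integrity that UDP syslog lacks."""
import socket
import ssl
from datetime import datetime, timezone

LOG_AUTH = 4             # facility: security/authorization messages
SEV_INFO = 6             # severity: informational
SYSLOG_TLS_PORT = 6514   # IANA port for syslog over TLS

def rfc5424_timestamp(dt=None):
    """RFC 5424 TIMESTAMP in UTC with millisecond precision, e.g. 2012-04-02T16:25:52.000Z."""
    dt = dt or datetime.now(timezone.utc)
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

def _sd_escape(value):
    """PARAM-VALUE escaping per RFC 5424 section 6.3.3: backslash first, then '"' and ']'."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def build_rfc5424(facility, severity, hostname, app, msg, sd=None, timestamp=None,
                  procid="-", msgid="-"):
    """Assemble one RFC 5424 message. `sd` maps SD-ID -> {param: value}; '-' means no structured data."""
    pri = facility * 8 + severity
    if sd:
        sd_str = "".join(
            f"[{sid} " + " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items()) + "]"
            for sid, params in sd.items())
    else:
        sd_str = "-"
    return f"<{pri}>1 {timestamp or rfc5424_timestamp()} {hostname} {app} {procid} {msgid} {sd_str} {msg}"

def frame_octet_count(message):
    """RFC 5425 octet-counting framing ('MSG-LEN SP SYSLOG-MSG') so a TCP stream cannot split messages."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data

def send_tls(messages, host, port=SYSLOG_TLS_PORT, cafile=None, client_cert=None):
    """Ship framed messages to a collector over TLS. The default context verifies the collector's
    certificate chain and hostname, so a hostile hotspot can neither read the logs nor impersonate
    the collector. Pass client_cert=(certfile, keyfile) to authenticate the laptop via mutual TLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for m in messages:
                tls.sendall(frame_octet_count(m))

if __name__ == "__main__":
    # Constructed sample: a login event from a laptop; collector name and CA path are placeholders.
    evt = build_rfc5424(LOG_AUTH, SEV_INFO, "macbook-42", "loginwindow", "user logged in",
                        sd={"auth@32473": {"user": "alice", "tty": "console"}})
    send_tls([evt], "logs.example.internal", cafile="/etc/ssl/collector-ca.pem")
```

Because TLS verification is done against the collector's certificate rather than the network, the same configuration works whether the laptop is on the corporate LAN or on public Wi-Fi.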