Re: [Fed-Talk] Syslog, SIEMs, and Laptops
- Subject: Re: [Fed-Talk] Syslog, SIEMs, and Laptops
- From: "O'Donnell, Dan" <email@hidden>
- Date: Mon, 02 Apr 2012 22:15:24 +0000
- Thread-topic: [Fed-Talk] Syslog, SIEMs, and Laptops
For your testing you'll probably want to contact them and request a 30-day
free enterprise license so you can set up a Splunk network of forwarders
and indexers. If you like you can even include load balancing indexers.
Also, for working with OSX audit data you'll need to decode the audit
binaries into text prior to having Splunk capture, forward and index that
data. That is, you can have Splunk capture and forward the standard log
files such as syslog (in /var/log/system.log) and secure.log, but those
are text. The audit trails are not text and Splunk cannot decode them.
We put together a small bash script that runs in parallel to the audit
system so that whenever an audit trail is decoded the script immediately
decodes the binary by pushing it through praudit, reducing the binary to
text, and saving it into a specified subdirectory in /var/audit/ -
/var/audit/reduced/. This script also tags this reduced file with the
hostname of the machine that originated it, so that when the local Splunk
instance forwards it to the Splunk indexer we know which machine it came
from.
If you (or anybody on the list) want the installer with this script then
let me know and I'll make it available. (I'll either email it or put it on
GitHub or SourceForge.)
Note that Solaris BSM has this built into the audit system, and Linux does
it with snare, but *BSD and OSX don't do it. However, if anybody is going
to BSDCan they can listen to Pawel Dawidek talk about distributed audit
trail files. It seems to me that by distributing these files there must be
some additional mechanism to uniquely identify their origin, so perhaps
there is something available in FreeBSD or TrustedBSD that we don't yet
know about. <http://www.bsdcan.org/2012/schedule/events/335.en.html>
-----Original Message-----
From: Todd Heberlein <email@hidden>
Date: Mon, 2 Apr 2012 14:08:58 -0700
To: Dan O'Donnell <email@hidden>
Cc: "email@hidden" <email@hidden>
Subject: Re: [Fed-Talk] Syslog, SIEMs, and Laptops
>> Splunk will transport (forward its data stream from client to server), and
>> it does encryption if you configure it to do so.
>
>Their "Universal Forwarder" looks pretty good. I missed the addition of
>that executable.
>
>Thanks!
>
>Todd
>
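The reduction step Dan describes above (decode a closed OpenBSM audit trail with praudit, tag every record with the originating hostname, and drop the text into /var/audit/reduced/ for the local forwarder) can be written as a small POSIX sh script. The one below is an added example for this archive, not the installer script mentioned in the message; the file naming under /var/audit/reduced/, the `host=` tag format and the `PRAUDIT` override variable are assumptions made here. It skips the trail auditd is still writing (the one ending in `.not_terminated`) and trails it has already reduced, so it is safe to run repeatedly from cron or a loop.

```shell
#!/bin/sh
# Added example: reduce closed OpenBSM audit trails to hostname-tagged text.
# Not the poster's script. Assumes praudit(1) is installed (OS X / FreeBSD);
# PRAUDIT can be overridden so the functions can be exercised without it.

AUDIT_DIR="${AUDIT_DIR:-/var/audit}"
REDUCED_DIR="${REDUCED_DIR:-$AUDIT_DIR/reduced}"
PRAUDIT="${PRAUDIT:-praudit}"   # decoder command (assumed overridable for testing)

# reduce_trail <trail>: decode one binary trail to one-record-per-line text,
# prefix each record with "host=<hostname> ", write it to $REDUCED_DIR and
# print the path of the reduced file. Returns non-zero on failure.
reduce_trail() {
    trail="$1"
    host="$(hostname 2>/dev/null || uname -n)"
    out="$REDUCED_DIR/${host}.$(basename "$trail").txt"
    mkdir -p "$REDUCED_DIR" || return 1
    # Decode first and check praudit's own exit status (a pipeline would only
    # report sed's). praudit -l keeps each audit record on a single line,
    # which is what a line-oriented indexer wants.
    if ! "$PRAUDIT" -l "$trail" > "$out.raw"; then
        rm -f "$out.raw"
        return 1
    fi
    # Tag, then rename atomically so the forwarder never sees a half-written file.
    if sed "s|^|host=$host |" "$out.raw" > "$out.tmp" && mv "$out.tmp" "$out"; then
        rm -f "$out.raw"
        printf '%s\n' "$out"
    else
        rm -f "$out.raw" "$out.tmp"
        return 1
    fi
}

# reduce_closed_trails: reduce every trail auditd has closed. Closed trails are
# named <start>.<stop> (two timestamps); the active one ends in .not_terminated
# and is skipped, as are trails that already have a reduced copy. Prints the
# number of trails reduced on this run.
reduce_closed_trails() {
    host="$(hostname 2>/dev/null || uname -n)"
    n=0
    for trail in "$AUDIT_DIR"/[0-9]*.[0-9]*; do
        [ -f "$trail" ] || continue
        [ -e "$REDUCED_DIR/${host}.$(basename "$trail").txt" ] && continue
        reduce_trail "$trail" > /dev/null && n=$((n + 1))
    done
    echo "$n"
}

# Usage (e.g. from cron, alongside auditd):  sh reduce_audit.sh run
if [ "${1:-}" = "run" ]; then
    reduce_closed_trails
fi
```

The forwarder is then pointed at /var/audit/reduced/ only; the binary trails in /var/audit/ stay where auditd expects them, and the `host=` prefix survives indexing even if the forwarder's own host metadata is lost or misconfigured.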