Re: [Fed-Talk] Syslog, SIEMs, and Laptops
- Subject: Re: [Fed-Talk] Syslog, SIEMs, and Laptops
- From: Joel Peterson <email@hidden>
- Date: Tue, 03 Apr 2012 02:27:56 +0000
- Thread-topic: [Fed-Talk] Syslog, SIEMs, and Laptops
I could go on and on about how many problems Splunk solves. I wish my
agency would go ahead and purchase as much licensing as they could get and
use it across the board, from the local facility level all the way up to
the national level. It would really allow my agency to troubleshoot for
once, instead of bypassing symptoms.
Joel Peterson
email@hidden
On 4/2/12 3:15 PM, "O'Donnell, Dan" <email@hidden> wrote:
>For your testing you'll probably want to contact them and request a 30-day
>free enterprise license so you can set up a Splunk network of forwarders
>and indexers. If you like, you can even include load-balancing indexers.
>
>Also, for working with OSX audit data you'll need to decode the audit
>binaries into text prior to having Splunk capture, forward and index that
>data. That is, you can have Splunk capture and forward the standard log
>files such as syslog (in /var/log/system.log) and secure.log, but those
>are text. The audit trails are not text and Splunk cannot decode them.
>
>We put together a small bash script that runs in parallel to the audit
>system so that whenever an audit trail is decoded the script immediately
>decodes the binary by pushing it through praudit, reducing the binary to
>text, and saving it into a specified subdirectory in /var/audit/ -
>/var/audit/reduced/. This script also tags this reduced file with the
>hostname of the machine that originated it, so that when the local Splunk
>instance forwards it to the Splunk indexer we know which machine it came
>from.
>
>If you (or anybody on the list) wants the installer with this script then
>let me know and I'll make it available. (I'll either email it or put it on
>github or sourceforge.)
>
>Note that Solaris BSM has this built into the audit system, and Linux does
>it with Snare, but *BSD and OSX don't do it. However, if anybody is going
>to BSDCan they can listen to Pawel Dawidek talk about distributed audit
>trail files. It seems to me that by distributing these files there must be
>some additional mechanism to uniquely identify their origin, so perhaps
>there is something available in FreeBSD or TrustedBSD that we don't yet
>know about. <http://www.bsdcan.org/2012/schedule/events/335.en.html>
>
>
>
>-----Original Message-----
>From: Todd Heberlein <email@hidden>
>Date: Mon, 2 Apr 2012 14:08:58 -0700
>To: Dan O'Donnell <email@hidden>
>Cc: "email@hidden" <email@hidden>
>Subject: Re: [Fed-Talk] Syslog, SIEMs, and Laptops
>
>>> Splunk will transport (forward its data stream from client to server),
>>> and it does encryption if you configure it to do so.
>>
>>Their "Universal Forwarder" looks pretty good. I missed the addition of
>>that executable.
>>
>>Thanks!
>>
>>Todd
>>
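The reduction step Dan describes above (push each completed BSM trail through praudit, write the text copy under /var/audit/reduced/, tag it with the originating hostname so the indexer can attribute it) looks roughly like the following. This is an added example for this archive page, not Dan's script: it assumes the stock OS X/FreeBSD trail naming (closed trails are `start.end`, the open one is `*.not_terminated`, with a `current` symlink), uses `praudit -l` to emit one record per line, and prefixes every line with the hostname as well as putting it in the file name. `reduce_all` is meant to be run periodically (launchd/cron) rather than as a true filesystem watcher; the `AUDIT_DIR`, `REDUCED_DIR`, `PRAUDIT` and `HOST_TAG` overrides exist only so it can be exercised on a test machine without an audit subsystem.

```shell
#!/bin/sh
# Added example: decode closed BSM audit trails to hostname-tagged text for a log forwarder.
# Paths follow the thread's layout (/var/audit and /var/audit/reduced/); the
# environment overrides are an assumption for testing and not part of the stock audit setup.
AUDIT_DIR="${AUDIT_DIR:-/var/audit}"
REDUCED_DIR="${REDUCED_DIR:-$AUDIT_DIR/reduced}"
PRAUDIT="${PRAUDIT:-praudit}"                       # BSM trail decoder shipped with OS X / *BSD
HOST="${HOST_TAG:-$(hostname 2>/dev/null || uname -n)}"

# reduce_trail <trail-file>
# Decode one closed trail with "praudit -l" (one record per line), prefix each
# line with "<hostname>," and write it to REDUCED_DIR/<trail>.<hostname>.txt.
# Writes to a temp file first so the forwarder never sees a half-written file.
reduce_trail() {
    trail="$1"
    out="$REDUCED_DIR/$(basename "$trail").$HOST.txt"
    [ -s "$out" ] && return 0                       # already reduced on an earlier pass
    mkdir -p "$REDUCED_DIR"
    "$PRAUDIT" -l "$trail" | awk -v h="$HOST" '{ print h "," $0 }' > "$out.tmp" \
        && mv "$out.tmp" "$out"
}

# reduce_all
# Walk AUDIT_DIR and reduce every closed trail. The trail still being written
# (*.not_terminated, and the "current" symlink pointing at it) and any
# crash-recovery trail are skipped; they are picked up once auditd closes them.
reduce_all() {
    for t in "$AUDIT_DIR"/*; do
        [ -f "$t" ] || continue                     # skips the reduced/ directory itself
        case "$t" in
            */current|*.not_terminated|*.crash_recovery) continue ;;
        esac
        reduce_trail "$t"
    done
}

# Usage: sh reduce_audit.sh --run   (schedule from launchd or cron)
if [ "${1:-}" = "--run" ]; then
    reduce_all
fi
```

The forwarder is then pointed at `/var/audit/reduced/` only, so the binary trails never reach the indexer. Keeping the hostname inside every line, not just in the file name, matters once the indexer merges streams from many forwarders: the file name can be lost in transport, but a field inside the event survives.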
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden