2 replies to this topic

[mobikhan]

Hi guyz,

Hope you are fine and doing well. I am working on a task where I have to centrally collect all events from all nodes (Windows XP, LINUX and UNIX and Network Devices).

We are going to use third party software which will collect these events centrally. For windows it will requires WMI and Admin rights on that machine to collect events and for LINUX/UNIX we have to send the syslog to this third party software/application.

I do not want to get every event happening on the machines that’s why I have categorized the windows event which will be critical for our environment for that I have got a great help from Microsoft document, but I do not have enough information for Linux/Unix events/syslogs.

I will really appreciate if you please help me in this regard and give me information about the different types of Syslog and any documentation for implementing event monitoring related to Linux/Unix systems. As I do not want that syslog to degrade the performance of the system and the network. So I just want to select only those events which are critical.

Secondly is there any way that for windows we can also forward the events to this third party application? As I think the system admin will have a great issue for giving the admin rights or even creating an id that has admin rights on that system.
Thirdly being the IT Security Analyst do I have to look all these events or I will make sys admin responsible to act whenever there is a critical event generated and they get an alert on that? What will be the role of Security Analyst once the application is deployed?

[bonarez]

I think Nagios would fit your needs:

/http://www.nagios.org/

[whiskah]

Hi guyz,

Hope you are fine and doing well. I am working on a task where I have to centrally collect all events from all nodes (Windows XP, LINUX and UNIX and Network Devices).

We are going to use third party software which will collect these events centrally. For windows it will requires WMI and Admin rights on that machine to collect events and for LINUX/UNIX we have to send the syslog to this third party software/application.

I do not want to get every event happening on the machines that’s why I have categorized the windows event which will be critical for our environment for that I have got a great help from Microsoft document, but I do not have enough information for Linux/Unix events/syslogs.

I will really appreciate if you please help me in this regard and give me information about the different types of Syslog and any documentation for implementing event monitoring related to Linux/Unix systems. As I do not want that syslog to degrade the performance of the system and the network. So I just want to select only those events which are critical.

I think this is hard for linux.. unless you have some way to determine which ones are critical which is usually the job for log analysis/correlation tools like OSSEC

Secondly is there any way that for windows we can also forward the events to this third party application? As I think the system admin will have a great issue for giving the admin rights or even creating an id that has admin rights on that system.

If your 3rd party supports syslog: http://www.intersect...dows/index.html

Thirdly being the IT Security Analyst do I have to look all these events or I will make sys admin responsible to act whenever there is a critical event generated and they get an alert on that?

Performance related alerts to sysadmin.
Security related alerts to sec analyst

What will be the role of Security Analyst once the application is deployed?

- Log reviews
- Fine tuning your rules
- Incident response


I think you are looking at SIEM/SEM solutions?