Log Management at Zero Cost and One Hour per Week?

Monday, August 01, 2011

Anton Chuvakin

Ebb72d4bfba370aecb29bc7519c9dac2

As I was drinking cognac on the upper deck of a 747, flying TPE-SFO back from a client meeting, the following idea crossed my mind: 

CAN one REALLY do a decent job with log management (including log review) if their budget is $0 AND their “time budget” is 1 hour/week?

I got asked that when I was teaching my SANS SEC434 class a few months ago and the idea stuck in my head – and now cognac, courtesy of China Airlines, helped  stimulate it into a full blog post.

So, $0 budget points to using open-source, free tools (duh!), but 1hr/week points in exactly the opposite direction: commercial or even outsourced model.

The only slightly plausible way that I came up with is:

  • Spend your 1st hour building a syslog server; it can be done, especially if starting from a old Linux box that you found in the basement (at $0); don’t forget logrotate or equivalent
  • Spend a few next weeks (i.e. hours) configuring various Unix, Linux and network devices (essentially, all syslog log sources) to log to it
  • Consider deploying Snare on a few Windows boxes (if needed); it would likely be easier to do than doing remote pull – too much tuning might be needed
  • Next, drop a default OSSEC install on your log server and – gasp! – enable all alerts
  • Spend the next  few hours (in the next few weeks) turning off the ones that are too numerous, irrelevant or don’t trigger any action in your environment
  • If you log volume fits within a free Splunk license size (500MB/day), also spend an hour deploying Splunk on your log server and have it index all gathered logs
  • Now you’d be spending your “one log hour each week” on reviewing alerts and (if installed) digging in Splunk for additional details
  • Congrats! $0 and 1hr/week gave you semblance of log management and even monitoring…

What do you think? It just might work for organizations with severe time AND money constraints.

Enjoy the pos … while it lasts.

Cross-posted from Security Warrior

Possibly Related Articles:
8054
Network->General
Information Security
Budgets Log Management Operating Systems IDS/IPS Network Security Monitoring Splunk
Post Rating I Like this!
Default-avatar
f t congrats. we did this for years ago.
1312274319
Default-avatar
f t well, except for the ossec part, we added that recently. we were using samhain before that, which is still a great tool.
1312274395
Default-avatar
f t for=four; have a nice day
1312274436
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked