RE: GFI SELM Question
From: Chris Petersen (chris.petersen_at_logrhythm.com)
Date: 04/26/05
- Previous message: Andy Cuff: "Intrushield User Experiences Warts 'n' All"
- In reply to: Brian Browne: "RE: GFI SELM Question"
- Next in thread: jkowall: "Re: GFI SELM Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Brian Browne'" <brian.browne@edoxa.com>, <graxius@gmail.com>, <focus-ids@securityfocus.com>
Date: Mon, 25 Apr 2005 16:47:09 -0600
******** I represent the vendor **************
When looking at log management solutions that write to an RDBMS, ask the
vendor how they are dealing with large database table record counts. You
can't keep writing millions of records (logs) into a database without
eventually reaching a performance bottleneck. If their answer is buy bigger
hardware, get worried.
I can't speak to SELM capabilities but if you are looking for something on a
larger scale, we have one customer monitoring 300+ Windows servers (all 3
event logs) on a single Log Manager (HP DL380 ~5K server) using both our
agent and agent-less capabilities without a hitch. They are centralizing
approx 5 Million logs/day.
Chris Petersen, CTO
(303) 413-8740 (direct)
(720) 938-2589 (mobile)
(303) 413-8791 (fax)
chris.petersen@LogRhythm.com
www.LogRhythm.com
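The two problems raised in this thread (an ever-growing "main" table, and an archival job that moves old events to a "backup" database in one huge transaction) are illustrated below. This is an added example written for this archive page, not GFI SELM or LogRhythm code; it uses SQLite in place of SQL Server, a made-up event schema, and constructed sample rows. It contrasts a batched, per-batch-committed archive against day-partitioned tables whose retention is a DROP TABLE rather than a row-by-row delete.

```python
"""Keeping an RDBMS-backed event log from degrading as row counts grow.

Added example for the GFI SELM thread; hypothetical schema, SQLite standing in
for SQL Server, constructed sample data. Not vendor code.
"""
import sqlite3
from datetime import datetime, timedelta

# Hypothetical schema standing in for a collector's event table.
COLUMNS = "(id INTEGER PRIMARY KEY, ts TEXT NOT NULL, host TEXT, event_id INTEGER, msg TEXT)"
TS_FMT = "%Y-%m-%d %H:%M:%S"


def connect():
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE main_events {COLUMNS}")
    con.execute("CREATE INDEX ix_main_ts ON main_events(ts)")
    con.execute(f"CREATE TABLE backup_events {COLUMNS}")
    return con


def sample_rows(day, per_day):
    """Constructed Windows-style logon events for one day (not real log data)."""
    return [((day + timedelta(seconds=i)).strftime(TS_FMT),
             f"srv{i % 7:02d}", 4624 if i % 2 else 4625, "logon event")
            for i in range(per_day)]


def load_single_table(con, start, days, per_day):
    """The 'one big table' layout: every day's events land in main_events."""
    for d in range(days):
        con.executemany("INSERT INTO main_events(ts, host, event_id, msg) VALUES (?,?,?,?)",
                        sample_rows(start + timedelta(days=d), per_day))
    con.commit()


def archive_in_batches(con, cutoff, batch_size=500):
    """Move rows older than `cutoff` from main to backup, committing per batch.

    A single INSERT...SELECT plus DELETE would hold every moved row in one
    transaction (and, on a server RDBMS, in its transaction log) until commit.
    Small committed batches bound that and let the job be interrupted safely.
    """
    cutoff_s = cutoff.strftime(TS_FMT)
    moved = batches = 0
    while True:
        ids = [r[0] for r in con.execute(
            "SELECT id FROM main_events WHERE ts < ? ORDER BY id LIMIT ?",
            (cutoff_s, batch_size))]
        if not ids:
            break
        marks = ",".join("?" * len(ids))
        con.execute(f"INSERT INTO backup_events SELECT * FROM main_events WHERE id IN ({marks})", ids)
        con.execute(f"DELETE FROM main_events WHERE id IN ({marks})", ids)
        con.commit()
        moved += len(ids)
        batches += 1
    return moved, batches


def partition_table(day):
    return f"events_{day:%Y%m%d}"


def load_partitioned(con, start, days, per_day):
    """Same data, but one table per day so retention never touches individual rows."""
    for d in range(days):
        day = start + timedelta(days=d)
        tbl = partition_table(day)
        con.execute(f"CREATE TABLE IF NOT EXISTS {tbl} {COLUMNS}")
        con.executemany(f"INSERT INTO {tbl}(ts, host, event_id, msg) VALUES (?,?,?,?)",
                        sample_rows(day, per_day))
    con.commit()


def live_partitions(con):
    return sorted(r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'events_%'"))


def expire_partitions(con, cutoff):
    """Drop whole day-partitions older than `cutoff`: constant work per day, any row count."""
    dropped = []
    for tbl in live_partitions(con):
        day = datetime.strptime(tbl[len("events_"):], "%Y%m%d")
        if day < cutoff:
            con.execute(f"DROP TABLE {tbl}")
            dropped.append(tbl)
    con.commit()
    return dropped


def count(con, table):
    return con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo(days=10, per_day=200, retain_days=7):
    """Load `days` days of constructed events both ways and age out all but `retain_days`."""
    start = datetime(2005, 4, 1)
    cutoff = start + timedelta(days=days - retain_days)
    con = connect()
    load_single_table(con, start, days, per_day)
    moved, batches = archive_in_batches(con, cutoff)
    load_partitioned(con, start, days, per_day)
    dropped = expire_partitions(con, cutoff)
    return {"moved": moved, "batches": batches,
            "main_left": count(con, "main_events"), "backup": count(con, "backup_events"),
            "partitions_dropped": len(dropped), "partitions_left": len(live_partitions(con))}


if __name__ == "__main__":
    print(demo())
```

The batch size is the knob that trades archival speed against transaction-log growth on a server database; the partitioned layout removes the trade-off entirely for retention, at the cost of queries having to span several tables (a view over the live partitions is the usual answer).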
> -----Original Message-----
> From: Brian Browne [mailto:brian.browne@edoxa.com]
> Sent: Monday, April 25, 2005 12:41 PM
> To: graxius@gmail.com; focus-ids@securityfocus.com
> Subject: RE: GFI SELM Question
>
>
> I'm not sure how much you want it to scale, but I implemented
> SELM for a client recently that had bought a 20-server
> license and was using it to monitor 14 servers. We
> implemented it using SQL Server as the backend database as
> part of a Sarbanes-Oxley compliance effort.
>
> The client had initially enabled all of the pre-configured
> rules, so the "main" database quickly grew in size. This
> caused problems in the archival feature -- where events in
> the "main" database older than a specific number of days are
> moved to the "backup" database, from which it is eventually
> deleted. We never got a clear answer from GFI, but judging
> from the available debug information, it looked like there
> were issues with the amount of data being moved from one
> database to the other, the transaction log vs. commit
> frequency within the GFI code, and the SQL Server Recovery
> Model. We resolved the issue by starting over from scratch
> (i.e., new databases) and very selectively enabling and
> defining the rules.
>
> I recently checked in with the client, and they are happy
> with its performance at this point. From an operational
> perspective, it beats manually reviewing 14 individual
> security event logs. It is priced at a point that it would
> be worthwhile for some companies versus a more expensive
> solution. Of course, it ultimately depends on the requirements . . .
>
> Hope this helps.
>
> - Brian
>
> > -----Original Message-----
> > From: Graxius [mailto:graxius@gmail.com]
> > Sent: Friday, April 22, 2005 4:58 PM
> > To: focus-ids@securityfocus.com
> > Subject: GFI SELM Question
> >
> >
> > Hello All,
> > I am curious if anyone is using GFI's System Event Log Manager and if
> > so how well has it scaled?
> >
> > Thanks!
> >
--------------------------------------------------------------------------
Stop hurting your network!
The NeVO passive vulnerability sensor continuously finds vulnerabilities,
applications and new hosts without the need for network scanning.
It also finds compromised systems with application-based intrusion detection.
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------