Re: Setting up Arcsight/Tripwire



Is SPLUNK also similar to ArcSight, as it also captures different logs
and provides reports.
If they both are similar....then which one is better suited in terms
of easy implementation/configuration.

Regards
Aseem

On Wed, Apr 8, 2009 at 3:40 AM, Randal T. Rioux <randy@xxxxxxxxxxxxxxx> wrote:

On Tue, April 7, 2009 4:15 am, venkatesh.selvaraju@xxxxxxxxx wrote:
Dear All,

I was wondering if anyone has any standard rules and policies which can
be instantly deployed & added to Arcsight ESM for monitoring Windows,
UNIX, database and network devices. I understand the rules vary and are
specific to the OS and n/w devices. We have to setup the rules and
commission Arcsight in our company. If anyone has prior hands-on using
Arcsight or if you have any literature, please share.  Also, if you have
any docs on how to setup rules on Tripwire tool for file integrity
checking please share the information. Thank you in advance.

ArcSight doesn't so much depend on rules, like an IDS. The agents just
grab log/event data and the main engine fondles it to make pretty charts
and correlations. The real benefit is in writing/modifying policies to get
you the info you want. Write me offlist if you'd like help with anything
ArcSight.

As for Tripwire, that very much depends on your environment. Here is a
good tutorial:

http://www.linuxjournal.com/article/8758

Also, if you haven't already implemented Tripwire, give Osiris and Samhain
a look.

Randy







--
Love enables you to put your deepest feelings and fears in the palm of
your partner's hand, knowing they will be handled with care.