R: Fwd: Centralizing Event Viewer Logs



Hi ,

I'm working with eTrust Security Command Center (Computer Associates) from a while (on medium and very big enterprises)
i.e. Our environment up to 1000 source (w2k/w2k3/unix/aix/sun/Cisco Acs/SAP) and about 2.5Million logs at day.

If you need just to collect events without a presentation level you can just have eTrust Audit and a MSSQL or Oracle DB.
If you need a presentation level (a singol point of control and access for Log Manger) you must use the entire eSCC suite.

It works well, but it's not the right prodouct if you need to correlate events.in realtime from many different sources.

Bye
R.
--
Riccardo Biassoni Spike Reply S.r.l
www.reply.it r.biassoni@xxxxxxxx <mailto:r.biassoni@xxxxxxxx>

________________________________

Da: listbounce@xxxxxxxxxxxxxxxxx per conto di M. Burnett
Inviato: sab 02/02/2008 3.24
A: 'James Winzenz'; focus-ms@xxxxxxxxxxxxxxxxx
Oggetto: RE: Fwd: Centralizing Event Viewer Logs



In a lab environment I have seen enVision go as high as 30,000+ sustained
events per second with just one collector. The thing I like best about
envision is the ability to correlate events from multiple devices and make
your own alerts from that. So if you see too many failed logins in too many
workstation event logs all at once you can be alerted.

M. Burnett



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of James Winzenz
Sent: Friday, February 01, 2008 1:33 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Fwd: Centralizing Event Viewer Logs

If we want to start comparing enterprise products, you need to add RSA
enVision to the list. The system is completely scalable in terms of
how many events per second it can handle. We have an older HA series
appliance, which can handle 7500 events per second sustained, with
burst up to 9750. Newer enterprise level appliances from RSA enVision
are simply limited by the number of collectors you purchase, with each
collector capable of 10,000 sustained events per second. Can you tell
I am biased? I love the features it has - enterprise reporting,
alerting, ability to collect from windows, syslog, IIS, SQL, Oracle,
and lots others. We haven't even tapped the potential of our system
and we are loving what we can do with it. Of course, once you get into
these products, you are talking about several hundred thousand dollars.
Not for your average Small-medium sized business.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Nick Gage
Sent: Friday, February 01, 2008 11:26 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Fwd: Centralizing Event Viewer Logs

Check out Loglogic http://www.loglogic.com <http://www.loglogic.com/>

It will handle up to 4000 mps sustained and can handle spikes up to
30000 mps.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of James Winzenz
Sent: Friday, February 01, 2008 12:28 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Fwd: Centralizing Event Viewer Logs

IMHO, you get what you pay for.

Are you referring to this product?
http://sourceforge.net/projects/eventlogmonitor/

If so, it looks like it can only deal with windows logs. That is not
going to get you very far. If you want to know what is going on within
your network, you really need something that can handle syslog messages
as well (routers, firewalls, etc.).

Although not pertinent to the product you mentioned, I remembered
reading on GFI's website about their event log management product.
They were *boasting* that their collector could handle up to 6 million
events per hour. That boils down to a paltry 1667 events per second,
which is absolutely pathetic. A couple of core routers/firewalls could
easily overwhelm this.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of
ottobeli82@xxxxxxxxxxxx
Sent: Friday, February 01, 2008 9:08 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Fwd: Centralizing Event Viewer Logs

Is there someone who already tried the product SB Eventlog Monitor?

I´m thinking about starting some tests in my network (all windows, 2000
machines) centralizing all the logs in one server, but I would like to
hear from you any kind of experience with this product.

I would like to know how the product behaves concerning network
traffic, manageability and event correlation.

CONFIDENTIALITY NOTICE: This email may contain confidential and
privileged material for the sole use of the intended recipient(s). Any
review, use, distribution or disclosure by others is strictly
prohibited. If you have received this communication in error, please
notify the sender immediately by email and delete the message and any
file attachments from your computer. Thank you.

CONFIDENTIALITY NOTICE: This email may contain confidential and
privileged material for the sole use of the intended recipient(s). Any
review, use, distribution or disclosure by others is strictly
prohibited. If you have received this communication in error, please
notify the sender immediately by email and delete the message and any
file attachments from your computer. Thank you.
--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.



Relevant Pages

  • Re: [Full-Disclosure] Anti-MS drivel
    ... > the quality of enterprise software is any better; ... Never said corporate computing was any better, quite the opposite. ... dwelling on irrelevant software in the security community makes us, uh, look ...
    (Full-Disclosure)
  • [NEWS] Nokia IPSO Script Injection Vulnerability
    ... Get your security news from a reliable source. ... Nokia Network Voyager is "an SSL-secured, ... After the malicious code is successfully injected into the logs, ...
    (Securiteam)
  • Re: Changes to folder permissions not taking effect on Server 2008
    ... When a user logs on, Windows creates a SID (security identifier) that contains a list of the security groups the user belongs to at that particular moment. ... are only 2 special access folders, on which I turned off 'Include Inherited ... I tried gpupdate on client and server to no avail. ...
    (microsoft.public.security)
  • Re: Any personal Intrusion Detection Systems
    ... > logs" and could profit from some elaboration. ... > 'security' product from _any_ vendor that addresses all of them. ... you're right on again about clueless "support desk" techs. ... "utility" apps with open ports, etc, that I was aware of. ...
    (comp.security.firewalls)
  • Re: Federated Security Applications and Implications.
    ... yada, yada. ... Our enterprise has been running it successfully for a couple of years. ... Considering the requirements a Federated Architecture for security comes to ... SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers of ...
    (Focus-Microsoft)