Educause Security Discussion mailing list archives
Re: For those who Splunk
From: Garrett Hildebrand <gdh () UCI EDU>
Date: Wed, 12 Apr 2017 16:53:34 -0700
There is all kinds of noise in the Cisco ASA logs we don't need. When I monitor /var/log/secure on linux systems I just look for this:

(stunnel|SSL|login|su.*:|gsu.*:|sshd.*:|Duo |WebAuth[-:]|AuditSQL:|ftp.*:|sftp.*:|ntpd)

And I have a long whitelist for Windows logs and ignore the rest, and also I trim off all the verbiage at the end of the log. I put a translate table into my install and the event codes are automatically translated on search.

Garrett

Today (Wed, 12 Apr 2017) at 15:56 -0400 Kevin Wilcox wrote:

> On 12 April 2017 at 15:42, Garrett Hildebrand <gdh () uci edu> wrote:
>
> > > 3. What is your per day license?
> >
> > 20 Gigabytes. But we filter out logs that have no security application. Without those filters we would need three times that.
>
> Garrett -- what do you generate that you consider having no security application? An off-list response is fine if you're okay with sharing but don't want to send it to the world.
>
> kmw
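The whitelist Garrett describes for /var/log/secure, applied to a few constructed syslog lines so the keep/drop split and the resulting volume reduction can be seen. This is an added example, not code from the list or from anyone's Splunk install; the sample log lines and the function names are made up for illustration.

```python
import re

# Garrett's keep-list for /var/log/secure, quoted verbatim from the post.
# Anything that matches is forwarded; anything that does not is dropped.
SECURE_KEEP = re.compile(
    r"(stunnel|SSL|login|su.*:|gsu.*:|sshd.*:|Duo |WebAuth[-:]|AuditSQL:|ftp.*:|sftp.*:|ntpd)"
)

# Constructed sample lines in syslog layout (not real hosts, users or addresses).
SAMPLE_SECURE_LOG = """\
Apr 12 16:01:02 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Apr 12 16:01:05 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Apr 12 16:02:10 host1 systemd-logind[800]: New session 42 of user alice.
Apr 12 16:03:00 host1 polkitd[700]: Registered Authentication Agent for unix-session:42
Apr 12 16:04:44 host1 ntpd[600]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Apr 12 16:05:01 host1 CROND[3000]: (root) CMD (run-parts /etc/cron.hourly)
"""


def filter_secure(text):
    """Split log text into (kept, dropped) line lists using SECURE_KEEP."""
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        (kept if SECURE_KEEP.search(line) else dropped).append(line)
    return kept, dropped


def volume_reduction(text):
    """Fraction of bytes (newline included) that the filter removes."""
    kept, dropped = filter_secure(text)
    total = sum(len(line) + 1 for line in kept + dropped)
    if total == 0:
        return 0.0
    return sum(len(line) + 1 for line in dropped) / total


if __name__ == "__main__":
    kept, dropped = filter_secure(SAMPLE_SECURE_LOG)
    print("kept:")
    for line in kept:
        print("  ", line)
    print("dropped:")
    for line in dropped:
        print("  ", line)
    print("volume reduction: {:.0%}".format(volume_reduction(SAMPLE_SECURE_LOG)))
```

Note that the broad alternatives (`su.*:`, `login`) also keep lines such as `sudo:` and `systemd-logind`, which is why the polkitd line above is dropped while the logind line survives; worth checking against your own sources before sending the rest to the Splunk null queue. The equivalent on the Splunk side is a props.conf/transforms.conf pair that routes non-matching events with `DEST_KEY = queue` and `FORMAT = nullQueue`.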