    Some thoughts about Security

    IT Discussion
quicky2g @Alex Sage (last edited by quicky2g)

      @anonymous said:

      @scottalanmiller said:

      Well think about building a lab. You want a storage device, jump box and logging kind of at a minimum. That's three.

      I don't have a storage device or logging yet. What do you recommend? And what do you mean by a storage device? Like for shared /home?

I do so much with syslog at home it's ridiculous. syslog-ng to MySQL database with custom written PHP front-end. Works like a charm. Have been using it for a few customers too. 0 cost to me or my company and way better than all those crappy Kiwi imitators logging to a flat text file with minimal searching. Try logging 10 ASAs to Kiwi for a week then searching for inbound/outbound connections for a single IP... not going to happen.

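The pain point above (searching a week of ASA connection logs from several firewalls for one IP) is what a database-backed syslog store solves. The following is an added example, not code from this thread or from quicky2g's setup: it parses the ASA "Built inbound/outbound connection" messages into an in-memory SQLite table (standing in for the syslog-ng to MySQL pipeline) and queries both directions for a single address. The sample lines are constructed, and an ISO-timestamp syslog header is assumed.

```python
import re
import sqlite3

# Cisco ASA "Built ... connection" messages (302013 TCP, 302015 UDP) carry the
# direction, protocol and both endpoints. The pattern follows the documented
# message format; the syslog header (ISO timestamp, hostname) is assumed here.
ASA_BUILT = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) .*?"
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample lines from two firewalls, not captured from real devices.
SAMPLE_LOGS = [
    "2016-01-12T10:15:01 asa1 %ASA-6-302013: Built inbound TCP connection 55 for outside:198.51.100.7/40123 (198.51.100.7/40123) to inside:10.0.0.5/22 (10.0.0.5/22)",
    "2016-01-12T10:15:03 asa2 %ASA-6-302015: Built outbound UDP connection 56 for inside:10.0.0.5/51000 (10.0.0.5/51000) to outside:203.0.113.53/53 (203.0.113.53/53)",
    "2016-01-12T10:15:04 asa1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/445 by access-group \"outside_in\"",
    "2016-01-12T10:15:09 asa2 %ASA-6-302013: Built outbound TCP connection 57 for inside:10.0.0.9/50200 (10.0.0.9/50200) to outside:203.0.113.10/443 (203.0.113.10/443)",
]


def build_db(lines):
    """Parse lines into an in-memory SQLite table (stand-in for the thread's MySQL).
    Returns (connection, rows_stored); messages that are not connection builds are skipped."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE asa_conn (ts TEXT, host TEXT, direction TEXT, proto TEXT, "
               "src TEXT, sport INTEGER, dst TEXT, dport INTEGER)")
    stored = 0
    for line in lines:
        m = ASA_BUILT.search(line)
        if not m:
            continue  # denies, teardowns etc. are out of scope for this table
        ts, host, _ = line.split(" ", 2)  # syslog header fields before the message
        db.execute("INSERT INTO asa_conn VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                   (ts, host, m["direction"], m["proto"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"])))
        stored += 1
    db.commit()
    return db, stored


def connections_for_ip(db, ip):
    """Every built connection where ip is either endpoint, across all firewalls, oldest first."""
    return db.execute("SELECT ts, host, direction, proto, src, sport, dst, dport "
                      "FROM asa_conn WHERE src = ? OR dst = ? ORDER BY ts", (ip, ip)).fetchall()


if __name__ == "__main__":
    db, n = build_db(SAMPLE_LOGS)
    print(f"stored {n} connection records")
    for row in connections_for_ip(db, "10.0.0.5"):
        print(row)
```

The same query across a flat-file-per-firewall setup would mean grepping every file and re-joining the results by hand; indexing src and dst is what makes the "single IP" search cheap.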
scottalanmiller @Alex Sage

        @anonymous said:

        @dafyre How hard is it to install for a noob like me?

        @Lakshmana set it up.

scottalanmiller @quicky2g

          @quicky2g said:

          @anonymous said:

          @scottalanmiller said:

          Well think about building a lab. You want a storage device, jump box and logging kind of at a minimum. That's three.

          I don't have a storage device or logging yet. What do you recommend? And what do you mean by a storage device? Like for shared /home?

I do so much with syslog at home it's ridiculous. syslog-ng to MySQL database with custom written PHP front-end. Works like a charm. Have been using it for a few customers too. 0 cost to me or my company and way better than all those crappy Kiwi imitators logging to a flat text file with minimal searching. Try logging 10 ASAs to Kiwi for a week then searching for inbound/outbound connections for a single IP... not going to happen.

          Yeah, can't imagine ever using Kiwi. What made you decide to not use ELK but to write something custom?

quicky2g @scottalanmiller

            @scottalanmiller said:

            @quicky2g said:

            @anonymous said:

            @scottalanmiller said:

            Well think about building a lab. You want a storage device, jump box and logging kind of at a minimum. That's three.

            I don't have a storage device or logging yet. What do you recommend? And what do you mean by a storage device? Like for shared /home?

I do so much with syslog at home it's ridiculous. syslog-ng to MySQL database with custom written PHP front-end. Works like a charm. Have been using it for a few customers too. 0 cost to me or my company and way better than all those crappy Kiwi imitators logging to a flat text file with minimal searching. Try logging 10 ASAs to Kiwi for a week then searching for inbound/outbound connections for a single IP... not going to happen.

            Yeah, can't imagine ever using Kiwi. What made you decide to not use ELK but to write something custom?

            Never heard of ELK. Will have to check it out. Wrote the custom one a while ago and never found a reason to use anything else. Super lightweight and can export to Excel. Log analysis and visual stats would be nice though.

scottalanmiller @quicky2g

              @quicky2g http://mangolassi.it/topic/5364/showing-off-our-new-elk-install

quicky2g @scottalanmiller

                @scottalanmiller said:

                @quicky2g http://mangolassi.it/topic/5364/showing-off-our-new-elk-install

Do you use the real-time dashboard from this guy's article?

                http://operational.io/elk-for-network-operations/

scottalanmiller

                  Not yet, ours is pretty basic right now, but going to be doing a lot more with it soon, hopefully.

                  http://i.imgur.com/lydtCwn.png

stacksofplates

                    I'm currently installing mine again. I tried about 2 weeks ago and there were issues since they had just switched from the forwarder to filebeat.

Reid Cooper

                      How does filebeat compare for how it is used?

stacksofplates @Reid Cooper

                        @Reid-Cooper said:

                        How does filebeat compare for how it is used?

I'm not done building yet so I can't say. Here's what they say the changes are:

                        Filebeat introduces the following major changes:

                        The config file was restructured and converted from JSON to YAML.
                        The registry file, which stores the state of the currently read files, was changed.
                        Command line options were removed and moved to the configuration file.
                        Configuration options for outputs are now inherited from libbeat. For details, see the Beats Platform Reference.
                        A new Logstash input plugin called logstash-input-beats is required.

                        It doesn't seem like you would notice a difference.
