SIEM or SEIM or Log Correlation tools are generally considered expensive. I won’t get into the particulars of what is or is not expensive for you or your customer. It also depends on system size and what your enterprise may or may not already have in place. So do check into those things before continuing.
I was recently having a conversation with a friend who was lamenting that Loggly and LogEntries weren’t authorized and that their Management team had put the kibosh on self-hosting Splunk (let alone a Splunk cloud install). What’s a security dude to do?
The answer lies in open-source. More specifically, Graylog. And I don’t mean enterprise, I mean loading up Graylog, probably as a Docker container, and start implementing some of the marketplace plug-ins. I would also recommend tying Graylog to LDAP so that there aren’t additional accounts to manage. It was a no brainer to me, but you never know about other people’s politics.
Now that Graylog is running and accepting log data, you can update your baseline configuration so that only the service account for the forwarding service on your workloads can access the audit logs. System admins and DevOps should only have read access to the logs. Security Admins should only have read access to the logs. And Graylog should have a big ass alert whenever root or the service account clear the logs. Was a ticket submitted for that?
No matter, whenever someone needs to see the logs — the answer is “Check in Graylog.” Because you tied it to LDAP or AD, it is as simple as logging in and putting to use the training that was given to them on how to use Graylog (*snickering* There’s never time for training! *snickering*)
I’m not being paid for this but I am getting frustrated with the “we can’t because of cost”. The product cost will not be the end issue either. The real cost is that someone now must watch it. You now need to put bodies in front of screens to create reports and alerts. Otherwise you are not compliant.
So quit your bitchin’ and start logging your shit.
*** This is a Security Bloggers Network syndicated blog from How is that Assurance Evidence? - Medium authored by Chris Burton. Read the original post at: http://feedproxy.google.com/~r/HowIsThatAssuranceEvidence/~3/ro8zEprFCak/au-6-au-7-and-au-9-on-the-cheap-89131a2b9e9f