The book Implementing Splunk: Big Data Reporting and Development for Operational Intelligence written by Vincent Bumgarner and for which I was a reviewer (yes, it’s a unashamed advertisement) is now available.
Articles in category 'en'
Each applications, OS, network and security devices have their own way to log events, and so far, there is no widely adopted standard that allow to easily integrate all logs into SIEM solution. Here’s the main standard and their key points:
IDMEF:The IDMEF standard, mainly focused on IDS, is now almost dead.
CEF (Common Event Format): [...]
The latest version Splunk (5.0) is now out, with some nice improvements:
The most visible missing feature for users (customers ?) is PDF report generation: Splunk is now able to generate natively PDF reports (including for report scheduling). You can forget the crappy PDF report app .
Report acceleration (similar to ArcSight trends) that allows fast reports [...]
In a non-dsitributed architecture (your indexer is also the host receiving the events), you might want to keep Splunk running as a non-privilegied user but still be still receive syslog from remote hosts. You have (mainly) two solutions:
Setup your favorite syslog daemon (syslog-ng or rsyslogd) to listen to port 514, and then configure Splunk to [...]
Splunk 4.3 is out for a few days, and this new release contains some nice improvements:
Sparklines (like in BlueCoat): * | chart sparkline count by host gives the following result:
Flash is replaced by HTML5 (for recent browsers; flash is still used for old browsers), but the behaviour of flashtimeline or reports is kept unchanged. Allows [...]
Arcsight recently presented their new version of the Logger. Some of the new features are:
Distributed reports over multiple Logger
User configurable dashboards
Event summary (overview)
Live event viewer
LDAP and AD directory integration
dedup and transaction search commands
SNMP polling support
The main log management solutions available on the market have different features, and different way of handling the data. This article focus on how ArcSight Logger, Loglogic and Splunk are handling archives, and what are their integrity functionalities.
How the different log management solutions are handling the data archiving ?
ArcSight allocates data by one gigabyte [...]
The Juniper VPN SSL solution (Secure Access) is undoubtedly the most advanced of the market today, and I’ve always been satisfied with it. However, a few days ago, one of my customers show me his VPN SSL, for which he enabled the “virtual keyboard“.
I’ve never been really convinced about the security level added by [...]
As reported by Kaspersky, most browsers (and proxies ?) supports URL with IP addresses in format others than decimal, which can be a good way to bypass network security:
The previous URL are working with both Firefox and Chrome.
You will find below a patch for WAFW00F (a tool used to fingerprint Web Application Firewall) that allows to identify Imperva SecureSphere WAF.
On characteristic of Imperva is to respond with an HTTP/1.0 message, even if the request is made in HTTP/1.1. The other WAF I’ve worked with do not have the same behaviour (but [...]