Consolidated Logging / Syslog Solution (27001)

DHR (Soldato, joined 30 Apr 2003, 3,469 posts)
I've come to the point where I need to begin looking at logging for ISO 27001 compliance.

Budgets are tight (aren't they always!) but I'm thinking the easiest way is to use some form of syslog server in our Windows domain-based environment and regularly review the most frequent or critical events logged?

Has anyone done this recently? Ideally looking at open source, free solutions to make our compliance lives just that little bit easier?
 
Got my teeth stuck into Graylog, bit of a learning curve, Windows logs were a nightmare to get right but I'm there now, well with the logging, need to come up with some fancy dashboards.

Currently starting to pipe in ASA logs which is a joy :(
 
Have you gone for a single server deployment?
I am also trying this at the moment, currently single server but will look at splitting it all out if we go for it

Yes, single server, I'm hoping it'll be enough for our environment, I'm selectively logging only critical systems at the moment. Firewall logs are going to be a challenge.

One thing I've not gotten my head around yet is retention and disk space management, anyone have any input on that when you're not using the enterprise version?
 
Have I made a mistake not going for version 3? I've been working with 2.5 so far.

Having a nightmare with it trying to bring in Jira security logs too :(
 
It was RC until today I think, I'm fuming!! Got notified of it by 2.5 :eek:

Being handed one over a grok pattern and extractor too.

I’m using the following pattern which works on the following log entry...

2018-03-19 15:11:46,181 https-jsse-nio-443-exec-246 JiraServiceAccount 911x8252778x1 - 192.168.0.1 /rest/api/2/search The user ‘ServiceAccount’ has PASSED authentication.

%{TIMESTAMP_ISO8601} %{DATA:UNWANTED} %{USERNAME:UNWANTED} %{DATA:UNWANTED} %{DATA:UNWANTED} %{IPV4} %{PATH}

I need to extract the username between quotes from "The user 'ServiceAccount' has PASSED authentication." To do this I've set a grok pattern up called JIRASECUSER which is the following regex

(?<=The user ‘).*?(?=’)

Again this works in isolation, as does the %{JIRASECUSER} on its own in the extractor.

As soon as I try to use the following the filter refuses to run:

%{TIMESTAMP_ISO8601} %{DATA:UNWANTED} %{USERNAME:UNWANTED} %{DATA:UNWANTED} %{DATA:UNWANTED} %{IPV4} %{PATH} %{JIRASECUSER}

Totally clueless as to where to go from there now. Believe any errors are logged somewhere but I can't find the server.log anywhere on the OVA appliance :rolleyes:
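To see why the combined pattern can never match, here is an added example (not from the post above, and not Graylog's own grok engine) that expands grok-style references into a Python regex and runs both the lookbehind form and a plain literal form over the same constructed log line. The grok definitions and field names (ts, thread, account, req, dash, ip, url, jira_user, result) are assumptions for this example.

```python
import re

# Approximate regex bodies for the grok patterns named in the thread (constructed
# for this example; not Graylog's own pattern library).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
    "DATA": r".*?",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "PATH": r"(?:/[\w.-]+)+",
    # The custom pattern from the post: lookbehind/lookahead around the username.
    "JIRASECUSER": r"(?<=The user ‘).*?(?=’)",
}

# Constructed sample line with the same layout as the one quoted in the thread.
SAMPLE = ("2018-03-19 15:11:46,181 https-jsse-nio-443-exec-246 JiraServiceAccount "
          "911x8252778x1 - 192.168.0.1 /rest/api/2/search "
          "The user ‘ServiceAccount’ has PASSED authentication.")

COMMON = (r"%{TIMESTAMP_ISO8601:ts} %{DATA:thread} %{USERNAME:account} "
          r"%{DATA:req} %{DATA:dash} %{IPV4:ip} %{PATH:url} ")

# The lookbehind form: the literal space after %{PATH} is the character right
# before the match position, so "(?<=The user ‘)" can never be satisfied there.
BROKEN = COMMON + r"%{JIRASECUSER:jira_user}"

# The literal form: spell out the fixed text and capture what sits between the quotes.
FIXED = COMMON + r"The user ‘(?P<jira_user>[^’]+)’ has (?P<result>\w+) authentication\."


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} and %{NAME:field} references into a Python regex string."""
    def repl(m: re.Match) -> str:
        body = GROK[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)


def parse(grok_pattern: str, line: str):
    """Return the named fields as a dict, or None when the pattern does not match."""
    m = re.search(grok_to_regex(grok_pattern), line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("lookbehind form:", parse(BROKEN, SAMPLE))  # None
    print("literal form:   ", parse(FIXED, SAMPLE))   # jira_user == 'ServiceAccount'
```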
 
Does Graylog come with any ready made parsers, or ready made connectors to get the data in from various sources?

Not really, no; there are a load of marketplace ones you can try and install.

It's on my list of things to look at this weekend if I get a chance.
 
Bringing this one back from the dead, going to start looking at using ELK via Elasticsearch Service if I can get the price right.
 
Thanks Ev0, really helpful, it's that age-old balance, isn't it? From a business perspective, as many do, my place falls into the category of only doing what you 'have to', mainly because of our size, but we all know that goes against a lot of what 27001 is about really.

Liking the sound of the threat model though, I've not really considered approaching it like that before.

My concern is that on a day-to-day basis time, as always, is limited. Any time spent here is probably me considering ways I can make my life easier doing the basic 27001 stuff whilst having the data there to go digging if I need to.

I had a very quick look at the community version of AlienVault but didn't take it much further at the time. I think the attraction to ELK is that I'm hoping I can get it to do the basics easily and any additional SIEM stuff is an added bonus as they enhance that; understand it's a pretty new feature for them at the moment?
 
I don’t know much about ELK SIEM yet, probably got some documentation on it (I work for another vendor, so likely will have some competitive info somewhere).

Preparing myself for the hard sell punchline ;):p

All amazing points and something I've genuinely seen first hand. Looking at CE+ too, which will inevitably want more of this too, no doubt.
 