Network Security Focus-IDS

RE: GFI SELM Question

Subject: RE: GFI SELM Question
Date: Mon, 25 Apr 2005 16:47:09 -0600
******** I represent the vendor **************

When looking at log management solutions that write to a RDBMS, ask the
vendor how they are dealing with large database table record counts.  You
can't keep writing millions of records (logs) into a database without
eventually reaching a performance bottleneck.  If their answer is buy bigger
hardware, get worried.

I can't speak to SELM capabilities but if you are looking for something on a
larger scale, we have one customer monitoring 300+ Windows servers (all 3
event logs) on a single Log Manager (HP DL380 ~5K server) using both our
agent and agent-less capabilities without a hitch.  They are centralizing
approx 5 Million logs/day.

Chris Petersen, CTO
(303) 413-8740 (direct)
(720) 938-2589 (mobile)
(303) 413-8791 (fax)
chris.petersen@LogRhythm.com
www.LogRhythm.com 

-----Original Message-----
From: Brian Browne [mailto:brian.browne@edoxa.com] 
Sent: Monday, April 25, 2005 12:41 PM
To: graxius@gmail.com; focus-ids@securityfocus.com
Subject: RE: GFI SELM Question


I'm not sure how much you want it to scale, but I implemented 
SELM for a client recently that had bought a 20-server 
license and was using it to monitor 14 servers.  We 
implemented it using SQL Server as the backend database as 
part of a Sarbanes-Oxley compliance effort.  

The client had initially enabled all of the pre-configured 
rules, so the "main" database quickly grew in size.  This 
caused problems in the archival feature -- where events in 
the "main" database older than a specific number of days are 
moved to the "backup" database, from which it is eventually 
deleted.  We never got a clear answer from GFI, but judging 
from the available debug information, it looked like there 
were issues with the amount of data being moved from one 
database to the other, the transaction log vs. commit 
frequency within the GFI code, and the SQL Server Recovery 
Model.  We resolved the issue by starting over from scratch 
(i.e., new databases) and very selectively enabling and 
defining the rules.

I recently checked in with the client, and they are happy 
with its performance at this point.  From an operational 
perspective, it beats manually reviewing 14 individual 
security event logs.  It is priced at a point that it would 
be worthwhile for some companies versus a more expensive 
solution.  Of course, it ultimately depends on the requirements . . . 

Hope this helps.  

- Brian

-----Original Message-----
From: Graxius [mailto:graxius@gmail.com]
Sent: Friday, April 22, 2005 4:58 PM
To: focus-ids@securityfocus.com
Subject: GFI SELM Question


Hello All,
I am curious if anyone is using GFI's System Event Log Manager and if 
so how well has it scaled?

Thanks!


--------------------------------------------------------------------------
Stop hurting your network!
 
The NeVO passive vulnerability sensor continuously finds 
vulnerabilities, applications and new hosts without the 
need for network scanning.
It also finds compromised systems with application-based intrusion 
detection.
Go to http://www.tenablesecurity.com/products/nevo.shtml to 
learn more.

--------------------------------------------------------------------------
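Brian's message above attributes the archival trouble to the volume of data moved between the "main" and "backup" databases in one go, the commit frequency, and the SQL Server recovery model. The following T-SQL is an added example, not GFI's or LogRhythm's code, of how a defender can do the same "move events older than N days, then eventually purge them" job in fixed-size batches with one commit per batch, so the transaction log grows by one batch at a time instead of by the whole backlog. The table and column names (dbo.MainEvents, dbo.BackupEvents, EventId, EventTime, Source, EventCode, Message) and the retention periods are assumptions for the example.

```sql
-- Added example (assumed schema): batched archival of security events from the
-- "main" table to the "backup" table, then batched purge of old "backup" rows.
-- Each batch is its own transaction, so the log never has to hold the whole move.
SET NOCOUNT ON;

DECLARE @RetentionDays       int;   -- days to keep in main    (assumed value)
DECLARE @BackupRetentionDays int;   -- days to keep in backup  (assumed value)
DECLARE @BatchSize           int;   -- rows moved per commit   (assumed value)
DECLARE @Cutoff              datetime;
DECLARE @PurgeCutoff         datetime;
DECLARE @Rows                int;

SET @RetentionDays       = 30;
SET @BackupRetentionDays = 365;
SET @BatchSize           = 5000;
SET @Cutoff      = DATEADD(day, -@RetentionDays,       GETDATE());
SET @PurgeCutoff = DATEADD(day, -@BackupRetentionDays, GETDATE());

-- Phase 1: move main -> backup, @BatchSize rows per transaction.
-- DELETE ... OUTPUT ... INTO removes the batch from main and inserts it into
-- backup in a single statement, so a crash mid-run loses or duplicates nothing.
SET @Rows = 1;
WHILE @Rows > 0
BEGIN
    BEGIN TRANSACTION;

    DELETE TOP (@BatchSize) dbo.MainEvents
    OUTPUT deleted.EventId, deleted.EventTime, deleted.Source,
           deleted.EventCode, deleted.Message
      INTO dbo.BackupEvents (EventId, EventTime, Source, EventCode, Message)
    WHERE EventTime < @Cutoff;

    SET @Rows = @@ROWCOUNT;

    COMMIT TRANSACTION;
END;

-- Phase 2: purge backup rows past the longer retention, same batching.
SET @Rows = 1;
WHILE @Rows > 0
BEGIN
    BEGIN TRANSACTION;

    DELETE TOP (@BatchSize) dbo.BackupEvents
    WHERE EventTime < @PurgeCutoff;

    SET @Rows = @@ROWCOUNT;

    COMMIT TRANSACTION;
END;

-- Recovery model matters for how fast that log space comes back:
-- SIMPLE  -> log space used by a committed batch is reclaimed at the next checkpoint.
-- FULL    -> it is reclaimed only after the next log backup, so a scheduled log
--            backup must keep pace with the archival job or the log file still grows.
-- The current setting can be checked with:
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name IN ('SELM_Main', 'SELM_Backup');   -- database names are placeholders
```

Both WHERE clauses filter on EventTime, so an index on that column is what keeps each batch cheap as the main table grows; without it every batch scans the table, which is the symptom Chris describes in the top message. The batch size is a tuning knob: smaller batches mean shorter locks and less log per commit, at the cost of more round trips.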

