[logs] SIM solution - Objectives ?

Paul Melson pmelson at gmail.com
Thu May 24 06:43:36 PDT 2007


>Are corporates [who have
> some level of maturity in
> this space] using
> SIM solutions to do real
> time response or are we
> using it for weekly
> reports and then doing
> trend analysis ?

Yes.  We've had our SIM approaching 3 years and use it for both
reporting & trend analysis as well as real-time response.  But those
things that make pagers beep are based on very specific filters and/or
correlation and threshold rules.


> Does it make sense to
> receive High alerts and take
> a 15 minute response when
> a login failure happens on a
> few servers?

Probably not, but it depends on the servers.  It would make more sense
to me to use the SIM to correlate multiple failed login events around
source, destination, username, service, etc.  Getting a page every
time someone fat-fingers a password seems like too much noise to be
tolerable.

PaulM
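As an added example (not from Paul's post or the LogAnalysis list), here is the kind of correlation-and-threshold rule he describes, run over constructed sshd-style log lines: failures are keyed on source, destination host and username, and a page is only raised when a key crosses a threshold inside a time window. The hosts, usernames and addresses are invented sample data.

```python
# Added example: threshold/correlation rule for failed logins over
# constructed auth log lines. A single fat-fingered password never alerts;
# a burst of failures from one source against one host/user does.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2007-05-24T06:40:01 web01 sshd: Failed password for alice from 10.0.0.5 port 51000
2007-05-24T06:40:09 web01 sshd: Accepted password for alice from 10.0.0.5 port 51001
2007-05-24T06:41:00 db01 sshd: Failed password for root from 192.0.2.9 port 40000
2007-05-24T06:41:02 db01 sshd: Failed password for root from 192.0.2.9 port 40001
2007-05-24T06:41:03 db01 sshd: Failed password for root from 192.0.2.9 port 40002
2007-05-24T06:41:05 db01 sshd: Failed password for root from 192.0.2.9 port 40003
2007-05-24T06:41:07 db01 sshd: Failed password for root from 192.0.2.9 port 40004
2007-05-24T06:55:00 db01 sshd: Failed password for root from 192.0.2.9 port 40005
"""

# Only failed-password lines match; successes and other events are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)

def correlate_failed_logins(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (src, host, user, first_ts, last_ts) tuples.

    Each (src, host, user) key keeps a sliding window of failure timestamps;
    an alert fires once per burst when the count reaches the threshold,
    after which the window is cleared so the next burst must rebuild it.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["host"], m["user"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((*key, q[0], ts))
            q.clear()
    return alerts

if __name__ == "__main__":
    for src, host, user, first, last in correlate_failed_logins(SAMPLE_LOG):
        print(f"ALERT: burst of failed logins for {user}@{host} from {src} "
              f"between {first} and {last}")
```

With the sample above, alice's single failure is silent while root on db01 produces exactly one alert; the late 06:55 failure falls outside the window and does not re-trigger.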

