

Log management appliances/software

Posted on 2009-04-15
Medium Priority
Last Modified: 2012-08-14
Are there any SIEM log management appliances that allow the user to export the data captured to its native format (e.g. Windows event log data captured in the appliance exported from the appliance back into the native Windows event log format)?

I have heard that RSA Envision can do this yet I can't find anything to tell me the allowable export formats from this appliance. Has anyone come across any legal cases where they have been asked to provide log data in its native format? I have heard that there are laws written that state that this is the case but I don't know the exact law or how people are getting around this.

Question by:snowmizer
LVL 65

Accepted Solution

btan earned 200 total points
ID: 24178357
The article below should help you in the choice of devices

By comparison, the more mature listeners and parsers from CheckPoint, High Tower and Q1 Labs allow you to simply point your device, any device, to the appliance and the SIEM platform will automatically accept the feed, identify the format, and figure out which event came from which device of which type (for example, a syslog-based event from a Cisco ASA firewall vs. a Linux host). This is extremely helpful if you happen to have a centralized syslog implementation already in place as you can then "relay" all inbound syslog messages with something like the syslog-ng (Syslog Next-Generation) "spoof source" configuration directive. But even if you don't have a centralized syslog implementation in place, being able to point all devices to a single syslog destination helps make device deployment simple.

Other data acquisition features of these products include support for protocols such as CheckPoint's OPSEC LEA, database scraping mechanisms for products from established security vendors such as ISS and McAfee, and proprietary agents that can run on hosts to acquire non-syslog based event data like that found in vulnerability scanner data and Windows event logs. The products from Q1 Labs and eIQ supported the widest assortment of security devices and platforms out of the box but organizations will want to gather their own compatibility requirements when compiling their SIEM evaluation short-lists.
You can also set a filter in the link below to see the supported appliances.

Check out syslogappliance as well
- http://www.syslogappliance.de/en/features.php

There are more in Annex C of NIST SP 800-92, "GUIDE TO COMPUTER SECURITY LOG MANAGEMENT". It also talks about the compliance need in Section 2.2, which addresses five major regulations: PCI, SOX, HIPAA, GLBA and FISMA.

Useful Excerpt:

Syslog provides a simple framework for log entry generation, storage, and transfer, that any OS, security software, or application could use if designed to do so. Many log sources either use syslog as their native logging format or offer features that allow their log formats to be converted to syslog format.

When evaluating syslog replacements, organizations should pay particular attention to interoperability, because many syslog clients and servers offer features not specified in RFC 3195 or other standard-related efforts. Also, organizations that use security information and event management software (as described in Section 3.4) to store or analyze syslog messages should ensure that their syslog clients and servers are fully compatible and interoperable with the security information and event management software.

Section 3.4

There are no standards specific to SIEM, so each SIEM product stores and transmits data in any format it chooses. However, SIEM products usually offer capabilities to protect the confidentiality, integrity, and availability of log data. For example, network communications between agents and the SIEM servers typically occur over the reliable TCP protocol and are encrypted. Also, agents and SIEM servers may need to provide credentials to each other and be authenticated successfully before they can transfer data (e.g., agent sending logs to server, server reconfiguring agent).
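The answer above describes a SIEM listener that accepts any syslog feed, identifies the format, and works out which device type produced each event, while keeping the original record so it can still be handed back in its native form. The following is an added example, not code from the original answer or from any of the products it names. It parses RFC 3164-style syslog lines, labels each as coming from a Cisco ASA or a generic Linux host using assumed message-prefix patterns (the `%ASA-<sev>-<id>:` prefix and the `program[pid]:` tag), and always keeps the untouched raw line alongside the parsed fields. The sample lines are constructed for the example.

```python
import re

# Constructed sample feed: one Cisco ASA event, one Linux sshd event,
# and one line that is not syslog at all (e.g. a mis-configured source).
SAMPLE_LINES = [
    "<166>Apr 15 10:03:11 asa-edge %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.12/51234 (10.0.0.12/51234)",
    "<38>Apr 15 10:03:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.7 port 50022 ssh2",
    "this line is not syslog",
]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Assumed device fingerprints, checked in order; first match wins.
CLASSIFIERS = [
    ("cisco_asa", re.compile(r"^%ASA-\d-\d{6}:")),          # Cisco ASA syslog message ID prefix
    ("linux_host", re.compile(r"^[A-Za-z0-9_.-]+(\[\d+\])?: ")),  # syslogd "program[pid]: " tag
]


def classify_device(msg):
    """Return the assumed device type for a syslog MSG part, or 'unknown'."""
    for name, pattern in CLASSIFIERS:
        if pattern.match(msg):
            return name
    return "unknown"


def parse_syslog(line):
    """Parse one RFC 3164 line into a record; return None if it does not parse.

    PRI encodes facility*8 + severity, so facility = pri >> 3, severity = pri & 7.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7 -> max 23*8+7
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
        "device_type": classify_device(m.group("msg")),
        "raw": line,  # native record retained verbatim for later export
    }


def ingest(lines):
    """Build records for every line. Lines that fail to parse are still kept
    (device_type 'unknown', parsed fields None) so nothing is dropped from the
    native-format archive."""
    records = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rec = {"facility": None, "severity": None, "timestamp": None,
                   "host": None, "message": None, "device_type": "unknown",
                   "raw": line}
        records.append(rec)
    return records


def export_native(records):
    """Return the original lines exactly as received, the 'native format' export."""
    return [r["raw"] for r in records]


if __name__ == "__main__":
    for r in ingest(SAMPLE_LINES):
        print(r["device_type"], r["host"], r["severity"])
```

The point of keeping `raw` on every record, parsed or not, is the one the question raises: a SIEM that normalizes into its own schema and discards the original cannot later reproduce the native record, whereas one that archives the verbatim line can.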
LVL 65

Assisted Solution

btan earned 200 total points
ID: 24178360
You may want to read this blog as well for using SIEM for fraud detection

As for law cases, I will say the guidelines set the pace for vendor competition in the compliance domain


Expert Comment

ID: 24287842
RSA enVision uses IPDB, which stores all the logs in their native format, "RAW" format. As they are stored, they are compressed using their own proprietary encryption as well; it is basically a WORM method (Write Once, Read Many).

As compared to other SIEM appliances or tools, which either rely on Oracle Database, MS SQL, or MySQL (basically any RDBMS), with RSA it is purely in native RAW format.

I hope this helps.

Which compliance regulation are you dealing with: SOX, HIPAA, FISMA...?

Hope this may help.
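The comment above contrasts a raw, write-once ("WORM") log archive with SIEMs that normalize events into an RDBMS. The code below is an added illustration of what such a raw archive needs to offer in the evidentiary context the question asks about; it is not RSA enVision's IPDB implementation, whose on-disk format is proprietary. The design is an assumption for the example: every record is kept as the original bytes (compressed with zlib), each record is chained to the previous one with SHA-256, `verify()` recomputes the chain, and `export_native()` returns the records exactly as received. The `tamper_demo()` function shows why in-place modification, which WORM storage forbids, is detected. The sample lines are constructed.

```python
import hashlib
import zlib

# Constructed sample records as a collector might receive them.
SAMPLE_LINES = [
    "<38>Apr 15 10:03:12 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.7 port 50022 ssh2",
    "<38>Apr 15 10:04:01 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "<14>Apr 15 10:04:05 dc01 MSWinEventLog 1 Security 4624 An account was successfully logged on",
]


class RawLogStore:
    """Append-only archive: each record keeps the original bytes (native format)
    and a SHA-256 link to the previous record, so any edit, deletion or
    reordering breaks the chain."""

    GENESIS = b"\x00" * 32  # chain anchor before the first record

    def __init__(self):
        self._records = []  # list of (compressed_raw_bytes, chain_hash_bytes)

    def append(self, raw_line):
        """Store one line verbatim; return the hex chain hash of the new record."""
        raw = raw_line.encode("utf-8")
        prev = self._records[-1][1] if self._records else self.GENESIS
        chain_hash = hashlib.sha256(prev + raw).digest()
        self._records.append((zlib.compress(raw), chain_hash))
        return chain_hash.hex()

    def head(self):
        """Hex hash of the latest record; record this out-of-band (e.g. in a
        signed daily attestation) so a full rewrite of the chain is also caught."""
        return (self._records[-1][1] if self._records else self.GENESIS).hex()

    def verify(self):
        """Recompute every link from GENESIS; False on the first mismatch."""
        prev = self.GENESIS
        for compressed, stored in self._records:
            raw = zlib.decompress(compressed)
            if hashlib.sha256(prev + raw).digest() != stored:
                return False
            prev = stored
        return True

    def export_native(self):
        """Return the archived lines byte-for-byte as originally received."""
        return [zlib.decompress(c).decode("utf-8") for c, _ in self._records]


def tamper_demo():
    """Return (verify_before, verify_after) around a simulated in-place edit
    of the first archived record, i.e. the write that WORM media refuse."""
    store = RawLogStore()
    for line in SAMPLE_LINES:
        store.append(line)
    before = store.verify()
    compressed, stored_hash = store._records[0]
    edited = zlib.decompress(compressed).replace(b"Accepted", b"Failed  ")
    store._records[0] = (zlib.compress(edited), stored_hash)  # same length, same hash field
    after = store.verify()
    return before, after


if __name__ == "__main__":
    s = RawLogStore()
    for line in SAMPLE_LINES:
        s.append(line)
    print("chain ok:", s.verify(), "head:", s.head()[:16])
    print("tamper detected:", tamper_demo() == (True, False))
```

Hash chaining only proves the archive is consistent with itself; to show a court that nothing was rewritten wholesale, the `head()` value has to be periodically recorded somewhere the log system cannot alter, which is the role the WORM medium plays in the appliance described above.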
