Interview coming up, SIEM log question
matai
Hey all,
I'm going in for a face to face interview soon and the HR person said that some days I could spend 75% of the day looking through AlienVault logs. This is not something I have much experience with, anybody have some tips on how I could quickly ramp up my log reviewing knowledge/skills?
Thanks!
Comments
Chitownjedi
Understand that logs get turned into events by a priority-based system, usually risk-based; however, this can be overridden by a global log processing rule if you want to change how the log is handled when being indexed.
Usually some pull mechanism is used for pulling logs into a centralized data collector, which forwards logs to a data processor where metadata and field translations happen. When there isn't an MPE or parsing rule available you may have to build a custom one, which usually requires significant regex experience.
Sometimes an agent goes on the host to package and compress logs from complex log types that aren't natively handled by AlienVault or whatever your SIEM platform can do.
Using some alarm rule-based engine to create correlated events is needed. (Someone logs into a machine, creates an elevated account, removes audit logs) could be one rule, where all those steps have to take place in that order before it triggers the alarm. Also, timers can be set between events to make sure the time frame is within an hour, versus indefinitely.
Tuning out false positives is a must. Being able to create reports based off events that show compliance or regulatory adherence is a help. You don't want to be looking at logs if you can help it; you want to be looking at alarms or alerts that are triggered from logs, that have been tuned either via threshold or very risky behavior. This will lead you to viewing the events that triggered them and being able to infer if it's a legit problem or an operational misconfiguration or anomaly.
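The ordered correlation rule with a timer that the comment above describes (logon, then privileged account creation, then audit log cleared, all within an hour, in that order) looks roughly like this when written out by hand. This is an added example, not code from the original post or from AlienVault; the key=value log lines are constructed, and mapping the three steps to Windows Security event IDs 4624, 4720 and 1102 is an assumption made for the example, not something the thread states.

```python
from datetime import datetime, timedelta

# Assumption for this example: map the three steps in the thread to Windows
# Security event IDs. Substitute whatever your SIEM normalizes these to.
LOGON = "4624"             # An account was successfully logged on
ACCOUNT_CREATED = "4720"   # A user account was created
AUDIT_LOG_CLEARED = "1102" # The audit log was cleared
SEQUENCE = (LOGON, ACCOUNT_CREATED, AUDIT_LOG_CLEARED)

# Constructed sample log lines (not real data), already normalized to key=value.
# srv01/alice: full sequence in order within an hour  -> should alarm
# srv02/bob:   same three events but out of order       -> no alarm
# srv03/carol: in order, but 1h30 from first to last    -> no alarm at 1h window
SAMPLE_LOGS = """\
2019-03-04T10:00:12Z host=srv01 event_id=4624 user=alice
2019-03-04T10:05:40Z host=srv01 event_id=4720 user=alice
2019-03-04T10:20:03Z host=srv01 event_id=1102 user=alice
2019-03-04T11:00:00Z host=srv02 event_id=1102 user=bob
2019-03-04T11:05:00Z host=srv02 event_id=4624 user=bob
2019-03-04T11:10:00Z host=srv02 event_id=4720 user=bob
2019-03-04T09:00:00Z host=srv03 event_id=4624 user=carol
2019-03-04T09:30:00Z host=srv03 event_id=4720 user=carol
2019-03-04T10:30:00Z host=srv03 event_id=1102 user=carol
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(lines, window=timedelta(hours=1)):
    """Return one alarm per (host, user) that completes SEQUENCE in order within `window`.

    State per (host, user): index of the next expected step, timestamp of the
    first step, and the timestamps seen so far. Out-of-order events do not
    advance the sequence; exceeding the window from the first step resets it.
    """
    state = {}
    alarms = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        key = (ev["host"], ev["user"])
        idx, first_ts, seen = state.get(key, (0, None, []))

        # Timer: partial matches older than the window are discarded.
        if first_ts is not None and ev["ts"] - first_ts > window:
            idx, first_ts, seen = 0, None, []

        if ev["event_id"] == SEQUENCE[idx]:
            if idx == 0:
                first_ts = ev["ts"]
            seen = seen + [ev["ts"]]
            idx += 1
            if idx == len(SEQUENCE):
                alarms.append({"host": ev["host"], "user": ev["user"],
                               "first": seen[0], "last": seen[-1]})
                idx, first_ts, seen = 0, None, []
        elif ev["event_id"] == SEQUENCE[0]:
            # A fresh logon restarts the sequence instead of being ignored.
            idx, first_ts, seen = 1, ev["ts"], [ev["ts"]]

        state[key] = (idx, first_ts, seen)
    return alarms


def run_sample(window=timedelta(hours=1)):
    """Run the rule over the constructed sample with the given timer window."""
    return correlate(SAMPLE_LOGS.splitlines(), window=window)


if __name__ == "__main__":
    for alarm in run_sample():
        print(f"ALARM {alarm['host']} {alarm['user']} {alarm['first']} -> {alarm['last']}")
```

Widening the timer is where the tuning trade-off shows up: with a two-hour window carol's sequence also fires, so the threshold decides whether that is a missed detection or a false positive for your environment.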
dmoore44
For a more practical answer... Download and install Splunk or GrayLog and start sending logs to it. This will work best if you have multiple machines you can export logs from. You could also see if your modem/router supports syslog.
From there, you just need to start logging things. Check out this page on configuring logging settings for Server 2008/Vista/7:
https://blogs.technet.microsoft.com/askds/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista/
bigdogz
It siems you will have better knowledge by going through logs.
...sorry. I just could not avoid it.
Good Luck !!!
LaSeeno
Download and install AlienVault OSSIM. And watch the demos.