On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
> Ahah, I suggested it to Frederic one year ago. But we need to salt
> all VMs with auditd policy, rsyslog forward, HIDS, build a repo,
> syslog-ng and the most difficult part... do you know any SIEM
> that doesn't eat the power? xD

Well, we should not aim to create a full SIEM in this project, but "only" a log collecting (and parsing) VM, and the stuff needed for this.

As log collecting (and parsing) is the very first requirement of every SIEM, we can't skip this part. As I already did it (see my blog): basic log parsing can be done by syslog-ng (or maybe rsyslog, or nxlog) with only very small resources needed.

The Qubes specific part would be the "special" log forwarding, instead of using the TCP/UDP network. But the solution is already here: see the current template network access method.

Then, if we have the architecture and the Qubes specific log collecting solution, we can start extending it by defining what kind of logs we need, and what we can do with them...

But to jump ahead, and answer your question: as you may read on my blog, I started a tiny SIEM-like project which runs on my home NAS. And this thing has only 512Mb RAM total. :) Of course it does not work like the big huge ELK/Splunk/Qradar, but something like well defined daily statistics instead. I would say that is a good start for seeing what happened in our home network. And I think the same should apply for a Qubes box.

--
Zrubi

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/d278b28a-cdc2-5993-d33b-28ea5a5bc35c%40zrubi.hu.
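The "well defined daily statistics" approach Zrubi describes, as an added illustration that is not part of the thread and not code from Zrubi's NAS project: a small parser for BSD-style syslog lines (the format syslog-ng or rsyslog would forward to a log-collecting VM) that aggregates per-day counts by host and program, flags a few authentication-related messages, and counts lines it could not parse. The log lines, host names (work, sys-net, vault), the year used to complete the timestamps, and the indicator substrings are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# BSD syslog (RFC 3164) line: "Apr 15 08:36:01 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample lines (not real logs), as they would arrive at a log-collecting VM.
SAMPLE_LOGS = """\
Apr 15 08:36:01 work sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2
Apr 15 08:36:03 work sshd[1234]: Failed password for root from 10.0.0.5 port 2223 ssh2
Apr 15 08:40:12 work sshd[1300]: Accepted publickey for user from 10.0.0.7 port 50022 ssh2
Apr 15 09:01:00 sys-net kernel: eth0: link up
Apr 15 09:01:01 sys-net NetworkManager[500]: <info> device (eth0): state change
this line is garbage and should be counted as unparsed
Apr 16 00:00:05 work cron[2000]: (root) CMD (run-parts /etc/cron.daily)
Apr 16 02:15:30 vault sudo[3000]: pam_unix(sudo:auth): authentication failure; logname=user
"""

# Message substrings worth counting per day (assumed categories, not a standard).
INDICATORS = {
    "Failed password": "ssh_auth_failure",
    "authentication failure": "pam_auth_failure",
    "Accepted publickey": "ssh_login",
}


def parse_line(line, year=2019):
    """Return the fields of one BSD syslog line, or None if it does not parse.
    BSD syslog carries no year, so the caller supplies one (assumed 2019 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "date": ts.date().isoformat(),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def daily_stats(text, year=2019):
    """Aggregate syslog text into per-day counts; unparsable lines are counted, not dropped silently."""
    stats = {
        "per_day_host_prog": defaultdict(Counter),
        "per_day_indicator": defaultdict(Counter),
        "unparsed": 0,
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line, year)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["per_day_host_prog"][rec["date"]][(rec["host"], rec["prog"])] += 1
        for needle, category in INDICATORS.items():
            if needle in rec["msg"]:
                stats["per_day_indicator"][rec["date"]][category] += 1
    return stats


def report(stats):
    """Render the daily statistics as plain text, one section per day."""
    lines = []
    for day in sorted(stats["per_day_host_prog"]):
        lines.append(f"== {day} ==")
        for (host, prog), n in sorted(stats["per_day_host_prog"][day].items()):
            lines.append(f"  {host:10} {prog:16} {n}")
        for category, n in sorted(stats["per_day_indicator"][day].items()):
            lines.append(f"  indicator {category}: {n}")
    lines.append(f"unparsed lines: {stats['unparsed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(daily_stats(SAMPLE_LOGS)))
```

The unparsed counter matters in practice: a sudden rise in it usually means a sender changed its log format (or something is injecting malformed lines), which is itself worth noticing on a box with no full SIEM behind it.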
