Ok, I will check your blog tonight. rsyslog is already inside each system. Better to use it instead of installing syslog-ng. Even if ng is better :)
On Mon, 15 Apr 2019 at 09:37, Zrubi <[email protected]> wrote:
> On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
> > Ahah, I suggested it to Frederic one year ago. But we need to salt
> > all VMs with auditd policy, rsyslog forward, HIDS, build a syslog-ng
> > repo and the most difficult part... do you know of any SIEM
> > that doesn't eat all the power? xD.
> Well, we should not aim to create a full SIEM in this project, but
> "only" a log collecting (and parsing) VM, and the stuff needed for this.
>
> As log collecting (and parsing) is the very first requirement of every
> SIEM, we can't skip this part. As I already did it (see my blog):
> basic log parsing can be done by syslog-ng (or maybe rsyslog, or
> nxlog) with only very small resources needed.
>
> The Qubes specific part would be the "special" log forwarding, instead
> of using TCP/UDP network. But the solution is already here: see the
> current template network access method.
>
> Then, if we have the architecture and the Qubes specific log
> collecting solution we can start extending it by defining what kind
> of logs we need, and what we can do with them...
>
> But to jump ahead, and answer your question:
> As you may read on my blog, I started a tiny SIEM-like project which
> runs on my home NAS. And this thing has only 512Mb RAM total. :)
>
> Of course it does not work like the big huge ELK/Splunk/Qradar, but
> something like well defined daily statistics instead. I would say that
> is a good start to see what happened in our home network. And I
> think the same should apply for a Qubes box.
>
> --
> Zrubi
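The "well defined daily statistics instead of a full SIEM" idea from the quoted message, as an added example that is not part of the thread or of any Qubes or syslog-ng code: a small parser for RFC 3164-style syslog lines forwarded from several qubes that rolls them into per-day, per-VM counters (failed SSH logins, sudo commands, failed audit events). The log lines, qube names and addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: lines as a log-collecting VM might receive
# them from qubes named "work" and "personal". Not real logs.
SAMPLE_LOGS = """\
Apr 15 08:36:01 work sshd[812]: Failed password for root from 10.137.0.9 port 51022 ssh2
Apr 15 08:36:07 work sshd[812]: Failed password for root from 10.137.0.9 port 51023 ssh2
Apr 15 09:01:44 personal sudo[2231]: user : TTY=pts/0 ; COMMAND=/usr/bin/apt update
Apr 15 09:37:12 work audit[1]: USER_LOGIN pid=905 uid=0 res=failed
Apr 16 00:12:30 personal sshd[300]: Accepted publickey for user from 10.137.0.5 port 4010 ssh2
Apr 16 07:45:00 work sudo[4100]: user : TTY=pts/1 ; COMMAND=/usr/bin/systemctl restart rsyslog
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_line(line, year=2019):
    """Split one syslog line into date, host, program and message (None if malformed).
    RFC 3164 timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"date": ts.date().isoformat(), "host": m["host"], "prog": m["prog"], "msg": m["msg"]}

def daily_stats(text):
    """Return {date: {host: Counter}} with per-qube counts of events worth a daily look."""
    stats = defaultdict(lambda: defaultdict(Counter))
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not allowed to break the report
        c = stats[ev["date"]][ev["host"]]
        c["total"] += 1
        if ev["prog"] == "sshd" and ev["msg"].startswith("Failed password"):
            c["ssh_failed"] += 1
        if ev["prog"] == "sudo" and "COMMAND=" in ev["msg"]:
            c["sudo_cmd"] += 1
        if ev["prog"] == "audit" and "res=failed" in ev["msg"]:
            c["audit_failed"] += 1
    return stats

if __name__ == "__main__":
    for day, hosts in sorted(daily_stats(SAMPLE_LOGS).items()):
        for host, c in sorted(hosts.items()):
            print(day, host, dict(c))
```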
