https://simple-evcorr.github.io

On Mon, 15 Apr 2019 at 12:26, Scarpafo Scarpafo <[email protected]>
wrote:

> Ok,
> Read your blog. Nice.
> I think before anything technical we have to define the Supervision
> Policy.
> What are we facing?
> Where?
> .....
>
> On Mon, 15 Apr 2019 at 11:54, Scarpafo Scarpafo <[email protected]>
> wrote:
>
>> Ok, I will check your blog tonight.
>> rsyslog is already inside each system. Better to use it instead of
>> installing syslog-ng. Even if ng is better :)
>>
>> On Mon, 15 Apr 2019 at 09:37, Zrubi <[email protected]> wrote:
>>
>>> On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
>>> > Haha, I suggested it to Frederic one year ago. But we need to salt
>>> > all VMs with an auditd policy, rsyslog forwarding, a HIDS, build a
>>> > syslog-ng repo, and the most difficult part... do you know any SIEM
>>> > that doesn't eat all the power? xD.
>>> Well, we should not aim to create a full SIEM in this project, but
>>> "only" a log collecting (and parsing) VM, and the stuff needed for this.
>>>
>>> As log collecting (and parsing) is the very first requirement of every
>>> SIEM, we can't skip this part. As I already did it (see my blog):
>>> basic log parsing can be done by syslog-ng (or maybe rsyslog, or
>>> nxlog) with only very small resources needed.
>>>
>>> The Qubes specific part would be the "special" log forwarding, instead
>>> of using TCP/UDP network. But the solution is already here: see the
>>> current template network access method.
>>>
>>> Then, if we have the architecture and the Qubes specific log
>>> collecting solution, we can start extending it by defining what kind
>>> of logs we need, and what we can do with them...
>>>
>>> But to jump ahead, and answer your question:
>>> As you may read on my blog, I started a tiny SIEM-like project which
>>> runs on my home NAS. And this thing has only 512 MB of RAM in total. :)
>>>
>>> Of course it does not work like the big huge ELK/Splunk/Qradar, but
>>> gives something like well defined daily statistics instead. I would say
>>> that is a good start for seeing what happened in our home network. And I
>>> think the same should apply for a Qubes box.
>>>
>>> --
>>> Zrubi
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/CALwLNsm4%3DTgJVD_ptHjj7L6CAwvGmvdsJ0OyO9829JBmmX1_fQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
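Added example, not code from Zrubi, Scarpafo or the Qubes project: a sketch of the two pieces Zrubi separates above, the Qubes-specific forwarding done over qrexec instead of TCP/UDP (the same mechanism the template updates proxy relies on), and the "well defined daily statistics" side on top of the collected files. What is real Qubes behaviour: a qrexec service in the target VM is a script under /etc/qubes-rpc/, it receives the caller's stdin, and qrexec sets QREXEC_REMOTE_DOMAIN to the calling VM's name. Everything else is assumed: the service name my.LogSink and the directory /var/log/qubes-collected are hypothetical, the script is assumed to be installed as /etc/qubes-rpc/my.LogSink in the log-collecting VM with a dom0 qrexec policy entry that allows the sending VMs to call it, and each VM is assumed to pipe its syslog lines into `qrexec-client-vm <log-vm> my.LogSink` (for instance from rsyslog's omprog output module). The security point the code makes: the collector names files after the dom0-supplied domain name, never after anything in the data, and treats every line as untrusted, since a compromised VM can send control characters, terminal escapes and oversized lines. The sample log lines are constructed.

```python
"""Added example (not Qubes or list-member code): qrexec log sink plus daily stats."""
import io
import os
import re
import sys
import tempfile
from collections import Counter, defaultdict

MAX_LINE = 2048
LOGDIR = "/var/log/qubes-collected"   # assumed location, not a Qubes default

# RFC 3164 style line: "Apr 15 09:37:01 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def domain_name_ok(name: str) -> bool:
    """Accept only plain VM names; dom0 sets the name, but this keeps a
    malformed value from ever becoming a path component."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,63}", name) is not None


def sanitize(line: str) -> str:
    """Strip control characters (CR, NUL, ESC ...) and cap the length, so one
    received line is stored as exactly one line and cannot smuggle terminal
    escape sequences into whatever later displays the log."""
    cleaned = "".join(ch for ch in line if ch.isprintable() or ch == "\t")
    if len(cleaned) > MAX_LINE:
        cleaned = cleaned[:MAX_LINE] + " [truncated]"
    return cleaned


def sink(remote_domain: str, stream, logdir: str) -> int:
    """Body of the qrexec service: append the caller's lines to
    <logdir>/<caller>.log. Returns the number of lines stored."""
    if not domain_name_ok(remote_domain):
        raise ValueError("unexpected remote domain name")
    path = os.path.join(logdir, remote_domain + ".log")
    stored = 0
    with open(path, "a", encoding="utf-8") as out:
        for raw in stream:
            line = sanitize(raw.rstrip("\r\n"))
            if line:
                out.write(line + "\n")
                stored += 1
    return stored


def parse_line(line: str):
    """Split a stored syslog line into its fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = f"{rec['mon']} {int(rec['day']):02d}"
    return rec


def daily_stats(logdir: str):
    """Per day, count messages per (VM, program). Unparsable lines are counted
    per VM rather than dropped: a jump in them is itself worth a look."""
    stats = defaultdict(Counter)
    unparsed = Counter()
    for name in sorted(os.listdir(logdir)):
        if not name.endswith(".log"):
            continue
        vm = name[:-4]
        with open(os.path.join(logdir, name), encoding="utf-8") as fh:
            for line in fh:
                rec = parse_line(line.rstrip("\n"))
                if rec is None:
                    unparsed[vm] += 1
                else:
                    stats[rec["date"]][(vm, rec["prog"])] += 1
    return dict(stats), dict(unparsed)


# Constructed sample standing in for what two VMs would pipe through
# "qrexec-client-vm <log-vm> my.LogSink". The second "work" line carries a
# terminal escape and a CR, as a hostile sender might send.
SAMPLE = {
    "work": (
        "Apr 15 09:37:01 work sshd[412]: Accepted publickey for user from 10.137.0.9\n"
        "Apr 15 09:38:10 work sudo[520]: \x1b[2J\rfake line injected\n"
        "garbage without structure\n"
    ),
    "personal": (
        "Apr 15 12:26:00 personal CRON[77]: (root) CMD (run-parts /etc/cron.hourly)\n"
        "Apr 16 00:00:01 personal CRON[78]: (root) CMD (run-parts /etc/cron.daily)\n"
    ),
}


def demo():
    """Run the sink and the statistics over the constructed sample offline."""
    logdir = tempfile.mkdtemp()
    stored = {vm: sink(vm, io.StringIO(text), logdir) for vm, text in SAMPLE.items()}
    stats, unparsed = daily_stats(logdir)
    return stored, stats, unparsed


if __name__ == "__main__":
    if "QREXEC_REMOTE_DOMAIN" in os.environ:   # invoked by qrexec as the service
        os.makedirs(LOGDIR, exist_ok=True)
        sink(os.environ["QREXEC_REMOTE_DOMAIN"], sys.stdin, LOGDIR)
    else:                                      # offline demonstration
        for part in demo():
            print(part)
```

Run outside Qubes it only prints the demo results; installed as the service it reads the calling VM's lines from stdin. The daily statistics stay cheap because nothing is indexed, which is the "small resources" trade-off of the thread: a daily per-VM, per-program count is the first thing to look at, not a query engine.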
