On Mon, Apr 15, 2019 at 12:26:43PM +0200, Scarpafo Scarpafo wrote:
> Ok,
> Read your blog. Nice.
> I think before everything of technique we have to define the Supervision
> Policy.
> What are we facing?
> Where?
> .....
>
> On Mon, Apr 15, 2019 at 11:54, Scarpafo Scarpafo <[email protected]> wrote:
>
> > Ok i will check your blog tonight.
> > rsyslog is already inside each system. Better to use it instead of installing
> > syslog-ng. Even if ng is better :)
> >
> > On Mon, Apr 15, 2019 at 09:37, Zrubi <[email protected]> wrote:
> >
> >> On 4/15/19 8:36 AM, Scarpafo Scarpafo wrote:
> >> > Ahah i suggested it to Frederic one year ago. But we need to salt
> >> > all VMs with auditd policy, rsyslog forward, hids, build a repo
> >> > syslog-ng and the most difficult part... do you know any SIEM
> >> > without eating the power? xD.
> >> Well, we should not aim to create a full SIEM in this project, but
> >> "only" a log collecting (and parsing) VM, and the stuff needed for this.
> >>
> >> As log collecting (and parsing) is the very first requirement of every
> >> SIEM, we can't skip this part. As I already did it (see my blog):
> >> basic log parsing can be done by syslog-ng (or maybe rsyslog, or
> >> nxlog) with only very small resources needed.
> >>
> >> The Qubes specific part would be the "special" log forwarding, instead
> >> of using TCP/UDP network. But the solution is already here: see the
> >> current template network access method.
> >>
> >> Then, if we have the architecture and the Qubes specific log
> >> collecting solution we can start extending it by defining what kind
> >> of logs we need, and what we can do with them...
> >>
> >> But to jump ahead, and answer your question:
> >> As you may read on my blog, I started a tiny SIEM-like project which
> >> runs on my home NAS. And this thing has only 512Mb RAM total. :)
> >>
> >> Of course it does not work like the big huge ELK/Splunk/Qradar, but
> >> something like well defined daily statistics instead. I would say that
> >> is a good start by seeing what happened in our home network. And I
> >> think the same should apply for a Qubes box.
> >>
> >> --
> >> Zrubi
Please don't top post. It makes it much more difficult to follow the thread.
