4. SOC STATISTICS
Get ready for (over)size
SIEM METRICS
2862 log sources
>11 000 events per second
> 700 000 flows per minute
DAILY STATS
67-145 GB of raw event logs per day
37-53 GB of network communication (flow) events per day
QRADAR CORE
45 virtual servers
2 hardware servers (QFlow)
1 archive server
8. LOGGING CHALLENGES
SYSLOG
Standard syslog message size (RFC 5424): a receiver only has to accept 480 octets and should accept 2048, so longer messages may be truncated on the way in
WINDOWS
Security log permissions on Windows 7 / Server 2008+ (a collector account needs Event Log Readers membership or an explicit channel ACL entry to read the Security log)
DATABASES
What to log?
LOGS ON THE FILE SYSTEM
IIS, Exchange and so on
IN-HOUSE DEVELOPMENT
NON-STANDARD LOGS
Arista, 1C, Wallarm…
9. STANDARD SOURCES
WINDOWS
• Event collectors vs. agents
• Extended system audit
• Non-English logs
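The "non-English logs" point in practice: the rendered message text of a Windows event changes with the host locale, but the EventID and the named EventData fields do not, so detection logic has to key on those. The following is an added example (not code from the deck) that parses two constructed, trimmed Windows Security events, one rendered in English and one in Russian, and shows a text-based check failing where an EventID-based check holds. The computer name, user name and IP address are made up.

```python
"""Locale-independent parsing of Windows Security events.

Added example, not code from the original deck. Forwarded Windows events carry
the rendered message in RenderingInfo, in whatever language the source host
uses; the EventID and the named EventData fields are the same everywhere, so
detection logic must key on those. The two sample events below are constructed
and trimmed (real events carry more System elements such as TimeCreated).
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one failed network logon (4625, LogonType 3), as rendered
# on an English and on a Russian host. Only RenderingInfo differs.
# %-formatting is used because the provider GUID contains braces.
_EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"
              Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.23</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
  <RenderingInfo Culture="%(culture)s">
    <Message>%(message)s</Message>
  </RenderingInfo>
</Event>"""

EN_EVENT = _EVENT_TEMPLATE % {"culture": "en-US",
                              "message": "An account failed to log on."}
RU_EVENT = _EVENT_TEMPLATE % {"culture": "ru-RU",
                              "message": "Учетной записи не удалось выполнить вход в систему."}

# Small ID table for the Security channel; the label never depends on locale.
SECURITY_EVENTS = {
    1102: "audit_log_cleared",
    4624: "logon_success",
    4625: "logon_failure",
    4672: "special_privileges_assigned",
    4720: "user_created",
    4728: "member_added_to_global_group",
    4732: "member_added_to_local_group",
    4756: "member_added_to_universal_group",
}


def parse_event(xml_text):
    """Extract System fields, EventData by Name, and the rendered message."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    ri = root.find("e:RenderingInfo", NS)
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": data,
        "culture": ri.get("Culture") if ri is not None else None,
        "message": ri.findtext("e:Message", namespaces=NS) if ri is not None else None,
    }


def by_message(event):
    """Fragile: matches the rendered text, so it only fires on English hosts."""
    return event["message"] == "An account failed to log on."


def by_event_id(event):
    """Robust: matches the numeric ID and the structured LogonType field."""
    return (event["channel"] == "Security"
            and event["event_id"] == 4625
            and event["data"].get("LogonType") == "3")


def describe(event):
    """Locale-independent label for the event, from the ID table."""
    return SECURITY_EVENTS.get(event["event_id"],
                               "unmapped:%d" % event["event_id"])


if __name__ == "__main__":
    for raw in (EN_EVENT, RU_EVENT):
        ev = parse_event(raw)
        print(ev["culture"], describe(ev), "text-match:", by_message(ev),
              "id-match:", by_event_id(ev), "user:", ev["data"]["TargetUserName"])
```

The same approach applies to any SIEM parser or correlation rule: normalise on EventID plus EventData names, and treat the Message element as display text only.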
10. STANDARD SOURCES
*NIX-LIKE
• Syslog as a standard
• TCP syslog + network issues = pain (google: "TCP is not reliable"): plain TCP syslog has no application-level acknowledgement, so whatever sits in the sender's socket buffer when the connection drops is lost while the sender believes it was delivered
• UDP syslog message size (a datagram larger than the path MTU is fragmented or dropped, and a receiver may truncate at 480 octets)
• Auditd: what to log?
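The syslog message size problem from slides 8 and 10, made measurable. This is an added example, not code from the deck: it builds and parses RFC 5424 messages and reports a message's size against the limits fixed in RFC 5424 (receivers must accept 480 octets, should accept 2048), RFC 5426 (UDP senders should stay under 480 octets on IPv4 and 1180 on IPv6) and RFC 3164 (1024-octet legacy packets), and shows what a receiver that truncates at the minimum keeps. The sample messages, host and application names are constructed.

```python
"""Size checks for RFC 5424 syslog messages.

Added example, not code from the original deck: it builds and parses RFC 5424
messages and reports whether a message fits the UDP and legacy limits, so the
"UDP syslog message size" problem can be measured rather than guessed at.
"""
import re
from datetime import datetime, timezone

# Limits taken from the RFCs (octets, whole message including the header):
RFC5424_MUST_ACCEPT = 480     # RFC 5424 s6.1: every receiver MUST accept this
RFC5424_SHOULD_ACCEPT = 2048  # RFC 5424 s6.1: receivers SHOULD accept this
RFC5426_UDP_IPV4 = 480        # RFC 5426 s3.2: sender SHOULD NOT exceed (IPv4)
RFC5426_UDP_IPV6 = 1180       # RFC 5426 s3.2: sender SHOULD NOT exceed (IPv6)
RFC3164_MAX = 1024            # RFC 3164 s4.1: legacy BSD syslog packet cap

_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def build_message(facility, severity, host, app, msg, sd="-",
                  procid="-", msgid="-", ts=None):
    """Assemble an RFC 5424 message; PRI is facility*8 + severity."""
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    head = "<%d>1 %s %s %s %s %s %s" % (pri, ts, host, app, procid, msgid, sd)
    return "%s %s" % (head, msg) if msg else head


def _split_sd(rest):
    """Split STRUCTURED-DATA from MSG. SD is '-' or one or more [id k="v" ...]."""
    if rest.startswith("-"):
        return {}, rest[2:]
    sd, i = {}, 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        while j < len(rest) and rest[j] != "]":
            j += 2 if rest[j] == "\\" else 1      # skip escaped \] \" \\
        sid, _, params = rest[i + 1:j].partition(" ")
        sd[sid] = {k: re.sub(r'\\(["\]\\])', r"\1", v)
                   for k, v in _PARAM_RE.findall(params)}
        i = j + 1
    return sd, (rest[i + 1:] if rest[i:i + 1] == " " else rest[i:])


def parse_message(raw):
    """Parse header, structured data and MSG of an RFC 5424 message."""
    m = _HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % raw[:40])
    pri = int(m.group("pri"))
    sd, msg = _split_sd(raw[m.end():])
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "app": m.group("app"), "procid": m.group("procid"),
            "msgid": m.group("msgid"), "sd": sd, "msg": msg}


def size_report(raw, ipv6=False):
    """Octet count of the message and which transport limits it fits."""
    n = len(raw.encode("utf-8"))
    udp_limit = RFC5426_UDP_IPV6 if ipv6 else RFC5426_UDP_IPV4
    return {"octets": n,
            "fits_udp": n <= udp_limit,
            "fits_rfc3164": n <= RFC3164_MAX,
            "fits_should_accept": n <= RFC5424_SHOULD_ACCEPT}


def truncate(raw, limit=RFC5424_MUST_ACCEPT):
    """Cut a message to `limit` octets without splitting a UTF-8 sequence.
    A minimal receiver is allowed to do exactly this, so everything past the
    limit (usually the tail of MSG, or trailing SD params) is silently lost."""
    return raw.encode("utf-8")[:limit].decode("utf-8", "ignore")


if __name__ == "__main__":
    long_msg = build_message(4, 6, "srv1", "app", "x" * 600,
                             ts="2024-01-01T00:00:00Z")
    print(size_report(long_msg))              # 642 octets: too big for IPv4 UDP
    print(size_report(long_msg, ipv6=True))   # fits the IPv6 recommendation
    print(len(truncate(long_msg)), "octets survive a minimal receiver")
```

Two things worth checking on a real deployment with this: multi-byte (non-ASCII) payloads count as octets, not characters, so a message that looks short can still exceed 480 octets; and a receiver that cuts at the limit will cut inside structured data or inside the message, which is why sources that emit long lines (web servers, WAFs) belong on TCP with octet-counting framing or on a larger configured receiver limit rather than on UDP.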
11. STANDARD SOURCES
DATABASES
Is login history enough?
Syslog vs. DB connection (the database forwarding its audit trail over syslog, or the SIEM polling the audit tables itself over JDBC)
IBM Guardium alerts
12. STANDARD SOURCES
NETWORK
Syslog for device-level events
QFlow, VFlow, NetFlow/J-Flow for traffic flows
13. NON-STANDARD SOURCES
NETWORK
Exotic network devices
INTERNAL
In-house development: business application logs
COUNTRY-SPECIFIC
1C and so on
SECURITY SYSTEMS
DBFW, NGFW, DLP, WAF, honeypots…