SIEM Log Server Groupwise / GMS / edir

Hi.

Does anyone use any log server in conjunction with Groupwise / GMS / edir to be able to see incorrect logins etc... without having to manually trawl through logs?

I just want to be able to keep an eye on logins without spending hours manually trawling through files.

Thinking of dumping all logs onto a log server that can alert me. Has anyone used any with Groupwise / OES that they are happy with and that works?

Thanks in advance.
  • booktrunk,

    That's an excellent question, I had the same. I am in the process of setting up netflows to a SOF-ELK system. I think you can just direct the specific logs you need from your Groupwise systems to your log aggregator(s) and do the tags/filtering/alerting before sending off to storage. That way you can set up an alert for invalid logins based on a certain threshold so you aren't getting alerts on every single log failure. I have some users who fail at least once a day; I don't care about those. I want to see the ones that are, say, more than 4 or 5 at a time (or higher depending on your lockout settings). Then you can alert on access attempts to disabled accounts as well, changes, etc. Whatever is logged that you are interested in, you can grab it and filter and alert on it.

    Val
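A threshold-based failed-login alert of the kind Val describes, as an added example that is not part of the original thread: it counts failures per user inside a sliding time window, so a user who fails once a day stays quiet while a burst above the threshold raises an alert. The log line format, host name and user names are constructed for the demo, not real GroupWise/POA output; adapt the regex to whatever your agent or aggregator emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines for this demo (NOT real GroupWise/POA output).
SAMPLE_LOGS = """\
2024-03-01 08:00:01 gw-poa LOGIN FAILED user=alice src=10.0.0.5
2024-03-01 08:00:12 gw-poa LOGIN OK user=alice src=10.0.0.5
2024-03-01 08:01:00 gw-poa LOGIN FAILED user=bob src=10.0.0.9
2024-03-01 08:01:05 gw-poa LOGIN FAILED user=bob src=10.0.0.9
2024-03-01 08:01:10 gw-poa LOGIN FAILED user=bob src=10.0.0.9
2024-03-01 08:01:15 gw-poa LOGIN FAILED user=bob src=10.0.0.9
2024-03-01 08:01:20 gw-poa LOGIN FAILED user=bob src=10.0.0.9
2024-03-01 09:00:00 gw-poa LOGIN FAILED user=carol src=10.0.0.7
2024-03-01 09:10:00 gw-poa LOGIN FAILED user=carol src=10.0.0.7
2024-03-01 09:20:00 gw-poa LOGIN FAILED user=carol src=10.0.0.7
2024-03-01 09:30:00 gw-poa LOGIN FAILED user=carol src=10.0.0.7
2024-03-01 09:40:00 gw-poa LOGIN FAILED user=carol src=10.0.0.7
"""

# Assumed line layout; replace with the pattern your log source actually uses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ LOGIN "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, result, user) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"]


def failed_login_alerts(log_text, threshold=5, window_seconds=300):
    """Return {user: peak_failures} for users reaching `threshold` failures
    inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failures = {}
    for ts, result, user in parse_events(log_text):
        if result == "FAILED":
            failures.setdefault(user, []).append(ts)
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts
```

With the defaults only bob (five failures in 20 seconds) alerts; carol's five failures spread over 40 minutes only trip the rule if the window is widened to an hour, which is the kind of tuning against lockout settings Val mentions.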
  • It might be overkill. But I'm thinking of using LogPoint, and starting it on Groupwise, which I can do on their free version, and then decide if I want to consider buying it and rolling it out to monitor more things.
  • Hi.

    Well other things came up and I really haven't got very far with this.

    So coming back to it. Is an ELK stack and DIY Splunk the way forward, or is there actually something out there that works? Don't mind paying if there is.

    Sentinel / ArcSight are MF; do either of these work? Or has anyone worked with another SIEM company and got it working so I don't have to start from scratch?


    Cheers

  • If all you're after is auditing logins to eDir/GW/GMS, then Sentinel would work fine and relatively easily, *IF* you use LDAP authentication in Groupwise, aka really authenticate against eDirectory when you log in to GW. Auditing native Groupwise logins unfortunately isn't all that easy, as Groupwise doesn't really provide an auditing interface. You'd have to write a connector parsing the log files.

    BTW:
    https://www.netiq.com/products/sentinel-log-manager/features/slm25.html