Well, other things came up and I really haven't gotten very far with this.
So, coming back to it: is an ELK stack and DIY Splunk the way forward, or is there actually something out there that works? I don't mind paying if there is.
Sentinel / ArcSight are MF; do either of these work? Or has anyone worked with another SIEM company and got it working, so I don't have to start from scratch?
If all you're after is auditing logins to eDir/GW/GMS, then Sentinel would work fine and is relatively easy, *IF* you use LDAP authentication in GroupWise, i.e. really authenticate against eDirectory when you log in to GW. Auditing native GroupWise logins unfortunately isn't all that easy, as GroupWise doesn't really provide an auditing interface. You'd have to write a connector parsing the log files.
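A sketch of the "connector parsing the log files" approach mentioned in the reply above, as an added example that is not from the post, from GroupWise, or from Sentinel. It reads login lines from a log, normalises them, renders each as a CEF event (the wire format ArcSight and most SIEMs accept) and flags source addresses with repeated failures. The log line layout, the vendor/product strings, the UTC assumption for timestamps and the field mapping are all assumptions for illustration; the real POA log layout has to be checked against your own files before the regex is adjusted.

```python
"""Toy log-file connector: parse login lines, emit CEF, flag repeated failures.

The log format below is constructed for this example. It is NOT the real
GroupWise POA log format; adjust LINE_RE once you have looked at your logs.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input in a hypothetical format (not a real GroupWise log).
SAMPLE_LOG = """\
2024-05-01 08:12:03 POA LOGIN OK user=jdoe ip=10.1.2.30 client=native
2024-05-01 08:12:09 POA LOGIN FAIL user=admin ip=203.0.113.7 reason=bad_password
2024-05-01 08:12:11 POA LOGIN FAIL user=admin ip=203.0.113.7 reason=bad_password
2024-05-01 08:12:14 POA LOGIN FAIL user=admin ip=203.0.113.7 reason=bad_password
2024-05-01 08:12:20 POA LOGIN OK user=asmith ip=10.1.2.31 client=native
2024-05-01 08:12:25 POA MAINT Cleanup started
2024-05-01 08:12:31 POA LOGIN FAIL user=jdoe ip=10.1.2.30 reason=bad_password
"""

# Only login lines are of interest; everything else is skipped by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) POA LOGIN "
    r"(?P<result>OK|FAIL)(?P<rest>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Return a normalised dict for a login line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    # Timestamps are assumed to be UTC; real logs are usually server-local time.
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "ts_ms": int(ts.timestamp() * 1000),
        "user": fields.get("user", ""),
        "src": fields.get("ip", ""),
        "success": m.group("result") == "OK",
        "reason": fields.get("reason", ""),
    }


def parse_log(text):
    """Parse a whole log file's text into a list of login events."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def _cef_header(value):
    # CEF header fields escape backslash and pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values escape backslash, equals sign and line breaks.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\n", "\\n").replace("\r", "\\r"))


def to_cef(ev):
    """Render one event as a CEF line; vendor/product names are placeholders."""
    sig = "login-ok" if ev["success"] else "login-fail"
    name = "Mail login succeeded" if ev["success"] else "Mail login failed"
    severity = "3" if ev["success"] else "5"
    ext = {
        "rt": str(ev["ts_ms"]),            # receipt time, epoch milliseconds
        "suser": ev["user"],               # source user name
        "src": ev["src"],                  # source IP
        "outcome": "success" if ev["success"] else "failure",
    }
    if ev["reason"]:
        ext["reason"] = ev["reason"]
    header = "|".join(_cef_header(h) for h in (
        "CEF:0", "ExampleVendor", "MailLogConnector", "1.0", sig, name, severity))
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


def failing_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logins: a crude brute-force signal."""
    fails = Counter(ev["src"] for ev in events if not ev["success"])
    return {ip: n for ip, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(to_cef(ev))
    print("Brute-force candidates:", failing_sources(evs))
```

In production the same parser would sit behind a file tailer (or the SIEM's own file-collector agent) and forward each CEF line over syslog; the escaping helpers matter because usernames taken from the log can contain `=` or `|` and would otherwise corrupt the event.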