stephan.winkler1 Absent Member.

Restricting Search on Specific Categories of Log Data and Management of Blacklists

We have a new opportunity in Germany where the customer has strong requirements on sensitive data. On the other hand, the full functionality of searching with regular expressions etc. is requested, so we might have an issue with the combination of requirements for the ArcSight Logger product.

Details of the requirements that might pose a problem:

1) The customer wants to use the full-fledged search functionality on the log data. On the other hand, he wants to ensure that users shall search only in parts of the logs, which shall be configurable by a kind of access control. So for specific categories of logs, only security or administrator staff or specific groups are allowed to apply searches. Disallowing the search function for a group or a user and relying only on reports is not an option, as we then no longer have the sophisticated search functions. We only see here the option to apply some kind of categorization on a connector and define specific report capabilities to overcome this security requirement, but with the downside listed above.

2) The customer would like to apply blacklists at regular time intervals for specific logs (e.g. IP addresses etc.), which can only be monitored by security staff. We see similar problems as in 1).

3) Some sensitive data shall be encrypted and not presented to normal users. However, security staff shall be allowed to see the information.

Has anybody seen similar requirements and/or has an answer for how this could be implemented?

Best regards,

Stephan

2 Replies
stephan.winkler1 Absent Member.

Re: Restricting Search on Specific Categories of Log Data and Management of Blacklists

We have studied the functionalities and options that the Logger provides for these requirements (we are new to this technical area). What we see as an option for the first two points is:

1) Define specific categories in the connectors depending on an access profile of the different groups that the customer would like to introduce, e.g. one group shall only search the syslogs of a specific telephony network (e.g. with normal sensitive data), other groups with highly sensitive data, e.g. on a database etc.

Then apply a group search (enforced event) filter in the Logger, which limits the search for any user that is a member of the group to the categories that have been defined and applied in the connectors before.

We are not yet sure if all requirements and categorizations can be met with the categorization function and its configuration file and options of the connectors, but hopefully it will, as we have only a limited set of log producers. It would be interesting to know if e.g. a kind of Java function could be used to define the category in addition to what can be done with the category config files.

2) This is similar to 1), and we think that a kind of blacklist category could help here. However, we may get potentially thousands or even more blacklist entries. It is questionable whether the category config approach with one row per entry is still efficient if we encounter, for instance, 30.000 blacklist entries. Maybe a (database) table-based approach would result in better performance. Does anybody have experience here?

3) This is still open. First of all, the connector needs to apply a kind of replacement on the original data, which should be easy. However, displaying the data to a special group is difficult. At first sight I would only see the option to encrypt it in the event and offer them a tool to decrypt it on demand. Another possibility could be to generate two events, where one event is encrypted and the other not, but with a different category, so that only special users are allowed to filter this. Any other ideas or comments?

Point 3 might be somewhat different from 1) and 2), and we should think about opening a separate thread for it.

Stephan

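As an added illustration (not code from this thread and not ArcSight's own; all rules, groups and events are constructed), here is a small Python model of the two-stage design sketched in 1) and 2), connector-side categorization followed by a Logger-side enforced group filter, extended with a keyed-hash replacement for the sensitive fields in 3) that stays searchable by equality but cannot be reversed:

```python
# Toy model (hypothetical, not ArcSight code) of the design discussed above:
# connector-side categorization, a Logger-side enforced group filter, and a
# keyed-hash pseudonymization for sensitive fields.
import hashlib, hmac, re
from dataclasses import dataclass, field
# Constructed blacklist; a set gives O(1) membership even at 30,000 entries,
# unlike a row-per-entry config file that is scanned linearly.
BLACKLIST = {"203.0.113.7", "198.51.100.23"}

# Constructed categorization rules applied to the reporting host name.
CATEGORY_RULES = [(re.compile(r"^telephony-pbx"), "telephony"),
                  (re.compile(r"^db-"), "database")]

# Constructed group search filters: the categories each group may see.
GROUP_FILTER = {"ops": {"telephony"},
                "security": {"telephony", "database", "blacklist"}}

@dataclass
class Event:
    host: str
    src_ip: str
    msg: str
    categories: set = field(default_factory=set)

def categorize(ev: Event) -> Event:
    """Connector stage: assign categories from host rules and the blacklist."""
    for rx, cat in CATEGORY_RULES:
        if rx.search(ev.host):
            ev.categories.add(cat)
    if ev.src_ip in BLACKLIST:
        ev.categories.add("blacklist")
    return ev

def search(events, group: str, pattern: str) -> list:
    """Logger stage: the user's regex is ANDed with the group filter; an event is
    visible only if all its categories are allowed (uncategorized: hidden)."""
    allowed = GROUP_FILTER.get(group, set())
    rx = re.compile(pattern)
    return [e for e in events
            if e.categories and e.categories <= allowed and rx.search(e.msg)]

def pseudonymize(value: str, key: bytes) -> str:
    """Connector-side replacement: same input -> same token, but not reversible."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
# Constructed sample events; src_ip 203.0.113.7 is on the blacklist.
SAMPLE_EVENTS = [categorize(e) for e in (
    Event("telephony-pbx1", "192.0.2.10", "user login ok"),
    Event("telephony-pbx2", "203.0.113.7", "user login failed"),
    Event("db-oracle1", "192.0.2.11", "user login ok"))]
```

With these inputs, a user in the "ops" group searching for "login" sees only the first event, while "security" sees all three; the blacklisted source is hidden from "ops" because an event carrying any disallowed category is withheld.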
Vini Acclaimed Contributor.

Re: Restricting Search on Specific Categories of Log Data and Management of Blacklists

The filtering option you mentioned is the best way forward: you define what each user group can see and apply filters to the groups. Users in those groups will not be able to see anything beyond what the filter allows. This, however, might require some work, as you have to specify what each group can search on.

Regarding the encryption, there is not much you can do about that. If you want to hide certain parts of the log message, you can scramble those at the connector. This, however, cannot be reversed, and therefore the security people will not be able to see the original values.
