booktrunk1

SIEM Log Server Groupwise / GMS / edir

Hi.

Does anyone use any log server in conjunction with GroupWise / GMS / eDir to be able to see incorrect logins etc. without having to manually trawl through logs?

I just want to be able to keep an eye on logins without spending hours manually trawling through files.

I'm thinking of dumping all logs onto a log server that can alert me. Has anyone used any with GroupWise / OES that they are happy with and that works?

Thanks in advance.
iliadmin1

Re: SIEM Log Server Groupwise / GMS / edir

booktrunk,

That's an excellent question, I had the same. I am in the process of setting up netflows to a SOF-ELK system. I think you can just direct the specific logs you need from your GroupWise systems to your log aggregator(s) and do the tags/filtering/alerting before sending off to storage. That way you can set up an alert for invalid logins based on a certain threshold so you aren't getting alerts on every single log failure. I have some users who fail at least once a day; I don't care about those. I want to see the ones that are, say, more than 4 or 5 at a time (or higher depending on your lockout settings). Then you can alert on access attempts to disabled accounts as well, changes, etc. Whatever is logged that you are interested in, you can grab it, filter it and alert on it.

Val

GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
booktrunk1
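The threshold approach Val describes (ignore the user who fails once a day, alert on a burst of failures, and alert on any attempt against a disabled account), as an added example that is not part of the original thread. The log line format, the sample lines and the disabled-account list are all constructed for illustration; a real GroupWise POA, GMS or eDirectory log needs its own regex in `LINE_RE`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified, hypothetical "timestamp LOGIN user= result=" format.
SAMPLE_LOG = """\
2019-03-04 08:00:01 LOGIN user=alice result=FAILED
2019-03-04 08:00:05 LOGIN user=alice result=OK
2019-03-04 08:10:00 LOGIN user=bob result=FAILED
2019-03-04 08:10:02 LOGIN user=bob result=FAILED
2019-03-04 08:10:04 LOGIN user=bob result=FAILED
2019-03-04 08:10:06 LOGIN user=bob result=FAILED
2019-03-04 08:10:08 LOGIN user=bob result=FAILED
2019-03-04 09:30:00 LOGIN user=carol result=FAILED
"""

# Constructed list of accounts that are disabled in the directory.
DISABLED_ACCOUNTS = {"carol"}

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) result=(\S+)$")


def parse_line(line):
    """Return (timestamp, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def detect(log_text, threshold=5, window=timedelta(minutes=10), disabled=DISABLED_ACCOUNTS):
    """Return alerts as (kind, user, timestamp) tuples.

    A 'failed_login_burst' fires when a user reaches `threshold` failures inside a
    sliding `window`; the window is then cleared so a later burst can fire again.
    A 'disabled_account_attempt' fires on any login attempt against a disabled account.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result = parsed
        if user in disabled:
            alerts.append(("disabled_account_attempt", user, ts))
        if result != "FAILED":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("failed_login_burst", user, ts))
            q.clear()
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed log flags bob's five failures within ten minutes and carol's attempt, and stays silent on alice's single failure.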

Re: SIEM Log Server Groupwise / GMS / edir

It might be overkill. But I'm thinking of using LogPoint, and starting it on GroupWise, which I can do on their free version, and then decide if I want to consider buying it and rolling it out to monitor more things.
booktrunk

Re: SIEM Log Server Groupwise / GMS / edir

Hi.

Well, other things came up and I really haven't got very far with this.

So coming back to it. Is an ELK stack and DIY Splunk the way forward, or is there actually something out there that works? Don't mind paying if there is.

Sentinel / ArcSight are MF; do either of these work? Or has anyone worked with another SIEM company and got it working, so I don't have to start from scratch?

Cheers

Knowledge Partner

Re: SIEM Log Server Groupwise / GMS / edir

If all you're after is auditing logins to eDir/GW/GMS, then Sentinel would work fine and relatively easily, *IF* you use LDAP authentication in GroupWise, i.e. really authenticate against eDirectory when you log in to GW. Auditing native GroupWise logins unfortunately isn't all that easy, as GroupWise doesn't really provide an auditing interface. You'd have to write a connector parsing the log files.

BTW:
https://www.netiq.com/products/sentinel-log-manager/features/slm25.html

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
booktrunk

Re: SIEM Log Server Groupwise / GMS / edir

Thanks, I'll take a look at it.