SIEM Log Server Groupwise / GMS / edir
Does anyone use a log server in conjunction with Groupwise / GMS / edir to be able to see incorrect logins etc. without having to manually trawl through logs?
I just want to be able to keep an eye on logins without spending hours manually trawling through files.
I'm thinking of dumping all logs onto a log server that can alert me. Has anyone used one with Groupwise / OES that they are happy with and that works?
Thanks in advance.
That's an excellent question; I had the same one. I am in the process of setting up netflows to a SOF-ELK system. I think you can just direct the specific logs you need from your Groupwise systems to your log aggregator(s) and do the tags/filtering/alerting before sending off to storage. That way you can set up an alert for invalid logins based on a certain threshold so you aren't getting alerts on every single log failure. I have some users who fail at least once a day; I don't care about those. I want to see the ones that are, say, more than 4 or 5 at a time (or higher depending on your lockout settings). Then you can alert on access attempts to disabled accounts as well, changes, etc. Whatever is logged that you are interested in, you can grab it and filter and alert on it.
GW 2018 & Mobility Service-Version: 18.1.0 Build: 410 on SLES 12SP3, GW Client 18.02 (Build 131493) on Windows 7 64bit; server OES 11 on SLES 11 SP3; eDirectory 9.1 on SLES12SP3 and eDirectory 8.8sp8 on SLES11 SP3
Well, other things came up and I really haven't got very far with this.
So, coming back to it: is an ELK stack or DIY Splunk the way forward, or is there actually something out there that works? I don't mind paying if there is.
Sentinel / ArcSight are MF; do either of these work? Or has anyone worked with another SIEM company and got it working, so I don't have to start from scratch?
If all you're after is auditing logins to eDir/GW/GMS, then Sentinel would work fine and is relatively easy, *IF* you use LDAP authentication in Groupwise, i.e. really authenticate against eDirectory when you log in to GW. Auditing native Groupwise logins unfortunately isn't all that easy, as Groupwise doesn't really provide an auditing interface. You'd have to write a connector parsing the log files.
Micro Focus Knowledge Partner
No emails please!
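As an added illustration (not code from any poster, and not a Micro Focus or GroupWise component), the sketch below shows the two ideas raised in this thread in one place: the "connector parsing the log files" that native GroupWise logins would need, and the threshold-style alerting from the SOF-ELK reply (burst of failures per user, plus any attempt against a disabled account, while a single daily mistype stays quiet). The log lines, their `LOGIN user=... result=...` layout, the account names and the `DISABLED_ACCOUNTS` set are all constructed for the example; the real POA/GMS log format is different and the regex is the part you would rewrite against your own files.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "LOGIN user=... result=..." layout.
# This is NOT the real GroupWise POA / GMS log format; LINE_RE below is the
# part you replace once you know what your own log files look like.
SAMPLE_LOG = """\
2024-03-01 08:00:01 LOGIN user=alice result=FAIL src=10.0.0.5
2024-03-01 08:00:05 LOGIN user=alice result=OK src=10.0.0.5
2024-03-01 08:10:00 LOGIN user=bob result=FAIL src=10.0.0.9
2024-03-01 08:10:02 LOGIN user=bob result=FAIL src=10.0.0.9
2024-03-01 08:10:04 LOGIN user=bob result=FAIL src=10.0.0.9
2024-03-01 08:10:06 LOGIN user=bob result=FAIL src=10.0.0.9
2024-03-01 08:10:08 LOGIN user=bob result=FAIL src=10.0.0.9
2024-03-01 09:00:00 LOGIN user=carol result=FAIL src=192.0.2.7
2024-03-01 09:00:00 LOGIN user=bob result=FAIL src=10.0.0.9
2024-03-01 09:00:03 garbage line that the parser must skip
"""

# Accounts that are disabled in the directory (constructed for the example; a
# real connector would read eDirectory's loginDisabled attribute over LDAP).
DISABLED_ACCOUNTS = {"carol"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGIN "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one login event, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def parse_log(text):
    """Parse a whole log file, silently dropping lines that don't match."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def detect(events, threshold=5, window=timedelta(minutes=5), disabled=DISABLED_ACCOUNTS):
    """Return alerts for (a) `threshold` or more failures by one user inside
    `window`, and (b) any login attempt against a disabled account.

    Failures below the threshold never alert, which is the point: users who
    mistype their password once a day stay out of the alert stream.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent FAILs
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] in disabled:
            alerts.append(("disabled_account_attempt", ev["user"], ev["ts"], 1))
        if ev["result"] != "FAIL":
            continue
        q = recent_failures[ev["user"]]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("burst_failed_logins", ev["user"], ev["ts"], len(q)))
            q.clear()  # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only bob's five failures in eight seconds and carol's attempt against a disabled account produce alerts; alice's one mistype does not. Pick `threshold` at or just below the intruder lockout limit you have configured in eDirectory, as the reply above suggests, so that you see the burst before (or as) the account locks rather than only after the help-desk call.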