ALM Log Sources

Buyer beware! The debate about how many log types are supported by different SIEM products can be extremely misleading. Many vendors claim support for a wide range of log types simply by listing every system and device they can think of that can forward events via Syslog. This is a relatively crude, insecure and inefficient method of collecting log data and will not provide a forensic audit trail. It can still have a role to play in some circumstances, and Assuria Log Manager supports Syslog collection as well, via its own built-in and improved Syslog server.


Ask your SIEM vendor to tell you how they actually collect and manage log data, specifically the method employed. This is where their proposition will often fall apart and where the limitations of the Syslog-only approach are laid bare. With ALM, there are numerous methods for the management and collection of log data, depending on the environment and on the relative importance of true log management and log data integrity.


Take Sourcefire as an example. The Syslog events are quite limited; the really useful audit and intrusion data (along with greater integrity) come from the Sourcefire eStreamer or JDBC APIs. ALM supports all three of these methods, whereas most current SIEM solutions can only use Syslog because the other methods don't fit into their limited range of supported formats. So, most other SIEMs make do with the limited-value Syslog data, and yet still claim full support of Sourcefire. Technically correct, but disingenuous at best! This depth of log data access is why, increasingly, ALM is the SIEM of choice for major SOC implementations.


Bear in mind also that, unlike most SIEM products, ALM can manage log data that includes binary data, video, images and many other forms of non-textual data. This is another example of true enterprise log collection.

Assuria Log Manager provides three distinct log collection methods: (1) via resident ALM agents, (2) via ALM agentless collection and (3) via Syslog forwarding, as follows:

Log collection methods - via ALM resident agents

• Binary Files
• Checkpoint OPSEC
• C / C# / Java plugin** (please see note below)
• HP HP-UX Trusted Mode audit
• HTTP / HTTPS
• IBM AIX 5L audit
• Linux audit (raw)
• Linux audit (ausearch)
• Microsoft SharePoint plugin
• Microsoft Exchange 2007 plugin
• Microsoft Windows event log .evt
• Microsoft Windows event log .evtx
• Microsoft Windows event log via WMI
• ODBC
• Oracle Solaris BSM
• Python script
• SNMP Traps
• Syslog
• Tcl script
• Text files / Rotated text files
• UNIX Pipe
• VMWare ESX 3.5


Log collection methods - via ALM agentless collection, where an ALM agent is not resident on the source system

• C / C# / Java plugin** (please see note below)
• Checkpoint OPSEC (R55, R61, R65, R70, R75)
• CIDEE
• ClearSwift Email
• ClearSwift Web
• HTTP / HTTPS
• Microsoft Windows event log via WMI
• ODBC
• Python script
• SDEE
• Syslog
• SNMP
• Sourcefire eStreamer
• Sourcefire JDBC
• Tcl script
• VMWare ESX 3.5, 4.0, 4.0i, 4.1, 4.1i


** Assuria-, partner- or customer-written ALM agent 'plugins'. A Log Source Development Kit (LSDK) is available from Assuria. The LSDK allows for the development of ALM agent 'plugins' for unusual log sources, or where the log / event data cannot be accessed or collected via one of the standard ALM supported collection methods. This means that logs from almost any source can be collected and secured.


Simply looking at the types of logs ALM can support, a wide range of log sources is supported out of the box, including those listed below (note: this is just a sample list; please contact Assuria for the full list of supported log sources):

• AIX Audit Log
• Apache Web Server
• AppGate
• Barracuda
• Bloxx
• CheckPoint
• Cisco IOS
• Cisco ASA
• Cisco CIDEE
• Cisco PIX Syslog Server
• ClearSwift Email (29 different logs)
• ClearSwift Web (54 different logs)
• DHCP
• Encrypted Web Traffic
• HP-UX Audit Log
• IBM DB2
• IBM Websphere
• JIRA Access Logs
• Juniper
• Juniper Syslog Server
• Kiwi syslog server
• Linux Daemon
• McAfee ePolicy Orchestrator
• McAfee NSM
• MS Windows .EVT
• MS Windows .EVTX logs
• MS SQL Server Error Log
• MS SQL Server Audit Log
• MS DNS Server Debug Logs
• MS IIS 5
• MS IIS 6
• MS IIS 7
• MS IIS 7.5
• MS IAS
• MS SharePoint
• MS Exchange Server 2003
• MS Exchange Server 2007
• NetFlow
• OPSEC LEA
• Oracle Directory Server - Access Logs
• Oracle Directory Server - Error Logs
• ODBC (i.e. SQL Db Query)
• Oracle Directory Server - Audit Logs
• Palo-Alto
• RHEL Audit Log
• Solaris BSM Logs
• SDEE
• SNMP Trap / Inform receiver
• Sophos
• Sourcefire eStreamer
• Sourcefire JDBC
• SuSE SLES Audit Log
• Symantec Netbackup
• Symantec Endpoint Protection
• Unix Daemon
• Unix/Linux Syslog
• Verint Ultra (call centre logs)
• VMware ESX
• VMware ESXi

Please note that the list of supported log types is growing rapidly through new customer implementations, so please ask for the latest list. ALM's architecture also means that almost any log type can be fully supported, even custom application logs, so please let us know what your log management needs are.

© Copyright 2011 Assuria Limited. All rights reserved worldwide.