Logs, SIEM, then planning

It seems so simple, at first. Then, things break down, I suspect because I start doing long before I start planning. If I were to stop and write it down first, it would probably look something like this:

  1. Make a list of devices on your network that are important.
  2. Make a list of things that could happen on your devices and network that you'd want to know about.
  3. Make sure your important devices are generating logs that capture those things (because they often don't by default).
  4. Make sure a copy of all those logs gets to a centralized server.
  5. Make sure that server can recognize the info it's received.
  6. Teach it what's important to you so it can let you know when it sees that.
  7. Set up some visualizations that show the important things in a way that's useful (after defining "useful").

This is getting more tricky as I go. I'm going to do my best to keep references to my environment consistent.

Lab/test environment

  • 192.168.130.101 - My workstation
  • 192.168.160.103 - The VM
  • 192.168.101.27 - Aruba switch

I've never worked with a SIEM but have dug through logs manually. I know I'm too human to correlate huge amounts of info across multiple systems so it makes perfect sense to have a system do that for me. I'm stuck on step 5.
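As an added example that is not part of the original post: a minimal version of steps 5 and 6, parsing RFC 3164-style syslog lines into fields a collector can recognize, then running one simple rule over them. The sample lines are constructed for the lab hosts listed above (they are not real Aruba or workstation output), and the rule, the threshold and the message wording are assumptions for illustration.

```python
import re
from collections import Counter

# RFC 3164 style line: "<PRI>Mon DD HH:MM:SS host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$"
)

# Constructed sample lines for the lab hosts in this post (not captured from real devices).
SAMPLE_LINES = [
    "<86>Mar  3 10:15:01 192.168.101.27 auth: User admin login failed from 192.168.130.101",
    "<86>Mar  3 10:15:04 192.168.101.27 auth: User admin login failed from 192.168.130.101",
    "<86>Mar  3 10:15:07 192.168.101.27 auth: User admin login failed from 192.168.130.101",
    "<30>Mar  3 10:15:09 192.168.160.103 sshd: Accepted publickey for lab from 192.168.130.101",
    "this line is not syslog at all",
]

def parse_syslog(line):
    """Step 5: turn a raw line into named fields. Returns None if the line is not recognized."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,   # e.g. 10 = authpriv, 3 = daemon
        "severity": pri % 8,    # 0 = emerg .. 7 = debug
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }

def failed_login_bursts(lines, threshold=3):
    """Step 6: flag a (device, source) pair with at least `threshold` failed logins.
    Also returns how many lines could not be parsed, so unrecognized input is visible."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            unparsed += 1
            continue
        src = re.search(r"login failed from (\S+)", ev["msg"])  # assumed message format
        if src:
            counts[(ev["host"], src.group(1))] += 1
    alerts = [(host, src, n) for (host, src), n in counts.items() if n >= threshold]
    return alerts, unparsed

if __name__ == "__main__":
    alerts, unparsed = failed_login_bursts(SAMPLE_LINES)
    for host, src, n in alerts:
        print(f"ALERT: {n} failed logins on {host} from {src}")
    print(f"unparsed lines: {unparsed}")
```

Counting unparsed lines matters as much as the alert: a collector that silently drops what it cannot recognize is exactly the step 5 failure that is hard to notice later.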

More later...