Logs, SIEM, then planning
It seems so simple at first. Then things break down, I suspect because I start doing long before I start planning. If I were to stop and write the plan down first, it would probably look something like this:
- Make a list of devices on your network that are important.
- Make a list of things that could happen on your devices and network that you'd want to know about.
- Make sure your important devices are generating logs that capture those things (because they often don't by default).
- Make sure a copy of all those logs gets to a centralized server.
- Make sure that server can parse the logs it receives into fields it understands (a line it can't parse is a line it can't alert on).
- Teach it what's important to you so it can let you know when it sees that.
- Set up some visualizations that show the important things in a way that's useful (after defining "useful").
This gets trickier as I go. I'm going to do my best to keep references to my environment consistent.
Lab/test environment
- 192.168.130.101 - My workstation
- 192.168.160.103 - The VM
- 192.168.101.27 - Aruba switch
I've never worked with a SIEM but have dug through logs manually. I know I'm too human to correlate huge amounts of info across multiple systems so it makes perfect sense to have a system do that for me. I'm stuck on step 5.
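Step 5 gets easier once "things I'd want to know about" are written as rules over parsed log lines, which is also what steps 8 and 9 boil down to. The following is an added example, not code from the original post: a small Python script that parses RFC 3164-style syslog lines into fields, filters to an inventory of the three lab hosts (the host names `workstation`, `vm` and `aruba-sw` are assumed; the IPs come from the list above), and applies three rules: anything the device rates critical or worse, repeated SSH failures from one source, and any configuration message from the switch. The sample lines are constructed for the example; the switch line only imitates the generic syslog shape, not Aruba's real message format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# RFC 3164 (BSD-style) syslog line: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
# PRI encodes facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Step 4, as an assumed inventory: syslog host name -> IP from the lab list.
IMPORTANT_HOSTS = {
    "workstation": "192.168.130.101",
    "vm": "192.168.160.103",
    "aruba-sw": "192.168.101.27",
}

@dataclass
class Event:
    ts: str
    host: str
    facility: int
    severity: int
    tag: str
    msg: str

def parse_syslog(line):
    """Step 8: split a raw line into fields. Returns None for lines we can't recognize."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return Event(m["ts"], m["host"], pri // 8, pri % 8, m["tag"], m["msg"])

# Steps 5 and 9: "things I'd want to know about", written as rules over parsed events.
FAILED_SSH_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def detect(lines, failed_login_threshold=3):
    """Returns (alerts, unparsed); alerts is a list of (rule, host, detail) tuples."""
    alerts, unparsed = [], []
    failed_by_src = Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            unparsed.append(line)   # step 8 failed: the server didn't recognize it
            continue
        if ev.host not in IMPORTANT_HOSTS:
            continue                # not on the step 4 list
        # Rule 1: anything the device itself rates crit or worse.
        if ev.severity <= 2:
            alerts.append(("high-severity", ev.host, f"{SEVERITY[ev.severity]}: {ev.msg}"))
        # Rule 2: repeated SSH failures from one source; needs a count, not a single line.
        m = FAILED_SSH_RE.search(ev.msg) if ev.tag == "sshd" else None
        if m:
            key = (ev.host, m["src"])
            failed_by_src[key] += 1
            if failed_by_src[key] == failed_login_threshold:
                alerts.append(("ssh-bruteforce", ev.host,
                               f"{failed_login_threshold} failed logins from {m['src']}"))
        # Rule 3: any configuration message from the switch, whatever its severity.
        if ev.host == "aruba-sw" and "config" in ev.msg.lower():
            alerts.append(("switch-config-change", ev.host, ev.msg))
    return alerts, unparsed

# Constructed sample lines (not captured from real devices).
SAMPLE_LINES = [
    "<38>Mar  3 10:00:01 vm sshd[1201]: Failed password for invalid user admin from 192.168.130.101 port 51522 ssh2",
    "<38>Mar  3 10:00:02 vm sshd[1201]: Failed password for invalid user admin from 192.168.130.101 port 51523 ssh2",
    "<38>Mar  3 10:00:03 vm sshd[1201]: Failed password for root from 192.168.130.101 port 51524 ssh2",
    "<38>Mar  3 10:00:09 vm sshd[1203]: Accepted password for user from 192.168.130.101 port 51530 ssh2",
    "<189>Mar  3 10:01:15 aruba-sw hpe: running configuration saved by operator from 192.168.130.101",
    "<2>Mar  3 10:02:00 workstation kernel: EDAC MC0: uncorrectable error on DIMM 1",
    "<14>Mar  3 10:02:30 printer cups[441]: job 17 completed",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    found, bad = detect(SAMPLE_LINES)
    for rule, host, detail in found:
        print(f"[{rule}] {host}: {detail}")
    print(f"{len(bad)} line(s) not recognized")
```

Two things worth noticing when running it: the printer line is parsed fine but ignored because the printer isn't on the inventory, and the last line is reported as unparsed rather than silently dropped. A real SIEM does the same two things at scale, and the count of unparsed lines is the first number to watch after pointing new devices at the server.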