We recently had a customer ask us if Guardium can import
Windows system events. Guardium can do this. The traditional method is to use
the Configuration Audit System (CAS). You build a script and let the CAS call
it. One of the Guardium Forum posts here has a PDF attachment that explains how to do it.
This does fulfill the requirement, but there are a couple of problems with this idea. First, it requires you to build a custom script that you now have to maintain. Second, the CAS will send the complete output of the script to the collector, where it is stored and can be pretty awkward to query. It’s not that the CAS is bad per se; this use case is just outside of the original intent of the CAS. The CAS’s primary purpose is to monitor database configuration changes that don’t involve client/server communication (e.g., a change to Oracle’s listener.ora configuration file).
Essentially you are telling Guardium to do something it was not designed specifically to do. Instead of doing this, you should consider using a Security Event and Information Monitor (SIEM) or a log aggregator to bring in these events as well as all the other events that occur at the operating system and application level. This is, after all, why they were built. For the same reason people prefer to use Guardium for database activity monitoring, it’s probably a better idea to let these other systems manage your server logs. You can even stick with IBM Software and pick up QRadar or Tivoli’s SIEM to help you do it.
That’s nice to say, but what if you have Guardium, you don’t have a SIEM, and cannot purchase a SIEM? Our customer is a small non-profit and has this problem. If you are in that situation, by all means, use CAS. But I want to present an alternative. If you are a small company like our customer, you might be open to using an open source product called the Snare Agent for Windows by a company called InterSect Alliance. Snare, which is licensed under the GPL, takes the Windows System events and publishes them to a syslog feed. From there you capture the feed using the (also free) Backlog syslog receiver from InterSect and dump the data to a tab-separated text file. At that point you can import the event files into Guardium on a regular basis to get consolidated reporting in one environment. Compared with the CAS approach, this gives you a few advantages:
- You will be using a component specifically designed for this, rather than coaxing CAS into performing the task. As such, I contend that a Snare deployment is going to put less of a load on the monitored server, and will be easier to maintain.
- Syslog is a relatively well implemented standard. You are not limited to Windows System events. You can register your new Backlog syslog receiver with your UNIX and Linux systems as well and import the events from those systems into Guardium. This goes for all devices that use syslog, such as network devices like switches and firewalls. There are also open source Snare agents for other things, IIS web servers for instance.
- No code and no execution environments. Your server doesn’t need Java (which the CAS requires) or a script execution environment (Perl in the example above).
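To make the "receive the feed and dump it to a tab-separated file" step concrete, here is a small syslog-to-TSV receiver. It is example code written for this post, not Snare’s or Backlog’s own code. It assumes the agent sends RFC 3164-style lines (`<PRI>Mmm dd hh:mm:ss host payload`), the sample payloads below are constructed and only approximate the tab-delimited Snare event format, and the five output columns are a layout I chose so that each event lands on exactly one row of a file that a bulk import can consume.

```python
"""Syslog receiver that flattens events to a tab-separated file.
Example code for this post; not Snare or Backlog code."""
import re
import socket
from typing import Dict, List, Optional

# RFC 3164-style line as a syslog agent emits it:
#   <PRI>Mmm dd hh:mm:ss host payload
# The payload may itself contain tabs (Snare's format is tab-delimited),
# so the pattern stops at the space after the hostname and keeps the rest as-is.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
COLUMNS = ["facility", "severity", "timestamp", "host", "message"]

# Constructed sample input (approximate Snare-style payloads, not real events).
SAMPLE_LINES = [
    "<13>Jan  5 10:02:33 WINSRV01 MSWinEventLog\t1\tSecurity\t4624\tLogon succeeded",
    "<14>Jan  5 10:02:34 WINSRV01 MSWinEventLog\t0\tSecurity\t4634\tLogoff",
    "garbage that is not syslog",
]


def parse_syslog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into fields; return None for anything malformed."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    return {
        "facility": str(pri // 8),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def escape_field(value: str) -> str:
    """Encode tab, CR and LF inside a field so one event stays on one TSV row."""
    return (value.replace("\\", "\\\\")
                 .replace("\t", "\\t")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def records_to_tsv(records: List[Dict[str, str]]) -> str:
    """Render parsed events as a header row plus one escaped row per event."""
    lines = ["\t".join(COLUMNS)]
    for rec in records:
        lines.append("\t".join(escape_field(rec[col]) for col in COLUMNS))
    return "\n".join(lines) + "\n"


def lines_to_tsv(raw_lines) -> str:
    """Parse raw syslog lines, drop the malformed ones, and render the rest."""
    parsed = (parse_syslog_line(line) for line in raw_lines)
    return records_to_tsv([rec for rec in parsed if rec is not None])


def receive_udp(port: int, max_events: int, out_path: str) -> int:
    """Collect up to max_events syslog datagrams on UDP and write them as TSV.
    Binding port 514 needs administrative rights; pick a high port otherwise."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    records: List[Dict[str, str]] = []
    try:
        while len(records) < max_events:
            data, _addr = sock.recvfrom(65535)
            rec = parse_syslog_line(data.decode("utf-8", errors="replace"))
            if rec is not None:
                records.append(rec)
    finally:
        sock.close()
    with open(out_path, "w", encoding="utf-8", newline="") as fh:
        fh.write(records_to_tsv(records))
    return len(records)


if __name__ == "__main__":
    # Offline run over the constructed sample; use receive_udp(...) for a live feed.
    print(lines_to_tsv(SAMPLE_LINES), end="")
```

The tabs inside the event payload are escaped rather than passed through, so every row has the same five columns regardless of how many fields the agent packed into the message; if you would rather have the agent’s sub-fields as separate columns, split the message column on the escaped `\t` after import.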
In the next post I will explain how you can configure Snare and Backlog to put the data in a format that Guardium can easily consume.