We are looking at using Orion for our PCI compliance. I am wondering if there is a way to create a report to show failed logons by user name.
As far as I know there is none out of the box, but you could create a custom SQL report for this.
I don't have much SQL experience. Anyone willing to create something like this?
Firstly, if you are managing any significant quantity of Syslogs, then the Syslog functionality of Orion NPM is almost definitely not going to satisfy PCI compliance requirements, specifically for retention. You will need to find a way to archive these logs outside of the database, potentially using Kiwi Syslog or something like that as an alternative. Orion NPM Syslog is not designed for retention, and if that table in the database gets too large you will experience significant performance problems with Orion.
To try and answer your report question...
Just use Report Writer to create a Syslog report. In the Filter tab, specify conditions where Message contains <your failed login text>; if all of the messages you capture look the same and you sort by that, it should order them by name. I am assuming that at this point you have already verified that Syslog contains the logs that you need, as well as the specific text you need to filter for.
Hope this helps, let me know if you have any other questions about this.
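The same filter-then-sort idea as a runnable script, added here as an example rather than anything from the original post or from SolarWinds: it stands up a small in-memory table with an assumed Orion Syslog column layout (DateTime, Hostname, Message), applies the "Message contains" condition as a SQL WHERE clause, and then pulls the account name out of the free-text message with a regex so the report can be grouped by user rather than only sorted by message text. The log lines and the two message formats (a Cisco-style "Login failed [user: ...]" line and an sshd "Failed password for ..." line) are constructed for the example; the table name, column names and patterns are assumptions you would replace with what your own Syslog table actually contains. It goes slightly beyond the single-format case above by handling more than one message format and by reporting messages that matched the filter text but yielded no user name, so nothing is silently dropped from a compliance report.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample rows in the shape of an Orion NPM Syslog table.
# The column names (DateTime, Hostname, Message) and the message texts are
# assumptions for this example, not real captures from any Orion database.
SAMPLE_SYSLOG = [
    ("2010-03-01 08:01:12", "core-sw1",
     "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed]"),
    ("2010-03-01 08:01:40", "core-sw1",
     "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed]"),
    ("2010-03-01 08:03:05", "core-sw1",
     "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.50] [localport: 22]"),
    ("2010-03-01 09:17:51", "edge-rtr1",
     "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jsmith] [Source: 192.168.4.7] [localport: 23] [Reason: Login Authentication Failed]"),
    ("2010-03-01 09:20:00", "jump-host",
     "sshd[2214]: Failed password for invalid user root from 10.1.1.99 port 51234 ssh2"),
    ("2010-03-01 09:20:03", "jump-host",
     "sshd[2214]: Failed password for jsmith from 10.1.1.99 port 51240 ssh2"),
    ("2010-03-01 09:25:30", "edge-rtr1",
     "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.4.7)"),
]

# One (filter text, user-name regex) pair per message format. The filter text
# is what you would type into the Report Writer "Message contains" condition;
# the regex pulls the account name out of a matching message. Both are assumed
# formats; check them against what your Syslog table actually holds.
FAILED_LOGIN_PATTERNS = [
    ("Login failed", re.compile(r"\[user:\s*([^\]]+)\]", re.IGNORECASE)),
    ("Failed password", re.compile(r"Failed password for (?:invalid user )?(\S+) from")),
]


def load_syslog(rows):
    """Build an in-memory table with the assumed Orion Syslog column layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Syslog (DateTime TEXT, Hostname TEXT, Message TEXT)")
    conn.executemany("INSERT INTO Syslog VALUES (?, ?, ?)", rows)
    return conn


def failed_logins_by_user(conn, patterns=FAILED_LOGIN_PATTERNS):
    """Return ({user: count}, [unparsed rows]) for messages that match the filter.

    The WHERE clause is the same "Message contains" filter the Report Writer
    applies; the user name is then extracted in Python because the account is
    embedded in free text rather than stored in its own column.
    """
    where = " OR ".join("Message LIKE ?" for _ in patterns)
    params = [f"%{needle}%" for needle, _ in patterns]
    cur = conn.execute(
        f"SELECT DateTime, Hostname, Message FROM Syslog WHERE {where} ORDER BY DateTime",
        params,
    )
    counts = Counter()
    unparsed = []  # matched the filter text but no user name could be extracted
    for when, host, message in cur:
        user = None
        for needle, regex in patterns:
            if needle.lower() in message.lower():
                m = regex.search(message)
                if m:
                    user = m.group(1).strip()
                    break
        if user is None:
            unparsed.append((when, host, message))
        else:
            counts[user] += 1
    return counts, unparsed


def report_rows(counts):
    """Sort for the report: most failures first, then by user name."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    conn = load_syslog(SAMPLE_SYSLOG)
    counts, unparsed = failed_logins_by_user(conn)
    print(f"{'User':<12}{'Failed logons':>14}")
    for user, n in report_rows(counts):
        print(f"{user:<12}{n:>14}")
    if unparsed:
        print(f"\n{len(unparsed)} matching message(s) had no recognisable user name:")
        for row in unparsed:
            print("  ", row)
```

Run against the constructed rows, the successful login and the config-change message are excluded by the WHERE clause, and the report comes out as admin 2, jsmith 2 (one Cisco-style failure plus one sshd failure), root 1. The "unparsed" bucket is the check worth keeping in a real report: if a device starts logging failures in a format your regex does not recognise, those rows show up there instead of vanishing.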
OK... I do like not having another product to do syslog for PCI, but if Orion cannot handle it we will look at the other products we were looking at. We have been evaluating ManageEngine, Splunk, and LogRhythm. Any favorites by people on the board?