5 Replies Latest reply on Dec 1, 2010 12:16 PM by byrona

    Syslog Report

    etucker

      We are looking at using Orion for our PCI compliance. I am wondering if there is a way to create a report to show failed logons by user name.

        • Re: Syslog Report
          Questionario

          As far as I know there is none out of the box but you could create a custom SQL report for this

            • Re: Syslog Report
              etucker

              I don't have much SQL experience. Anyone willing to create something like this?

                • Re: Syslog Report
                  byrona

                  Firstly, if you are managing any significant quantity of Syslogs then the Syslog functionality of Orion NPM is almost definitely not going to satisfy PCI compliance requirements, specifically for retention. You will need to find a way to archive these logs outside of the database, potentially using Kiwi Syslog or something like that as an alternative. Orion NPM Syslog is not designed for retention, and if that table in the database gets too large you will experience significant performance problems with Orion.

                  To try and answer your report question...

                  Just use Report Writer to create a Syslog report; in the Filter tab, specify conditions where Message contains <your failed login text>. If all of the messages you capture look the same and you sort by that, it should order them by name. I am assuming that at this point you have already verified that Syslog contains the logs that you need as well as the specific text you need to filter for.

                  Hope this helps, let me know if you have any other questions about this.
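                  The custom SQL report suggested in this thread, written out as an added example (not byrona's or SolarWinds' code). It assumes the Orion database keeps syslog in a table dbo.Syslog with columns DateTime, Hostname and Message, and that failed-login messages contain the constructed markers 'LOGIN_FAILED' and '[user: NAME]'; replace both markers with the text your devices actually send.

```sql
-- Added example (not from the thread or SolarWinds). Counts failed logons
-- per user name over the last 7 days from syslog stored in the Orion DB.
-- ASSUMPTIONS: table dbo.Syslog with columns DateTime, Hostname, Message;
-- failed-login messages contain 'LOGIN_FAILED' and the user as
-- '[user: NAME]'. Both marker strings are constructed; replace them with
-- the text your devices really send (the "<your failed login text>" above).
WITH FailedLogons AS (
    SELECT
        s.DateTime,
        s.Hostname,
        s.Message,
        -- position just after 'user:' (LEN ignores trailing spaces, so the
        -- tag is written without one and the value is trimmed below)
        CHARINDEX(N'user:', s.Message) + LEN(N'user:') AS UserStart
    FROM dbo.Syslog AS s
    WHERE s.DateTime >= DATEADD(DAY, -7, GETDATE())
      AND s.Message LIKE N'%LOGIN_FAILED%'
      AND CHARINDEX(N'user:', s.Message) > 0
),
Extracted AS (
    SELECT
        DateTime,
        Hostname,
        -- take everything from UserStart up to the closing ']'; appending
        -- ']' guarantees a hit so SUBSTRING never gets a negative length
        LTRIM(RTRIM(SUBSTRING(Message, UserStart,
            CHARINDEX(N']', Message + N']', UserStart) - UserStart))) AS UserName
    FROM FailedLogons
)
SELECT
    UserName,
    COUNT(*)                 AS FailedAttempts,
    COUNT(DISTINCT Hostname) AS DevicesTargeted,
    MIN(DateTime)            AS FirstSeen,
    MAX(DateTime)            AS LastSeen
FROM Extracted
GROUP BY UserName
ORDER BY FailedAttempts DESC, UserName;
```

                  In Report Writer this belongs in an Advanced SQL report; accounts with many attempts spread across several devices are the rows to review first.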

                    • Re: Syslog Report
                      etucker

                      OK... I do like not having another product to do syslog for PCI, but if Orion cannot handle it we will look at the other products we were looking at. We have been evaluating ManageEngine, Splunk, LogRhythm. Any favorites by people on the board?

                        • Re: Syslog Report
                          byrona


                          ok...I do like not having another product to do syslog for PCI but if Orion can not handle it we will look at the other products we were looking at. We have been evaluting ManageEngine, Splunk, LogRhythm. Any facorites by people on the board?

                           



                          I agree with not wanting to have to introduce other products, but I wanted you to be aware of the problems that you will likely encounter. Orion is not designed as a Syslog management/retention product; it's really only designed for Syslog alerting.

                          As far as other products are concerned, we did evaluate ManageEngine against Orion and I personally was not a fan. Despite its US face, it's an India-based company and the support I received was very, very poor. I have heard good things about Splunk, though I have had little personal experience with it.

                          If I were you, I would evaluate Kiwi Syslog (which you can do with the free download); you can attach it to a database (such as MySQL) that you can use for retention, as far as I am aware. The big benefit here is that you get to use SolarWinds as the vendor, and the Kiwi product is a great value for the price.

                          Ultimately, what I would recommend is to take your PCI compliance requirements and create a list of log management requirements, then compare the different products against that and pick the one that best fits your needs.

                          Hope this helps!