Baselining for fetching the logs


(Praveen Kamble) #1

Hi Team,

I have a project in which ELK implementation is done, and they have started collecting logs from some 2-3 log sources. The client wants to implement ELK as a SIEM.

I have a set of use cases to be implemented, for which the prerequisite is to have the log sources integrated with proper base-lining.

If base-lining is done properly, we will get the necessary logs needed for use-case implementation.
This is unlike other SIEMs, which provide baselines/configuration guides mentioning the steps to be performed at the log sources.

Does ELK have any such configuration guides or baselines available?

Please suggest.

Best Regards-
Praveen Kamble


(Mark Walkom) #2

We don't provide this at a low level; take a read through https://www.elastic.co/guide/en/elasticsearch/guide/current/deploy.html


(Praveen Kamble) #3

Hi Mark,

Thanks for sharing the link, I went through it. It describes more of the admin part, like JVM, clustering configuration, garbage collection, heap memory configuration, file descriptors, etc.

What I asked is more of the SIEM (log management) part. To summarize, I would say "how would you decide, or does ELK tell, which type of logs need to be fetched from, say, a Checkpoint Firewall or IDS etc.", "steps to send the Windows logs to ELK for monitoring etc.".

In other SIEMs (ArcSight, RSA) we have log baselines and agents (which will help in reading the logs). Is any such facility available in ELK?

Please let me know if anything is needed.

Best Regards-
Praveen K


(Mark Walkom) #4

No, there is nothing.
