LogAnalysis
Re: [logs] Eventlog to syslog
Feb 29 2008 09:10PM
David Corlette (DCorlette novell com)
Hi Patrick,
MOM as a SIEM tool? Ouch.
There are a bunch of real SIEM tools out there; MOM's not one of them. Disclaimer here, I work on Sentinel, where our approach is that we accept whatever you throw at us: syslog, WMI, JDBC, OPSEC LEA, really anything. But we also apply some intelligence to the inbound data, integrate identity data and asset data, correlate IDS and vulnerability information, so on and so forth. Any other real SIEM tool will do the same, but not MOM.
Incidentally, it would be perfectly possible to use our tool to accept WMI (or JDBC, or any other format of data) and spit it back out as syslog. This wouldn't be a very good way to do it, as of course what you want to provide on the backend is a nice queryable datastore, which is what we offer, but we've done it for some customers that already have a SIEM tool in place and are just using Sentinel to monitor Novell apps.
> I realize I am diverging a bit from the original discussion of MS support of
> the syslog transport, but given the existence of MOM and its apparent support
> of syslog, it seems inevitable that the discussion (at least with my employer)
> will eventually lead down the path of MOM's abilities as a heterogeneous event
> analysis (i.e. SEM) tool.
>
> thx,
> -pat.
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis