In the March/April 2021 issue of The Connection, we wrote about ‘The Power of NonStop Data Analytics’ and how security can be increased and better managed by collecting select NonStop data and then streaming it to an enterprise SIEM (Security Information and Event Management) system for further data analytics tasks.
In this article, we look at some of the time-saving features and unique benefits of comforte’s SafePoint Logstream product. It locates and collects NonStop log data, normalizes the records into a standard format, and writes them to a SIEM processor or any audit collection server. It streams large volumes of log data to the SIEM over syslog in a highly fault-tolerant manner.
SafePoint Logstream can stream Safeguard, NonStop SSH, iTP Webserver, EMS, SP sudo, and KSL (keystroke) log data. We plan to support an even greater variety of log sources in future releases.
One very valuable feature of SafePoint Logstream is that it helps achieve compliance with the various sections of PCI DSS Requirement 10 (track and monitor all access to network resources and cardholder data): the audit trails it collects are preserved off-platform, centrally, where they can be reviewed and correlated.
Figure: Sample SafePoint Splunk App dashboard, showing NonStop data fed by SafePoint Logstream.
What are the main features and benefits?
High Volume Log Streaming
There can be massive amounts of HPE NonStop log data, depending on how much auditing takes place on the systems. HPE NonStop subsystems like Safeguard, SSH, EMS – and others – can emit copious quantities of audit log data which all needs to be collected and monitored efficiently. SafePoint Logstream handles enormous quantities of audit data and condenses that data to reasonably sized, normalized output streams.
High Degree of Fault-Tolerance
SafePoint Logstream provides high-performance parallel processing of multiple audit trails and relies on several mechanisms to maximize resilience and fault tolerance. Its central component runs as a NonStop process pair, and its worker processes run with kernel persistence, so they are restarted automatically if they fail. Checkpointing records the last position processed in each input audit log file; after a restart the software repositions to that remembered location and continues from where it left off, neither re-reading the whole file nor skipping records that arrived while it was down.
Broad integration with enterprise management infrastructures
SafePoint Logstream sends messages via syslog to SIEM event collectors such as Splunk and IBM QRadar; its stream can be viewed and analyzed with any syslog-aware SIEM. Output records use the Common Event Format (CEF), an industry-standard message format, so events arrive as named fields rather than free text. Logstream is bundled with the SafePoint Splunk app, which provides NonStop-oriented dashboards and alerts.
The currently supported sources are Safeguard, NonStop SSH, iTP Webserver, EMS, SP sudo, and KSL (keystroke) data. The software is readily extensible, and future releases will add support for other log sources.
SafePoint Logstream enables security organizations to fully leverage event information from their HPE NonStop environments. It allows security analysts to monitor their entire infrastructure more effectively and to identify and respond to potential threats quickly. For early detection of targeted attacks and security breaches, SafePoint Logstream supports both real-time and forensic analysis of event data.
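To make the CEF-over-syslog path concrete, here is an added example in Python. It is not comforte's code: this page does not document SafePoint Logstream's actual vendor/product strings, event IDs or field mapping, so every value below (the `ExampleCorp`/`NonStopAudit` header, signature ID 1001, the sample record) is constructed. It applies CEF's two escaping rules, `\` and `|` in the pipe-delimited header, `\` and `=` in the key=value extension, and wraps the message in an RFC 5424 syslog frame; `send_udp` ships it to a collector.

```python
"""Encode a normalized audit record as CEF and wrap it in an RFC 5424 syslog frame.
Added example with constructed values; not SafePoint Logstream's own output."""
import re
import socket
from datetime import datetime, timezone

_KEY_RE = re.compile(r"^[A-Za-z0-9_.]+$")  # CEF extension keys: no spaces, no '='


def _escape_header(value) -> str:
    # In the pipe-delimited header only backslash and pipe are special.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value) -> str:
    # In key=value extensions backslash and '=' are special; pipes are not.
    # Line breaks are carried as literal \n / \r so the message stays one line.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, signature_id, name, severity, extension: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_escape_header(f) for f in
                      (vendor, product, version, signature_id, name, severity))
    parts = []
    for key, value in extension.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"illegal CEF extension key: {key!r}")
        parts.append(f"{key}={_escape_extension(value)}")
    return f"CEF:0|{header}|{' '.join(parts)}"


def syslog_frame(msg: str, hostname: str, app: str, ts: datetime,
                 facility: int = 4, severity: int = 6) -> str:
    """RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI = facility*8 + severity; facility 4 = security/authorization, 6 = informational."""
    pri = facility * 8 + severity
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {stamp} {hostname} {app} - - - {msg}"


def send_udp(line: str, host: str, port: int = 514) -> None:
    """Fire-and-forget delivery to a syslog collector (see note on UDP below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


# Constructed normalized record; vendor, product, IDs and values are made up.
# Extension keys (rt, suser, dhost, act, outcome, msg) are standard CEF dictionary names.
SAMPLE_RECORD = {
    "vendor": "ExampleCorp", "product": "NonStopAudit", "version": "1.0",
    "signature_id": "1001", "name": "Safeguard logon failure", "severity": 5,
    "extension": {
        "rt": "Mar 01 2021 12:00:00",
        "suser": "super.admin",
        "dhost": "\\NSK1",            # NonStop system names start with a backslash
        "act": "LOGON",
        "outcome": "failure",
        "msg": "Safeguard: bad password | attempt=3",  # '=' must be escaped, '|' need not
    },
}


def encode_sample() -> str:
    return to_cef(**SAMPLE_RECORD)


def sample_frame() -> str:
    ts = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    return syslog_frame(encode_sample(), hostname="nsk1", app="logstream", ts=ts)


if __name__ == "__main__":
    print(sample_frame())
```

Over UDP nothing tells the sender that a datagram was dropped, which undercuts the fault-tolerance argument made above; a production pipeline should send over TCP, or TLS per RFC 5425, so that delivery failures surface as errors the sender can retry from its checkpoint.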
Improve Big Data Analytics
Moving event data to a SIEM facilitates detailed analysis of that data. SafePoint Logstream normalizes the data and parses it into discrete fields, so analysts can query and correlate by field rather than by parsing free-text messages. Once at the SIEM, event data and contextual information from multiple sources can be compared and analyzed for activity patterns, trends, user activity, and overall security compliance.
Leverage infrastructure investments
SafePoint Logstream enables organizations to work with their existing security infrastructure while fully leveraging HPE NonStop-related security information, whether generated by OSS, EMS, audit clients, or other sources.
Integration with SIEM
SafePoint Logstream streams audit data directly to an enterprise SIEM system, providing security officers and auditors with access to NonStop audit data. The SafePoint Splunk App provides the final piece of this integration, simplifying the task of HPE NonStop data analysis.
Bonus: Command-level Security & Auditing
SafePoint Sudo provides an HPE NonStop Guardian/TACL interface to sudo-style command-level security. sudo is a standard Unix/Linux utility that allows a permitted user to execute a command as another user. SafePoint Sudo provides TACL definitions for sudo commands so that Guardian and OSS command-level security can be easily defined, implemented, and audited. SafePoint Logstream also processes the resulting sudo log records, so privileged command use on NonStop reaches the SIEM alongside the Safeguard and EMS events.
Sample EMS events, as shown in the SafePoint Splunk App via SafePoint Logstream
If this new product is of interest to you, please contact us to investigate how you might benefit from the many capabilities and logging/analysis simplifications offered by SafePoint Logstream.