The power of NonStop data analytics – Part II – introducing SafePoint Logstream

Introduction

In the March/April 2021 issue of The Connection, we wrote about ‘The Power of NonStop Data Analytics’ and how security can be increased and better managed by collecting select NonStop data and then streaming it to an enterprise SIEM (Security Information and Event Management) system for further data analytics tasks.

In this article, we look at some of the time-saving features and unique benefits of comforte’s SafePoint Logstream product. It locates and collects NonStop log data, normalizes the records into a standard format, and writes the resulting records to a SIEM or any other audit collection server. It streams large amounts of log data to the SIEM via SYSLOG in a highly fault-tolerant manner.

SafePoint Logstream can stream Safeguard, NonStop SSH, iTP Webserver, EMS, SP sudo, and KSL (keystroke) log data. We plan to offer support for an even greater variety of log sources in future releases.

One very valuable feature of SafePoint Logstream is that it helps meet the logging and monitoring controls of PCI DSS Requirement 10 (track and monitor all access to network resources and cardholder data), in particular the requirement to promptly copy audit trails to a centralized log server that is difficult to alter.

Figure: NonStop Authentications Dashboard. Sample SafePoint Splunk App dashboard, with NonStop data fed by SafePoint Logstream.

What are the main features and benefits?

Features

High Volume Log Streaming

There can be massive amounts of HPE NonStop log data, depending on how much auditing takes place on the systems. HPE NonStop subsystems like Safeguard, SSH, EMS – and others – can emit copious quantities of audit log data which all needs to be collected and monitored efficiently. SafePoint Logstream handles enormous quantities of audit data and condenses that data to reasonably sized, normalized output streams.

High Degree of Fault-Tolerance

The SafePoint Logstream software provides high-performance parallel processing of multiple audit trails and relies on several mechanisms to maximize resilience and fault tolerance. For example, the software can be restarted and will continue from the point where it left off: it repositions to the last remembered location in the input audit log files, which is achieved with a form of checkpointing.

The mechanisms also include a central component running as a NonStop process pair and processes that run with kernel persistence.
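As an added illustration of checkpoint-based repositioning (example code written for this article, not Logstream’s own implementation, whose checkpoint format and storage are not described here), the Python reader below persists the byte offset of the last complete record it handed off and, after a restart, resumes from that offset. The file names, the JSON checkpoint layout, and the inode/size test for a truncated or rotated input file are assumptions of this example.

```python
import json
import os
import tempfile
from typing import List, Tuple


class CheckpointedReader:
    """Tail a newline-delimited log and persist the offset of the last complete
    record, so a restarted reader continues where the previous one stopped."""

    def __init__(self, log_path: str, ckpt_path: str) -> None:
        self.log_path = log_path
        self.ckpt_path = ckpt_path
        self.offset, self.inode = self._load()

    def _load(self) -> Tuple[int, int]:
        # Checkpoint layout {"offset": int, "inode": int} is an assumption here.
        try:
            with open(self.ckpt_path, "r", encoding="utf-8") as f:
                ck = json.load(f)
            return int(ck["offset"]), int(ck["inode"])
        except (FileNotFoundError, ValueError, KeyError):
            return 0, -1

    def _save(self) -> None:
        # Write a temp file, fsync it, then atomically rename it over the old
        # checkpoint: a crash mid-write leaves the old or the new checkpoint,
        # never a truncated one.
        tmp = self.ckpt_path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            json.dump({"offset": self.offset, "inode": self.inode}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.ckpt_path)

    def read_new(self) -> List[str]:
        st = os.stat(self.log_path)
        # Rotated (new inode) or truncated (shorter than the saved offset):
        # the checkpoint no longer describes this data, so start from 0.
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.offset, self.inode = 0, st.st_ino
        records: List[str] = []
        with open(self.log_path, "rb") as f:
            f.seek(self.offset)
            while True:
                line = f.readline()
                if not line.endswith(b"\n"):
                    break  # partial record still being written: leave it for next time
                records.append(line[:-1].decode("utf-8", "replace"))
                self.offset = f.tell()
        self._save()  # checkpoint AFTER hand-off: at-least-once, never lost records
        return records


def demo() -> dict:
    """Simulate writer activity and reader restarts on a constructed log file."""
    d = tempfile.mkdtemp()
    log, ck = os.path.join(d, "audit.log"), os.path.join(d, "audit.ckpt")
    with open(log, "ab") as f:
        f.write(b"rec1\nrec2\n")
    first = CheckpointedReader(log, ck).read_new()   # both complete records
    with open(log, "ab") as f:
        f.write(b"rec3\nrec4 partial")
    second = CheckpointedReader(log, ck).read_new()  # restart: only rec3, partial held back
    with open(log, "ab") as f:
        f.write(b" done\n")
    third = CheckpointedReader(log, ck).read_new()   # the completed rec4
    with open(log, "wb") as f:
        f.write(b"new1\n")                           # file truncated/rewritten
    fourth = CheckpointedReader(log, ck).read_new()  # offset reset to 0
    return {"first": first, "second": second, "third": third, "fourth": fourth}


if __name__ == "__main__":
    for stage, recs in demo().items():
        print(stage, recs)
```

Because the checkpoint is written only after the records have been handed off, a crash between hand-off and checkpoint write replays those records on restart. That is the usual trade-off for a log shipper (at-least-once rather than exactly-once), and the receiving SIEM should be prepared to de-duplicate on a stable key such as host, timestamp and record sequence number.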

Broad integration with enterprise management infrastructures

The SafePoint Logstream product sends messages via SYSLOG to tier-two event collectors such as Splunk, QRadar, and others, so its output can be viewed and analyzed with any SYSLOG-aware SIEM. Output records use the Common Event Format (CEF), an industry-standard message format consisting of a fixed, pipe-delimited header (format version, device vendor, product, device version, event class ID, event name, and severity) followed by key=value extension fields. Logstream is bundled with the SafePoint Splunk app, which provides NonStop-oriented dashboards and alerts.
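To show what a SYSLOG-aware consumer has to do with such a stream, here is an added example (written for this article, not code from comforte or from any SIEM vendor) that parses CEF-over-syslog lines, honouring the CEF escaping rules (`\|` and `\\` in the header, `\=` and `\\` in extension values), and runs a toy failed-logon rule over them. The sample lines are constructed for this example with placeholder vendor, product and event-class values; they are not SafePoint Logstream output, and the RFC 3164-style syslog prefix is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# An RFC 3164 style "<PRI>Mmm dd hh:mm:ss host tag:" prefix is ASSUMED here;
# the real prefix depends on the syslog sender and transport in use.
SYSLOG_PREFIX = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+?):?\s*$")
# An extension key starts the string or follows whitespace and ends in an
# unescaped '='; CEF requires '=' inside values to be written as '\='.
EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    event_class_id: str
    name: str
    severity: Optional[int]   # None when the producer used a non-numeric severity
    extension: Dict[str, str]
    syslog: Dict[str, str]    # facility/severity/ts/host/tag when the prefix parsed


def _split_header(payload: str, nfields: int) -> List[str]:
    """Split the text after 'CEF:' on unescaped '|' into nfields header fields
    plus the untouched remainder (the extension, where '|' is not escaped).
    Header escapes '\\|' and '\\\\' are resolved on the way."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(payload) and len(fields) < nfields:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < nfields:
        raise ValueError(f"malformed CEF header: expected {nfields} '|'-delimited fields")
    return fields + [payload[i:]]


def _parse_extension(ext: str) -> Dict[str, str]:
    keys = list(EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)",
                                 lambda e: _EXT_ESCAPES.get(e.group(1), e.group(0)), raw)
    return out


def parse_cef_line(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    syslog: Dict[str, str] = {}
    m = SYSLOG_PREFIX.match(line[:idx])
    if m:
        pri = int(m.group("pri"))  # PRI = facility * 8 + severity
        syslog = {"facility": str(pri // 8), "severity": str(pri % 8),
                  "ts": m.group("ts"), "host": m.group("host"), "tag": m.group("tag")}
    f = _split_header(line[idx + 4:], 7)
    sev = int(f[6]) if f[6].strip().isdigit() else None
    return CefEvent(f[0], f[1], f[2], f[3], f[4], f[5], sev, _parse_extension(f[7]), syslog)


def failed_logons_over_threshold(events: List[CefEvent], threshold: int = 3) -> Dict[str, int]:
    """Toy SIEM rule: users with at least `threshold` AUTH-FAIL events."""
    counts = Counter(e.extension.get("suser", "<unknown>")
                     for e in events if e.event_class_id == "AUTH-FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


# CONSTRUCTED sample lines with placeholder vendor/product/event-class values,
# not SafePoint Logstream output. They exercise '\|' in the header and
# '\=' / '\\' in extension values.
_HDR = "<134>Apr 12 10:15:%02d nsk01 logstream: CEF:0|ExampleVendor|ExampleProduct|1.0|"
SAMPLE_LINES = [
    _HDR % 2 + "AUTH-FAIL|Logon failure|6|suser=ops.alice src=10.1.2.3 cs1Label=subsystem cs1=Safeguard msg=password check\\=failed",
    _HDR % 9 + "AUTH-FAIL|Logon failure|6|suser=ops.alice src=10.1.2.3 cs1Label=subsystem cs1=Safeguard",
    _HDR % 15 + "AUTH-FAIL|Logon failure \\| third try|6|suser=ops.alice src=10.1.2.3 cs1Label=subsystem cs1=Safeguard",
    _HDR % 40 + "AUTH-FAIL|Logon failure|6|suser=super.bob src=10.1.2.9 cs1Label=subsystem cs1=NonStop SSH",
    _HDR % 55 + "AUTH-OK|Logon success|3|suser=super.bob src=10.1.2.9 cs1Label=subsystem cs1=NonStop SSH msg=key C:\\\\keys\\\\bob accepted",
]

if __name__ == "__main__":
    events = [parse_cef_line(l) for l in SAMPLE_LINES]
    for e in events:
        print(e.syslog.get("ts"), e.event_class_id, e.name, e.extension)
    print("over threshold:", failed_logons_over_threshold(events))
```

Two points worth keeping in mind when wiring a real feed: the seven header fields are positional, so a producer that omits one shifts every later field (the parser above rejects such lines rather than mis-assigning them), and the key=value extension is only safe to split on unescaped `=` because CEF mandates escaping inside values; a producer that does not escape will corrupt neighbouring fields silently.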

Extensible Architecture

Currently, SafePoint Logstream can stream Safeguard, NonStop SSH, iTP Webserver, EMS, SP sudo, and KSL (keystroke) data. The software is readily expandable, and future releases will provide support for other log sources.


Benefits

Boost security

SafePoint Logstream enables security organizations to fully leverage event information from their HPE NonStop environments. It allows security analysts to more effectively monitor their entire infrastructure and quickly identify and respond to potential threats. For early detection of targeted attacks and security breaches, SafePoint Logstream facilitates both real-time and forensic analysis of event data.

Improve Big Data Analytics

Moving event data to a SIEM facilitates detailed analysis of that data. SafePoint Logstream normalizes the data and parses it into discrete fields, so SIEM queries can work on named fields instead of raw text. Once at the SIEM, event data and contextual information from multiple sources can be compared and analyzed for activity patterns, trends, user activity, and overall security compliance.

Leverage infrastructure investments

SafePoint Logstream enables organizations to work with their existing security infrastructure while fully leveraging HPE NonStop-related security information, whether generated by OSS, EMS, audit clients, or other sources.

Integration with SIEM

SafePoint Logstream streams audit data directly to an enterprise SIEM system, providing security officers and auditors with access to NonStop audit data. The SafePoint Splunk App provides the final piece of this integration, simplifying the task of HPE NonStop data analysis.

Bonus: Command-level Security & Auditing

SafePoint Sudo provides an HPE NonStop Guardian/TACL interface to sudo command-level security. Sudo is a standard Unix/Linux utility that allows a permitted user to execute a command as another user. SafePoint Sudo provides TACL definitions for sudo commands so that Guardian and OSS command-level security can be easily defined, implemented, and audited. SafePoint Logstream is also able to process sudo log records.

Figure: Splunk EMS search result. Sample EMS events, as shown in the SafePoint Splunk App via SafePoint Logstream.

If this new product is of interest to you, please contact us to investigate how you might benefit from the many capabilities and logging/analysis simplifications offered by SafePoint Logstream.

Author


  • Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.
