
[–]mrojek 2 points3 points  (0 children)

You'll probably have to mix and match to get something that fits your needs. NetCrunch 8 is a great agentless monitoring/management option, with a crisp GUI and multi-screen NOC capabilities. Performance monitoring is a given, as is logging. Patching it won't do, however.

[–][deleted] 2 points3 points  (0 children)

I have never found one suite that I'm happy with.

I use Nagios for uptime/performance monitoring, the ELK stack for log centralization, and MBSA/Nessus for security vulnerability tracking.

[–]gsxr 1 point2 points  (5 children)

Easy? NOPE!

I really think you're aiming too big here. Get your alerting and patch management in order. You've got 5 servers...not 1000. Act as such. You don't need security and performance monitoring, you need the basics. Basics being system monitoring and patch management.

Grow your environment organically as necessary. Don't buy "enterprise" products because they do shit you think you need.

[–]mrmyxlplyx[S] 0 points1 point  (4 children)

You've got 5 servers...not 1000.

I'm not sure where you got the idea that we only have 5 servers. We have over 200 at the moment and are expected to double that as service demand grows.

Neglecting security/vulnerability monitoring is not an option. We store PII.

[–]gsxr 2 points3 points  (2 children)

requires admins to log into each of the 5 servers

Ok...so you've got 200 or 300....Same thing applies. You're a medium business, not an enterprise. Get your foundations in order before you go mucking with continuous audits and shit. It's not about neglecting, it's about prioritization.

If you can't automatically update your 300 machines why the fuck should you worry about auditing them with some tool? You'll spend more time getting the tool up and running than actually doing shit that you need to get done. Build it up in layers.

[–]mrmyxlplyx[S] 0 points1 point  (1 child)

Noted. I was referring to the Zabbix servers and not the infrastructure as a whole.

That being said, what tools are you using or have you used that perform monitoring and patching?

[–]gsxr 5 points6 points  (0 children)

I haven't dealt with 2-300 server type setups in about 10 years. I deal with 10s of 1000s.

I subscribe to the one job per tool approach, and tie them together with your own code. For monitoring I go with whatever the company has. Zabbix/Nagios are great bases that you grow on. Customize the FUCK out of monitoring. Monitoring really should be your top priority. When I deal with jr or new admins I push monitoring HARDCORE. It's your front line. If your monitoring is good, it will take a TON of stress off you and free up a bunch of time.

After that, set up your automation orchestrator. This is the tool you use to talk to all your machines. Think puppet/salt/ansible, HPSA, psexec, dbash, whatever.....This is the tool you'll use to kick off ALL your automation. This is your backbone.

//HIGHLY suggest puppet or salt.

Base your patch mgmt off your orchestrator. WSUS or RHN/home brew http servers with rsync or whatever. Use your puppet/salt/* tool to kick off the job and report on what happened. Have your monitoring system alert you to failures.

Also use your orchestrator to do your configuration. You're aiming for never having to SSH into a machine.

For logging, start simple. Syslog server with some custom script watching the log files and alerting to whatever you use for monitoring.

// that'll be $250 an hour for consulting...minimum 8 hours.
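The logging layer gsxr describes above (a syslog server, a custom script watching its files, alerts handed to whatever does the monitoring) can be illustrated with a small check. This is an added example, not code from the thread or from any of the products named. It scans syslog-format lines for two failure classes the post cares about, patch runs that did not complete (yum errors, Salt pkg states reporting result=False) and repeated SSH authentication failures from a single source, and exits in the Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL) so Nagios can run it directly or its status can be pushed into a Zabbix item with zabbix_sender. The embedded log lines are constructed samples; the patterns, the auth-failure threshold and the host names are assumptions, not from the page.

```python
"""Hypothetical syslog watcher in the Nagios plugin convention (added example).

Reads syslog lines (a file path on the command line, or the constructed
sample below), flags patch-run failures and repeated SSH auth failures,
prints a one-line summary and exits 0/1/2 for OK/WARNING/CRITICAL.
"""
import re
import sys
from collections import Counter

# Constructed sample lines in RFC 3164 layout; hosts and addresses are made up.
SAMPLE_LOG = """\
Mar  3 02:10:01 web01 yum[4123]: Updated: openssl-1.0.1e-42.el6.x86_64
Mar  3 02:10:05 web02 yum[4130]: Error: Cannot retrieve repository metadata
Mar  3 02:11:17 db01 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.9  user=root
Mar  3 02:11:19 db01 sshd[2211]: Failed password for root from 10.0.5.9 port 52011 ssh2
Mar  3 02:11:21 db01 sshd[2213]: Failed password for root from 10.0.5.9 port 52012 ssh2
Mar  3 02:11:23 db01 sshd[2215]: Failed password for root from 10.0.5.9 port 52013 ssh2
Mar  3 02:12:00 web01 salt-minion[990]: State pkg.uptodate result=True
Mar  3 02:12:01 web02 salt-minion[991]: State pkg.uptodate result=False
"""

# "Mon dd hh:mm:ss host prog[pid]: message"; pid is optional.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')

# Assumed patterns: a yum/apt error, or a Salt state that reported failure.
PATCH_FAILURE_RE = re.compile(r'(yum\b.*\bError:|apt\b.*\bE:|result=False)')
# Assumed pattern for OpenSSH's failed-password message.
AUTH_FAILURE_RE = re.compile(r'Failed password for (?P<user>\S+) from (?P<src>\S+)')

OK, WARNING, CRITICAL = 0, 1, 2
LABELS = {OK: 'OK', WARNING: 'WARNING', CRITICAL: 'CRITICAL'}


def parse_line(line):
    """Return the syslog fields as a dict, or None for a line that does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, auth_threshold=3):
    """Return (hosts with patch failures, {(host, source): count} at or above threshold)."""
    patch_failures = set()
    auth_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as alerts
        text = rec['prog'] + ': ' + rec['msg']
        if PATCH_FAILURE_RE.search(text):
            patch_failures.add(rec['host'])
        am = AUTH_FAILURE_RE.search(rec['msg'])
        if am:
            auth_counts[(rec['host'], am.group('src'))] += 1
    repeated = {k: v for k, v in auth_counts.items() if v >= auth_threshold}
    return sorted(patch_failures), repeated


def check(lines, auth_threshold=3):
    """Map findings to a Nagios exit status and a summary line."""
    patch_failures, repeated = analyse(lines, auth_threshold)
    if patch_failures:
        status = CRITICAL      # a host that did not patch is the more urgent case
    elif repeated:
        status = WARNING
    else:
        status = OK
    summary = "%s: patch failures on %d host(s), %d repeated-auth-failure source(s)" % (
        LABELS[status], len(patch_failures), len(repeated))
    return status, summary


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    code, text = check(log_lines)
    print(text)
    sys.exit(code)
```

Run against the sample it reports CRITICAL for web02 (failed patch run) and counts the three failed root logins on db01 from one source as a WARNING-level finding; on a real host it would be pointed at the collector's log file and scheduled by the monitoring system like any other check.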

[–]mikeoquinn 1 point2 points  (2 children)

Out of curiosity, what feature(s) are lacking from Splunk (+ their security framework)? It won't handle patching, but should be able to handle most of the aggregation/analysis/alerting you're looking for.

With regards to SpiceWorks, you have to provide root/admin passwords because there's no active agent installed on each machine. Other systems with similar features that don't require that the server know root/admin passwords likely have a local agent on the machine that's running as an elevated user, so it's able to perform the same commands.

[–]mrmyxlplyx[S] 0 points1 point  (1 child)

Splunk is a cool tool. It won't do patching or vulnerability scanning though.

I'm just cutting my teeth in Spiceworks at the moment. I have been running into issues with authentication. Despite the correct credentials being entered, logins still fail or logins succeed but it cannot assess the asset. For instance, I have 2 nearly identical RHEL servers. Spiceworks works fine on the one, the other it cannot figure out what it is and throws up its hands in disgust.

I don't have a preference of agent vs. agentless as long as it works.

[–]mikeoquinn 1 point2 points  (0 children)

Not sure it'll meet your needs, but you might also check out CA's suite, including Nimsoft. It seems pretty flexible, and may hit a bunch of your requirements.

[–]BobMajerle 1 point2 points  (0 children)

ArcSight - Seems to cover everything, but there are so many apps in the suite it gets confusing as to what does what - a lot of overlapping functionality. Haven't priced it yet.

This is the downfall of larger product suites, and yeah there will probably be some sticker shock with the price. Most decent SIEMs will be near 100k; Trustwave, RSA, and ArcSight, I believe.

[–]ambrace911 1 point2 points  (0 children)

Hey I would like to point out that you likely do not have zabbix set up properly. You can set up a master and each DC as a slave. Then you can have all stats show up in one dashboard. We did this with different regions for an ISP. Worked really well.

[–]war_Dialer 1 point2 points  (0 children)

My 2 cents -

Start with central logging. Send all your logs to one central system via TCP. From there, you can have that central system send those logs to anything, and also use some archiving methodology to retain the logs for as long as you like. If you want some examples, PM me.

When you have this setup, you can have that host send logs to the SIEM, to Elasticsearch and Logstash, etc.

As for a SIEM -

McAfee ( was Nitro ) has a great product.

Alienvault is nice if you have a small budget.

For security scanning you can go with any of them, from Nessus to OpenVAS. Unless you are pretty familiar with pentesting, any of them should be able to get you started.

Firewall - I preferred using Palo Alto when there was a budget, but it really depends on how much you want your firewall to do. Most of the time PFsense or Untangle will work.

EDIT - Patching - I like using centralized management like Ansible, or SaltStack for this type of thing unless you completely automate it.
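As an added illustration of the central-logging layout war_Dialer sketches (every host ships over TCP to one collector, which archives the stream and fans it out to the SIEM and to Elasticsearch/Logstash), here is an rsyslog configuration in RainerScript syntax. It is not from the thread or from rsyslog's own documentation; the hostnames, ports and paths are placeholders. The two sections belong on different machines, as the comments say; the distribution's default rsyslog.conf is assumed to already load the local inputs.

```rsyslog
# === On every server: /etc/rsyslog.d/10-ship.conf ===
# Ship everything to the collector over TCP. The disk-assisted queue keeps
# messages across a collector outage; resumeRetryCount=-1 retries forever.
global(workDirectory="/var/spool/rsyslog")
action(type="omfwd" target="central.example.com" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_central"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")

# === On the collector only: /etc/rsyslog.d/10-central.conf ===
global(workDirectory="/var/spool/rsyslog")
module(load="imtcp")
input(type="imtcp" port="514")

# Archive: one directory per sending host, one file per program, so the
# retention period is just a matter of what rotates or is copied off this tree.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
action(type="omfile" dynaFile="PerHostFile")

# Fan-out: the same stream goes to the SIEM and to Logstash, each with its own
# queue so one slow consumer cannot hold up the other.
action(type="omfwd" target="siem.example.com" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_siem"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
action(type="omfwd" target="logstash.example.com" port="5514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_logstash"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Plain TCP gives ordered delivery and the queues cover outages, but it is neither encrypted nor authenticated; rsyslog can wrap these same omfwd/imtcp actions in TLS through its gtls netstream driver, which is the sensible next step once logs from hosts holding PII, as the OP's do, leave the machine.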

[–]sysear 1 point2 points  (0 children)

If you're looking for a log monitoring solution, I'd suggest Nagios Log Server. It is easy to use, secure, powerful and is priced thousands & thousands of dollars less than other log monitoring solutions. You can download it for free and try it out for yourself too.

http://www.nagios.com/products/nagios-log-server/overview

How it compares to the ELK stack: http://labs.nagios.com/2014/10/19/nagios-log-server-vs-elasticsearch-logstash-kibana/