We are asked to create input to a SIEM system in order to expand the security level.
1. Do you have any experience in that manner? Let us know more?
2. Any good ideas for how to start to feed the SIEM are welcome.
3. I suppose that SAS has a ton of logs, but they are difficult to analyze from raw text?
4. If we turn on the APM a lot of relevant stuff is available, but how can that information be integrated with a SIEM system? ODBC?
Any ideas and experience are highly appreciated.
Thanks in advance. Looking forward to hearing from you.
Hello @ANLYNG,
yours is a very good question, and it turns out I am working at this moment on a project related to SIEM. Probably most of the companies concerned about GDPR and Security are working at this moment in similar ways.
First an introduction to readers: In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. ( https://en.wikipedia.org/wiki/Security_information_and_event_management )
Please let me do an introduction and summary of some of my experiences and knowledge:
1. Do you have any experience in that manner? Let us know more?
Yes, I let SIEM query and analyse the audit trails from the filesystems (and I am careful with the audit trails I enable, so as not to impact performance too much). The filesystem is a very important part of SAS, and it is almost not audited (because it can't be) in several scenarios unless users go through metadata, Object Spawner/Workspace Server or metadata-bound libraries (or SAS Federation Server).
For the rest that is not the filesystem:
2. Any good ideas for how to start to feed the SIEM are welcome.
As mentioned, I would enable feeding just the filesystem audit trails, enabling tracking of successes and failures, including the groups you want to audit, and be careful about enabling audits on "Change" or related to "Metadata", because your trails can overload your server performance.
3. I suppose that SAS has a ton of logs, but they are difficult to analyze from raw text?
Parsing the logs with patterns/regular expressions is your solution. SAS Environment Manager and most of the monitoring systems use pattern reading in order to create alerts. The same goes for Auditing.
http://support.sas.com/kb/34/301.html
http://support.sas.com/kb/49/032.html
Please note: SAS logs can have outputs to the Windows/Linux consoles, or even to databases or SAS tables. Please read:
4. If we turn on the APM a lot of relevant stuff is available, but how can that information be integrated with a SIEM system? ODBC?
SAS 9.4 already logs by default a lot of stuff on WIP (PostgreSQL). APM enables additional logging (such as the logging of the Workspace Server). And the logging can also be customized by you: http://documentation.sas.com/?docsetId=logug&docsetTarget=titlepage.htm&docsetVersion=9.4&locale=en
About the way to query this data, as said, ODBC is an option, but I think you would like to ask SAS Technical Support about the best way to query it and be legally compliant.
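The pattern-based parsing the reply above recommends, as an added example that is not part of the original post: the log lines are constructed, and the layout they follow (a log4sas-style "timestamp level [thread] client:user - message" ConversionPattern) is an assumption, so the regex must be adapted to whatever pattern a given SAS deployment actually configures. Lines that do not match are kept in a rejected list rather than dropped, so gaps in SIEM coverage stay visible.

```python
import json
import re
from collections import Counter

# Constructed sample lines. The layout assumes a log4sas-style
# ConversionPattern ("%d %-5p [%t] %X{Client.ID}:%u - %m"); this is an
# assumption for the example, not taken from any real deployment.
SAMPLE_LOG = """\
2018-03-05T09:12:01,120 INFO  [00000007] :sasdemo - Workspace server started
2018-03-05T09:12:05,455 WARN  [00000009] :alice - Access denied for library PROD
2018-03-05T09:12:06,010 ERROR [00000009] :alice - Authentication failed for user alice
2018-03-05T09:12:09,301 ERROR [00000011] :alice - Authentication failed for user alice
2018-03-05T09:12:11,877 INFO  [00000012] :bob - Library PROD assigned
this line is not in the expected format
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[0-9a-fA-F]+)\]\s+"
    r"(?P<client>[^:]*):(?P<user>\S*)\s+-\s+(?P<msg>.*)$"
)

# Map SAS log levels onto a numeric severity a SIEM rule can threshold on.
SEVERITY = {"TRACE": 1, "DEBUG": 2, "INFO": 3, "WARN": 5, "ERROR": 7, "FATAL": 9}

def parse_line(line):
    """Return a SIEM-ready dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = SEVERITY.get(ev["level"], 0)
    ev["source"] = "sas94"  # constant tag so the SIEM can route the feed
    return ev

def parse_log(text):
    """Parse every line; unparsable lines are returned, never silently dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected

def auth_failure_alerts(events, threshold=2):
    """Users with at least `threshold` ERROR-level 'Authentication failed' events."""
    hits = Counter(e["user"] for e in events
                   if e["level"] == "ERROR" and "Authentication failed" in e["msg"])
    return {u: n for u, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for e in evs:
        print(json.dumps(e))  # one JSON event per line for the SIEM collector
    print("rejected:", bad)
    print("alerts:", auth_failure_alerts(evs))
```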
Hi @ANLYNG, I am glad that it will help you to at least have a good start and to explore some parallel answers. If you have further questions, please do not hesitate to open new posts. I am also feeling interested about your work and your version of the truth!