ANLYNG
Pyrite | Level 9

We are asked to create input to a SIEM system in order to expand the security level.

 

1. Do you have any experience in that manner? Let us know more?

2. Any good ideas for how to start to feed to SIEM are welcome.

3. I suppose that SAS has a ton of logs, but they are difficult to analyze from raw text?

4. If we turn on the APM a lot of relevant stuff is available, but how can that information be integrated with a SIEM system? ODBC?

 

Any ideas and experience are highly appreciated.

 

Thanks in advance. Looking forward to hearing from you.

Accepted Solutions
JuanS_OCS
Amethyst | Level 16

Hello @ANLYNG,

 

Yours is a very good question, and it turns out I am working at this moment on a project related to SIEM. Probably most of the companies concerned about GDPR and security are working at this moment in similar ways.

 

First an introduction to readers: In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. ( https://en.wikipedia.org/wiki/Security_information_and_event_management )

 

Please let me do an introduction and summary of some of my experiences and knowledge:

 

1. Do you have any experience in that manner? let us know more ?

Yes, I let SIEM query and analyse the audit trails from the filesystems (and I am careful with the audit trails I enable, so as not to impact performance too much). The filesystem is a very important part of SAS, and it is almost not audited (because it can) in several scenarios unless users go through metadata, Object Spawner/Workspace Server or metadata-bound libraries (or SAS Federation Server).

For the rest that is not the filesystem:

  • Indeed, the logging features from SAS and SAS APM will extend the information a lot. If you are on SAS 9.4, the APM data will be fed to the WIP database, although the WIP database is PostgreSQL and you might require (legally) an extra SAS/ACCESS to PostgreSQL in order to be able to query this database. Of course, ODBC will work as well, but I am not sure if it is legal.
  • I would give a look as well to SAS Federation Server. This server is the solution for auditing and security on SAS systems, which enables you to know audits even on a query level (something you cannot do otherwise, unless you include custom macros everywhere in your code...).

 

2. Any good ideas for how to start to feed to SIEM are welcome.

As mentioned, I would enable feeding just the filesystem audit trails, enabling you to track successes and failures, including the groups you want to audit, and be careful about enabling audits on "Change" or related to "Metadata" because your trails can overload your server performance.

 

3. I suppose that SAS has a ton of logs, but they are difficult to analyze from raw text?

 

Parsing the logs with patterns/regular expressions is your solution. SAS Environment Manager and most monitoring systems use pattern reading in order to create alerts. The same goes for auditing.

http://support.sas.com/kb/34/301.html

http://support.sas.com/kb/49/032.html

http://documentation.sas.com/?docsetId=bisag&docsetTarget=n1162ioc4910wvn1n0bdojd5809i.htm&docsetVer...

http://documentation.sas.com/?docsetId=logug&docsetTarget=n0t35nn3zod1enn1x72nmd9bcbu8.htm&docsetVer...

 

Please note: SAS logs can have outputs to the Windows/Linux consoles, or even to databases or SAS tables. Please read:

 

http://documentation.sas.com/?docsetId=logug&docsetTarget=p1nnczg61x93qon1gm8o3sle1zax.htm&docsetVer...

http://documentation.sas.com/?docsetId=logug&docsetTarget=p1k5k4ie3e3201n13wrxmxjmmb75.htm&docsetVer...

http://documentation.sas.com/?docsetId=logug&docsetTarget=n0of1o5hh7z9epn1wk0pxses4hqq.htm&docsetVer...

http://documentation.sas.com/?docsetId=logug&docsetTarget=p0i5u90yyparmcn1s0ga1y2qa6tv.htm&docsetVer...

http://documentation.sas.com/?docsetId=logug&docsetTarget=n1u9qffk71hqs2n1exo38m1a2n9q.htm&docsetVer...

 

 

4. If we turn on the APM a lot of relevant stuff is available, but how can that information be integrated with a SIEM system? ODBC?

 

SAS 9.4 already logs a lot of stuff by default in WIP (PostgreSQL). APM enables additional logging (such as the logging of the Workspace Server). And the logging can also be customized by you: http://documentation.sas.com/?docsetId=logug&docsetTarget=titlepage.htm&docsetVersion=9.4&locale=en

 

About the way to query this data, as said, ODBC is an option, but I think you would like to ask SAS Technical Support about the best way to query it and be legally compliant.

 

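The pattern-based log parsing described in the accepted answer, as an added example that is not part of the original post: the line layout (a log4sas-style "%d %-5p [%t] %X{User} - %m" pattern) and the sample log lines are constructed for illustration, and the event categories are assumptions, not SAS rule names.

```python
import json
import re

# Assumed layout: "%d %-5p [%t] %X{User} - %m", as commonly configured for
# SAS 9.4 server loggers. Lines that do not match are counted, not dropped silently.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]*)\]\s+:(?P<user>\S*)\s+-\s+(?P<msg>.*)$"
)

# Constructed message patterns a SIEM correlation rule could key on.
EVENT_RULES = [
    ("auth_failure", re.compile(r"Access denied|password.*not valid|Authentication failed", re.I)),
    ("auth_success", re.compile(r"New client connection .* accepted", re.I)),
]

# Constructed sample log, including one unparseable line.
SAMPLE_LOG = """\
2018-05-14T10:15:22,118 INFO  [00000012] :sasdemo - New client connection (1) accepted from server port 8591 for user sasdemo.
2018-05-14T10:15:23,004 ERROR [00000013] :sasdemo - Access denied.
2018-05-14T10:15:23,500 WARN  [00000014] : - Could not create file /tmp/x: Permission denied
garbage line that does not match the pattern
"""

def parse_line(line):
    """Return a dict event for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = event["ts"].replace(",", ".")   # ISO-8601 with a dot fraction
    event["user"] = event["user"] or None         # empty user field -> null
    event["category"] = "other"
    for name, rx in EVENT_RULES:
        if rx.search(event["msg"]):
            event["category"] = name
            break
    return event

def to_siem_events(text):
    """Parse a whole log text; returns (list of events, count of unparsed lines)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        events.append(ev)
    return events, unparsed

if __name__ == "__main__":
    evs, bad = to_siem_events(SAMPLE_LOG)
    for ev in evs:
        print(json.dumps(ev))   # one JSON object per line, ready for a SIEM collector
    print(f"{bad} unparsed line(s)")
```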
3 REPLIES 3

ANLYNG
Pyrite | Level 9
What a great answer, and so detailed and useful. Thank you so much. I will start up next week and look forward to hearing more on your progress and work on the same topic. Thanks.
JuanS_OCS
Amethyst | Level 16

Hi @ANLYNG, I am glad that it will help you to at least have a good start and to explore some parallel answers. If you have further questions, please do not hesitate to open new posts; I am also feeling interested about your work and your version of the truth!
