help?

Are there any MSPs out there currently using cWatch? I’ve been working with Comodo support for a long time trying to get this up and running and I’m having difficulties. I’d like to chat with another MSP on the matter.

Thanks,
Josh

Hi Joshua,

I want to summarize my answer here so that anybody who runs into the same issue can read it.

  • Sending logs directly to cWatch is possible of course, but for some products like Fortigate the syslog is not well formatted and also differs from version to version. So it becomes very time-consuming, if not impossible, to auto-detect the type of the log. So we require some templates to reformat that log using nxlog, rsyslog or syslog-ng.

  • For such cases, our cWatch NxSensor should be used. It is not only a network monitoring tool, but also a log aggregator that merges and reformats logs coming from various customers or devices.
We have scripts and wizards for such scenarios. So you should install the ISO on your site or one of the customers' sites, route all logs to it, and then do the necessary configuration using it.

  • Queries and rules are all exportable and can be moved between your accounts by doing imports only. We export the queries and rules in our custom format (nxm) file, which is a text-based serialized format.
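The first point above is that key=value style firewall syslog (Fortigate is the example given) needs reformatting before a SIEM can reliably type it, because field names and layout change between firmware versions. The following is an added illustration of that normalization step, written for this thread and not code from Comodo, the cWatch sensor or any of the tools named; it parses constructed sample lines, maps version-specific field names onto one canonical schema (the alias table is an assumption made for illustration, not an authoritative list of Fortigate field names) and emits one JSON record per event, which is the kind of output an rsyslog, syslog-ng or nxlog template would hand to a SIEM.

```python
"""Normalise key=value style firewall syslog into a consistent JSON schema.

Added example for this thread; it is not code from cWatch, nxlog, rsyslog or
syslog-ng. All sample log lines below are constructed.
"""
import json
import re
from typing import Any, Dict, List

# key=value tokens; values may be bare or double-quoted (with \" escapes inside).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
# Optional syslog PRI ("<189>") and optional RFC3164-style "Mon DD HH:MM:SS host " header.
PRI_RE = re.compile(r"^<\d{1,3}>")
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# Canonical field -> source names tried in order. ASSUMED mapping for illustration:
# it models the kind of rename that happens between firmware generations, not a
# verified Fortigate field list.
ALIASES = {
    "device": ("devname",),
    "event_type": ("type",),
    "event_subtype": ("subtype",),
    "severity": ("level",),
    "src_ip": ("srcip", "src"),
    "dst_ip": ("dstip", "dst"),
    "src_port": ("srcport", "src_port"),
    "dst_port": ("dstport", "dst_port"),
    "action": ("action", "status"),
}

# Constructed samples: a current-style line with a PRI, and an older-style line
# with a syslog header, different field names and a quoted message containing
# escaped quotes.
SAMPLE_LINES = [
    '<189>date=2023-05-01 time=10:15:42 devname="fw-branch1" type="traffic" '
    'subtype="forward" level="notice" srcip=10.0.0.5 srcport=51234 '
    'dstip=203.0.113.7 dstport=443 action="accept"',
    r'May  1 10:15:43 fw-legacy date=2023-05-01 time=10:15:43 devname=fw-legacy '
    r'type=traffic subtype=other src=192.168.1.20 dst=198.51.100.9 '
    r'src_port=40000 dst_port=22 status=deny msg="SSH blocked by policy \"p-22\""',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Strip syslog framing and return the raw key=value pairs as strings."""
    body = PRI_RE.sub("", line.strip(), count=1)
    body = HEADER_RE.sub("", body, count=1)
    fields: Dict[str, str] = {}
    # findall skips any leftover tokens that are not key=value, so stray
    # header text does not break parsing.
    for key, value in KV_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def normalize(fields: Dict[str, str]) -> Dict[str, Any]:
    """Map raw fields onto the canonical schema; unknown fields go under 'extra'."""
    record: Dict[str, Any] = {}
    used = set()
    for canon, names in ALIASES.items():
        for name in names:
            if name in fields:
                record[canon] = fields[name]
                used.add(name)
                break
    # Fortigate-style lines carry the event time as separate date/time fields.
    if "date" in fields and "time" in fields:
        record["timestamp"] = f"{fields['date']}T{fields['time']}"
        used.update(("date", "time"))
    # Ports become integers so correlation rules can compare them numerically.
    for port_key in ("src_port", "dst_port"):
        if port_key in record and str(record[port_key]).isdigit():
            record[port_key] = int(record[port_key])
    record["extra"] = {k: v for k, v in fields.items() if k not in used}
    return record


def normalize_lines(lines: List[str]) -> List[Dict[str, Any]]:
    """Normalise a batch of raw lines; the schema is the same whatever the source version."""
    return [normalize(parse_kv(line)) for line in lines]


if __name__ == "__main__":
    for record in normalize_lines(SAMPLE_LINES):
        print(json.dumps(record, sort_keys=True))
```

Both sample lines come out with the same `src_ip`, `dst_port`, `action` and `timestamp` keys even though one uses `srcip`/`action` and the other `src`/`status`, which is exactly what lets a single set of SIEM rules apply across firmware versions; anything the alias table does not recognise is preserved under `extra` rather than silently dropped.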

I’m looking into this product as well. What is the best practice here? Do I log from all endpoints, or just servers? If I use Korugan VM firewalls for my customers, does it log IDS alerts and other applicable data to cWatch as well?

Currently using OSSIM sensors at customer prem with OSSEC agents on servers, and then a master OSSIM box colo’d in our datacenter rack and it’s working as an ok solution, if cWatch is better and doesn’t work out to be ridiculously expensive, I’m game.

Hi IndieServe,

You can continue using OSSEC agents on servers or endpoints and aggregate all data on our cWatch Sensor. You can forward any kind of logs to our sensor on prem, where they are aggregated and forwarded to our servers in the Cloud.

For network monitoring/IDS, the sensor itself does this for you, so if you can SPAN or port-mirror the traffic to the sensor, the cWatch sensor does packet analysis/inspection, runs IDS rules, extracts payloads etc. and sends all this to the Cloud itself.

So best practice for your scenario: put the cWatch Sensor on prem, install OSSEC agents on servers or endpoints, install the NxLog agent (with our config) to get Active Directory logs, forward all of them to the sensor, and activate SPAN or port mirroring on prem. If the customer has a firewall or any other devices that give you better visibility, forward those logs to the sensor as well. If you are using Comodo ITSM / AEP agents, forward those logs as well.

Please note that we are also offering 7x24 Security Operations Center services (breach detection and incident handling) as well; you can whitelist or use our service on top.

So, generally speaking, if I use Korugan VM for my customer firewalls/IDS/IPS and forward its logs to cWatch, and do the same for customer servers which are running ITSM/AEP, I’m basically good and you guys update the threat intel on the SIEM with good feeds, right (i.e. better than publicly available STIX/TAXII feeds)?

Yes, and I would also suggest using the cWatch Sensor as a network monitoring tool/IDS; we have better signatures on it :)

Yes, but from the pricing I see in the Accounts section, I do not think any of my customers will pay that much. At this point I’m looking for a basic solution that will do the centralized logging and that has provided correlation rules and threat intel feeds at the SIEM level. I want to tie that together with servers which are all in ITSM with the premium endpoint security, as well as IDS data (so the Korugan signatures aren’t very good?)

For the record (this is a somewhat old post, but someone ‘liked’ it so I wanted to update): I was reading the pricing for a different cWatch product. The cWatch NxSIEM pricing is pretty good.

Hello @indieserve,
Thank you for the update and feedback on our products. If you need information about the pricing of our products, please don’t hesitate to contact our Sales department by sending them an email at c1-sales@comodo.com.