Are there any MSPs out there currently using cWatch? I’ve been working with Comodo support for a long time trying to get this up and running and I’m having difficulties. I’d like to chat with another MSP on the matter.
Thanks,
Josh
Hi Joshua,
I want to summarize my answer here so that anybody can read it if they confront an issue like that.
-For such cases, our cWatch NxSensor should be used. It is not only a network monitoring tool, but also a log aggregator that merges and reformats the logs coming from various customers or devices.
We have scripts and wizards for such scenarios. So you should install the ISO on your site or one of the customers' sites, route all logs to it, and then do the necessary configuration using it.
I’m looking into this product as well. What is the best practice here? Do I log from all endpoints, or just servers? If I use Korugan VM firewalls for my customers, does it log IDS alerts and other applicable data to cWatch as well?
Currently using OSSIM sensors at customer prem with OSSEC agents on servers, and then a master OSSIM box colo’d in our datacenter rack and it’s working as an ok solution, if cWatch is better and doesn’t work out to be ridiculously expensive, I’m game.
Hi IndieServe,
You can continue using OSSEC Agents on servers or endpoints and aggregate all data on our cWatch Sensor. You can forward any kind of logs to our sensor on prem, where they are aggregated and forwarded to our servers in the Cloud.
For network monitoring/IDS, the sensor itself does this for you, so if you can SPAN or port mirror the traffic to the sensor, the cWatch sensor does packet analysis/inspection, runs IDS rules, extracts payloads etc. and sends all this to the Cloud itself.
So best practice for your scenario: put the cWatch Sensor on prem, install OSSEC Agents on servers or endpoints, install the NxLog Agent (with our config) to get Active Directory logs, forward all of them to the sensor, and activate SPAN or port mirroring on prem. If the customer has some FW or any other devices that give you better visibility, forward those logs to the sensor as well. If you are using Comodo ITSM / AEP agents, forward those logs as well.
Please note that we are also offering Security Operation Center 7x24 services (Breach Detection, Incident Handling) as well; you can whitelist or use our service on top.
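As an added illustration of the Active Directory step above (not Comodo's own config, which the post says is supplied with the agent), here is a minimal NxLog configuration on a domain controller that reads the Windows Security log, keeps the logon-related event IDs a SOC typically correlates, and ships them as BSD syslog over TCP to the on-prem sensor. The sensor address, port and syslog format are assumptions; replace them with the values from the vendor config.

```apacheconf
# Hypothetical nxlog.conf fragment for a Windows domain controller.
# Assumption: the cWatch sensor listens on 10.0.0.5:514/tcp for BSD syslog.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input ad_security>
    Module      im_msvistalog
    # Pull only the Security channel; event IDs filtered below.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep logon success/failure, Kerberos TGT/pre-auth, and account
    # lockout events; drop everything else to limit volume to the sensor.
    Exec if not ($EventID IN (4624, 4625, 4740, 4768, 4771)) drop();
</Input>

<Output cwatch_sensor>
    Module      om_tcp
    Host        10.0.0.5
    Port        514
    # Normalise to syslog so the sensor's aggregator can parse it.
    Exec        to_syslog_bsd();
</Output>

<Route ad_to_sensor>
    Path        ad_security => cwatch_sensor
</Route>
```

On the sensor side, confirm events arrive (for example, trigger a deliberately failed logon on a test account and look for the 4625 record) before relying on the feed for correlation.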
So, generally speaking, if I use Korugan VM for my customer firewalls/IDS/IPS and forward its logs to cWatch, and do the same for customer servers which are running ITSM/AEP, I’m basically good and you guys update the threat intel on the SIEM with good feeds, right (i.e. better than publicly available STIX/TAXII feeds)?
Yes, and I would also suggest using the cWatch Sensor as a Network Monitoring tool/IDS; we have better signatures on it.
Yes, but from the pricing I see in the Accounts section, I do not think any of my customers will pay that much. At this point I’m looking for a basic solution that will do the centralized logging and that has provided correlation rules and threat intel feeds at the SIEM level. I want to tie that together with servers which are all in ITSM with the premium endpoint security, as well as IDS data (so the Korugan signatures aren’t very good?)
For the record (this is a somewhat old post, but someone ‘liked’ it so I wanted to update): I was reading the pricing for a different cWatch product. The cWatch NxSIEM pricing is pretty good.
Hello @indieserve ,
Thank you for the update and feedback on our products. If you need information about the pricing of our products, please don’t hesitate to contact our Sales department by sending them an email at c1-sales@comodo.com