    Posts

    • Spiceworld 2017 Session: The IT Manager's Guide to Shadow IT

      I was asked a couple of times about sending the slide deck to people and wanted to post it here. Here's a list of what I have prepared for those who asked:

      • PowerPoint slides

      • Link to video of the presentation

      • Transcription of best comments from audience in the presentation

      • Answers to questions people sent out via Twitter during the presentation

      You can find it all here:

      http://blog.thenetworknerd.com/2017/10/21/spiceworld-2017-session-the-it-managers-guide-to-shadow-it...

      Thanks so much to everyone who came and made this such a great discussion. I think my favorite question was the one @JaredBusch asked about keeping yourself from Shadow IT. And I want to give a special shout out to Paul Mai for recording the session for me.

      Also, thanks to the Mango community for vetting the original blog post I wrote months ago that gave me the idea for a presentation. @MattSpeller

      posted in Self Promotion spiceworld 2017 spiceworld spiceworld austin networknerd blog networknerd shadow it shadow it
      NetworkNerd
    • RE: Wazuh and the ELK Stack - Check My Logic, Please

      After asking the Wazuh employee I had been speaking to about Kibana 5.6.3, the GitHub repo was updated to include it.

      posted in IT Discussion
      NetworkNerd
    • RE: Wazuh and the ELK Stack - Check My Logic, Please

      I think this may answer it. The Wazuh employee I had been chatting with sent me here - https://github.com/wazuh/wazuh-kibana-app. They don't officially list Kibana 5.6.3 there, but the upgrade and Wazuh app install worked like a champ.

      I'd still love community opinions nonetheless.

      posted in IT Discussion
      NetworkNerd
    • Wazuh and the ELK Stack - Check My Logic, Please

      As I mentioned in this thread, we're looking to roll out Wazuh.

      I noticed they had an OVA, so naturally I gravitated toward using it as opposed to installing everything myself from a base CentOS 7 install. Not that there's anything wrong with building from scratch, it's just the decision I made. The great thing about their OVA as opposed to many others out there is it happens to be a full CentOS 7 instance that you can update / upgrade via yum (which I love).

      After installing the OVA, I could log in to the Kibana interface with no issues, see Wazuh info, etc. But I wanted to update all components so everything would be fully patched when we start (OS and all components of the ELK stack). Here's what you see if you run yum check-update after installing the OVA:
      [Image: Wazuh_yumcheckupdate.png]

      I went ahead and performed the updates and rebooted the CentOS box. After that I could log in to Kibana with no issues and see the version had been updated from 5.6.1 to 5.6.3. When I did that I actually lost the Wazuh plugin for Kibana. Then I followed the guide here to remove and re-install the Wazuh Kibana app to get back in business: https://documentation.wazuh.com/current/installation-guide/upgrading/same_major.html.

      My question here is more about running updates to the ELK stack and how concerned I need to be about their effect on Wazuh moving forward. From what I see from the install guide, if you were rolling your own CentOS instance you would just run yum install kibana and end up with the latest version out there anyway. Maybe I just got lucky because the Wazuh app was already compatible with the latest version of Kibana? When I look in the Kibana interface, I still see the same version of Wazuh (2.1.1, revision 0345), which should be the case since Wazuh itself was not updated at all.

      The OVA on their site shows it is Wazuh 2.1.1 and ELK 5.5.1. I sent out a Tweet about installing Wazuh and being able to update the OVA, and one of their employees mentioned they needed to upgrade elasticsearch in the OVA anyway.

      posted in IT Discussion centos kibana wazuh centos 7 elk
      NetworkNerd
    • RE: Distro Selection for OSSEC

      We decided to stick with Wazuh. It runs on CentOS 7 and has a shiny OVA we used to deploy it. So for the purposes of this thread, we have our distro selected. Thanks everyone for the help.

      posted in IT Discussion
      NetworkNerd
    • RE: DFW SpiceCorps - 11/16/2017

      The meeting had to be rescheduled for 11/16 instead of 11/7. The library double booked the meeting room and had previously committed to using it for Election Day.

      posted in Mango Happenings
      NetworkNerd
    • RE: Distro Selection for OSSEC

      After hearing the session on open source security tools at Spiceworld, I am going to give Wazuh a shot and do a POC of it vs. OSSEC. From what I have read, Wazuh is essentially OSSEC on steroids.

      posted in IT Discussion
      NetworkNerd
    • DFW SpiceCorps - 11/16/2017

      Date: Thursday, Nov 16
      Time: 6:00pm - 9:00pm CDT
      Location:
      North Richland Hills Library
      9015 Grand Ave
      North Richland Hills, TX 76180

      All of us take the time to work on other people's technology problems. Day after day we try with undying effort to save the world from all who would seek to destroy it. This can be a tough job which leaves you feeling spent. At the end of the day when you hang up that super hero cape, do you take some time for self reflection? Is this what you really want to be doing? Is the future so bright you have to wear shades, or do you not even have time to think about the future? Is IT Manager the only way up for you, or is there another way? Do you feel like you're capable of something more?

      Make some time for yourself, and come join us for career night at the DFW SpiceCorps! We will have a panel of IT industry veterans talking everything career - where they came from, where they are now, how they got there, and how you have the power to choose your destiny. The panel will be moderated, but there will be plenty of time for audience questions. Come pick brains and learn the secrets of leveling up.

      In addition to this, our very own Paul Mai will be taking head shots you can use to beef up your LinkedIn profile completely free of charge.

      This meeting is unsponsored, so there will be no food and beverage provided. Feel free to bring your own. NO ALCOHOL IS ALLOWED.

      This event is not sponsored or endorsed by the North Richland Hills Library or the City of North Richland Hills.

      Parking Info:
      Park in the main library lot. The meeting will be held in the community room, which is on the right on the lower level as you enter the building.

      RSVP here - https://community.spiceworks.com/meeting/show/2534

      posted in Mango Happenings spicecorps spicecorps dfw
      NetworkNerd
    • RE: AIM Shutting down

      I had no clue it still existed. I would have been a sophomore in high school in 1997.

      posted in Water Closet
      NetworkNerd
    • RE: Distro Selection for OSSEC

      @dbeato said in Distro Selection for OSSEC:

      I usually use OSSIM but it is from Alienvault, I don't usually engage with their vendors though so that's good.
      https://www.alienvault.com/products/ossim

      Interesting. I love the fact that you have to enter your information to watch a webcast on the product. It seems like they have at least skinned up a decent web interface for management, however. How many endpoints are you monitoring with OSSIM? It looks like you only get to have a single OSSIM server in terms of deployment (not that this is super important for us) and that it does not do log management. But we do have Log Insight which could be used for that purpose.

      posted in IT Discussion
      NetworkNerd
    • RE: Distro Selection for OSSEC

      @travisdh1 - did you install the web UI on your OSSEC server? It looks like that has not been updated since 2015, so it seemed like that would not be wise (although someone else shows they did it here). But it also looks like if you don't install the web UI you're basically managing all things via command line. The documentation is what I'd call less than stellar.

      To give some frame of reference, I was able to stand up a CentOS 7 minimal install and install OSSEC without much trouble. It's the configuration part that is a bit challenging. It looks like /var/ossec/etc/ossec.conf controls a great deal of the magic.

      posted in IT Discussion
      NetworkNerd
    • RE: Generating content ideas for topics, posts, articles

      @jmoore said in Generating content ideas for topics, posts, articles:

      @networknerd said in Generating content ideas for topics, posts, articles:

      I actually get frustrated at times with the length of my commute and the fact that I could have been blogging about something during that time. I feel like that is part of the problem I have with hitting a regular cadence of more than every couple of weeks.

      I think it is Evernote that allows you to do voice memos right into your notes. So while you are commuting you could talk into your phone and flesh out an article and at least make some progress. Just an idea for you.

      Thanks for that. I hope the voice recognition for Evernote is better than when I try to voice text someone on my iPhone. It's a good idea though.

      posted in IT Business
      NetworkNerd
    • RE: Generating content ideas for topics, posts, articles

      @scottalanmiller said in Generating content ideas for topics, posts, articles:

      I find getting into online arguments is a great way to come up with things to write about.

      So are you advocating that we should seek to be argumentative? Only for the purposes of coming up with new topics to write about, of course. 🙂

      posted in IT Business
      NetworkNerd
    • RE: Choosing a SIP Provider - What Should I Look For?

      Also look at the way things are priced. Some carriers charge based on number of concurrent calls, while others charge a low per-minute fee or give you a bucket of minutes and charge a small overage fee if you go over that bucket amount. Find out how much the new carrier charges for things like inbound / outbound CNAM, how much they charge per DID you have using their service, etc.

      Knowing the max concurrent calls happening right now can help you plan for how much bandwidth gets used. If you plan for 100 Kbps per concurrent call of internet bandwidth needed, that's a decent estimate if the provider is using G711u as the codec (less if G729).

      posted in IT Discussion
      NetworkNerd
    • RE: Choosing a SIP Provider - What Should I Look For?

      @scottalanmiller said in Choosing a SIP Provider - What Should I Look For?:

      Voip.ms and Twilio are the places to look first.

      I'd consider Intelepeer as well. We used them at my previous company, and they were very good.

      posted in IT Discussion
      NetworkNerd
    • RE: Generating content ideas for topics, posts, articles

      Here is a great podcast on technical blogging. The hosts (Chris Wahl and Ethan Banks) give some great tips on how to organize your thoughts, how they do it, whether you should blog about things others have already written about, etc. I probably listened to it 5 times as I was beginning to get into blogging.

      http://packetpushers.net/podcast/podcasts/datanauts-061-trials-tribulations-technical-blogging/

      posted in IT Business
      NetworkNerd
    • RE: Generating content ideas for topics, posts, articles

      Thanks also for your content idea generation experience. I guess some abstractive ideas are better generated when we are walking, drinking a coffee etc. But content for some specific theme is better generated by tools. Am I right?

      Yep - sometimes an idea can come out of nowhere. It just kind of hits you. When it does, try to jot down your thoughts so they are not lost, especially if you are not able to start writing the full blog at that moment.

      posted in IT Business
      NetworkNerd
    • RE: Generating content ideas for topics, posts, articles

      @jmoore said in Generating content ideas for topics, posts, articles:

      @ivan-palii I use OneNote several times a day and do it every day. Among other things, I keep a running list of things to write about based on things I encounter with my users. Excel tutorial, network question, C++ problem a professor had, basic Linux concepts for another professor to help her class. Things like that.

      When I encounter something I use the OneNote app on my phone and enter it in and refer to it and add a lot more to make a post. http://aindien.com/blog It's real basic material and it's stuff that would bore you all to tears but I have found an audience for it.

      I'm in the same boat and think of ideas all the time based on problems I have solved at work, a podcast I have listened to, someone in the community I have talked to about an issue they have had. I just started this year at http://blog.thenetworknerd.com. I usually make a draft in Wordpress to save for later so I do not forget. At times I have so many ideas it is hard to pick one.

      I actually get frustrated at times with the length of my commute and the fact that I could have been blogging about something during that time. I feel like that is part of the problem I have with hitting a regular cadence of more than every couple of weeks.

      posted in IT Business
      NetworkNerd
    • RE: Fighting the Afternoon Energy Dip

      @kelly said in Fighting the Afternoon Energy Dip:

      You might also look at your work schedule. I've recently become aware of the fact that the tasks that seem to come up during the morning are the ones that are outside of my "sweet spot" from a personality perspective. When those occupy my morning and I spend zero time doing things that give me life I end up wiped by lunch regardless of diet or exercise.

      That's a good point. When you're really excited about doing something or find it very engaging, it normally does not matter how tired you might be. I say normally here because there are truly times where you are just too wiped out to even do what you enjoy.

      posted in Water Closet
      NetworkNerd
    • RE: Distro Selection for OSSEC

      I know this is FOSS and that there are support options out there, but we do have license to vRealize Log Insight also, which would already fall under paid support through VMware. It certainly won't do the HID like OSSEC would, but we may end up partnering with a vendor like Arctic Wolf to do that part for us down the road. The jury is still out on that one.

      posted in IT Discussion
      NetworkNerd