
RE: Event log monitoring

Subject: RE: Event log monitoring
Date: Tue, 19 Oct 2004 08:38:07 +1000
If you're looking at correlation and other fancy features check out SEM/SIM
security event/information management software.
Some vendors incl:
Arcsight
Intellitactics
netForensics
NetIQ

These solutions can be costly but nice if you're receiving crazy amounts of
logs.

Have a read of the article below:
http://www.computerworld.com/securitytopics/security/story/0,10801,83978,00.html
Also
http://www.infosecwriters.com/text_resources/pdf/SEM.pdf

Nhon

-----Original Message-----
From: Kurt [mailto:kurtbuff@spro.net] 
Sent: Saturday, 16 October 2004 9:27 AM
To: security-basics@securityfocus.com
Subject: RE: Event log monitoring

The solution(s) I proposed are pretty much roll-your-own setups.

The benefit is that they are incredibly cheap. Another benefit (if you
squint just right) is that you'll learn an incredible amount in putting it
all together, which does indeed mean setting up your own reports, etc.

If you want something that works right out of the box, you might want to go
fishing at http://loganalysis.org.

Actually, I'd suggest you go there anyway, as it is quite a good resource
for lots of this kind of stuff.

Kurt

| -----Original Message-----
| From: Ryan Murphy [mailto:RMurphy@irvinecompany.com]
| Sent: Friday, October 15, 2004 11:54
| To: security-basics@securityfocus.com
| Subject: RE: Event log monitoring
|
|
| I am in a similar situation as the original poster in that I am 
| looking for consolidated server event logging for our Windows server 
| farms. The options provided on this list so far provide a good base 
| for windows syslog servers/clients. The real question I need answered 
| is, which of these products provide correlation/analyzation/reporting 
| on the log data collected? That is the real value in having a 
| centralized logging system.
| Which of these products will let me answer questions like:
|
| How many failed logins occurred between a certain time period?
| Which logins
| and on which servers?
| What are repeated application failures, and are they correlated in 
| some way to the security or system logs?
| Creation of new administrator accounts correlated with a series of 
| failed login attempts followed by a single successful attempt.
|
| Basically, which log server analyzer will provide reports for 
| suspicious activity, or other activity possibly indicative of someone 
| trying to fiddle with things they shouldn't be? Does this kind of 
| thing exist, or are we still at the point where the vigilant sys admin 
| has to pore through these logs himself, or with a series of scripts in 
| hand?
|
| Thanks,
|
| Ryan
|
|
|
| -----Original Message-----
| From: Kurt [mailto:kurtbuff@spro.net]
| Sent: Wednesday, October 13, 2004 3:42 PM
| To: 'Stephane Auger'; security-basics@securityfocus.com
| Subject: RE: Event log monitoring
|
|
| http://ntsyslog.sourceforge.net or
| http://intersectalliance.com/snare -
| will send your eventlogs to a syslog server in realtime
|
| http://kiwisyslog.com - a very good syslog server for Windows, and if 
| you pay for it (it's very inexpensive for the impressive quality), 
| it'll even log to an ODBC DSN
|
| http://mysql.com - A free SQL database server, with an ODBC interface, 
| both Windows and *nix.
|
| Pretty much all you need.
|
| | -----Original Message-----
| | From: Stephane Auger [mailto:stephaneauger@pre2post.com]
| | Sent: Tuesday, October 12, 2004 13:26
| | To: security-basics@securityfocus.com
| | Subject: Event log monitoring
| |
| |
| | Hey everyone,
| |
| |   I'm looking for a practical way to monitor event logs on multiple 
| | servers.  There are multiple subnets at multiple sites, and I have one
| | main LAN to monitor everything.  Is there some kind of software/batch
| | file that could be installed on the servers so that the events can be sent
| | on my monitoring lan (a little bit like SNMP sending to a listening 
| | server)?  Thanks!!
| |
| | Stephane Auger, MCP
|
|
|

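The correlation Ryan asks for (failed logons counted per server and time window, and a run of failed logons followed by one success and then a new administrator account) can be scripted once the event logs land in one place. The script below is an added example, not code from anyone in the thread or from the tools named above; it assumes a constructed, simplified "date time host event_id key=value" line format rather than the exact NTSyslog or Snare output, and the Windows 2000/2003 security-log event IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "date time host event_id key=value..." form,
# NOT the exact NTSyslog/Snare output. Event IDs use the Windows 2000/2003 security
# log numbering: 529 failed logon, 528 successful logon, 624 account created, 632 group add.
SAMPLE = """\
2004-10-15 11:40:01 srv01 529 user=admin2 src=10.0.5.7
2004-10-15 11:40:03 srv01 529 user=admin2 src=10.0.5.7
2004-10-15 11:40:05 srv01 529 user=admin2 src=10.0.5.7
2004-10-15 11:40:09 srv01 528 user=admin2 src=10.0.5.7
2004-10-15 11:41:30 srv01 624 user=admin2 target=helpdesk2
2004-10-15 11:41:31 srv01 632 user=admin2 target=helpdesk2 group=Administrators
2004-10-15 12:10:00 srv02 529 user=bob src=10.0.9.3
2004-10-15 12:10:20 srv02 528 user=bob src=10.0.9.3
"""
LINE = re.compile(r"^(\S+ \S+) (\S+) (\d+) (.*)$")

def parse(text):
    # Turn forwarded lines into dicts sorted by time; non-matching lines are skipped.
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(4).split())
            events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           "host": m.group(2), "id": int(m.group(3)), **fields})
    return sorted(events, key=lambda e: e["ts"])

def failed_logons(events, start, end):
    """Failed logons per (host, user) inside [start, end]: Ryan's first two questions."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 529 and start <= e["ts"] <= end:
            counts[(e["host"], e.get("user"))] += 1
    return dict(counts)

def brute_force_then_admin(events, min_failures=3, window=timedelta(minutes=5)):
    """Per (host, user): >= min_failures 529s, then a 528, then within `window`
    a 624 (account created) or 632 (member added to a group) by that user."""
    alerts, state = [], defaultdict(lambda: [0, None])  # [failures, success_ts]
    for e in events:
        st = state[(e["host"], e.get("user"))]
        if e["id"] == 529:
            st[0] += 1
        elif e["id"] == 528:
            st[1] = e["ts"] if st[0] >= min_failures else None
            st[0] = 0
        elif e["id"] in (624, 632) and st[1] and e["ts"] - st[1] <= window:
            alerts.append((e["host"], e.get("user"), e["id"], e.get("target")))
    return alerts
```

With the sample above, the srv01 sequence produces two alerts (the account creation and the group add), while bob's single failure followed by a success on srv02 does not.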
