Re: [logs] log review policies

From: peff-loganalat_private
Date: Fri Oct 12 2001 - 12:59:16 PDT

  • Next message: Tom Perrine: "[logs] any syslog implementations of draft-ietf-syslog-reliable?"

    On Fri, 12 Oct 2001, John Rowan Littell wrote:
    
    > regards to keeping the IDS output on the loghost, I might suggest
    > creating email accounts on the loghost to which you directly send the
    > mails.  This wouldn't be any more difficult than sending them
    > off-host.  Then you can dictate a login method of your favorite
    
    Yes, this was what I had intended. The ideal interface for reviewing
    these log entries (IMHO) is to bunch the entries into sets wherein each
    entry can be viewed and then marked as "read". Most mail readers provide
    this interface for you already, so keeping it is a big plus.
    
    > (major) vulnerability point to the workstation from which the admins
    > log in, but with a secure connection, this is a lot less troublesome.
    
    Yes. My main worry would be the compromise of the sysadmin workstation.
    This is much less likely than an actual server (since we're not running
    any services that listen on the network on the workstations), but still
    possible through passive attacks (browser overflows, email
    vulnerabilities, etc).
    
    My gut feeling is to say that the sysadmin workstations are "secure
    enough" for our environment.
    
    -Jeff
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
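As an added example, not code from the original thread or from either of its authors, here is one way to implement the review interface Jeff describes: IDS entries are bunched into sets, each set is delivered as one message into a local mailbox on the loghost, and the reviewer's mail reader marks each set "read" via the ordinary mbox Status flag. It uses only Python's standard library (the mailbox module); the alert lines, sensor names and the ids@loghost.example recipient are constructed for illustration and do not come from the thread.

```python
"""Batch IDS alert lines into local mbox messages so each batch can be
reviewed and marked read with any mail reader.  Added example; the sample
alert lines, sensor names and addresses below are constructed."""
import mailbox
import os
import tempfile
from collections import defaultdict
from email.message import EmailMessage
from email.utils import formatdate

# Constructed sample IDS alert lines (syslog-style, not from a real sensor).
SAMPLE_ALERTS = [
    "Oct 12 12:31:02 sensor1 ids: [1:2001] portscan from 192.0.2.10",
    "Oct 12 12:31:05 sensor1 ids: [1:2001] portscan from 192.0.2.10",
    "Oct 12 12:40:11 sensor2 ids: [1:1337] web attack from 198.51.100.7",
    "Oct 12 12:41:30 sensor1 ids: [1:2001] portscan from 192.0.2.44",
]


def group_alerts(lines):
    """Bunch alert lines into sets keyed by (sensor, signature id).

    For the constructed format above, field 3 is the sensor host and
    field 5 is the bracketed signature id, e.g. "[1:2001]".
    """
    groups = defaultdict(list)
    for line in lines:
        fields = line.split()
        groups[(fields[3], fields[5])].append(line)
    return dict(groups)


def deliver_batches(groups, mbox_path, recipient="ids@loghost.example"):
    """Write one unread message per set into a local mbox file.

    Delivery is local to the loghost, so the alerts never leave the box
    in clear.  A real local delivery agent would also lock the mailbox
    (mailbox.mbox.lock()) against a concurrently running mail reader.
    """
    box = mailbox.mbox(mbox_path)
    try:
        for (sensor, sig), lines in sorted(groups.items()):
            msg = EmailMessage()
            msg["From"] = f"ids@{sensor}.example"  # constructed sender
            msg["To"] = recipient
            msg["Subject"] = f"[IDS] {sensor} {sig} ({len(lines)} entries)"
            msg["Date"] = formatdate(localtime=True)
            msg.set_content("\n".join(lines) + "\n")
            box.add(msg)  # stored without a Status header, i.e. unread
        box.flush()
    finally:
        box.close()


def unread_subjects(mbox_path):
    """Return subjects of sets not yet marked read (no 'R' in Status)."""
    box = mailbox.mbox(mbox_path)
    try:
        return [m["Subject"] for m in box if "R" not in m.get_flags()]
    finally:
        box.close()


def mark_read(mbox_path, subject):
    """Mark every set with the given subject read, as a mail reader would,
    by setting the mbox 'R' flag (Status: R).  Returns the count marked."""
    box = mailbox.mbox(mbox_path)
    count = 0
    try:
        for key in list(box.keys()):
            msg = box[key]
            if msg["Subject"] == subject:
                msg.add_flag("R")
                box[key] = msg
                count += 1
        box.flush()
    finally:
        box.close()
    return count


def new_mbox_path():
    """Path for a fresh mbox in a temporary directory (for the demo)."""
    return os.path.join(tempfile.mkdtemp(), "ids.mbox")


if __name__ == "__main__":
    path = new_mbox_path()
    deliver_batches(group_alerts(SAMPLE_ALERTS), path)
    pending = unread_subjects(path)
    print("unread:", pending)
    mark_read(path, pending[0])
    print("unread after review:", unread_subjects(path))
```

Because the review state lives in the standard Status header, the same mailbox can be opened with mutt, pine or any other mbox-capable reader on the loghost and the "read" marks stay consistent with what this script reports.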
    



    This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 13:00:03 PDT