well I just do my own design as NFR and LMS are commercial products and can't be so flexible as I need.. and they don't do any signature identification or automatic alerting upon them.. I handle many many more devices out there and I put all in a big SQL database. one thing is syslog messages the other is firewall alerts and there are also eventlog possibilities. but unfortunatelly it takes a loooong time to code and implement all the logs and devices. but at the end I have a system on my own and I'm able to do signature identification and alerting as I wish to. The hardest thing is to get the logs in the same format into a SQL.. the rest is easy.. anyway you're right.. syslogd is the ultimate answer, as you can't install software agents on ciscos or other equipment.. then some devices talk only SNMP and then there's that microsoft stuff, that has its own log system.. now if you're lazy you can buy the NFR secure loging facility and wait till they implement all the devices/software that you want or doit yourself. I chose the second way as I need some coding practice badly.. lubo -----Original Message----- From: Brian Anon [mailto:brian_anonat_private] Sent: Donnerstag, 2. Mai 2002 22:40 To: loganalysisat_private Subject: [logs] Centralizing Audit Logging and Reporting I am in the process of creating a business case that may involve logging system and application events to a central audit log database. Once this is done, I expect to be able to query the database to generate reports. I expect the most standard approach would be to implement SYSLOGD that logs to a RDBMS (MS SQL or Oracle). Some of the systems and applications I may like to do this with are: Windows 2000 Servers CheckPoint Firewall-1 IIS RealSecure Sensors McAfee NetShield McAfee VirusShield Microsoft IIS Microsoft Exchange Microsoft SQL Oracle Microsoft DNS Citrix MetaFrame Cisco PIX Cisco Routers Cisco Switches I am prepared ro create scripts/agents that can grab an application log and parse the information and input it into the database at scheduled intervals or on-demand. I understand each application may require a different table structure. Has anyone tried to accomplish this? Any suggestions or comments? Regards, Brian, CISSP _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 08:18:56 PDT