RE: [logs] Centralizing Audit Logging and Reporting

From: Lubomir.Nistor@star-21.de
Date: Fri May 03 2002 - 01:48:40 PDT


    well I just do my own design as NFR and LMS are commercial products and can't be as flexible as I need..
    and they don't do any signature identification or automatic alerting upon them..
    
    I handle many many more devices out there and I put all in a big SQL database.
    one thing is syslog messages the other is firewall alerts and there are also eventlog possibilities.
    but unfortunately it takes a loooong time to code and implement all the logs and devices.
    but at the end I have a system on my own and I'm able to do signature identification and alerting as I wish to.
    
    The hardest thing is to get the logs in the same format into a SQL.. the rest is easy..
    
    
    anyway you're right.. syslogd is the ultimate answer, as you can't install software agents on ciscos or other equipment..
    then some devices talk only SNMP and then there's that microsoft stuff, that has its own log system..
    
    now if you're lazy you can buy the NFR secure logging facility and wait till they implement all the devices/software that you want or do it yourself.
    
    I chose the second way as I need some coding practice badly..
    
    
    lubo
    
    
    -----Original Message-----
    From: Brian Anon [mailto:brian_anonat_private]
    Sent: Thursday, 2 May 2002 22:40
    To: loganalysisat_private
    Subject: [logs] Centralizing Audit Logging and Reporting
    
    
    I am in the process of creating a business case that may involve logging 
    system and application events to a central audit log database.  Once this is 
    done, I expect to be able to query the database to generate reports.
    
    I expect the most standard approach would be to implement SYSLOGD that logs 
    to an RDBMS (MS SQL or Oracle).
    
    Some of the systems and applications I may like to do this with are:
    Windows 2000 Servers
    CheckPoint Firewall-1
    IIS RealSecure Sensors
    McAfee NetShield
    McAfee VirusShield
    Microsoft IIS
    Microsoft Exchange
    Microsoft SQL
    Oracle
    Microsoft DNS
    Citrix MetaFrame
    Cisco PIX
    Cisco Routers
    Cisco Switches
    
    I am prepared to create scripts/agents that can grab an application log and 
    parse the information and input it into the database at scheduled intervals 
    or on-demand.  I understand each application may require a different table 
    structure.
    
    Has anyone tried to accomplish this?  Any suggestions or comments?
    
    Regards,
    Brian, CISSP
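As an added illustration of what both messages describe (getting logs from different devices into one SQL table in a common format, then running signature rules and reports over that table), here is a small Python example. It is not code from either poster or from NFR/LMS; the syslog lines, the schema, the rule set and the thresholds are all constructed for the example, and SQLite stands in for the MS SQL or Oracle back end.

```python
import re
import sqlite3

# Constructed sample input (not from the thread): BSD-style syslog lines as a
# central syslogd might receive them from an SSH host, a PIX and a DNS server.
# The message bodies are illustrative, not captured traffic.
SAMPLE_LINES = [
    "<38>May  2 22:40:01 web01 sshd[4122]: Failed password for root from 10.0.0.9 port 51022 ssh2",
    "<38>May  2 22:40:03 web01 sshd[4122]: Failed password for root from 10.0.0.9 port 51023 ssh2",
    "<38>May  2 22:40:05 web01 sshd[4122]: Failed password for root from 10.0.0.9 port 51024 ssh2",
    "<134>May  2 22:41:10 fw01 %PIX-6-302001: Built inbound TCP connection 12 for 10.0.0.9:4242 to 192.168.1.5:80",
    "<132>May  2 22:41:12 fw01 %PIX-4-106023: Deny tcp src outside:10.0.0.9/4243 dst inside:192.168.1.5/23",
    "<13>May  2 22:42:00 dns01 named[233]: client 192.168.1.20#5353: query: www.example.com IN A",
    "this line is not syslog at all",
]

# <PRI>Mon DD HH:MM:SS host program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize(line):
    """Map one raw syslog line onto the common schema; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"]) if m["pri"] is not None else 13  # default user.notice
    ip = IPV4_RE.search(m["msg"])  # crude heuristic: first IPv4 in the message
    return {
        "ts": m["ts"], "host": m["host"],
        "facility": pri // 8, "severity": pri % 8,
        "program": m["prog"], "pid": int(m["pid"]) if m["pid"] else None,
        "src_ip": ip.group(1) if ip else None, "msg": m["msg"],
    }


SCHEMA = """CREATE TABLE events (
    id INTEGER PRIMARY KEY, ts TEXT, host TEXT, facility INTEGER,
    severity INTEGER, program TEXT, pid INTEGER, src_ip TEXT, msg TEXT)"""


def load(lines):
    """Normalize lines into a fresh in-memory events table.
    Returns (conn, parsed, rejected); junk is counted, not silently dropped."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # SQLite has no built-in REGEXP; register one so rules can live in SQL.
    conn.create_function("REGEXP", 2,
                         lambda pat, s: s is not None and re.search(pat, s) is not None)
    parsed = rejected = 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            rejected += 1
            continue
        conn.execute(
            "INSERT INTO events (ts, host, facility, severity, program, pid, src_ip, msg) "
            "VALUES (:ts, :host, :facility, :severity, :program, :pid, :src_ip, :msg)", ev)
        parsed += 1
    conn.commit()
    return conn, parsed, rejected


# Constructed signature rules: (name, regex on msg, minimum hits per source IP)
RULES = [
    ("ssh-brute-force", r"^Failed password for", 3),
    ("pix-deny", r"^Deny ", 1),
]


def run_rules(conn, rules=RULES):
    """Return [(rule, src_ip, hits)] for every rule whose threshold is met."""
    alerts = []
    for name, pattern, threshold in rules:
        rows = conn.execute(
            "SELECT src_ip, COUNT(*) FROM events WHERE msg REGEXP ? "
            "GROUP BY src_ip HAVING COUNT(*) >= ?", (pattern, threshold)).fetchall()
        alerts.extend((name, ip, n) for ip, n in rows)
    return alerts


def report(conn):
    """Events per host with the worst (lowest) severity seen: the kind of
    question a central table is there to answer."""
    return conn.execute(
        "SELECT host, COUNT(*), MIN(severity) FROM events GROUP BY host ORDER BY host"
    ).fetchall()


if __name__ == "__main__":
    db, ok, bad = load(SAMPLE_LINES)
    print(f"parsed={ok} rejected={bad}")
    for alert in run_rules(db):
        print("ALERT", alert)
    for row in report(db):
        print("HOST", row)
```

The point of the common schema is that the rules and the report never need to know which device a row came from; adding a new log source means writing one more normalizer, not new alerting code. Counting rejected lines matters in practice, because a parser that quietly drops what it cannot read is exactly what an attacker would hope for.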
    
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 08:18:56 PDT