When you say, "has anyone tried to accomplish this?" Do you mean, "Has anyone tried to make a business case?" Or, do you mean, "Has anyone tried to centrally log all that stuff?"

Although the University of Kentucky, where I work, doesn't qualify as a typical business, I did make a case. I'd be willing to share the first couple of pages of our proposal with you if you want.

As we implemented the proposal, several things came to light. First, there are lots of vendors. Second, there are lots of products. Third, there are lots of standards. If one multiplies those together, the "solution space" is something like V x P x S. Someone close to the project said, "Standards are like toothbrushes, everyone wants to use their own." The same can be said of Vendors and Products. :-)

I've tried to keep things simple. Collection via syslog. Store in MSSQL2000. Output via Web/XML.

Few of the analysis products will deal with heterogeneous logs very well. So, being able to selectively extract them from the database for further processing by vendor X's products has been helpful. That's the main reason to store them in a robust database.

With sincere humility I can say (8 months into this project), "I don't have all the answers...but, I'm starting to understand the questions."

Frank Solomon
University of Kentucky
http://www.franksolomon.net

-----Original Message-----
From: Brian Anon [mailto:brian_anonat_private]
Sent: Thursday, May 02, 2002 4:40 PM
To: loganalysisat_private
Subject: [logs] Centralizing Audit Logging and Reporting

I am in the process of creating a business case that may involve logging system and application events to a central audit log database. Once this is done, I expect to be able to query the database to generate reports. I expect the most standard approach would be to implement SYSLOGD that logs to an RDBMS (MS SQL or Oracle).
Some of the systems and applications I may like to do this with are:

Windows 2000 Servers
CheckPoint Firewall-1
IIS
RealSecure Sensors
McAfee NetShield
McAfee VirusShield
Microsoft IIS
Microsoft Exchange
Microsoft SQL
Oracle
Microsoft DNS
Citrix MetaFrame
Cisco PIX
Cisco Routers
Cisco Switches

I am prepared to create scripts/agents that can grab an application log and parse the information and input it into the database at scheduled intervals or on-demand. I understand each application may require a different table structure.

Has anyone tried to accomplish this? Any suggestions or comments?

Regards,
Brian, CISSP
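An added example, not code from either poster, of the pipeline both messages describe: syslog lines from several vendors parsed into one common table, the raw line kept alongside, unparseable lines quarantined, and rows extracted per vendor for further processing. SQLite stands in for MSSQL/Oracle, the sample lines are constructed, and the vendor labels are assumed for the demonstration.

```python
import re
import sqlite3
# RFC 3164-style line as a syslog relay hands it over: "<PRI>Mon dd hh:mm:ss host tag: message"
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^:\s]+):? ?(?P<msg>.*)$")
# Constructed sample input (not real device output): a PIX, an IOS router, a Windows agent, and junk.
SAMPLE_LINES = [
    "<166>May 02 16:40:01 pix01 %PIX-6-302013: Built outbound TCP connection 12 for outside:10.0.0.5/443 to inside:192.168.1.10/51234",
    "<189>May 02 16:40:02 rtr-core 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.20)",
    "<13>May 02 16:40:03 win2k-dc01 MSWinEventLog: Security 529 Logon Failure user=jdoe",
    "this line is not syslog at all",
]
def parse_syslog(line):
    """Split one line into the fields every source shares; None if it is not syslog at all."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8, "ts": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "message": m.group("msg")}

def classify(ev):
    """Assumed vendor labels derived from the tag, so rows can later be pulled out per product."""
    if ev["tag"].startswith("%PIX-"):
        return "cisco_pix"
    if ev["tag"] == "MSWinEventLog":
        return "windows_eventlog"
    if ev["tag"].isdigit() and ev["message"].startswith("%"):  # IOS sequence number, then %FAC-SEV-MNEMONIC
        return "cisco_ios"
    return "unknown"

def load_events(lines, conn):
    """Store common fields plus the untouched raw line, quarantine unparseable lines; returns the events row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, vendor TEXT, facility INTEGER, "
                 "severity INTEGER, ts TEXT, host TEXT, tag TEXT, message TEXT, raw TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS rejects (id INTEGER PRIMARY KEY, raw TEXT)")
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            conn.execute("INSERT INTO rejects (raw) VALUES (?)", (line,))
            continue
        # Log text is written by remote hosts: always a bound parameter, never spliced into the SQL string.
        conn.execute("INSERT INTO events (vendor, facility, severity, ts, host, tag, message, raw) VALUES (?,?,?,?,?,?,?,?)",
                     (classify(ev), ev["facility"], ev["severity"], ev["ts"], ev["host"], ev["tag"], ev["message"], line))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]

def extract_by_vendor(conn, vendor):
    """Selective extraction: one vendor's rows, ready to hand to that vendor's own analysis product."""
    return conn.execute("SELECT host, severity, message FROM events WHERE vendor = ? ORDER BY id", (vendor,)).fetchall()
```

Run with `load_events(SAMPLE_LINES, sqlite3.connect(":memory:"))`; the rejects table is what you check first when a new source's format does not match the common pattern.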
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 08:19:28 PDT