I don't mean to belabor the point, but my experience with the new NFR product shows that:

1) It does handle firewall logs, as well as routers and switches, NT Event logs, AIX, HP-UX, and Solaris logs, in anything you can point at it.
2) It does a fine job of alerting via a variety of means.
3) It indeed does signature analysis.
4) I can easily write my own signatures, as well as custom audit, collection and detection criteria.
5) It works with Oracle or SQL Server.
6) It can export in nearly any form you like, including HTML, XML, RTF, Word, Excel etc.
7) It is very flexible and open and can be customized to a fare-thee-well.
8) The folks at NFR were excellent helping me implement my Pilot in my Test Lab.

Until you've had a look at it, don't assume you know its limitations. (It's not the product on the website...)

FYI

"Accurate measurement is the beginning of all wisdom." - Imhotep 2650 B.C.

Bill Hill
with disclaimer
Hawaii Medical Service Association
Tel: (808) 948-6356, Fax: (808) 948-6799
email = bill_hillat_private

-----Original Message-----
From: Lubomir.Nistor@star-21.de [mailto:Lubomir.Nistor@star-21.de]
Sent: Thursday, May 02, 2002 10:49 PM
To: brian_anonat_private; loganalysisat_private
Subject: RE: [logs] Centralizing Audit Logging and Reporting

well I just do my own design as NFR and LMS are commercial products and can't be so flexible as I need..
and they don't do any signature identification or automatic alerting upon them.. I handle many many more devices out there and I put all in a big SQL database. one thing is syslog messages the other is firewall alerts and there are also eventlog possibilities. but unfortunately it takes a loooong time to code and implement all the logs and devices. but at the end I have a system on my own and I'm able to do signature identification and alerting as I wish to.

The hardest thing is to get the logs in the same format into a SQL.. the rest is easy..

anyway you're right.. syslogd is the ultimate answer, as you can't install software agents on ciscos or other equipment.. then some devices talk only SNMP and then there's that microsoft stuff, that has its own log system..

now if you're lazy you can buy the NFR secure logging facility and wait till they implement all the devices/software that you want or do it yourself. I chose the second way as I need some coding practice badly..

lubo

-----Original Message-----
From: Brian Anon [mailto:brian_anonat_private]
Sent: Thursday, 2 May 2002 22:40
To: loganalysisat_private
Subject: [logs] Centralizing Audit Logging and Reporting

I am in the process of creating a business case that may involve logging system and application events to a central audit log database. Once this is done, I expect to be able to query the database to generate reports. I expect the most standard approach would be to implement SYSLOGD that logs to a RDBMS (MS SQL or Oracle).

Some of the systems and applications I may like to do this with are:

Windows 2000 Servers
CheckPoint Firewall-1
IIS
RealSecure Sensors
McAfee NetShield
McAfee VirusShield
Microsoft IIS
Microsoft Exchange
Microsoft SQL
Oracle
Microsoft DNS
Citrix MetaFrame
Cisco PIX
Cisco Routers
Cisco Switches

I am prepared to create scripts/agents that can grab an application log and parse the information and input it into the database at scheduled intervals or on-demand.
I understand each application may require a different table structure.

Has anyone tried to accomplish this? Any suggestions or comments?

Regards,
Brian, CISSP

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 19:49:06 PDT
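The problem the thread keeps returning to is getting differently formatted device logs into one SQL schema and then running signature matching across all of them. The following Python example is added here for illustration and is not code from any of the posters; the log lines, regexes, table layout and signature names are constructed, and SQLite stands in for the Oracle/SQL Server backends discussed.

```python
import re
import sqlite3

# Constructed sample lines (not from the thread): a Cisco-style ACL syslog, an sshd syslog, and a firewall line in an invented "fw1" layout.
SAMPLES = [
    ("syslog", "<189>May  2 22:40:01 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3342) -> 10.2.2.9(23), 1 packet"),
    ("syslog", "<38>May  2 22:40:07 host1 sshd[2112]: Failed password for root from 10.1.1.5 port 4022 ssh2"),
    ("fw1", "2May2002 22:40:09 drop fw1 >eth0 src=10.1.1.5 dst=10.2.2.9 service=23 proto=tcp"),
]
# One parser per source format; each one maps to the same column set.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FW1_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d:\d\d) (?P<action>\w+) (?P<host>\S+) (?P<msg>.*)$")
# Hypothetical signatures; group 1 is always the offending source address.
SIGNATURES = [
    ("ssh-auth-failure", re.compile(r"Failed password for \S+ from (\S+)")),
    ("acl-deny", re.compile(r"denied \w+ (\S+)\(\d+\) -> \S+")),
    ("fw-drop", re.compile(r"^drop .*src=(\S+) dst=\S+")),
]

def normalize(source, line):
    """Map one raw line to the common schema (source, host, severity, ts, msg)."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        severity = int(m.group("pri")) & 7  # PRI = facility * 8 + severity
        return (source, m.group("host"), severity, m.group("ts"), m.group("msg"))
    if source == "fw1":
        m = FW1_RE.match(line)
        severity = 4 if m.group("action") == "drop" else 6  # warning vs. informational
        return (source, m.group("host"), severity, m.group("ts"), m.group("action") + " " + m.group("msg"))
    raise ValueError("unknown source format: %s" % source)

def load(conn, records):
    """Insert normalized events and record every signature hit against them."""
    conn.execute("CREATE TABLE IF NOT EXISTS events(id INTEGER PRIMARY KEY, source TEXT, host TEXT, severity INTEGER, ts TEXT, msg TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS alerts(event_id INTEGER, signature TEXT, src TEXT)")
    for source, line in records:
        row = normalize(source, line)
        cur = conn.execute("INSERT INTO events(source, host, severity, ts, msg) VALUES (?, ?, ?, ?, ?)", row)
        for name, rx in SIGNATURES:
            hit = rx.search(row[4])
            if hit:
                conn.execute("INSERT INTO alerts VALUES (?, ?, ?)", (cur.lastrowid, name, hit.group(1)))
    conn.commit()

def alerts_by_source(conn):
    # Cross-device report: which source address triggered which signatures, regardless of the device that logged it.
    return conn.execute("SELECT src, COUNT(*), GROUP_CONCAT(DISTINCT signature) FROM alerts GROUP BY src ORDER BY src").fetchall()

def build_demo():
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLES)
    return conn
```

Once every source lands in the same events table, one query correlates the router deny, the sshd failure and the firewall drop to the same address, which no single device's log could show.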