I don't mean to belabor the point, but my experience with the new NFR
product shows that:
1) It does handle firewall logs, as well as routers and switches, NT Event
logs, AIX, HP-UX, and Solaris logs, in anything you can point at it.
2) It does a fine job of alerting via a variety of means
3) It indeed does signature analysis
4) I can easily write my own signatures, as well as custom audit, collection
and detection criteria
5) It works with Oracle or SQL Server
6) It can export in nearly any form you like, including HTML, XML, RTF,
Word, Excel etc.
7) Is very flexible and open and can be customized to a fare-thee-well.
8) The folks at NFR were excellent helping me implement my Pilot in my Test
Lab.
Until you've had a look at it, don't assume you know it's limitations. (It's
not the product on the website...)
FYI
"Accurate measurement is the beginning of all wisdom."
- Imhotep 2650 B.C
Bill Hill with disclaimer
Hawaii Medical Service Association
Tel: (808) 948-6356, Fax: (808) 948-6799
email = bill_hillat_private
This electronic message is intended only for the individual or entity to
which it is addressed and may contain information that is confidential
and protected by law. If you are not the intended recipient of this
e-mail, you are cautioned that use of its contents in any way is
prohibited and may be unlawful. If you have received this communication
in error, please notify the sender immediately by e-mail or telephone
and return the original message by e-mail to the sender or to
postmasterat_private We will reimburse you for any cost you incur in
notifying us of the errant e-mail. Thank you.
-----Original Message-----
From: Lubomir.Nistor@star-21.de [mailto:Lubomir.Nistor@star-21.de]
Sent: Thursday, May 02, 2002 10:49 PM
To: brian_anonat_private; loganalysisat_private
Subject: RE: [logs] Centralizing Audit Logging and Reporting
well I just do my own design as NFR and LMS are commercial products and
can't be so flexible as I need..
and they don't do any signature identification or automatic alerting upon
them..
I handle many many more devices out there and I put all in a big SQL
database.
one thing is syslog messages the other is firewall alerts and there are also
eventlog possibilities.
but unfortunatelly it takes a loooong time to code and implement all the
logs and devices.
but at the end I have a system on my own and I'm able to do signature
identification and alerting as I wish to.
The hardest thing is to get the logs in the same format into a SQL.. the
rest is easy..
anyway you're right.. syslogd is the ultimate answer, as you can't install
software agents on ciscos or other equipment..
then some devices talk only SNMP and then there's that microsoft stuff, that
has its own log system..
now if you're lazy you can buy the NFR secure loging facility and wait till
they implement all the devices/software that you want or doit yourself.
I chose the second way as I need some coding practice badly..
lubo
-----Original Message-----
From: Brian Anon [mailto:brian_anonat_private]
Sent: Donnerstag, 2. Mai 2002 22:40
To: loganalysisat_private
Subject: [logs] Centralizing Audit Logging and Reporting
I am in the process of creating a business case that may involve logging
system and application events to a central audit log database. Once this is
done, I expect to be able to query the database to generate reports.
I expect the most standard approach would be to implement SYSLOGD that logs
to a RDBMS (MS SQL or Oracle).
Some of the systems and applications I may like to do this with are:
Windows 2000 Servers
CheckPoint Firewall-1
IIS RealSecure Sensors
McAfee NetShield
McAfee VirusShield
Microsoft IIS
Microsoft Exchange
Microsoft SQL
Oracle
Microsoft DNS
Citrix MetaFrame
Cisco PIX
Cisco Routers
Cisco Switches
I am prepared ro create scripts/agents that can grab an application log and
parse the information and input it into the database at scheduled intervals
or on-demand. I understand each application may require a different table
structure.
Has anyone tried to accomplish this? Any suggestions or comments?
Regards,
Brian, CISSP
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 19:49:06 PDT