RE: [logs] Centralizing Audit Logging and Reporting

From: Bill Hill (Bill_Hillat_private)
Date: Fri May 03 2002 - 13:48:41 PDT

  • Next message: Steve Wray: "RE: [logs] Windows logrotation tool?"

    I don't mean to belabor the point, but my experience with the new NFR
    product shows that:
    
    1) It does handle firewall logs, as well as routers and switches, NT Event
    logs, AIX, HP-UX, and Solaris logs, in  anything you can point at it.
    2) It does a fine job of alerting via a variety of means
    3) It indeed does signature analysis
    4) I can easily write my own signatures, as well as custom audit, collection
    and detection criteria
    5) It works with Oracle or SQL Server
    6) It can export in nearly any form you like, including HTML, XML, RTF,
    Word, Excel etc.
    7) Is very flexible and open and can be customized to a fare-thee-well.
    8) The folks at NFR were excellent helping me implement my Pilot in my Test
    Lab.
    
    Until you've had a look at it, don't assume you know it's limitations. (It's
    not the product on the website...)
    
    FYI
    
    "Accurate measurement is the beginning of all wisdom."
                           - Imhotep 2650 B.C
    
    Bill Hill with disclaimer
    Hawaii Medical Service Association
    Tel:  (808) 948-6356, Fax: (808) 948-6799
    email = bill_hillat_private
    
    This electronic message is intended only for the individual or entity to
    which it is addressed and may contain information that is confidential
    and protected by law.  If you are not the intended recipient of this
    e-mail, you are cautioned that use of its contents in any way is
    prohibited and may be unlawful.  If you have received this communication
    in error, please notify the sender immediately by e-mail or telephone
    and return the original message by e-mail to the sender or to
    postmasterat_private  We will reimburse you for any cost you incur in
    notifying us of the errant e-mail.  Thank you.
    
    
    
    
    
    -----Original Message-----
    From: Lubomir.Nistor@star-21.de [mailto:Lubomir.Nistor@star-21.de]
    Sent: Thursday, May 02, 2002 10:49 PM
    To: brian_anonat_private; loganalysisat_private
    Subject: RE: [logs] Centralizing Audit Logging and Reporting
    
    
    well I just do my own design as NFR and LMS are commercial products and
    can't be so flexible as I need..
    and they don't do any signature identification or automatic alerting upon
    them..
    
    I handle many many more devices out there and I put all in a big SQL
    database.
    one thing is syslog messages the other is firewall alerts and there are also
    eventlog possibilities.
    but unfortunatelly it takes a loooong time to code and implement all the
    logs and devices.
    but at the end I have a system on my own and I'm able to do signature
    identification and alerting as I wish to.
    
    The hardest thing is to get the logs in the same format into a SQL.. the
    rest is easy..
    
    
    anyway you're right.. syslogd is the ultimate answer, as you can't install
    software agents on ciscos or other equipment..
    then some devices talk only SNMP and then there's that microsoft stuff, that
    has its own log system..
    
    now if you're lazy you can buy the NFR secure loging facility and wait till
    they implement all the devices/software that you want or doit yourself.
    
    I chose the second way as I need some coding practice badly..
    
    
    lubo
    
    
    -----Original Message-----
    From: Brian Anon [mailto:brian_anonat_private]
    Sent: Donnerstag, 2. Mai 2002 22:40
    To: loganalysisat_private
    Subject: [logs] Centralizing Audit Logging and Reporting
    
    
    I am in the process of creating a business case that may involve logging 
    system and application events to a central audit log database.  Once this is
    
    done, I expect to be able to query the database to generate reports.
    
    I expect the most standard approach would be to implement SYSLOGD that logs 
    to a RDBMS (MS SQL or Oracle).
    
    Some of the systems and applications I may like to do this with are:
    Windows 2000 Servers
    CheckPoint Firewall-1
    IIS RealSecure Sensors
    McAfee NetShield
    McAfee VirusShield
    Microsoft IIS
    Microsoft Exchange
    Microsoft SQL
    Oracle
    Microsoft DNS
    Citrix MetaFrame
    Cisco PIX
    Cisco Routers
    Cisco Switches
    
    I am prepared ro create scripts/agents that can grab an application log and 
    parse the information and input it into the database at scheduled intervals 
    or on-demand.  I understand each application may require a different table 
    structure.
    
    Has anyone tried to accomplish this?  Any suggestions or comments?
    
    Regards,
    Brian, CISSP
    
    _________________________________________________________________
    Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    



    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 19:49:06 PDT