AW: [logs] About log files forensics

From: Lubomir.Nistorat_private
Date: Mon Jul 08 2002 - 01:30:44 PDT


    Another of my ideas is to have a MySQL syslog and put the data into that.
    Of course, the account should be write-only (no delete, no read).
    
    I'm just working on a centralized log analysis system (with reporting and alerting capabilities).
    The automatic log analysis would be difficult (with SQL data), as with a large DB it'll get slower and slower (I already have several billions of entries).
    
    any ideas?
    
    lubo
    
    
    -----Original Message-----
    From: Allan Liska [mailto:allanat_private]
    Sent: Saturday, 6 July 2002 13:49
    To: loganalysisat_private
    Subject: Re: [logs] About log files forensics
    
    
    Hello Tony,
    
    Saturday, July 06, 2002, 2:44:29 AM, you wrote:
    
    > hi all,
    >      I have read the mailing list for a year. It is well-known that
    > log files are one of the important pieces of e-evidence in computer
    > forensics, but few people focus on them. Let us discuss how to
    > collect, protect and parse the log files in different systems,
    > including Windows, IDS, firewall, applications etc. I appreciate anyone who
    > can provide suggestions, ideas or papers.
    
    
    CERT has two really good papers on log file protection:
    
    http://www.cert.org/security-improvement/practices/p092.html
    http://www.cert.org/security-improvement/practices/p048.html
    
    Basically, what it boils down to is:
    
    1. Use syslog (there are syslog daemons available for Windows
    machines).
    2. Encrypt log functions.
    3. Make the syslog server difficult to access -- use a serial line if
    possible, otherwise run some sort of firewall system (like ipfilter)
    on the firewall to control access.
    4. Use a write once, read many (WORM) disk -- a CD-R or tape drive, or
    configure the logs so that they can be appended to, but not
    overwritten (only some OSes support this).
    
    I'm sure there are a lot of things I am missing, but it's a start :).
    
    
    allan
    -- 
    allan
    allanat_private
    http://www.allan.org
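
    The write-only database account Lubo proposes, together with Allan's point 4 (append but never overwrite), can be expressed as MySQL grants. This is an added example, not code from either poster; the database name `syslog`, the table `events`, the two account names, the `10.%` host pattern and the placeholder passwords are all assumptions.

```sql
-- Added example (not from the thread): a MySQL syslog store whose collector
-- account can only INSERT. Database/table/account/host names are assumed.

CREATE DATABASE IF NOT EXISTS syslog;
USE syslog;

CREATE TABLE events (
    id        BIGINT UNSIGNED  NOT NULL AUTO_INCREMENT PRIMARY KEY,
    received  DATETIME         NOT NULL,   -- time the collector stored the entry
    host      VARCHAR(255)     NOT NULL,   -- sending host as seen by the collector
    facility  TINYINT UNSIGNED NOT NULL,   -- syslog facility code
    severity  TINYINT UNSIGNED NOT NULL,   -- syslog severity code
    program   VARCHAR(64),
    message   TEXT             NOT NULL,
    -- Indexes on the columns reports filter by keep per-period and
    -- per-host queries usable as the table grows into the billions of rows.
    INDEX idx_received      (received),
    INDEX idx_host_received (host, received)
);

-- Weak: the collector can read, alter and delete history, so whoever
-- compromises a log source can also clean up after themselves.
-- GRANT ALL PRIVILEGES ON syslog.* TO 'collector'@'10.%';

-- Corrected: the collector may only add rows (no SELECT, UPDATE, DELETE, DROP).
CREATE USER 'collector'@'10.%' IDENTIFIED BY 'CHANGE-ME-collector';
GRANT INSERT ON syslog.events TO 'collector'@'10.%';

-- The reporting/alerting system gets a separate account that reads
-- but cannot change or remove anything.
CREATE USER 'analyst'@'localhost' IDENTIFIED BY 'CHANGE-ME-analyst';
GRANT SELECT ON syslog.events TO 'analyst'@'localhost';

FLUSH PRIVILEGES;

-- Verify the split: each account should list exactly one privilege.
SHOW GRANTS FOR 'collector'@'10.%';
SHOW GRANTS FOR 'analyst'@'localhost';
```

    The grants only constrain the accounts; an attacker with access to the database host itself is outside this control, which is what Allan's point 3 about isolating the log server addresses.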
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
    
    This archive was generated by hypermail 2b30 : Mon Jul 08 2002 - 05:31:38 PDT