Re: [logs] a small reminder

From: Darren Reed (avalonat_private)
Date: Thu Aug 29 2002 - 05:42:46 PDT

    In some mail from Tom Perrine, sie said:
    [...]
    > OK, so we break it down into:
    > 
    > * events to be logged (what is currently logged?  What are we
    >   missing?)
    [...]
    
    I think that's jumping the gun, unless the question of what do you
    want to do with log information has already been answered.
    
    What do we need log information for?
    
    - detect hack attempts ?
    - detect hardware failures  (maybe pre-empt hardware failure) ?
    - capacity planning ?
    - ...
    
    and so on.  If that list is already drawn up, sorry for this email
    but I think having a list like that lets us get a better list of
    what we want to see logged. e.g. to list the log information for
    "detect hack attempts", we need to enumerate what might be an
    indication of a hack attempt.  e.g.
    
    - detect hack attempts
       - record all authentication failures
       - record all inbound connections
       - record all successful logins
       - record all core dumps
       - ...
    
    This might even be a good way to classify messages?
    
    Darren
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
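Darren's closing thought, that the purpose list can double as a classification scheme for messages, is easy to try out. The following is an added example, not code from the post or from the LogAnalysis list: it encodes the "detect hack attempts" branch of his list as a small taxonomy (purpose -> event kind -> matching patterns) and runs it over a handful of constructed syslog-style lines. The regexes, the sample lines and the hostnames/addresses are all assumptions made for the example; the message formats only resemble OpenSSH, inetd and kernel output and are not taken from any real system.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Taxonomy in the shape the post proposes: a purpose ("why do we log?")
# maps to the event kinds that indicate it, and each event kind carries
# the patterns that recognise it in a raw message.  Only the first
# purpose is filled in, mirroring the post's example list; the other
# branches are left empty on purpose so they can be grown the same way.
# All patterns are assumptions written for this example.
TAXONOMY = {
    "detect hack attempts": {
        "authentication failure": [
            re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
            re.compile(r"authentication failure;.*user=(?P<user>\S*)"),
        ],
        "inbound connection": [
            re.compile(r"connect from (?P<src>\S+)"),
            re.compile(r"Connection from (?P<src>\S+) port \d+"),
        ],
        "successful login": [
            re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"),
        ],
        "core dump": [
            re.compile(r"(?P<proc>\S+)\[\d+\]: segfault"),
            re.compile(r"core dumped"),
        ],
    },
    "detect hardware failures": {},
    "capacity planning": {},
}


@dataclass
class Classified:
    purpose: str          # which question the message helps answer
    event: str            # which indicator within that purpose it is
    fields: dict = field(default_factory=dict)  # named captures (user, src, ...)
    line: str = ""


def classify(line: str) -> Optional[Classified]:
    """Return the first (purpose, event) whose pattern matches, or None."""
    for purpose, events in TAXONOMY.items():
        for event, patterns in events.items():
            for pat in patterns:
                m = pat.search(line)
                if m:
                    return Classified(purpose, event, m.groupdict(), line)
    return None


# Constructed sample lines; the host names and addresses are made up
# (RFC 5737 documentation ranges) and do not come from any real log.
SAMPLE_LOG = """\
Aug 29 05:42:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 41234 ssh2
Aug 29 05:42:03 host sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 52000 ssh2
Aug 29 05:42:05 host sshd[1236]: Connection from 192.0.2.10 port 41235
Aug 29 05:42:07 host kernel: httpd[2001]: segfault at 0 ip 00000000 sp 00000000 error 4
Aug 29 05:42:09 host cron[300]: (root) CMD (run-parts /etc/cron.hourly)
Aug 29 05:42:11 host inetd[44]: connect from 203.0.113.5""".splitlines()


def summarize(lines):
    """Count messages per event kind and collect the ones nothing claimed.

    The unclassified list is the useful output for the exercise in the
    post: each line in it is either noise or an indicator the taxonomy
    is still missing.
    """
    counts = {}
    unclassified = []
    for line in lines:
        c = classify(line)
        if c is None:
            unclassified.append(line)
            continue
        counts[c.event] = counts.get(c.event, 0) + 1
    return counts, unclassified


if __name__ == "__main__":
    counts, rest = summarize(SAMPLE_LOG)
    for event, n in sorted(counts.items()):
        print(f"{n:3d}  {event}")
    print(f"{len(rest):3d}  unclassified")
    for line in rest:
        print("     ", line)
```

Run as is, the script tags five of the six constructed lines and leaves the cron entry unclassified. That leftover list is the point: reviewing what falls through tells you whether the purpose list is complete, which is the ordering Darren argues for (decide the purpose first, then derive what to record).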
    



    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 09:13:39 PDT