RE: [logs] NetIQ Vigilant Log Analyzer?

From: Todd E. Tucker (Todd.Tuckerat_private)
Date: Tue Apr 01 2003 - 12:15:44 PST

  • Next message: Moyer, Shawn: "RE: [logs] NetIQ Vigilant Log Analyzer?"

    Paul:
    
    I certainly agree with your comments. However, I can also say that from many
    conversations I've had with customers and prospects, the perception is that
    syslog isn't good enough (for the many reasons noted). But they're not just
    coming from a trial standpoint, they're also being driven by regulations and
    standards as well as business drivers. More than just a collection
    mechanism, a solution must provide the capability to analyze the immense
    amount of data that's collected. That's always been the biggest challenge
    for us.
    
    I'd love to hear what you and the rest of the forum think about these other
    drivers. I think there's still a lot of fud on those as well, and some
    reality, too, and I'd like to understand these better to develop a better
    product.
    
    Todd x85260
    
    
    -----Original Message-----
    From: Paul Robertson [mailto:probertsat_private] 
    Sent: Tuesday, April 01, 2003 11:12 AM
    To: Todd E. Tucker
    Cc: loganalysisat_private
    Subject: RE: [logs] NetIQ Vigilant Log Analyzer?
    
    
    On Tue, 1 Apr 2003, Todd E. Tucker wrote:
    
    > What I am saying is that the syslog data would be easy to attack by 
    > the defense.
    
    What Im saying is that it's about as attackable as any other evidence, and 
    the non-repudiation and reliability issues really don't impact that very 
    much at all.  Admissibility is the *primary* "attackability" vector in 
    this instance, since once admitted as a machine record, the defense is in 
    an uphill battle to argue that while it's admissable, it's flawed- and 
    they'd pretty much need supporting evidence of the flaw or a mistake in 
    the investigation to make any serious headway.  
    
    If you ever have a lawyer who doesn't challenge admissibility, but then 
    tries to challenge veracity, I'd say it's time to switch lawyers.
    
    Think of it in terms of footprints on the scene, because that's about the 
    same standard- a defense lawyer can *try* to argue that the prints which 
    happen to match his client's shoe size were placed there by some third 
    party, just as you could try to argue that the log entries were- that 
    doesn't mean they're not submitted, and it doesn't mean that the client is 
    going to get off because "anyone could have left size 12 Athena prints 
    there."  You'd not rely on footprints as primary evidence either, but if 
    they stand up enough to get the warrant -and trust me, that's the goal 
    with logs, getting the warrant(s) or subpoena(s)- then they "stand up in 
    court."  If it "wouldn't stand up in court," we'd see successful 
    challenges of warrants and subpoenas under the 4th wouldn't we?
    
    There's all too much fear-mongering about admissibility and defense 
    tactics going on in this arena.  I've yet to have a judge turn down 
    producing an order based on syslog-based logs- civil or criminal suits.    
    
    Even in criminal cases, the prosecution has to draw the picture, and when 
    you take things like logs, disk images, network access, and mix it all 
    together, "the logs *can* be forged, so they *must be*" isn't as effective 
    as "My PC was trojaned!," which is generally what last-ditch defense 
    arguments have tried more of lately (right before their clients go to meet 
    their new husbands.)
    
    > What my investigation and legal sources tell me is that they would 
    > rarely use log data as the primary evidence, only as supporting. It's 
    > too easy to
    
    (I'm my investigation source) That's my point- you wouldn't use a log 
    as primary evidence *even if it had none of syslog's downsides*.  So to 
    suggest that replacing syslog is prosecutorially necessary isn't true 
    under current caselaw.  While it certainly doesn't hurt to do it, it's not 
    a necessity for admission or to stand up against a defense challenge.
    
    
    Paul
    ----------------------------------------------------------------------------
    -
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 18:45:19 PST