OK, I just found Tina's resource list on http://www.counterpane.com/log-analysis.html#infrastructure. Should have read it all before posting the question below. For some reason I did not spot it during my search a few weeks ago (not enough sleep?)

Adam

-----Original Message-----
From: Safier, Adam *
Sent: Thursday, September 25, 2003 8:51 AM
To: loganalysis@private
Subject: Newbie questions - remote logging integration

I'm a newbie to logging, expecting to get into a centralization project in the future. We want to capture UNIX, Windows 2000, Windows NT and _Oracle_ logs. I'm not looking from a developer viewpoint but a system integrator / customer needs list.

One reason to centralize logging is to reduce the ability of local sysadmins to modify the log and cover tracks. That is also why I would want to make remote logging as real time as reasonable. Lost log records are naturally a big concern, so I want to ask the following questions.

- Can't Windows and UNIX logging be done over TCP? (The recent High Network Load discussion mentioned it once but focuses on UDP. Why in the world would you use UDP for critical data?)

- If not, can't the logs be redirected to an agent process that transfers each new record ASAP to a central server via TCP/IP (and leaves a startup and shutdown record)?

- I'm under the impression that programs like NetIQ use an agent, nu?

- I expect to be looking for a log analysis program that has the ability to do some intelligent digestion and issue security alerts (statistics would be nice but not the prime focus). The products on the Logging web site seem to have limited security analysis features, at least from what I gather from the on-line glossies. What products would you recommend for evaluation for an Intelligent Log _Security_ Analyzer? (I have on my list to look at the NFR logging program but will not start for a while yet. Any others?) BTW, the organization already bought NetIQ.
I'm considering the specter of having to develop our own scripts in the NetIQ programming language.

Marcus and Tina - A canned Intelligent Log _Security_ Analyzer (ILSA?) service with regular script updates would be a nice option. Seems IDS is headed in that direction to some degree. Maybe you can start another company....

Adam

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
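The agent design the message asks about (a local process that pushes each new record to a central collector over TCP as it appears, and writes an explicit startup and shutdown record) is sketched below as an added example; it is not code from the list, from NetIQ, or from any product named above. It assumes a newline-framed plain-TCP transport and a loopback collector so it runs offline; the hostnames, the `AGENT-START`/`AGENT-STOP` marker strings and the sample log lines are constructed. The point it demonstrates is the one behind the "why UDP?" question: with TCP the agent learns that delivery failed (connection refused, reset) and can hold the record locally until the collector is back, whereas a UDP datagram to a dead collector is simply gone.

```python
"""Minimal TCP log-forwarding agent plus a stand-in collector (added example).
Shows: persistent TCP session, newline framing, local queue while the
collector is unreachable, and explicit start/stop marker records."""
import socket
import threading
from collections import deque

AGENT_START = "AGENT-START"  # constructed marker text
AGENT_STOP = "AGENT-STOP"


def frame(record: str) -> bytes:
    """One record per line; embedded newlines are escaped so log content
    cannot split itself into extra records at the collector."""
    return (record.replace("\n", "\\n") + "\n").encode("utf-8")


class Collector:
    """Tiny line-oriented TCP listener standing in for the central log server."""

    def __init__(self, host="127.0.0.1", port=0):
        self.records = []
        self._cond = threading.Condition()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))  # port 0: let the OS pick a free port
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:  # agent closed the session
                        break
                    buf += chunk
                    *lines, buf = buf.split(b"\n")  # keep any partial line
                    with self._cond:
                        self.records.extend(l.decode("utf-8") for l in lines)
                        self._cond.notify_all()

    def wait_for(self, count, timeout=5.0):
        """Block until at least `count` records have arrived (True on success)."""
        with self._cond:
            return self._cond.wait_for(lambda: len(self.records) >= count, timeout)

    def close(self):
        self._srv.close()


class Forwarder:
    """Agent side: one TCP session to the collector; records that cannot be
    sent stay in `pending` instead of being dropped."""

    def __init__(self, host, port, hostname):
        self.addr = (host, port)
        self.hostname = hostname
        self.pending = deque()
        self._sock = None

    def _disconnect(self):
        if self._sock is not None:
            self._sock.close()
            self._sock = None

    def flush(self) -> int:
        """Deliver everything queued, oldest first; returns how many remain."""
        try:
            if self._sock is None:
                self._sock = socket.create_connection(self.addr, timeout=2)
            while self.pending:
                self._sock.sendall(frame(self.pending[0]))
                self.pending.popleft()  # drop only after sendall succeeded
        except OSError:
            self._disconnect()  # TCP reported failure; keep the queue intact
        return len(self.pending)

    def send(self, record: str) -> int:
        self.pending.append(f"{self.hostname} {record}")
        return self.flush()

    def start(self) -> int:
        return self.send(AGENT_START)

    def stop(self) -> int:
        remaining = self.send(AGENT_STOP)
        self._disconnect()
        return remaining


def demo_reliable_path():
    """Collector up the whole time: records arrive in order with both markers."""
    collector = Collector()
    fwd = Forwarder("127.0.0.1", collector.port, hostname="web01")
    fwd.start()
    fwd.send("sshd[4242]: Accepted publickey for alice from 10.0.0.5")  # constructed
    fwd.stop()
    collector.wait_for(3)
    collector.close()
    return collector.records


def demo_outage_then_recovery():
    """Collector down at first: records queue locally, then drain on recovery."""
    probe = socket.socket()  # reserve a port, then free it so nothing listens there
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    fwd = Forwarder("127.0.0.1", port, hostname="db01")
    fwd.start()
    queued = fwd.send("oracle: audit trail entry")  # constructed; stays queued
    collector = Collector(port=port)  # collector comes back on the same port
    remaining = fwd.stop()  # queue drains, then the stop marker goes out
    collector.wait_for(3)
    collector.close()
    return queued, remaining, collector.records


if __name__ == "__main__":
    print(demo_reliable_path())
    print(demo_outage_then_recovery())
```

A successful `sendall` only means the kernel accepted the bytes, not that the collector wrote them to disk; a production agent would add an application-level acknowledgement, TLS and mutual authentication on the session, and a persistent (on-disk) queue so a restart of the agent does not lose what was buffered.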
This archive was generated by hypermail 2b30 : Thu Sep 25 2003 - 18:58:34 PDT