Re: [logs] Newbie questions - remote logging integration

From: Mark Teicher (mht3@private)
Date: Mon Sep 29 2003 - 00:18:52 PDT

  • Next message: Tina Bird: "[logs] tbird Teaching in the UK"

    IntelliTactics released a good front end and syslog correlation engine a while 
    back.  The new release should cover some of the concerns you mentioned in 
    your email.
    
    /mark
    
    At 06:50 AM 9/25/2003, Safier, Adam * wrote:
    
    >I'm a Newbie to logging, expecting to get into a centralization project in
    >the future. We want to capture UNIX, Windows 2000, Windows NT and _Oracle_
    >logs. I'm not looking from a developer view point but a system integrator /
    >customer needs list.
    >
    >One reason to centralize logging is to reduce the ability of local sysadmins
    >to modify the log and cover tracks. That is also why I would
    >want to make remote logging as real time as reasonable. Lost log records are
    >naturally a big concern so I want to ask the following questions.
    >
    >- Can't Windows and UNIX logging be done over TCP? (The recent High Network
    >Load discussion mentioned it once but focuses on UDP. Why in the world
    >would you use UDP for critical data?)
    >
    >- If not, can't the logs be redirected to an agent process that transfers
    >each new record ASAP to a central server via TCP/IP (and leaves a startup
    >and shutdown record)?
    >
    >- I'm under the impression that programs like NetIQ use an agent, nu?
    >
    >- I expect to be looking for a log analysis program that has the ability to
    >do some intelligent digestion and issue security alerts (statistics would be
    >nice but not the prime focus). The products on the Logging web site seem to
    >have limited security analysis features, at least from what I gather from
    >the on-line glossies. What products would you recommend for evaluation for
    >an Intelligent Log _Security_ Analyzer?  (I have on my list to look at the
    >NFR logging program but will not start for a while yet. Any others?)
    >
    >BTW, the organization already bought NetIQ. I'm considering the specter of
    >having to develop our own scripts in NetIQ programming language.
    >
    >Marcus and Tina - A canned Intelligent Log _Security_ Analyzer (ILSA ?)
    >service with regular script updates would be a nice option. Seems IDS is
    >headed in that direction to some degree. Maybe you can start another
    >company....
    >
    >Adam
    >_______________________________________________
    >LogAnalysis mailing list
    >LogAnalysis@private
    >http://lists.shmoo.com/mailman/listinfo/loganalysis
    

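    Added example (not code from either message in this thread): the agent-style
    forwarding Adam asks about, done with plain Python sockets so both sides can
    be seen together. The agent opens one TCP connection to the collector, sends
    a START record, one record per new log line, and a STOP record, numbering
    every record so the collector can tell whether anything went missing; the
    collector reassembles the stream and records any gap in the sequence. The
    framing is the octet-counting form later standardized for syslog over TCP in
    RFC 6587. The log lines are constructed samples, and the hostname, the <13>
    priority and the "logfwd" tag are assumptions, not anything from the thread.

```python
"""Agent -> collector log forwarding over TCP with octet-counted frames and
per-agent sequence numbers. Added example; the sample records are constructed."""
import socket
import threading

# Constructed sample lines standing in for new records appended to a local log.
SAMPLE_RECORDS = [
    "sshd[1234]: Accepted password for root from 10.0.0.5 port 52211 ssh2",
    "sudo: alice : TTY=pts/0 ; COMMAND=/bin/rm -f /var/log/auth.log",
    "sshd[1301]: Failed password for invalid user admin from 10.0.0.9 port 40022 ssh2",
]


def frame(msg: str) -> bytes:
    """RFC 6587 octet counting: '<length> <message>' makes record boundaries
    unambiguous on a TCP byte stream, even when messages contain newlines."""
    payload = msg.encode("utf-8")
    return str(len(payload)).encode("ascii") + b" " + payload


def format_record(seq: int, host: str, text: str) -> str:
    """Syslog-style line carrying a sequence number so loss is detectable.
    <13> = facility user(1)*8 + severity notice(5); 'logfwd' is an assumed tag."""
    return f"<13>{host} logfwd seq={seq} {text}"


class Collector:
    """Reassembles frames from arbitrary TCP chunks and tracks sequence gaps."""

    def __init__(self):
        self.buf = b""
        self.records = []   # (seq, message) in arrival order
        self.gaps = []      # (expected_seq, received_seq)
        self._expected = 0

    def feed(self, data: bytes) -> None:
        self.buf += data
        while True:
            space = self.buf.find(b" ")
            if space < 0:
                return                      # length prefix not complete yet
            end = space + 1 + int(self.buf[:space])
            if len(self.buf) < end:
                return                      # partial frame, wait for more bytes
            msg = self.buf[space + 1:end].decode("utf-8")
            self.buf = self.buf[end:]
            self._handle(msg)

    def _handle(self, msg: str) -> None:
        seq = int(msg.split(" seq=", 1)[1].split(" ", 1)[0])
        if seq != self._expected:           # something was dropped or replayed
            self.gaps.append((self._expected, seq))
        self._expected = seq + 1
        self.records.append((seq, msg))


def serve_one(listener: socket.socket, collector: Collector) -> None:
    """Accept a single agent connection and feed everything it sends."""
    conn, _ = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            collector.feed(chunk)


def run_agent(collector_addr, hostname: str, records) -> int:
    """Ship START, each record, then STOP over one TCP session; return frames sent."""
    seq = 0
    with socket.create_connection(collector_addr) as s:
        s.sendall(frame(format_record(seq, hostname, "agent START")))
        for text in records:
            seq += 1
            s.sendall(frame(format_record(seq, hostname, text)))
        seq += 1
        s.sendall(frame(format_record(seq, hostname, "agent STOP")))
    return seq + 1


def run_demo():
    """Run collector and agent on loopback; return (collector, frames_sent)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))         # ephemeral port, offline demo
    listener.listen(1)
    collector = Collector()
    t = threading.Thread(target=serve_one, args=(listener, collector))
    t.start()
    sent = run_agent(listener.getsockname(), "web01", SAMPLE_RECORDS)
    t.join()
    listener.close()
    return collector, sent


if __name__ == "__main__":
    c, n = run_demo()
    print(f"sent {n} frames, received {len(c.records)}, gaps: {c.gaps}")
```

    Two caveats a practitioner would want with this. TCP only guarantees that
    what the agent managed to send arrives in order; if the collector is down,
    the agent still has to spool records locally and resend, and a missing STOP
    record or a hole in the sequence numbers is the collector's only evidence
    that an agent was stopped or starved. Neither TCP nor the sequence numbers
    authenticate the agent or protect the records in transit; that is what a
    mutually authenticated TLS session between agent and collector adds.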
    This archive was generated by hypermail 2b30 : Mon Sep 29 2003 - 12:54:59 PDT