IntelliTactics released a good front and syslog correlation engine a while back. The new release should cover some of the concerns you mentioned in your email.

/mark

At 06:50 AM 9/25/2003, Safier, Adam * wrote:
>I'm a newbie to logging, expecting to get into a centralization project in
>the future. We want to capture UNIX, Windows 2000, Windows NT and _Oracle_
>logs. I'm not looking from a developer viewpoint but a system integrator /
>customer needs list.
>
>One reason to centralize logging is to reduce the ability of local sysadmins
>being able to modify the log and cover tracks. That is also why I would
>want to make remote logging as real time as reasonable. Lost log records are
>naturally a big concern, so I want to ask the following questions.
>
>- Can't Windows and UNIX logging be done over TCP? (The recent High Network
>Load discussion mentioned it once but focuses on UDP. Why in the world
>would you use UDP for critical data?)
>
>- If not, can't the logs be redirected to an agent process that transfers
>each new record ASAP to a central server via TCP/IP (and leaves a startup
>and shutdown record)?
>
>- I'm under the impression that programs like NetIQ use an agent, nu?
>
>- I expect to be looking for a log analysis program that has the ability to
>do some intelligent digestion and issue security alerts (statistics would be
>nice but not the prime focus). The products on the Logging web site seem to
>have limited security analysis features, at least from what I gather from
>the on-line glossies. What products would you recommend for evaluation for
>an Intelligent Log _Security_ Analyzer? (I have on my list to look at the
>NFR logging program but will not start for a while yet. Any others?)
>
>BTW, the organization already bought NetIQ. I'm considering the specter of
>having to develop our own scripts in the NetIQ programming language.
>
>Marcus and Tina - A canned Intelligent Log _Security_ Analyzer (ILSA?)
>service with regular script updates would be a nice option. Seems IDS is
>headed in that direction to some degree. Maybe you can start another
>company....
>
>Adam

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Sep 29 2003 - 12:54:59 PDT
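Editor's added example, not part of the thread above and not code from NetIQ, IntelliTactics or NFR: a minimal version of the agent design Adam asks about (forward each record as soon as it appears, over TCP, with explicit STARTUP and SHUTDOWN records), paired with a collector that checks a sequence number on every record so that a lost record is detected rather than silently absent. The log lines, host name, JSON-per-line framing and sequence counter are all this example's own constructions and assumptions; they are not anything syslog, Windows event logging or the products in the thread define. The small `alert_on_tampering` check at the end stands in for the "intelligent security analysis" step the email wants: it runs over the collected records rather than over the raw file on the monitored host, which is the whole point of centralizing.

```python
"""Forwarding agent and collector over loopback TCP, with end-to-end sequence
numbers so the collector can tell whether any record went missing in transit.
Added example; the sample log lines below are constructed, not real data."""
import json
import socket
import threading

# Constructed stand-in for a tail of a UNIX auth log on a monitored host.
SAMPLE_LOG = [
    "Sep 25 06:50:01 host1 sshd[1234]: Accepted password for adam from 10.0.0.5 port 51022 ssh2",
    "Sep 25 06:50:07 host1 sudo: adam : TTY=pts/0 ; PWD=/home/adam ; COMMAND=/bin/rm /var/log/auth.log",
    "Sep 25 06:50:09 host1 sshd[1234]: pam_unix(sshd:session): session closed for user adam",
]


def frame(seq, kind, host, text):
    # One JSON object per line; the newline is the record delimiter on the stream.
    # Framing is this example's choice, not a wire format any product here uses.
    return (json.dumps({"seq": seq, "kind": kind, "host": host, "msg": text}) + "\n").encode()


def agent_send(sock, host, lines, drop_seq=None):
    """Forward records ASAP, bracketed by STARTUP/SHUTDOWN markers.
    drop_seq (hypothetical knob) simulates a record lost before it reached the wire,
    e.g. the agent crashing between reading the line and sending it."""
    seq = 0

    def emit(kind, text):
        nonlocal seq
        seq += 1
        if seq == drop_seq:
            return  # simulated loss: the counter advances but nothing is sent
        sock.sendall(frame(seq, kind, host, text))

    emit("STARTUP", "agent started")
    for line in lines:
        emit("LOG", line)
    emit("SHUTDOWN", "agent stopping")
    sock.shutdown(socket.SHUT_WR)  # signal end of stream to the collector


def collector_receive(conn):
    """Read newline-delimited records until EOF, verify sequence continuity,
    and return (records, gaps) where gaps is a list of (first_missing, last_missing)."""
    buf = b""
    records, gaps = [], []
    expected = 1
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
        while b"\n" in buf:
            raw, buf = buf.split(b"\n", 1)
            rec = json.loads(raw)
            if rec["seq"] != expected:
                gaps.append((expected, rec["seq"] - 1))
            expected = rec["seq"] + 1
            records.append(rec)
    return records, gaps


def alert_on_tampering(records):
    """Toy analysis step: flag privileged commands aimed at the log directory.
    Pattern is illustrative only; a real analyzer needs far more than one rule."""
    return [r for r in records
            if r["kind"] == "LOG" and "COMMAND=" in r["msg"] and "/var/log" in r["msg"]]


def run_demo(drop_seq=None):
    """Run agent and collector over 127.0.0.1 and report completeness."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def collector():
        conn, _ = srv.accept()
        with conn:
            result["records"], result["gaps"] = collector_receive(conn)

    t = threading.Thread(target=collector)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        agent_send(cli, "host1", SAMPLE_LOG, drop_seq)
    t.join()
    srv.close()
    kinds = [r["kind"] for r in result["records"]]
    # A session is complete only if both markers arrived and no sequence gap was seen.
    complete = bool(kinds) and kinds[0] == "STARTUP" and kinds[-1] == "SHUTDOWN" and not result["gaps"]
    return {"records": result["records"], "gaps": result["gaps"],
            "complete": complete, "alerts": alert_on_tampering(result["records"])}


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(drop_seq=3))
```

Two points the code makes that the question alone does not: TCP gives in-order, retransmitted delivery between the two sockets, but it says nothing about a record that never reached the socket, so the agent carries its own counter end to end and the collector, not the monitored host, decides whether the stream is intact; and the STARTUP/SHUTDOWN markers matter because an agent running on a box the local admin controls can simply be stopped, and a SHUTDOWN with no matching STARTUP, or a STARTUP with no SHUTDOWN before the next one, is the visible trace of that.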