[logs] Newbie Query

From: Vandana Chopra (vandylog@private)
Date: Wed Feb 04 2004 - 11:10:03 PST

  • Next message: Tina Bird: "[logs] New Apache module improves logging!"

    Hi,
    I am trying to do system log analysis.
     
    Please let me explain what I did. I have these logs which are collected in a central database from Unix machines, Windows machines (including all Windows workstations and Windows servers) and logs from a CISCO firewall. 
     
    Every log message has a LogSeqNo, Machine-Name, Date, Time, Facility, Priority and the Message Text, which looks something like this:
     
     570770:Tue Dec 30 10:27:53 2003: LSV/F-Secure Anti-Virus (103) - "2123 2003-12-30 10:27:53-04:00 lsv SYSTEM F-Secure Anti-Virus Malicious code found in file
     C:\LISTSERV\TMP\DO-NOT-RUN-ME-1484.EXE.
     Infection: I-Worm.Mimail.txt Action: The file was deleted. "
     
     
    Right now I am only trying to deal with messages which have a higher priority, like CRITICAL, ALERT, EMERGENCY, etc. I have not considered Warnings, although I should.
     
     
    There are hundreds of messages per minute from these machines which are stored in this database. 
     
    For the CISCO firewall I tried to identify critical and alert messages by using the site below and creating a flat-file database from it.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a00801582af.html#1009233
     
    For Unix machines, I picked a couple of keywords which are present in the message when the machine is attacked. 
     
    I don't know how I should collect the messages which are critical for Windows machines.
     
    I also don't understand how to tackle so many different messages which are critical but not included in my flat-file database. Should I write something which will interactively allow the System Administrator to identify the critical messages and put them in the database? But again, there are so many that it is practically impossible for anybody to sit and put them all in the database. 
     
    I wrote a Perl script which matches this initial database of mine against the messages coming in. But again I am stuck on how to proceed. Can you please guide me?
     
    Thanks,
    Vandana Chopra
    
    
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
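The following is an added example, not code from the original post or from the poster's Perl script. It shows one way to structure the matching step the post describes: parse each record into the fields the post lists, keep anything at or above a priority threshold, apply a flat-file-style rule list on top of that so a keyword hit is kept even when the priority column alone would drop it (the F-Secure detection and a failed-login line below are caught only by rules), and reduce everything unmatched to a message template so an administrator reviews each distinct kind of message once rather than every instance. The exact record layout, the priority column being supplied beside the raw line, the rule list, and all sample lines are constructed assumptions modelled on the single sample quoted in the post.

```python
import re
from collections import Counter

# Syslog severity keywords; a lower number is more severe.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Assumed record layout, modelled on the sample quoted in the post:
#   <LogSeqNo>:<Date Time>: <Machine-Name>/<Facility> (<pid>) - "<Message Text>"
# The Priority column is assumed to be delivered by the collector next to the
# raw line, so each record below is a (priority, line) pair.
RECORD_RE = re.compile(
    r'^(?P<seq>\d+):(?P<stamp>[^:]+:[^:]+:[^:]+): '
    r'(?P<host>[^/]+)/(?P<facility>[^(]+?) \((?P<pid>\d+)\) - "(?P<msg>.*)"\s*$'
)

# Constructed stand-in for the poster's flat-file pattern database:
# (source, regex, label). A hit is flagged whatever the priority column says.
RULES = [
    ("antivirus", re.compile(r"Malicious code found|Infection:", re.I), "av-detection"),
    ("unix", re.compile(r"Failed password|authentication failure", re.I), "auth-failure"),
    # PIX syslog IDs carry their severity as the middle digit (1 alert, 2 critical, 3 error).
    ("cisco", re.compile(r"%PIX-[123]-\d+"), "pix-severity-1-3"),
]


def template(msg):
    """Collapse the variable parts of a message so identical kinds of message group together."""
    msg = re.sub(r'[A-Za-z]:\\[^\s"]+', "<path>", msg)          # Windows paths
    msg = re.sub(r"(?<!\S)/[\w./-]+", "<path>", msg)              # Unix paths
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)     # IPv4 addresses
    msg = re.sub(r"\b0x[0-9a-fA-F]+\b", "<hex>", msg)             # hex values
    msg = re.sub(r"\b\d+\b", "<n>", msg)                          # remaining standalone numbers
    return msg


def triage(records, threshold="crit"):
    """records: iterable of (priority keyword, raw line).

    Returns (flagged, unknown): flagged is a list of (LogSeqNo, host, reasons)
    for records that pass the priority threshold or hit a rule; unknown is a
    Counter of message templates for everything else, so an administrator
    reviews each distinct kind of message once instead of every instance.
    """
    flagged, unknown = [], Counter()
    for prio, line in records:
        m = RECORD_RE.match(line)
        if m is None:
            unknown["<unparsed> " + line[:60]] += 1
            continue
        rec = m.groupdict()
        reasons = []
        if SEVERITY.get(prio.lower(), 99) <= SEVERITY[threshold]:
            reasons.append("priority:" + prio.lower())
        for source, rx, label in RULES:
            if rx.search(rec["msg"]):
                reasons.append(f"rule:{source}/{label}")
        if reasons:
            flagged.append((rec["seq"], rec["host"], reasons))
        else:
            unknown[template(rec["msg"])] += 1
    return flagged, unknown


# Constructed sample records in the assumed layout (the first is the post's own
# F-Secure line squeezed onto one line; the rest are made up for this example).
SAMPLE = [
    ("notice", '570770:Tue Dec 30 10:27:53 2003: LSV/F-Secure Anti-Virus (103) - '
               '"2123 2003-12-30 10:27:53-04:00 lsv SYSTEM F-Secure Anti-Virus Malicious code '
               'found in file C:\\LISTSERV\\TMP\\DO-NOT-RUN-ME-1484.EXE. '
               'Infection: I-Worm.Mimail.txt Action: The file was deleted. "'),
    ("crit", '570771:Tue Dec 30 10:27:54 2003: fw1/cisco (0) - '
             '"%PIX-2-106001: Inbound TCP connection denied from 10.1.2.3/4444 to 10.0.0.5/25 '
             'flags SYN on interface outside"'),
    ("info", '570772:Tue Dec 30 10:28:01 2003: web3/sshd (2211) - '
             '"Accepted password for jdoe from 10.0.0.9 port 51022 ssh2"'),
    ("info", '570773:Tue Dec 30 10:28:05 2003: web3/sshd (2214) - '
             '"Accepted password for jdoe from 10.0.0.12 port 51027 ssh2"'),
    ("info", '570774:Tue Dec 30 10:28:07 2003: web3/sshd (2215) - '
             '"Accepted password for asmith from 10.0.0.11 port 51030 ssh2"'),
    ("warning", '570775:Tue Dec 30 10:28:09 2003: web3/sshd (2218) - '
                '"Failed password for root from 10.9.9.9 port 40001 ssh2"'),
]

if __name__ == "__main__":
    flagged, unknown = triage(SAMPLE)
    for seq, host, reasons in flagged:
        print(seq, host, ", ".join(reasons))
    print("unmatched message kinds, most frequent first:")
    for tmpl, n in unknown.most_common():
        print(f"{n:4d}  {tmpl}")
```

The templates that come out of the unknown bucket still carry user names and similar free text, so they do not collapse perfectly; the point is that `most_common()` over a day of records gives the administrator a short list of new message kinds to classify, each of which can then be promoted into the rule list rather than being typed in one message at a time.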
    



    This archive was generated by hypermail 2b30 : Wed Feb 04 2004 - 12:42:12 PST