Hi,

We (multinational company which I don't mention) use logging servers in the DMZ itself on a separated network. So every machine has at least 3 interfaces: incoming -> management (incl. logs) -> fetch data from internal hosts. And of course you should secure your machines, even if they are not in the DMZ (:

Cheers

--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl
Dutch community for helping newcomers on the hackerscene

-----Original message-----
From: loganalysis-bounces@private [mailto:loganalysis-bounces@private] On behalf of bmcdowell@private
Sent: Friday 6 February 2004 20:26
To: loganalysis@private
Subject: [Loganalysis] [logs] Logging in the DMZ

Hello list.

I'd first like to say that I thought I was alone out there in the world of Logging, or at least ahead of where a reasonable person would go with it. I'm glad to see there is such a great resource as this.

Now, on to my issue: How should I handle logging for the devices in my DMZ? Big question, right?

Well, I'm presently using syslog forwarding and database analysis, which works pretty well, but I'm really tired of sinking so much time and effort into it. The devices and services I'm collecting data off of can all write directly to a database, in one form or another, and the feeling that I didn't approach this correctly grows stronger every day. For example, after seeing the library item about 'artificial ignorance' it occurs to me that I'm doing something similar with my db scripts, except I'm suffering a performance hit each time I do a query. It would seem better to just put the data into the fields it belongs in natively, rather than by a scripting process after the fact.

Here's what I've got today:

Internet <-Firewalls-> DMZ <-Firewall with syslog forwarding-> Syslog Server, writing text logs, database scripts doing parsing

I see basically two possible improvement approaches here:

1) Use database logging, where possible, and forward that to an internal server.
2) Put a db and syslog server in the DMZ and do my best to secure it.

Has anyone on the list dealt with this same issue? I'd really appreciate a dialogue here; meanwhile I'm going to continue checking out this cool new site.

Thanks,
Bob

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

_______________________________________________
Loganalysis mailing list
Loganalysis@private
http://lists.elvandar.org/mailman/listinfo/loganalysis
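As an added example (not part of the thread or of anyone's posted code), here is the kind of parsing Bob's "db scripts" do, done once at ingest: one pass splits forwarded BSD syslog lines into the columns a database row would hold and applies an "artificial ignorance" allowlist so only the unexpected records surface. The sample log lines, hostnames, addresses and allowlist patterns are constructed for this example.

```python
import re

# Constructed sample lines in BSD syslog (RFC 3164) form, the kind a DMZ host
# forwards to a collector. Hostnames and addresses are made up for this example.
SAMPLE_LOGS = """\
<38>Feb  6 20:26:01 dmz-web1 sshd[1234]: Accepted publickey for deploy from 10.1.2.3 port 50422 ssh2
<86>Feb  6 20:26:02 dmz-web1 CRON[1240]: pam_unix(cron:session): session opened for user root by (uid=0)
<38>Feb  6 20:26:05 dmz-web1 sshd[1251]: Failed password for invalid user admin from 192.0.2.77 port 41002 ssh2
<30>Feb  6 20:26:07 dmz-mail1 postfix/smtpd[2201]: connect from unknown[192.0.2.78]
this line is not syslog at all
"""
# One regex splits a line into the columns a database table would hold.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def parse_syslog(line):
    """Return a dict of fields for one BSD syslog line, or None if it does
    not parse, so callers can count rejects instead of silently dropping them."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return {
        "facility": pri >> 3, "severity": pri & 7, "timestamp": m["ts"],
        "host": m["host"], "program": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
    }

# "Artificial ignorance": patterns for messages already known to be routine.
# Whatever does NOT match one of these is what the analyst should read.
KNOWN_NOISE = [
    re.compile(r"^Accepted publickey for \w+ from 10\.\d+\.\d+\.\d+ port \d+ ssh2$"),
    re.compile(r"^pam_unix\(cron:session\): session (opened|closed) for user \w+"),
    re.compile(r"^(connect|disconnect) from \S+$"),
]

def interesting_records(text):
    """Parse every line and keep only records not covered by KNOWN_NOISE.
    Returns (kept_records, number_of_unparseable_lines)."""
    records = [parse_syslog(l) for l in text.splitlines() if l.strip()]
    unparsed = sum(1 for r in records if r is None)
    kept = [r for r in records if r is not None
            and not any(p.search(r["message"]) for p in KNOWN_NOISE)]
    return kept, unparsed
```

Run over the constructed sample, only the failed-password record survives and the one non-syslog line is reported as unparsed rather than lost.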
This archive was generated by hypermail 2b30 : Sat Feb 07 2004 - 10:50:50 PST