RE: [Loganalysis] [logs] Logging in the DMZ

From: Remko Lodder (remko@private)
Date: Sat Feb 07 2004 - 03:06:27 PST


    Hi,
    
    We (a multinational company which I don't mention) use logging servers in the
    DMZ itself on a separated
    network.
    
    So every machine has at least 3 interfaces, incoming -> management (incl
    logs) -> fetchdatafrominternalhosts.
    
    And of course you should secure your machines, even if they are not in the
    DMZ (:
    
    Cheers
    
    --
    
    Kind regards,
    
    Remko Lodder
    Elvandar.org/DSINet.org
    www.mostly-harmless.nl Dutch community for helping newcomers on the
    hacker scene
    
    -----Original Message-----
    From: loganalysis-bounces@private
    [mailto:loganalysis-bounces@private] On behalf of
    bmcdowell@private
    Sent: Friday, 6 February 2004 20:26
    To: loganalysis@private
    Subject: [Loganalysis] [logs] Logging in the DMZ
    
    
    
    Hello list.  I'd first like to say that I thought I was alone out there in
    the world of Logging, or at least ahead of where a reasonable person would
    go with it.  I'm glad to see there is such a great resource as this.
    Now, on to my issue:
    
    How should I handle logging for the devices in my DMZ?
    
    Big question, right?  Well, I'm presently using syslog forwarding and
    database analysis, which works pretty well, but I'm really tired of sinking
    so much time and effort into it.  The devices and services I'm collecting
    data off of can all write directly to a database, in one form or another,
    and the feeling that I didn't approach this correctly grows stronger every
    day.  For example, after seeing the library item about 'artificial
    ignorance' it occurs to me that I'm doing something similar with my db
    scripts, except I'm suffering a performance hit each time I do a query.  It
    would seem better to just put the data into the fields it belongs in
    natively, rather than by a scripting process after the fact.
    
    Here's what I've got today:
    
    Internet <-Firewalls-> DMZ <-Firewall with syslog forwarding-> Syslog
    Server, writing text logs, database scripts doing parsing
    
    I see basically two possible improvement approaches here:
    
    1)  Use database logging, where possible, and forward that to an internal
    server.
    2)  Put a db and syslog server in the DMZ and do my best to secure it.
    
    Has anyone on the list dealt with this same issue?  I'd really appreciate a
    dialogue here, meanwhile I'm going to continue checking out this cool new
    site.
    
    
    Thanks,
    
    Bob
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    _______________________________________________
    Loganalysis mailing list
    Loganalysis@private
    http://lists.elvandar.org/mailman/listinfo/loganalysis
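The structure-at-ingest approach Bob weighs above, as an added example that is not from either post: parse relay-written syslog lines into typed fields and drop known-benign lines (the 'artificial ignorance' idea) before they reach the database, instead of filtering with queries afterwards. The sample lines and ignore patterns are constructed for this illustration.

```python
import re
from datetime import datetime

# RFC 3164-style line as a syslog relay writes it: <PRI>Mon DD HH:MM:SS host prog[pid]: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Artificial ignorance: messages known to be noise are dropped; everything else is kept (constructed list).
IGNORE = [
    re.compile(r"^-- MARK --$"),
    re.compile(r"^session (opened|closed) for user \w+"),
]

def parse_syslog(line, year=2004):
    """Split one syslog line into typed fields; None if it does not parse. RFC 3164 has no year."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "ts": ts,
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }

def filter_rows(lines):
    """Parse each line and drop ignored messages; returns rows ready for a DB insert."""
    rows = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or any(p.search(rec["msg"]) for p in IGNORE):
            continue
        rows.append(rec)
    return rows

SAMPLE = [  # constructed lines, as a DMZ relay might forward them
    "<38>Feb  6 20:26:01 dmz-web sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "<86>Feb  6 20:26:05 dmz-web su[1240]: session opened for user bob",
    "<46>Feb  6 20:30:00 dmz-web syslogd: -- MARK --",
]
```

Only the first sample line survives the ignore list, arriving as a typed row (facility 4, severity 6, host, program, pid, message) rather than as text to be re-parsed by a later script.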
    



    This archive was generated by hypermail 2b30 : Sat Feb 07 2004 - 10:50:50 PST