RE: [logs] Logging in the DMZ

From: bmcdowell@private
Date: Mon Feb 09 2004 - 10:55:17 PST


    I was doing this before.  I saw frequent ODBC errors that resulted in
    lost messages.  At the time, I thought dumping to a text file would
    help, and it did get rid of the ODBC errors.  Of course, they later
    returned as import errors...
    
    I can't seem to find a way to control the format of syslog messages.
    Many of the programs I'm logging output from (snort, iptables, etc)
    don't have a great deal of flexibility in their syslog formats.  On the
    other hand, they generally do offer db logging to compensate.  This
    circumvents formatting by writing data directly into fields.
    
    Of course, for those programs that don't offer writing to a db, writing
    syslog instead is exactly what I'll be doing.
    
    
    Bob
    
    -----Original Message-----
    From: Rainer Gerhards [mailto:rgerhards@private]
    Sent: Monday, February 09, 2004 9:13 AM
    To: Bob McDowell; loganalysis@private
    Subject: RE: [logs] Logging in the DMZ
    
    
    Bob,
    
    from the security point of view I do not really like the idea of having
    the devices writing directly to the database. Maybe a slow start to
    optimization would be helpful. How about considering just to have the
    (still non-dmz, thus secured) syslogd write directly to the database. I
    think many current syslogds will allow you to do this.
    
    Rainer 
    
    > -----Original Message-----
    > From: bmcdowell@private 
    > [mailto:bmcdowell@private] 
    > Sent: Friday, February 06, 2004 8:26 PM
    > To: loganalysis@private
    > Subject: [logs] Logging in the DMZ
    > 
    > 
    > Hello list.  I'd first like to say that I thought I was alone 
    > out there in the world of Logging, or at least ahead of where 
    > a reasonable person would go with it.  I'm glad to see there 
    > is such a great resource as this.  Now, on to my issue:
    > 
    > How should I handle logging for the devices in my DMZ?
    > 
    > Big question right?  Well, I'm presently using syslog 
    > forwarding and database analysis which works pretty well, but 
    > I'm really tired of sinking so much time and effort into it.  
    > The devices and services I'm collecting data off of can all 
    > write directly to a database, in one form or another, and the 
    > feeling that I didn't approach this correctly grows stronger 
    > every day.  For example, after seeing the library item about 
    > 'artificial ignorance' it occurs to me that I'm doing 
    > something similar with my db scripts, except I'm suffering a 
    > performance hit each time I do a query.  It would seem better 
    > to just put the data into the fields it belongs in natively, 
    > rather than by a scripting process after the fact.
    > 
    > Here's what I've got today:
    > 
    > Internet <-Firewalls-> DMZ <-Firewall with syslog 
    > forwarding-> Syslog Server, writing text logs, database 
    > scripts doing parsing
    > 
    > I see basically two possible improvement approaches here:
    > 
    > 1)  Use database logging, where possible, and forward that to 
    > an internal server.
    > 2)  Put a db and syslog server in the DMZ and do my best to secure it.
    > 
    > Has anyone on the list dealt with this same issue?  I'd 
    > really appreciate a dialogue here, meanwhile I'm going to 
    > continue checking out this cool new site.
    > 
    > 
    > Thanks,
    > 
    > Bob
    > 
    > 
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysis@private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
    
    
    

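As an added illustration of the pipeline discussed in this thread (syslog text from DMZ devices, parsed into database fields by a script, with "artificial ignorance" filtering and the lost-message problem on database errors), here is a small Python ingestion example. It is not code from any poster; it assumes Python 3.8+, uses an in-memory SQLite database as a stand-in for the real log database, a hypothetical ignore list, and constructed sample lines in BSD syslog format for iptables and snort.

```python
import re
import sqlite3
# Constructed sample lines in BSD syslog format, standing in for DMZ firewall (iptables) and IDS (snort) output.
SAMPLE_LINES = [
    "Feb  6 20:26:01 dmzfw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22",
    "Feb  6 20:26:02 dmzweb snort[812]: [1:1000001:1] Probe [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:80",
    "Feb  6 20:26:03 dmzweb cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Hypothetical "artificial ignorance" list: known-benign patterns are dropped at ingest time, not at query time.
IGNORE = [re.compile(r"cron\[\d+\]: \(root\) CMD ")]
HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")
KV = re.compile(r"(\w+)=(\S*)")
SNORT = re.compile(r"^\[(\d+:\d+:\d+)\] .* (\S+):\d+ -> (\S+):\d+$")
SCHEMA = "CREATE TABLE IF NOT EXISTS events (ts TEXT, host TEXT, prog TEXT, pid TEXT, src TEXT, dst TEXT, sig TEXT, msg TEXT)"

def parse(line):
    """Split a syslog line into header fields plus program-specific fields; an unparsable line is kept whole in msg."""
    m = HEADER.match(line)
    if not m:
        return dict(ts=None, host=None, prog=None, pid=None, src=None, dst=None, sig=None, msg=line)
    ts, host, prog, pid, msg = m.groups()
    rec = dict(ts=ts, host=host, prog=prog, pid=pid, src=None, dst=None, sig=None, msg=msg)
    if prog == "kernel" and "SRC=" in msg:             # iptables LOG target: KEY=VALUE pairs
        kv = dict(KV.findall(msg))
        rec.update(src=kv.get("SRC"), dst=kv.get("DST"))
    elif prog == "snort" and (s := SNORT.match(msg)):  # snort alert: signature id plus endpoints
        rec.update(sig=s.group(1), src=s.group(2), dst=s.group(3))
    return rec

def new_db():
    conn = sqlite3.connect(":memory:")   # in-memory stand-in for the real log database
    conn.execute(SCHEMA)
    return conn

def ingest(lines, conn, spool):
    """Store parsed events; a line the database rejects goes to `spool` for a later import instead of being lost."""
    counts = {"stored": 0, "ignored": 0, "spooled": 0}
    for line in lines:
        if any(p.search(line) for p in IGNORE):
            counts["ignored"] += 1
            continue
        try:
            conn.execute("INSERT INTO events VALUES (:ts,:host,:prog,:pid,:src,:dst,:sig,:msg)", parse(line))
            conn.commit()
            counts["stored"] += 1
        except sqlite3.Error:
            spool.append(line)           # raw line kept verbatim, so a DB outage does not drop events
            counts["spooled"] += 1
    return counts
```

In a real deployment `spool` would be an append-only file re-read by the importer once the database is reachable again, which is what turns the "lost messages" of the thread into delayed ones.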



    This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 11:01:30 PST