We're using Snare on the Windows side, and syslog on the *nix side. We have a 3-tiered model: tier 1 has the most machines, and those machines get *everything* and roll up the log files on an hourly basis (we have about 3000 machines logging at times) for archiving. All the machines are running syslog-ng, so we filter out the junk we don't really care about on tier 1 and send the rest on to tier 2, which is simply 2 machines, one for *nix logs and one for Win logs. We further distill what we want to see, and then forward that on to tier 3, a very big and fast machine that does alerts, SQL logging, reports, and event correlation. We have a Cisco PIX 535, which generates 1G log files each hour, so we're not throwing that into the mix, yet.

Logsurfer+ is running on tier 1 and tier 3 machines to do alerts and perform actions based on what it sees (like on tier 1, I/O errors page the registered admin of that machine to let them know they are having disk problems).

This is still a startup operation, and things change daily, but this seems to be working for us. The reports have to be developed in-house, unless you want to use something canned like wflogs or logwatch.

Tim

On Fri, Feb 27, 2004 at 08:29:06AM -0700, Rudy, Ian # PHX wrote:
> Kevin,
>
> I'm slightly one step ahead.. I've figured out how to get the IIS logs and
> Event logs to the syslog facility (SNARE
> http://www.intersectalliance.com/projects/SnareWindows/index.html ).. now
> I want to be able to crunch those events into higher level html reports for
> trending and correlation. I too am using syslog-ng with a mysql backend but
> I also process the raw log files for PIX events and ACL events into high
> level html reports. I'm looking to identify a solution similar to fwanalog
> (http://tud.at/programm/fwanalog/) for
> the IIS and Windows Event logs.
> I'd love to try the SNARE server portion
> but alas I'm not located in the Asia Pacific region where they are currently
> offering it. I've checked out a couple of other cheap commercial ones (around
> $100-200 US) but most of the Windows based analysis ones run on Windows and
> I was hoping to find something that could run on my Linux based central log
> server. I don't mind even doing the grunt work of having to figure out what
> trends and events I want to analyze, just looking for a good log parsing
> engine with html output capabilities.
>
> Thanks,
> Ian
>
> -----Original Message-----
> From: Maute Kevin Contr AFIT/SCBS [mailto:Kevin.Maute@private]
> Sent: Friday, February 27, 2004 9:07 AM
> To: Rudy, Ian # PHX; loganalysis@private
> Subject: RE: [logs] IIS and Windows Event log parser to generate reports
>
> Ian,
>
> You are somewhat ahead of me... I have been looking at syslog-ng with a
> mysql backend to do enterprise logging. My specifics are:
>
> IDS - Snort running ACID & Cisco 4235 appliance
> FW - Symantec Enterprise Firewall (formerly Raptor)
> Various unix and M$ devices as well...
>
> I can copy the FW logs with supplied client(s) which is fairly close to
> syslog format. The Cisco IDS is the only one I have not conceptually
> figured out yet.
>
> Like you I am also looking for an IIS and Event Log parser or syslog hook...
>
> Kevin Maute (RCF System/Security Admin)
> mailto:kevin.maute@private
> (937) 255-6565 x4250
>
> -----Original Message-----
> From: loganalysis-bounces+kevin.maute=afit.edu@private
> [mailto:loganalysis-bounces+kevin.maute=afit.edu@private] On Behalf
> Of Rudy, Ian # PHX
> Sent: Thursday, February 26, 2004 6:01 PM
> To: 'loganalysis@private'
> Subject: [logs] IIS and Windows Event log parser to generate reports
>
> All,
>
> I currently have a central syslog server (running Linux) that records events
> from IDS, firewalls, routers, etc., and now Windows IIS logs and Windows
> Event log messages. I've been able to handle the current logs pretty well
> but need some suggestions for dealing with the additional Windows event
> information. Does anybody know of any good scripts or parsing tools to
> analyze the Windows IIS and Event Log information and generate reports
> (preferably html)?
>
> Thanks in advance,
>
> Ian
>
> This E-mail message is for the sole use of the intended recipient(s) and may
> contain confidential and privileged information. Any unauthorized review,
> use, disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply E-mail, and destroy all copies
> of the original message.
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

--
Tim Sailer <sailer@private>
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory
(631) 344-3001
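As an added example (not code from the thread or from any of the posters), here is the kind of small parsing engine Ian is asking for: it reads syslog lines carrying Snare-agent Windows events, drops noise event IDs the way Tim's tier 1 filters junk before forwarding, and renders per-host event counts as an HTML table. The tab-separated Snare field order and the sample log lines are assumptions constructed for the example, not taken from the post.

```python
import html
import re
from collections import Counter

# Constructed sample syslog lines carrying Snare-agent payloads (not from the thread).
# Assumed Snare field order after "MSWinEventLog": criticality, log name, counter, timestamp,
# event id, source, user, SID type, event type, computer, category, description, expanded, counter.
SAMPLE_LOG = "\n".join([
    "Feb 27 08:29:06 web01 MSWinEventLog\t1\tSecurity\t101\tFri Feb 27 08:29:05 2004\t529"
    "\tSecurity\tbob\tUser\tFailure Audit\tWEB01\tLogon/Logoff\tLogon Failure: bad password\t\t100",
    "Feb 27 08:29:07 web01 MSWinEventLog\t1\tSecurity\t102\tFri Feb 27 08:29:06 2004\t529"
    "\tSecurity\tbob\tUser\tFailure Audit\tWEB01\tLogon/Logoff\tLogon Failure: bad password\t\t101",
    "Feb 27 08:29:08 web02 MSWinEventLog\t0\tSystem\t55\tFri Feb 27 08:29:07 2004\t7036"
    "\tService Control Manager\tN/A\tN/A\tInformation\tWEB02\tNone\tW3SVC entered the running state.\t\t60",
    "Feb 27 08:29:09 web02 MSWinEventLog\t1\tSecurity\t56\tFri Feb 27 08:29:08 2004\t528"
    "\tSecurity\talice\tUser\tSuccess Audit\tWEB02\tLogon/Logoff\tSuccessful Logon\t\t61",
    "Feb 27 08:29:10 web02 sshd[123]: not a Windows event, skipped by the parser",
])
SNARE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MSWinEventLog\t(?P<rest>.*)$")
NOISE_EVENT_IDS = {"7036"}  # tier-1 style junk filter: routine service state changes

def parse_snare(line):
    """Return a dict for one Snare-format line, or None for anything else."""
    m = SNARE_RE.match(line)
    if not m:
        return None
    f = m.group("rest").split("\t")
    if len(f) < 12:  # truncated payload: refuse it rather than misalign the fields
        return None
    return {"syslog_host": m.group("host"), "log": f[1], "event_id": f[4], "source": f[5],
            "user": f[6], "type": f[8], "computer": f[9], "description": f[11]}

def summarize(text):
    """Count kept events per (computer, event id, type, description), dropping noise."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_snare(line)
        if ev and ev["event_id"] not in NOISE_EVENT_IDS:
            counts[(ev["computer"], ev["event_id"], ev["type"], ev["description"])] += 1
    return counts

def html_report(counts):
    """Render counts as an HTML table; fields are escaped so a crafted description cannot inject markup."""
    rows = []
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        cells = [html.escape(x) for x in key] + [str(n)]
        rows.append("<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>")
    return ("<table><tr><th>Computer</th><th>EventID</th><th>Type</th>"
            "<th>Description</th><th>Count</th></tr>" + "".join(rows) + "</table>")
```

Running `html_report(summarize(open(path).read()))` over one of the hourly tier-1 roll-up files gives a page listing the busiest (host, event) pairs first; the escaping matters because the description field is attacker-influenced text copied straight from the event log.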
This archive was generated by hypermail 2b30 : Fri Feb 27 2004 - 10:08:46 PST