*** WARNING *** I am the CTO of a log management/analysis company. We recently released a product designed to do exactly this.

LogRhythm can collect log data in agent (Windows, Linux) and agent-less (e.g., syslog, SNMP) deployment architectures. Log data is stored in a horizontally scalable, distributed log management architecture. Logs can be transformed to events via a rule builder that uses Perl regex combined with a tagging notation for extracting normal fields (e.g., IP addresses, login). Logs transformed to events are forwarded to an event manager for real-time monitoring. Log data is also automatically aged and archived/destroyed based on user configuration.

I like to refer to our architecture as "Push-Pull": based on user configuration, high-priority logs are transformed and forwarded as events, but raw log data can be "pulled" on demand for analysis. Example:

- Web server attack detected by Snort
- Snort log transformed to event and forwarded to event manager
- Event monitored in real-time by user
- User queries LogRhythm for additional logs from the web server surrounding the attack to make a more accurate and timely decision on what really occurred

This last example is what initially got us motivated to build LogRhythm: adding context to IDS alarms. However, as we have progressed we have found LogRhythm to provide value in the areas of auditing/forensics, operations monitoring, and soon the ability to perform data-mining misuse/intrusion/fraud detection against many different types of log data (e.g., ERP logs, database logs).

The other products I am familiar with are primarily focused on security event management, with the exception of Addamark, which is log management/analysis focused. The SEM guys will all say they do logs, but I'm not sure if they are really architected to do so. These other products include NetForensics, Intellitactics, eSecurity, NeuSecure, and ArcSight. While some of these products are pretty impressive, they are also pretty costly.
If you'd like additional information on LogRhythm please check us out at http://www.logrhythm.com.

Chris Petersen
Security Conscious, Inc.
chris@security-conscious.com
www.security-conscious.com

-----Original Message-----
From: loganalysis-bounces+chris=security-conscious.com@private [mailto:loganalysis-bounces+chris=security-conscious.com@private] On Behalf Of Anthony Butler
Sent: Wednesday, April 07, 2004 10:48 PM
To: loganalysis@private
Subject: [logs] Products for log correlation

Hi everyone,

I was wondering if anyone knows of a tool for log-file correlation and analysis. By that I mean being able to see in a unified form and arranged chronologically log entries from a variety of disparate and distributed systems. For example, web servers, application servers, operating systems and database servers.

Thanks for any pointers that you can provide.

Best Regards,
Anthony Butler
Amcor

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
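The mechanics both posters are talking about (tagged regex rules that turn raw lines into normalized fields, a single chronological view across disparate sources, and the "push" of a high-priority IDS hit as an event followed by an on-demand "pull" of the surrounding web-server and host logs) can be shown in a few dozen lines. The block below is an added example written for this archive page; it is not LogRhythm code and not code from either poster. The Snort, Apache and syslog lines are constructed, the `SAMPLE`, `RULES`, `normalize`, `collect`, `push_events`, `pull_context` and `timeline` names are this example's own, and it assumes all sources share one local timezone and that the year (2004) must be supplied for the two formats that omit it.

```python
"""Added example (not LogRhythm code): normalize log lines from three sources
with tagged (named-group) regexes, merge them into one chronological timeline,
"push" high-priority IDS hits as events, and "pull" raw context around one.
Every sample line below is constructed for this example."""
import re
from datetime import datetime, timedelta

# Assumptions: all sources run in the same local timezone, and Snort fast
# alerts and BSD syslog omit the year, so it is supplied here.
YEAR = 2004

# Constructed sample lines: one Snort fast alert, four Apache access-log
# entries, one sshd syslog line. 203.0.113.7 is the "attacker" in the story.
SAMPLE = {
    "snort": [
        "04/07-22:41:03.512 [**] [1:99999:1] WEB-ATTACK cmd.exe request [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} "
        "203.0.113.7:4455 -> 192.0.2.10:80",
    ],
    "apache": [
        '203.0.113.7 - - [07/Apr/2004:22:40:58 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
        '198.51.100.5 - - [07/Apr/2004:22:40:59 -0700] "GET /index.html HTTP/1.1" 200 1043',
        '203.0.113.7 - - [07/Apr/2004:22:41:05 -0700] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 200 512',
        '203.0.113.7 - - [07/Apr/2004:23:30:00 -0700] "GET /index.html HTTP/1.1" 200 1043',
    ],
    "syslog": [
        "Apr  7 22:41:09 www1 sshd[2210]: Accepted password for admin from 203.0.113.7 port 51022 ssh2",
    ],
}

# One rule per source. Named groups play the role of the "tags" that mark
# which parts of a raw line become normalized fields (ts, src_ip, msg, ...).
RULES = {
    "snort": re.compile(
        r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\] "
        r".*\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
        r"(?P<src_ip>[\d.]+):\d+ -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"),
    "apache": re.compile(
        r'^(?P<src_ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<msg>[^"]*)" '
        r"(?P<status>\d{3}) (?P<bytes>\d+|-)$"),
    "syslog": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: "
        r"(?P<msg>.*?)(?: from (?P<src_ip>[\d.]+))?(?: port \d+ \w+)?$"),
}

# How each source's timestamp string becomes a naive local datetime.
TS_FORMATS = {
    "snort":  lambda s: datetime.strptime(f"{YEAR}/{s}", "%Y/%m/%d-%H:%M:%S"),
    "apache": lambda s: datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None),
    "syslog": lambda s: datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S"),
}


def normalize(source, line):
    """Transform one raw line into a normalized record, or None if no rule matches."""
    m = RULES[source].match(line)
    if not m:
        return None  # unmatched lines would stay raw-only (stored, but never an event)
    fields = m.groupdict()
    return {**fields, "ts": TS_FORMATS[source](fields["ts"]), "source": source, "raw": line}


def collect(sources):
    """Normalize every line from every source and merge them chronologically."""
    records = [r for name, lines in sources.items()
               for r in (normalize(name, ln) for ln in lines) if r]
    return sorted(records, key=lambda r: (r["ts"], r["source"]))


def push_events(records, max_priority=1):
    """'Push' side: only high-priority IDS records are forwarded as events."""
    return [r for r in records
            if r["source"] == "snort" and int(r["prio"]) <= max_priority]


def pull_context(records, alert, window=timedelta(seconds=30)):
    """'Pull' side: on demand, fetch other records for the alert's source IP
    within +/- window of the alert, oldest first."""
    lo, hi = alert["ts"] - window, alert["ts"] + window
    return [r for r in records
            if r is not alert and r.get("src_ip") == alert["src_ip"] and lo <= r["ts"] <= hi]


def timeline(records):
    """Unified, chronological one-line-per-record view across all sources."""
    return [f"{r['ts']:%Y-%m-%d %H:%M:%S} {r['source']:<6} {r.get('src_ip') or '-':<15} {r['msg']}"
            for r in records]


if __name__ == "__main__":
    recs = collect(SAMPLE)
    print("\n".join(timeline(recs)))
    for alert in push_events(recs):
        print(f"\nEVENT: {alert['msg']} from {alert['src_ip']}; surrounding context:")
        print("\n".join(timeline(pull_context(recs, alert))))
```

Run as a script it prints the merged timeline for all six lines, then the one Priority-1 alert with the three records pulled for its source IP: the two cmd.exe requests on either side of the alert and the sshd login from the same address a few seconds later; the unrelated client and the request an hour later are filtered out. The weak spot in a real deployment is the timestamp step: if sources disagree on clock or timezone, the "chronological" view silently lies, so time normalization deserves as much care as the field-extraction rules.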
This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 09:10:41 PDT