RE: [logs] Products for log correlation

From: Chris Petersen (chris@security-conscious.com)
Date: Thu Apr 08 2004 - 07:46:06 PDT

    *** WARNING *** I am the CTO of a log management/analysis company.
    
    We recently released a product designed to do exactly this.  LogRhythm can
    collect log data in agent (Windows, Linux) and agent-less (e.g., syslog,
    snmp) deployment architectures.  Log data is stored in a horizontally
    scalable, distributed log management architecture.  Logs can be transformed
    to events via a rule builder that uses Perl regex combined with a tagging
    notation for extracting normal fields (e.g., IP addresses, login).  Logs
    transformed to events are forwarded to an event manager for real-time
    monitoring.  Log data is also automatically aged and archived/destroyed
    based on user configuration.
     
    I like to refer to our architecture as "Push-Pull" where based on user
    configuration, high-priority logs are transformed and forwarded as events
    but raw log data can be "pulled" on demand for analysis.
    
    Example:
    - Web server attack detected by snort
    - Snort log transformed to event and forwarded to event manager
    - Event monitored in real-time by user
    - User queries LogRhythm for additional logs from web server surrounding
    attack to make more accurate and timely decision on what really occurred.
    
    This last example is what initially got us motivated to build LogRhythm,
    adding context to IDS alarms.  However, as we have progressed we have found
    LogRhythm to provide value in the areas of auditing/forensics, operations
    monitoring, and soon - the ability to perform data-mining
    misuse/intrusion/fraud detection against many different types of log data
    (e.g., ERP logs, database logs).
     
    The other products I am familiar with are primarily focused on security
    event management with the exception of Addamark that is log
    management/analysis focused.  The SEM guys will all say they do logs but I'm
    not sure if they are really architected to do so.  These other products
    include NetForensics, Intellitactics, eSecurity, NeuSecure, and ArcSight.
    While some of these products are pretty impressive, they are also pretty
    costly.
     
    If you'd like additional information on LogRhythm please check us out at
    http://www.logrhythm.com. 
    
    Chris Petersen
    Security Conscious, Inc.
    chris@security-conscious.com
    www.security-conscious.com
    
      
    -----Original Message-----
    From: loganalysis-bounces+chris=security-conscious.com@private
    [mailto:loganalysis-bounces+chris=security-conscious.com@private] On
    Behalf Of Anthony Butler
    Sent: Wednesday, April 07, 2004 10:48 PM
    To: loganalysis@private
    Subject: [logs] Products for log correlation
    
    
    Hi everyone,
     
    I was wondering if anyone knows of a tool for log-file correlation and
    analysis.  By that I mean being able to see in a unified form and arranged
    chronologically log entries from a variety of disparate and distributed
    systems.  For example, web servers, application servers, operating systems
    and database servers. 
     
    Thanks for any pointers that you can provide.
     
    Best Regards,
     
    Anthony Butler
    Amcor 
     
    
    
    ************************************************************************
    CAUTION - This message may contain privileged and confidential
    information intended only for the use of the addressee named above. 
    If you are not the intended recipient of this message you are hereby
    notified that any use, dissemination, distribution or reproduction of
    this message is prohibited. If you have received this message in error
    please notify AMCOR immediately.
    Any views expressed in this message are those of the individual sender
    and may not necessarily reflect the views of AMCOR.
    ************************************************************************
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
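The "Push-Pull" flow Chris describes (a regex rule builder whose tags extract normalized fields, high-priority logs pushed as events, raw logs pulled on demand for context around an IDS alarm) and Anthony's request for one chronological view of logs from disparate systems are sketched in the Python below. It is an added example, not code from this thread or from LogRhythm. The log lines are constructed sample data modelled on Apache access-log, Snort fast-alert and OpenSSH syslog formats; the rule table, `ASSUMED_YEAR`, the five-minute window and the function names are this example's own assumptions, and Python named groups stand in for whatever tagging notation the product used.

```python
"""Toy push-pull log pipeline (added example; constructed data, not LogRhythm code).
RULES: one regex per source, named groups tag the normalized fields.
unified_timeline(): every source merged into one chronological list.
push_events(): high-priority records are pushed to an event manager.
pull_context(): raw logs around an event are pulled on demand."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (Apache-style access log, a Snort-style fast alert,
# OpenSSH syslog messages). Not a real capture.
RAW_LOGS = {
    "webserver": [
        '10.0.0.5 - - [08/Apr/2004:07:40:01 -0700] "GET /index.html HTTP/1.1" 200 512',
        '192.0.2.44 - - [08/Apr/2004:07:41:12 -0700] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 0',
        '192.0.2.44 - - [08/Apr/2004:07:41:13 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0',
        '10.0.0.7 - - [08/Apr/2004:07:52:30 -0700] "GET /about.html HTTP/1.1" 200 910',
    ],
    "snort": [
        '04/08-07:41:12.551 [**] [1:1122:4] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 192.0.2.44:3310 -> 10.0.0.9:80',
    ],
    "linux-auth": [
        'Apr  8 07:39:55 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 40122 ssh2',
        'Apr  8 07:45:02 web01 sshd[2290]: Failed password for root from 192.0.2.44 port 2211 ssh2',
    ],
}

# Rule table: (regex with named groups, strptime format for the ts group, priority).
RULES = {
    "webserver": (
        re.compile(r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'),
        "%d/%b/%Y:%H:%M:%S %z", "low"),
    "snort": (
        re.compile(r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] '
                   r'.*?\{(?P<proto>\w+)\} (?P<src_ip>[\d.]+):\d+ -> (?P<dst_ip>[\d.]+):\d+'),
        "%m/%d-%H:%M:%S", "high"),
    "linux-auth": (
        re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
                   r'(?P<result>Accepted|Failed) password for (?P<login>\S+) from (?P<src_ip>[\d.]+)'),
        "%b %d %H:%M:%S", "low"),
}

ASSUMED_YEAR = 2004  # syslog and Snort stamps carry no year; assumed from the thread date


def parse_ts(text, fmt):
    """Normalize a timestamp. Caveat: all sources are treated as one local clock here;
    real correlation needs NTP-synced hosts and explicit timezone handling, or the
    chronological view lies."""
    ts = datetime.strptime(text, fmt)
    if ts.year == 1900:           # format carried no %Y
        ts = ts.replace(year=ASSUMED_YEAR)
    return ts.replace(tzinfo=None)


def normalize(source, line):
    """Apply the source's rule; return a normalized record, or None if it does not match."""
    regex, fmt, priority = RULES[source]
    m = regex.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    rec = {"source": source, "priority": priority, "raw": line,
           "ts": parse_ts(fields.pop("ts"), fmt)}
    rec.update(fields)
    return rec


def unified_timeline(raw_logs):
    """All sources in one list, ordered by normalized timestamp."""
    records = [rec for src, lines in raw_logs.items()
               for rec in (normalize(src, ln) for ln in lines) if rec]
    return sorted(records, key=lambda r: r["ts"])


def push_events(timeline):
    """Push side: only high-priority records are forwarded as events."""
    return [r for r in timeline if r["priority"] == "high"]


def pull_context(timeline, event, window=timedelta(minutes=5), sources=None, same_ip=False):
    """Pull side: on-demand query for raw logs within +/- window of an event,
    optionally restricted to given sources and to the event's source IP."""
    lo, hi = event["ts"] - window, event["ts"] + window
    return [r for r in timeline
            if r is not event and lo <= r["ts"] <= hi
            and (sources is None or r["source"] in sources)
            and (not same_ip or r.get("src_ip") == event["src_ip"])]


if __name__ == "__main__":
    timeline = unified_timeline(RAW_LOGS)
    for r in timeline:
        print(r["ts"], r["source"].ljust(10), r["priority"], r["raw"][:60])
    for ev in push_events(timeline):
        print("\nEVENT", ev["sid"], ev["msg"], "from", ev["src_ip"])
        for r in pull_context(timeline, ev, sources={"webserver", "linux-auth"}, same_ip=True):
            print("  context:", r["ts"], r["source"], r["raw"])
```

Run as-is, the Snort alert is the only record pushed as an event; pulling the web-server and auth logs around it for the same source IP surfaces the two probing requests and a failed root SSH login from the same address, which is the kind of context the IDS alarm alone does not give. Swapping the rule table for real sources is the work; the window and the same-IP filter are just two of the pivots an analyst would want.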
    



    This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 09:10:41 PDT