RE: [logs] Products for log correlation

From: Alan Sparks (asparks@private)
Date: Thu Apr 08 2004 - 09:51:38 PDT

  • Next message: Allan Liska: "[logs] Session Tracking"

    Interesting product.  Would be a lot more interesting if the guts didn't
    require Windows Server and MS SQL Server.  :-)
    On Thu, 2004-04-08 at 08:46, Chris Petersen wrote:
    > *** WARNING *** I am the CTO of a log management/analysis company.
    > We recently released a product designed to do exactly this.  LogRhythm can
    > collect log data in agent (Windows, Linux) and agent-less (e.g., syslog,
    > snmp) deployment architectures.  Log data is stored in a horizontally
    > scalable, distributed log management architecture.  Logs can be transformed
    > to events via a rule builder that uses Perl regex combined with a tagging
    > notation for extracting normal fields (e.g., IP addresses, login).  Logs
    > transformed to events are forwarded to an event manager for real-time
    > monitoring.  Log data is also automatically aged and archived/destroyed
    > based on user configuration.
    > I like to refer to our architecture as "Push-Pull" where based on user
    > configuration, high-priority logs are transformed and forwarded as events
    > but raw log data can be "pulled" on demand for analysis.
    > Example:
    > - Web server attack detected by snort
    > - Snort log transformed to event and forwarded to event manager
    > - Event monitored in real-time by user
    > - User queries LogRhythm for additional logs from web server surrounding
    > attack to make more accurate and timely decision on what really occurred.
    > This last example is what initially got us motivated to build LogRhythm,
    > adding context to IDS alarms.  However, as we have progressed we have found
    > LogRhythm to provide value in the area of auditing/forensics, operations
    > monitoring, and soon - the ability to perform data-mining
    > misuse/intrusion/fraud detection against many different types of log data
    > (e.g., ERP logs, database logs).
    > The other products I am familiar with are primarily focused on security
    > event management with the exception of Addamark that is log
    > management/analysis focused.  The SEM guys will all say they do logs but I'm
    > not sure if they are really architected to do so.  These other products
    > include NetForensics. Intellitectics, eSecurity, NeuSecure, and ArcSight.
    > While some of these products are pretty impressive, they are also pretty
    > costly.
    > If you'd like additional information on LogRhythm please check us out at
    > Chris Petersen
    > Security Conscious, Inc.
    >   -----Original Message-----
    > From:
    > [] On
    > Behalf Of Anthony Butler
    > Sent: Wednesday, April 07, 2004 10:48 PM
    > To: loganalysis@private
    > Subject: [logs] Products for log correlation
    > Hi everyone,
    > I was wondering if anyone knows of a tool for log-file correlation and
    > analysis.  By that I mean being able to see in a unified form and arranged
    > chronologically log entries from a variety of disparate and distributed
    > systems.  For example, web servers, application servers, operating systems
    > and database servers. 
    > Thanks for any pointers that you can provide.
    > Best Regards,
    > Anthony Butler
    > Amcor 
    > ************************************************************************
    > CAUTION - This message may contain privileged and confidential
    > information intended only for the use of the addressee named above. 
    > If you are not the intended recipient of this message you are hereby
    > notified that any use, dissemination, distribution or reproduction of
    > this message is prohibited. If you have received this message in error
    > please notify AMCOR immediately.
    > Any views expressed in this message are those of the individual sender
    > and may not necessarily reflect the views of AMCOR.
    > ************************************************************************
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysis@private
    Alan Sparks, Sr. UNIX Administrator	asparks@private
    Quris, Inc.				(720) 836-2058
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 10:07:17 PDT