Yea, although MS does have its advantages. We have toyed with the idea of
porting the log management and message processing layer to Linux/MySQL
which would be very cool and very cheap. Some of the things we are doing
at the event management/analysis layer would be a lot tougher without MS
SQL or other full-blown RDBMS. We are also relying on some of the new
.NET capabilities in our client to achieve very fast analysis of large
datasets, namely the ability to create in-memory RDBMS structures which
is extremely powerful. Sometimes you gotta take the good with the bad ;)

Chris Petersen
CTO, Security Conscious, Inc.
chris@security-conscious.com
www.logrhythym.com
www.security-conscious.com

> -----Original Message-----
> From: Alan Sparks [mailto:asparks@private]
> Sent: Thursday, April 08, 2004 10:52 AM
> To: chris@security-conscious.com
> Cc: loganalysis@private
> Subject: RE: [logs] Products for log correlation
>
> Interesting product. Would be a lot more interesting if the
> guts didn't require Windows Server and MS SQL Server. :-)
> -Alan
>
> On Thu, 2004-04-08 at 08:46, Chris Petersen wrote:
> > *** WARNING *** I am the CTO of a log management/analysis company.
> >
> > We recently released a product designed to do exactly this. LogRhythm
> > can collect log data in agent (Windows, Linux) and agent-less (e.g.,
> > syslog, snmp) deployment architectures. Log data is stored in a
> > horizontally scalable, distributed log management architecture. Logs
> > can be transformed to events via a rule builder that uses Perl regex
> > combined with a tagging notation for extracting normal fields (e.g.,
> > IP addresses, login). Logs transformed to events are forwarded to an
> > event manager for real-time monitoring. Log data is also automatically
> > aged and archived/destroyed based on user configuration.
> >
> > I like to refer to our architecture as "Push-Pull" where based on user
> > configuration, high-priority logs are transformed and forwarded as
> > events but raw log data can be "pulled" on demand for analysis.
> >
> > Example:
> > - Web server attack detected by snort
> > - Snort log transformed to event and forwarded to event manager
> > - Event monitored in real-time by user
> > - User queries LogRhythm for additional logs from web server
> >   surrounding attack to make more accurate and timely decision on what
> >   really occurred.
> >
> > This last example is what initially got us motivated to build
> > LogRhythm, adding context to IDS alarms. However, as we have
> > progressed we have found LogRhythm to provide value in the area of
> > auditing/forensics, operations monitoring, and soon - the ability to
> > perform data-mining misuse/intrusion/fraud detection against many
> > different types of log data (e.g., ERP logs, database logs).
> >
> > The other products I am familiar with are primarily focused on
> > security event management with the exception of Addamark that is log
> > management/analysis focused. The SEM guys will all say they do logs
> > but I'm not sure if they are really architected to do so. These other
> > products include NetForensics, Intellitectics, eSecurity, NeuSecure,
> > and ArcSight. While some of these products are pretty impressive, they
> > are also pretty costly.
> >
> > If you'd like additional information on LogRhythm please check us out
> > at http://www.logrhythm.com.
> >
> > Chris Petersen
> > Security Conscious, Inc.
> > chris@security-conscious.com
> > www.security-conscious.com
> >
> > -----Original Message-----
> > From: loganalysis-bounces+chris=security-conscious.com@private
> > [mailto:loganalysis-bounces+chris=security-conscious.com@private]
> > On Behalf Of Anthony Butler
> > Sent: Wednesday, April 07, 2004 10:48 PM
> > To: loganalysis@private
> > Subject: [logs] Products for log correlation
> >
> > Hi everyone,
> >
> > I was wondering if anyone knows of a tool for log-file correlation and
> > analysis. By that I mean being able to see in a unified form and
> > arranged chronologically log entries from a variety of disparate and
> > distributed systems. For example, web servers, application servers,
> > operating systems and database servers.
> >
> > Thanks for any pointers that you can provide.
> >
> > Best Regards,
> >
> > Anthony Butler
> > Amcor
> >
> > **********************************************************************
> > CAUTION - This message may contain privileged and confidential
> > information intended only for the use of the addressee named above.
> > If you are not the intended recipient of this message you are hereby
> > notified that any use, dissemination, distribution or reproduction of
> > this message is prohibited. If you have received this message in error
> > please notify AMCOR immediately.
> > Any views expressed in this message are those of the individual sender
> > and may not necessarily reflect the views of AMCOR.
> > **********************************************************************
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis@private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
> --
> Alan Sparks, Sr. UNIX Administrator asparks@private
> Quris, Inc. (720) 836-2058
>

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
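An added illustration of the thread's two ideas (not code from LogRhythm or any list member): Anthony's unified, chronologically ordered view across disparate sources, and Chris's "Push-Pull" flow in which an IDS alarm is normalized into an event and the raw web-server and login logs surrounding it are pulled back on demand. Named regex groups stand in for the "regex plus tagging notation" rule style; every log line, IP address, host name and rule pattern below is constructed for this example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (made up for this example): an IDS alert, Apache
# access-log lines and one syslog line, each in its native format.
SNORT = ['04/08/2004-10:30:05.000 [**] WEB-ATTACKS /etc/passwd access [**] 10.1.1.5 -> 192.168.1.10']
APACHE = ['10.1.1.5 - - [08/Apr/2004:10:29:50 -0600] "GET /index.html HTTP/1.1" 200 512',
          '10.1.1.5 - - [08/Apr/2004:10:30:04 -0600] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',
          '10.1.1.7 - - [08/Apr/2004:10:45:00 -0600] "GET /about.html HTTP/1.1" 200 210']
SYSLOG = ['Apr  8 10:30:20 web1 sshd[1234]: Accepted password for alice from 10.1.1.5 port 5000']
SOURCES = {'snort': SNORT, 'apache': APACHE, 'syslog': SYSLOG}

# One rule per source, in the spirit of "Perl regex plus a tagging notation": the
# named groups tag the normalized fields (ts, src_ip, login, msg) shared by all events.
RULES = {
    'snort': (re.compile(r'^(?P<ts>\S+) \[\*\*\] (?P<msg>.+?) \[\*\*\] (?P<src_ip>[\d.]+) -> '),
              '%m/%d/%Y-%H:%M:%S.%f'),
    'apache': (re.compile(r'^(?P<src_ip>[\d.]+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<msg>[^"]*)"'),
               '%d/%b/%Y:%H:%M:%S'),
    'syslog': (re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ '
                          r'(?P<msg>.* for (?P<login>\w+) from (?P<src_ip>[\d.]+) .*)$'),
               '%b %d %H:%M:%S'),
}

def normalize(source, line):
    """Transform one raw log line into a normalized event dict (None if the rule misses)."""
    pattern, fmt = RULES[source]
    m = pattern.match(line)
    if not m:
        return None
    ev = {k: v for k, v in m.groupdict().items() if v is not None}
    ts = datetime.strptime(ev['ts'], fmt)
    if ts.year == 1900:            # syslog carries no year; assume the thread's year
        ts = ts.replace(year=2004)
    ev['ts'], ev['source'] = ts, source
    return ev

def unified_view(sources):
    """Anthony's request: every source merged into one chronological stream."""
    events = []
    for name, lines in sources.items():
        events += filter(None, (normalize(name, line) for line in lines))
    return sorted(events, key=lambda e: e['ts'])

def pull_context(alarm, sources, window=timedelta(seconds=30)):
    """Push-Pull step 4: pull the other sources' raw logs within +/- window of the
    forwarded IDS event that involve the same source IP."""
    return [e for e in unified_view(sources)
            if e['source'] != alarm['source'] and e.get('src_ip') == alarm['src_ip']
            and abs(e['ts'] - alarm['ts']) <= window]
```

Running `pull_context(normalize('snort', SNORT[0]), SOURCES)` returns the two web requests from 10.1.1.5 just before the alarm and the SSH login from the same address 15 seconds after it, while the unrelated 10:45 request is left out.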
This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 10:56:43 PDT