Re: [logs] most popular reports...?

From: Jim Prewett (download@private)
Date: Thu Aug 19 2004 - 13:49:23 PDT


 
I agree!  I used to consider my hourly cron job messages to be "not 
interesting" until I realized that I could use them to find NTP problems!  
(if the hourly cron job fires at an odd time, there is most likely an NTP 
problem on that host or on the syslog host, or a serious load on the host 
thats preventing it from running the cron job on time).  Now i'm very 
interested in my regular cron job messages.

I basically look for uninteresting messages in the set of messages that 
have no interesting variables.  Eg. if the time is not something I find 
interesting (eg. a message that could happen at any time of the day), then 
that field can be ignored for that message type.  If you can say that none 
of the fields could be interesting, then the message is uninteresting.

I also like to tell myself that my log analysis configs represent what I
am currently interested in.  I expect that the set of interesting messages
will change depending on what problem i'm trying to solve.  So, i'm not 
filtering because there is no value in the message, but rather because I 
don't need any of the potential value of that message to solve the problem 
i'm working on.

Jim

On Thu, 19 Aug 2004, Jian Zhen wrote:

> Just curious, how do you determine the stuff that you are *not* interested in?
> It seems to be a fairly subjective exercise and may result in losing 
> important data. (genuine question, not flame bait :)
> 
> As an example, deciding all accepts on a firewall are *not* interesting
> may not be valid. 
> 
> I do agree that some process of elimination is necessary for log analysis,
> where this happens is the question.
> 
> <RandomThougths>
> 
> It seems like in most real-world cases, log analysis is triggered by some
> stimuli, e.g. an alert (IDS, SIM, human) or a log report (text or graphical 
> format) showing something interesting. Most sysadmins are probably too busy
> to consciously go and review logs unless something happens.
> 
> It also seems like most of the time, the process of correlation is in 
> reverse chronological (temporal) order, as in, you go backwards in order 
> to find out what happened (when did the attack occur, where did it come from,
> how did it occur). Sometimes you will go forward in time to find out if other 
> similar incidents has happened or if the attacker used the host for other
> attacks.
> 
> There's also a spatial component to the process of correlation as well.
> We generally look at logs from multiple hosts/devices across the network
> in order to figure out the root cause.
> 
> Almost all of the SIM vendors are implementing their systems based on
> forward temporal correlation, this is probably useful in detecting some
> of the more well known scenarios. If the scenario is not known, most 
> likely the attack will be missed.
> 
> For most investigations, it seems like reverse spatial & temporal analysis
> is more useful.  Pro'ly less processor and memory intensive. However, 
> (hey! STRACE = Spatial & Temporal Reverse Analytics & Correlation Engine)
> 
> The question is can something like that built to perform the reverse
> correlation automatically (or if it's useful at all). There probably has 
> to be some rules to tell the engine what to look at next (in reverse).
> 
> </RandomThougths>
> 
> Tim Sailer (sailer@private) [040819 12:30]:
> > The way I've approached it, in my own worthless way, is to tell the tools
> > the stuff that I'm *not* interested in. Data reduction is a must in a
> > large centrally logging environment. You then pick through the rest
> > to find the good nuggets. Approaching logs looking at *all* the data is
> > simply a way to lose sleep/hair/braincells. You can then apply the
> > fancy tools to visualize the important stuff, and, by default, the 
> > stuff you never expected to see, since you didn't way you didn't care
> > about it.
> > 
> > Tim
> > 
> > -- 
> > Tim Sailer <sailer@private> 
> > Information and Special Technologies Program
> > Office of CounterIntelligence 
> > Brookhaven National Laboratory  (631) 344-3001
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis@private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
> 

-- 
James E. Prewett                 "everything that is, that was, was not enough"
Systems Team Leader                                                505.277.8210
Designated Security Officer                download@private Jim@private
HPC Systems Engineer III @ HPC@UNM             OpenPGP key: pub  1024D/31816D93

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 14:44:03 PDT