> Just curious, how do you determine the stuff that you are *not* interested in?
> It seems to be a fairly subjective exercise and may result in losing
> important data. (genuine question, not flame bait :)

Just a quick answer to this: "determining stuff that is *not* interesting" should not mean that you completely get rid of it. Keep it in the system and have it run through the correlation engine and all those neat things, but don't look at them. You would basically use a filter to keep certain events from being shown to you. Coming up with this filter (which can turn out to be massive) is a matter of looking at events and figuring out, one by one, what their root cause is. You will realize that there are many of them!

-raffy

--
Raffael Marty, CISSP
raffael.marty@private
Senior Security Engineer, Content Team @ ArcSight Inc.
5 Results Way, Cupertino, CA 95014
(408) 864-2662

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
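A small illustration of the "keep it, just don't show it" filter described in the reply, added here as an example and not code from the post or from ArcSight: every event stays in the store so correlation can still use it, matching events are only tagged with the rule (root cause) that explains them, and per-rule hit counts are returned so the growing filter list can itself be reviewed. The log lines, field names and rules are constructed for this example.

```python
import re
from collections import Counter

# Constructed syslog-style sample events (not from the original post).
SAMPLE_LOG = """\
Aug 19 14:51:01 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=224.0.0.251 PROTO=UDP DPT=5353
Aug 19 14:51:02 web1 sshd[2201]: Accepted publickey for deploy from 10.0.1.9 port 51022
Aug 19 14:51:03 fw1 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=224.0.0.251 PROTO=UDP DPT=5353
Aug 19 14:51:04 web1 sshd[2202]: Failed password for root from 198.51.100.23 port 40012
Aug 19 14:51:05 db1 cron[991]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Display-filter rules, one per explained root cause. Matching events are
# hidden from the analyst's view but never removed from the event store.
SUPPRESSION_RULES = [
    ("mdns_multicast_drop", r"DROP .*DST=224\.0\.0\.251 .*DPT=5353$"),
    ("hourly_cron", r"cron\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)"),
]


def parse_events(text):
    """Turn raw log text into event dicts; the raw line is kept for correlation."""
    return [{"raw": ln, "hidden_by": None} for ln in text.splitlines() if ln.strip()]


def apply_display_filter(events, rules):
    """Tag events that a rule explains instead of deleting them.

    Returns (events, hits): the complete, tagged event list and a Counter of
    hits per rule, so a rule that suddenly matches far more (or nothing at
    all) can be spotted when the filter list is reviewed.
    """
    compiled = [(name, re.compile(pat)) for name, pat in rules]
    hits = Counter()
    for ev in events:
        for name, rx in compiled:
            if rx.search(ev["raw"]):
                ev["hidden_by"] = name      # tag, do not drop
                hits[name] += 1
                break                       # first matching rule wins
    return events, hits


def visible(events):
    """The analyst's view: only events no rule has yet explained."""
    return [ev for ev in events if ev["hidden_by"] is None]
```

Running `apply_display_filter(parse_events(SAMPLE_LOG), SUPPRESSION_RULES)` keeps all five events, hides three of them under the two rules, and leaves the two sshd events in the visible view.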
This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 14:51:54 PDT