Yeah, what *he* said! :) That's what I'm doing. And yes, the filter is BIG, but with multiple tiers, you can spread it across the levels.

Tim

On Thu, Aug 19, 2004 at 02:43:57PM -0700, Raffael Marty wrote:
> > Just curious, how do you determine the stuff that you are *not* interested in?
> > It seems to be a fairly subjective exercise and may result in losing
> > important data. (genuine question, not flame bait :)
>
> Just a quick answer to this: "determining stuff that is *not*
> interesting" should not mean that you completely get rid of it. Keep it
> in the system and have it run through the correlation engine and all
> those neat things, but don't look at them.
>
> You would basically use a filter to keep certain events from being shown
> to you. Coming up with this filter (which can turn out to be massive)
> is a matter of looking at events and figuring out, one by one, what their
> root cause is. You will realize that there are many of them!
>
> -raffy
>
> --
>
> Raffael Marty, CISSP raffael.marty@private
> Senior Security Engineer Content Team @ ArcSight Inc.
> 5 Results Way Cupertino, CA 95014 (408) 864-2662

--
Tim Sailer <sailer@private>
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory
(631) 344-3001

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
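As an added illustration of the approach discussed in the thread (example code, not from the list posters or from ArcSight): a small Python filter that tags events with a known root cause in tiers, keeps every event in the store for correlation, and only hides the tagged ones from the view. The syslog lines, hostnames and rule names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog-style lines (not taken from the thread).
SAMPLE_LOGS = """\
Aug 19 14:01:02 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=10.0.0.1 PROTO=UDP DPT=137
Aug 19 14:01:03 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.7
Aug 19 14:01:04 web1 cron[1010]: (root) CMD (run-parts /etc/cron.hourly)
Aug 19 14:01:05 fw1 kernel: DROP IN=eth0 SRC=10.1.1.9 DST=10.0.0.1 PROTO=UDP DPT=138
Aug 19 14:01:06 db1 sshd[3300]: Failed password for root from 198.51.100.23
Aug 19 14:01:07 web1 sshd[2240]: Failed password for admin from 198.51.100.23
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Tiers of (root_cause, predicate): one tier per level (network noise, scheduled
# jobs, known-good application events). The first match tags the event; untagged events are shown.
TIERS = [
    [("netbios-broadcast-noise",
      lambda e: e["prog"] == "kernel" and re.search(r"PROTO=UDP DPT=13[789]$", e["msg"]))],
    [("scheduled-cron", lambda e: e["prog"] == "cron")],
    [("known-deploy-key",
      lambda e: e["prog"] == "sshd" and e["msg"].startswith("Accepted publickey for deploy "))],
]

def parse(line):
    """Split one syslog line into fields; unparseable lines keep the raw text as msg."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {"ts": "", "host": "", "prog": "", "msg": line}

def classify(events):
    """Tag each event with the root cause that explains it, or None. Nothing is dropped."""
    for e in events:
        e["suppressed_by"] = next(
            (cause for tier in TIERS for cause, pred in tier if pred(e)), None)
    return events

def process(lines):
    """Return (all events for correlation, events to display, suppressed count per root cause)."""
    events = classify([parse(line) for line in lines])
    shown = [e for e in events if e["suppressed_by"] is None]
    per_cause = Counter(e["suppressed_by"] for e in events if e["suppressed_by"])
    return events, shown, per_cause

if __name__ == "__main__":
    _, shown, per_cause = process(SAMPLE_LOGS)
    print(dict(per_cause), *(e["msg"] for e in shown), sep="\n")
```

The per-cause counts are what you review when a tier grows: a cause that suddenly suppresses far more events than usual is itself worth a look.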
This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 22:05:53 PDT