Re: [logs] most popular reports...?

From: Adrian Grigorof (adrian@private)
Date: Sun Aug 22 2004 - 09:31:40 PDT


I have compiled a list of all the suggestions from this quite interesting thread: 

http://www.eventid.net/firewalls/MostPopularReports.asp

All the comments are shown in the order they have been posted and they were edited to only include the actual report suggestion. I might've missed some so feel free to notify me if that's the case.

Here are also some 3 additional reports that might be useful:
- Firewall management sessions (successes and failures)
- Comparison between 2 time intervals (i.e. ability to generate a report comparing "today" with "yesterday" or "June" with "July"). The report should compare all the relevant statistics for the 2 intervals
- Port scans from IP addresses in the "neighbourhood" - always an indication of a worm roaming through your ISP network
- Internal computers using a large number of protocols (may indicate some internal user performing network scans)

As a log analysis product developer, I will make this list a blueprint for all the products that we develop. Depending on what type of log you analyze, some of the information needed for these reports is not there, but if the information IS in the log you should report it. I have seen so many products discarding "good" information from the logs just because it was hard to develop an algorithm for it or it would affect the performance of the analysis. Maybe Marcus can compile the reports list as he suggested and improve it by adding another table with checkmarks to show if that report can be obtained from the logs of a specific device. Of course, this would be too much work for just one person, but maybe the people on this list can help. For example, from the logs of a Cisco Pix firewall, one cannot obtain "Top N email address(es) sending or receiving email messages". An example using Marcus' list of most popular reports is here: http://www.eventid.net/firewalls/LogInformation.asp (the actual information may not be accurate as I just wanted to provide a template).

Regards,

Adrian Grigorof
www.firegen.com


----- Original Message ----- 
From: "Marcus J. Ranum" <mjr@private>
To: <loganalysis@private>
Sent: Tuesday, August 17, 2004 8:27 PM
Subject: [logs] most popular reports...?


> Hi -
> I'm trying to build a list of the "most popular reports" that
> people pull from their system logs. This is mostly for my curiosity,
> but also to see if log analysts tend to share common goals, or
> whether we're all over the spectrum. I'm also hoping to be able to
> maybe assemble a "top ten" list that people can look/ask for
> from log analysis vendors.
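Two of the additional reports above (port scans from the "neighbourhood" and internal hosts using many protocols) worked through on constructed firewall log lines, as an added example that is not part of the thread or of any product mentioned in it. The log format, the thresholds and the choice of a /24 as the "neighbourhood" are all assumptions for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in a generic made-up format (not any vendor's syntax):
# time action proto src_ip:src_port dst_ip:dst_port
SAMPLE_LOG = """\
2004-08-22T09:00:01 deny tcp 203.0.113.7:40001 198.51.100.10:21
2004-08-22T09:00:02 deny tcp 203.0.113.7:40002 198.51.100.10:22
2004-08-22T09:00:03 deny tcp 203.0.113.7:40003 198.51.100.10:23
2004-08-22T09:00:04 deny tcp 203.0.113.7:40004 198.51.100.10:25
2004-08-22T09:00:05 deny tcp 203.0.113.7:40005 198.51.100.10:135
2004-08-22T09:00:06 deny tcp 203.0.113.9:40006 198.51.100.10:80
2004-08-22T09:01:00 permit tcp 10.0.0.5:51000 192.0.2.1:80
2004-08-22T09:01:01 permit tcp 10.0.0.5:51001 192.0.2.2:443
2004-08-22T09:01:02 permit udp 10.0.0.5:51002 192.0.2.3:53
2004-08-22T09:01:03 permit tcp 10.0.0.5:51003 192.0.2.4:22
2004-08-22T09:01:04 permit tcp 10.0.0.5:51004 192.0.2.5:445
2004-08-22T09:02:00 permit tcp 10.0.0.9:52000 192.0.2.1:80
2004-08-22T09:02:01 permit tcp 10.0.0.9:52001 192.0.2.1:443
"""

def parse(text):
    """Yield (action, proto, src_ip, dst_port) per line; other fields are unused here."""
    for line in text.splitlines():
        _, action, proto, src, dst = line.split()
        yield action, proto, ip_address(src.rsplit(":", 1)[0]), int(dst.rsplit(":", 1)[1])

def neighbourhood_scans(text, neighbourhood, min_ports=5):
    """Sources inside `neighbourhood` (assumed: the ISP block the firewall sits in)
    denied on >= min_ports distinct destination ports: a worm probing next door."""
    net, ports = ip_network(neighbourhood), defaultdict(set)
    for action, _, sip, dport in parse(text):
        if action == "deny" and sip in net:
            ports[sip].add(dport)
    return {str(ip): sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def busy_internal_hosts(text, internal, min_protocols=4):
    """Internal sources using >= min_protocols distinct (proto, dst port) pairs:
    may indicate an inside user running a network scan."""
    net, pairs = ip_network(internal), defaultdict(set)
    for action, proto, sip, dport in parse(text):
        if action == "permit" and sip in net:
            pairs[sip].add((proto, dport))
    return {str(ip): len(p) for ip, p in pairs.items() if len(p) >= min_protocols}

if __name__ == "__main__":
    print(neighbourhood_scans(SAMPLE_LOG, "203.0.113.0/24"))
    print(busy_internal_hosts(SAMPLE_LOG, "10.0.0.0/8"))
```

Both reports come straight from fields every firewall log carries (action, protocol, source, destination port), which is the point made above: if the information is in the log, report it.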




_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Sun Aug 22 2004 - 10:41:19 PDT