Hello Phi,

1. I think using existing log data is critical in the intrusion detection response; however, whether you rely solely on the native logging systems is another question. Unfortunately, even if the tell-tale signs of intrusion are in the logs, it can be an extremely time-consuming/tedious process to review them. This problem was supposedly solved by IDS systems, whose goal was to provide data reduction by automating the process of finding the "interesting" stuff. However, IDSs themselves produce lots of data, which can also lead to data overload. Hence the introduction of Security Event Management solutions that strive to automate the process of correlating multiple events into higher quality events, reducing the noise. Back to your question: I think the answer is a definite yes, but you will need tools to make the process of analyzing this data more efficient. Furthermore, if you can combine log data with IDS events (e.g., Snort), I think you have a much higher quality intrusion detection solution, where the IDS serves as the alarming system and the log data provides the information required to effectively analyze the alarm.

2. Most of the SEMs are pretty pricey and target the larger enterprises: six-figure deals. However, some providers have begun to target the middle market. Our company is one of these. Other companies that have sub-$20K solutions (I believe) are LogLogic, Network Intelligence, and perhaps TriGeo. However, these companies vary in their ability to collect logs and/or events and in what they can do with them in regards to intrusion detection.

3. Rolling your own is definitely possible, though non-trivial. The most common home-grown solution I'm familiar with is using a syslog server (e.g., Kiwi) to collect Unix/device syslog events and using an agent (e.g., Snare) to forward Windows event logs via syslog. This type of solution has the benefit of being inexpensive in software licenses but can be expensive in development and support. You may end up having to build a lot of your own tools for analysis purposes. If you have a few specific types of log sources, then home-grown can make sense, but as you start bringing in more diverse sets of log data, this is where you might want to consider a commercial product. Commercial vendors have had to figure out how to deal with the vast differences in logging formats for reporting/analysis/intrusion detection purposes.

Cheers,

Chris Petersen, CTO
LogRhythm
www.LogRhythm.com

_____

From: loganalysis-bounces+chris=security-conscious.com@private [mailto:loganalysis-bounces+chris=security-conscious.com@private] On Behalf Of Phi Phu
Sent: Wednesday, April 13, 2005 1:38 AM
To: loganalysis@private
Subject: [logs] About the logging infrastructure

Dear all,

I am a new person on this mailing list. I have the following questions that I really hope will be answered:

1. Should we try to use the existing log data (from OS and applications) effectively for security purposes, instead of using IDS or other monitoring tools that also produce log data in the flooded-by-log world today?

2. (If question #1 is "yes") Is there any existing solution or product that manages the log data for a small or medium enterprise (with the standard computer network including: user workstations, file server, web server, mail server, gateway to Internet, firewall, db server) for the intrusion detection purpose?

3. (If question #2 is "no") Do you think that building a solution like that is possible?

Thank you, and best regards,
Phi

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
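An added illustration of the two ideas in the reply above (it is not code from the thread, from LogRhythm, or from any product named in it): a central syslog server collecting Unix sshd events, a Snare-style agent forwarding a Windows Security event over syslog, and a Snort alert arriving the same way, with a small correlation pass that groups them by source address and promotes the IDS alarm plus the surrounding log context into one higher-quality finding. Every host name, address, user name, the Snort rule id (1000001, in the local-rule range) and the simplified tab-separated Windows event line are constructed for the example; the parsers and the severity ladder are this example's own, not those of any tool mentioned in the thread.

```python
"""Toy syslog + IDS correlation pass over constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of what a central syslog server might hold: three failed and
# one successful sshd logon, one Windows Security event (id 529 = logon failure)
# as a Snare-style tab-separated line, one Snort alert, and unrelated mail noise.
SAMPLE_SYSLOG = """\
Apr 13 01:12:01 fileserver sshd[2231]: Failed password for root from 10.0.0.77 port 51022 ssh2
Apr 13 01:12:03 fileserver sshd[2231]: Failed password for root from 10.0.0.77 port 51024 ssh2
Apr 13 01:12:05 fileserver sshd[2231]: Failed password for root from 10.0.0.77 port 51026 ssh2
Apr 13 01:12:09 fileserver sshd[2240]: Accepted password for root from 10.0.0.77 port 51030 ssh2
Apr 13 01:13:40 winbox MSWinEventLog\t1\tSecurity\t529\tWed Apr 13 01:13:40 2005\t529\tSecurity\tjsmith\tUser\tFailure Audit\tWINBOX\tLogon/Logoff\t\tLogon Failure: Reason: Unknown user name or bad password Workstation Name: WINBOX Source Network Address: 10.0.0.77
Apr 13 01:12:02 sensor snort[881]: [1:1000001:1] LOCAL SSH brute force attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.77:51022 -> 192.168.1.10:22
Apr 13 01:20:11 mailserver postfix/smtpd[4100]: connect from relay.example.net[192.168.5.5]
"""

SYSLOG_HDR = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
WIN_FAIL = re.compile(r"MSWinEventLog\t.*?\t529\t.*Source Network Address: (?P<ip>[\d.]+)")
SNORT = re.compile(r"snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[Classification.*\{\w+\} "
                   r"(?P<ip>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


@dataclass
class Event:
    host: str     # reporting host from the syslog header
    kind: str     # "auth_fail", "auth_ok" or "ids_alert"
    src_ip: str   # address the event is attributed to
    detail: str


def parse_line(line: str):
    """Normalise one raw syslog line into an Event; return None for noise."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    host, body = hdr.group("host"), hdr.group("body")
    if m := SSH_FAIL.search(body):
        return Event(host, "auth_fail", m["ip"], f"ssh failed login as {m['user']}")
    if m := SSH_OK.search(body):
        return Event(host, "auth_ok", m["ip"], f"ssh accepted login as {m['user']}")
    if m := WIN_FAIL.search(body):
        return Event(host, "auth_fail", m["ip"], "windows logon failure (event 529)")
    if m := SNORT.search(body):
        return Event(host, "ids_alert", m["ip"], f"snort {m['sid']}: {m['msg']} -> {m['dst']}")
    return None  # everything unrecognised is dropped: this is the data-reduction step


def correlate(events, fail_threshold: int = 3):
    """Group events by source address and emit at most one finding per address."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        fails = [e for e in evs if e.kind == "auth_fail"]
        oks = [e for e in evs if e.kind == "auth_ok"]
        alerts = [e for e in evs if e.kind == "ids_alert"]
        if not fails and not alerts:
            continue
        # Severity ladder: an IDS alarm backed by repeated failures and a success
        # from the same address is what an analyst should look at first.
        if alerts and fails and oks:
            severity = "critical"
        elif alerts and len(fails) >= fail_threshold:
            severity = "high"
        elif len(fails) >= fail_threshold:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "src_ip": ip,
            "severity": severity,
            "hosts": sorted({e.host for e in fails + oks}),
            "failed_logons": len(fails),
            "successful_logons": len(oks),
            "ids_alerts": [e.detail for e in alerts],
            "context": [f"{e.host}: {e.detail}" for e in fails + oks],
        })
    return findings


def analyze(raw: str):
    """Parse a block of syslog text and return the correlated findings."""
    events = [ev for ev in (parse_line(ln) for ln in raw.splitlines()) if ev]
    return correlate(events)


if __name__ == "__main__":
    for f in analyze(SAMPLE_SYSLOG):
        print(f"[{f['severity'].upper()}] {f['src_ip']}: {f['failed_logons']} failed / "
              f"{f['successful_logons']} successful logons on {', '.join(f['hosts'])}; "
              f"IDS: {f['ids_alerts'] or 'none'}")
```

The seven raw lines collapse into one finding: the Snort alert supplies the alarm and the sshd and Windows logon records supply the context needed to judge it, which is the division of labour the reply describes. The script ignores event timing; a real correlation engine would window events by time and expire state, and every new log source (the mail server here is simply dropped) needs its own parser, which is the development cost the reply warns about.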
This archive was generated by hypermail 2.1.3 : Wed Apr 13 2005 - 09:28:55 PDT