All,

As some of you know, a comprehensive book on log analysis is being written :-) For that, we're looking for real-world case studies to be included. We have a few of our own, but here's some of the things we'd like more of:

* found a system/hardware/software failure in logs before it was noticed elsewhere
* discovered things running on our network (possibly that should have been) by using logs for audit information
* detected an intrusion via logs vs. NIDS, or those two together
* showed an intrusion *didn't* happen, refuting an accusation, or a claim by the IT guys that a system crash must have been an intrusion
* refuted or substantiated a claim (e.g. "I didn't get that email, it must not have been sent")
* measured system or application utilization
* used baselining and thresholding to detect problems
* discovered log data missing due to an attacker, esp. on the central loghost
* showed inside user malfeasance, e.g. someone trying to steal money or information
* cases where log information was useful to non-IT people, e.g. marketing, management, etc.
* general cases of experiences building a logging infrastructure -- what you did, what you learned, how the company benefited

Please make sure that you have whatever permission you need to give us the examples; we need to make sure there are no copyright problems nor violations of user or company privacy. You must be able to assign the rights to use the information you provide to us.

Please include actual log entries where appropriate. Those examples that we choose to include will be sanitized to avoid identifying any person or network. Stories will be edited as necessary.

The submitter (you) will be given credit unless you ask not to. Please provide your name as you would like to see it in print so that we get it right.

Best,

-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.info-secure.org
http://www.securitywarrior.com

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Tue May 17 2005 - 03:12:02 PDT