*********** I REPRESENT A VENDOR ***************

I can recommend our program LogRhythm - obviously I'm partial ;-) but it does have this capability, as I would hope other SIM solutions do. However, we are a bit different than other SIMs in that we are also a true log management product. We can collect and manage log data written to any text file on Windows/Linux, forwarded via syslog/SNMP, or written to the Windows Event Log.

We have what we call threshold alarms, which allow you to create rules like the following:

- Events classified as Failed Authentication (regardless of the type of reporting system), where 10 events occur in 1 minute from the same source using the same login, send alarm.
- Events classified as Error or Warning, where 30 events occur in 1 hour where the affected system is the same, send alarm.
- Events classified as Security or Audit Failures, where 100 events occur in 24 hours where the login is the same, send alarm.

You will only find high-level info on our website for competitive reasons; if you want more details I can send you our technology whitepaper.

Cheers,

Chris Petersen
CTO, Security Conscious, Inc
www.LogRhythm.com

> -----Original Message-----
> From: loganalysis-bounces+chris=security-conscious.com@private
> [mailto:loganalysis-bounces+chris=security-conscious.com@private]
> On Behalf Of Wen Pei (Betty) Liu
> Sent: Friday, June 03, 2005 3:04 PM
> To: loganalysis@private
> Subject: [logs] logs threshold program
>
> Hi,
>
> Can anyone recommend a program that would trigger on thresholds of
> certain types of log messages within a sliding window? For example I
> would like to detect if a user/source IP has attempted 10 or more
> logins within 1 minute.
>
> I am looking into the Simple Event Correlator as a possible solution.
> Does anyone have comments from personal experience working with it?
>
> Kind regards,
> Wen (Betty) Liu
> NASA Advanced Supercomputing Division
> NASA Ames Research Center
> M/S 258-5
> Moffett Field, CA 94035-1000
> (650) 604-4628
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
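The sliding-window threshold rule discussed in this thread (10 failed logins within 1 minute from the same source and login), as an added example in Python that is not code from the thread, from LogRhythm or from the Simple Event Correlator. The sshd-style log lines, host name and IP addresses are constructed samples, and the rule names, the `ThresholdRule`/`Event`/`Alarm` classes and the fixed ISO-timestamp line format are assumptions made for the example.

```python
"""Sliding-window threshold correlation over authentication log lines.

Added example, not code from the original thread, LogRhythm or SEC. It
implements the rule shape described in the reply: classify each event, group
it by a key such as (source IP, login), and raise an alarm when `threshold`
matching events fall inside a `window`-second sliding window. Log lines,
host names and IPs are constructed samples in sshd syslog style.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Hashable, List, Optional

# Constructed line format (hypothetical ISO timestamp prefix instead of syslog's):
# <ISO ts> <host> sshd[<pid>]: Failed|Accepted password for [invalid user ]<user> from <ip> port <n> ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    result: str  # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass
class Alarm:
    rule: str
    key: Hashable
    ts: datetime  # timestamp of the event that reached the threshold


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an sshd password-auth line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["result"], m["user"], m["ip"])


@dataclass
class ThresholdRule:
    name: str
    classify: Callable[[Event], bool]  # does this event count for the rule?
    key: Callable[[Event], Hashable]   # what "same source / same login" means
    threshold: int
    window: float                      # seconds
    buckets: Dict[Hashable, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> Optional[Alarm]:
        """Feed one event (events must arrive in timestamp order) and return an Alarm if it fires.

        Timestamps older than `window` seconds relative to the newest event are dropped, so
        the count is always over a sliding window. The bucket is cleared when it fires, so one
        burst raises one alarm (comparable to SEC's SingleWithThreshold) rather than one per
        extra event. Sort lines first if they can arrive out of order.
        """
        if not self.classify(ev):
            return None
        k = self.key(ev)
        q = self.buckets[k]
        q.append(ev.ts)
        while (ev.ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return Alarm(self.name, k, ev.ts)
        return None


def is_failed(ev: Event) -> bool:
    return ev.result == "Failed"


def build_rules() -> List[ThresholdRule]:
    return [
        # the rule from the reply: 10 failed auths in 1 minute, same source and same login
        ThresholdRule("failed-auth-per-source-and-login", is_failed,
                      lambda ev: (ev.ip, ev.user), threshold=10, window=60),
        # same threshold keyed on source only, which also catches one host spraying many logins
        ThresholdRule("failed-auth-per-source", is_failed, lambda ev: ev.ip, threshold=10, window=60),
    ]


def run(lines: List[str], rules: List[ThresholdRule]) -> List[Alarm]:
    alarms: List[Alarm] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an auth line; skipped rather than failing the run
        for rule in rules:
            a = rule.feed(ev)
            if a:
                alarms.append(a)
    return alarms


BASE = datetime(2005, 6, 3, 15, 0, 0)  # constructed base time for the samples


def _line(sec: int, result: str, user: str, ip: str, invalid: bool = False) -> str:
    ts = (BASE + timedelta(seconds=sec)).isoformat()
    who = f"invalid user {user}" if invalid else user
    return f"{ts} bastion sshd[4242]: {result} password for {who} from {ip} port {40000 + sec} ssh2"


def sample_lines() -> List[str]:
    """Constructed data: a burst, a slow drip, a password spray and unrelated noise."""
    lines = [_line(4 * i, "Failed", "root", "10.0.0.5") for i in range(12)]             # 12 in 44 s
    lines += [_line(20 * i, "Failed", "admin", "192.0.2.7", True) for i in range(10)]    # 10 in 180 s
    lines += [_line(3 * i, "Failed", f"user{i}", "198.51.100.9", True) for i in range(10)]  # 10 logins
    lines.append(_line(7, "Accepted", "alice", "203.0.113.4"))
    lines.append("2005-06-03T15:00:09 bastion cron[1]: (root) CMD (run-parts /etc/cron.hourly)")
    return sorted(lines)  # the ISO timestamp prefix sorts chronologically


if __name__ == "__main__":
    for a in run(sample_lines(), build_rules()):
        print(f"{a.ts.isoformat()} {a.rule} key={a.key}")
```

On the sample data the burst fires both rules once (at the 10th failure, 36 s in), the spray fires only the per-source rule, and the slow drip never fires because at most four of its events fit in any 60 s window. The choice of key is the whole detection decision: keying on (source, login) matches the reply's first rule, while keying on source alone is what catches one host trying many logins.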
This archive was generated by hypermail 2.1.3 : Sat Jun 04 2005 - 22:46:54 PDT