[logs] Re: Which reports are most important?

From: Darren Reed (avalon@private)
Date: Thu May 18 2006 - 01:59:41 PDT

In some mail from Chris Brenton, sie said:
> Hey all,
> I'm involved with helping SANS organize the logging summit this July. As
> part of that, I was hit with a question that I thought could be best
> answered via feedback from the group.
> What do you feel are the top 5 reports a centralized log management
> system should provide?

1) One that tells you when your web server has been defaced
2) One that tells you when someone has successfully used a new buffer
   overflow against your systems
3) When a hacker gets root
4) When one of your systems gets rootkit'd
5) How often a password is used in clear text

> For example, a few I came up with:
> Authentication failures (Web, system access, VPNs, etc.)
> Access failures (HTTP scripts, recursion requests, etc.)
> Initialization of new/unknown processes
> Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)

I suppose they're statistically interesting but otherwise dull.

How about it tells me when there's an authentication failure
for the secretary from a computer in Bolivia?  I'm not really
interested in the 10 times a day she gets her password wrong
at her desk because she's doing her nails and trying to log in.

LogAnalysis mailing list
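The distinction the reply draws, routine failures from the user's own desk versus the same failure from an unexpected country, is what a report needs to encode. Below is an added example, not code from the post or from any logging product, that runs that logic over a handful of constructed sshd "Failed password" lines: each user has an assumed baseline of source networks, failures inside the baseline are only tallied, and failures from outside it are reported with a (toy, constructed) geolocation. The log lines, the user baselines, the IP-to-country table and the "Bolivian" address range are all assumptions made for the example.

```python
"""Baseline-aware authentication-failure report (added example).

Not code from the original post or from any logging product. It shows
the split the reply asks for: a failure from the user's usual network is
noise worth a count at most, a failure from an unexpected location is a
report line. Log lines, baselines and geolocation table are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed syslog-style sshd lines for the example (not real logs).
SAMPLE_LOG = """\
May 18 08:02:11 fileserver sshd[4120]: Failed password for alice from 10.1.20.17 port 51422 ssh2
May 18 08:02:15 fileserver sshd[4120]: Failed password for alice from 10.1.20.17 port 51422 ssh2
May 18 09:14:03 fileserver sshd[4377]: Failed password for alice from 10.1.20.17 port 51901 ssh2
May 18 23:41:52 fileserver sshd[6051]: Failed password for alice from 200.87.1.34 port 40211 ssh2
May 18 23:42:01 fileserver sshd[6051]: Failed password for bob from 200.87.1.34 port 40212 ssh2
May 18 23:45:30 fileserver sshd[6077]: Accepted password for bob from 10.1.20.44 port 50100 ssh2
May 18 23:50:10 fileserver sshd[6099]: Failed password for invalid user admin from 203.0.113.9 port 3333 ssh2
"""

# Assumed per-user baseline: networks the user normally logs in from.
USER_BASELINE = {
    "alice": [ipaddress.ip_network("10.1.20.0/24")],
    "bob": [ipaddress.ip_network("10.1.20.0/24"),
            ipaddress.ip_network("10.1.30.0/24")],
}

# Toy geolocation table, constructed for the example; a real deployment
# would consult a GeoIP database. 200.87.0.0/16 is a hypothetical
# "Bolivia" range here, not a verified allocation.
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "office LAN",
    ipaddress.ip_network("200.87.0.0/16"): "BO",
    ipaddress.ip_network("203.0.113.0/24"): "TEST-NET-3",
}

# Matches both "Failed password for alice from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def geolocate(ip):
    """Map an address to a label from the toy table, 'unknown' if none matches."""
    addr = ipaddress.ip_address(ip)
    for net, label in GEO_TABLE.items():
        if addr in net:
            return label
    return "unknown"


def parse_failures(log_text):
    """Yield (user, ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def is_expected_source(user, ip):
    """True when the address falls inside one of the user's baseline networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in USER_BASELINE.get(user, []))


def report(log_text):
    """Return (routine_counts, alerts).

    routine_counts: Counter of failures per user from baseline networks,
    i.e. the password-wrong-at-her-desk noise, kept only as a tally.
    alerts: one dict per failure from outside the baseline, with the
    geolocation label and whether the account is one we know at all.
    """
    routine = Counter()
    alerts = []
    for user, ip in parse_failures(log_text):
        if is_expected_source(user, ip):
            routine[user] += 1
        else:
            alerts.append({"user": user, "ip": ip, "geo": geolocate(ip),
                           "known_user": user in USER_BASELINE})
    return routine, alerts


if __name__ == "__main__":
    routine, alerts = report(SAMPLE_LOG)
    for user, n in sorted(routine.items()):
        print(f"routine: {user} failed {n}x from baseline networks (not reported)")
    for a in alerts:
        print(f"ALERT: {a['user']} failed from {a['ip']} ({a['geo']}) "
              f"known_user={a['known_user']}")
```

On the sample above, alice's three desk-side failures collapse to a single count, while the two failures from the "BO" address and the probe against a non-existent "admin" account each become a report line; the baseline is the part that turns raw failure counts into something worth reading.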

This archive was generated by hypermail 2.1.3 : Thu May 18 2006 - 11:29:17 PDT