[logs] Re: Which reports are most important?

From: Marcus J. Ranum (mjr@private)
Date: Thu May 18 2006 - 05:37:13 PDT


Chris Brenton wrote:
>What do you feel are the top 5 reports a centralized log management
>system should provide?


There was a thread about this back a zillion years ago...

 From my SANS tutorial on logging:
       Top N machines sending/receiving traffic through the firewall
       Top N machines sending/receiving traffic on the network segment
               Same as above but inward-looking
       Top N machines being accessed behind the firewall
       Breakdown of traffic through firewall by service (%-age)
               This is popular as a pie chart
       Breakdown of traffic on the network segment by service (%-age)
               Same as above but inward-looking
       Top N email address(es) sending Email messages
       Top N email address(es) receiving Email messages
       Top N machines accessing web
       Top N targets identified in IDS alerts
       Top N IDS attacks identified
       %age of Email that is identified as spam
       %age of Email that contains blocked attachments
       %age of web traffic aimed at sites on porn blacklist
       %age of traffic aimed at sites on spy/adware blacklist
       Top N porn-surfers
       Top N most-ad/spyware infected systems
       New machines that have served WWW/FTP/SMTP today

mjr.
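As an added example (not from Ranum's post or his SANS tutorial), the script below computes three of the reports in the list above over a handful of constructed firewall connection-log lines: top-N machines by bytes sent or received, the by-service percentage breakdown, and "new machines that have served WWW/FTP/SMTP today" relative to a known-server baseline. The log field layout, the port-to-service table and the choice of 10/8 as the "inside" network are assumptions made for the example, not any particular product's format.

```python
"""Three reports from a centralized log store, over constructed sample lines.

Reports implemented: top-N hosts by bytes, traffic breakdown by service (%),
and inside hosts newly seen serving web/ftp/smtp today.
"""
from collections import Counter
import re

# Constructed sample lines; the "key=value" layout is an assumption for
# this example and does not mirror any specific firewall's log format.
SAMPLE_LOG = """\
2006-05-18 09:01:02 accept src=10.1.1.5 dst=192.0.2.10 proto=tcp dport=80 bytes=1200
2006-05-18 09:01:05 accept src=10.1.1.7 dst=192.0.2.10 proto=tcp dport=80 bytes=900
2006-05-18 09:02:10 accept src=10.1.1.5 dst=192.0.2.25 proto=tcp dport=443 bytes=5400
2006-05-18 09:03:11 accept src=10.1.1.9 dst=192.0.2.25 proto=tcp dport=25 bytes=300
2006-05-18 09:04:44 accept src=10.1.1.5 dst=192.0.2.30 proto=tcp dport=21 bytes=7000
2006-05-18 09:05:01 accept src=203.0.113.4 dst=10.1.1.20 proto=tcp dport=80 bytes=400
2006-05-18 09:05:09 accept src=203.0.113.8 dst=10.1.1.20 proto=tcp dport=80 bytes=450
2006-05-18 09:06:12 accept src=203.0.113.9 dst=10.1.1.21 proto=tcp dport=25 bytes=800
2006-05-18 09:07:30 accept src=203.0.113.4 dst=10.1.1.22 proto=udp dport=53 bytes=120
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Assumed (proto, port) -> service table; unknown pairs fall back to "proto/port".
SERVICE_NAMES = {("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 25): "smtp",
                 ("tcp", 21): "ftp", ("udp", 53): "dns"}

INTERNAL_PREFIX = "10."   # assumption: 10/8 is the "inside" network here
SERVER_SERVICES = ("http", "https", "ftp", "smtp")


def parse(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        rec["service"] = SERVICE_NAMES.get((rec["proto"], rec["dport"]),
                                           f"{rec['proto']}/{rec['dport']}")
        records.append(rec)
    return records


def top_n(records, field, n=3):
    """Top N values of `field` ("src" or "dst") ranked by total bytes."""
    totals = Counter()
    for r in records:
        totals[r[field]] += r["bytes"]
    return totals.most_common(n)


def service_breakdown(records):
    """Percentage of bytes per service: the 'pie chart' report."""
    totals = Counter()
    for r in records:
        totals[r["service"]] += r["bytes"]
    grand = sum(totals.values())
    if not grand:
        return {}
    return {svc: round(100.0 * b / grand, 1) for svc, b in totals.items()}


def new_servers(records, known_servers):
    """Inside hosts that served web/ftp/smtp today and are not in the baseline.

    `known_servers` is a set of (host, service) pairs seen on earlier days.
    """
    seen = {(r["dst"], r["service"]) for r in records
            if r["dst"].startswith(INTERNAL_PREFIX) and r["service"] in SERVER_SERVICES}
    return sorted(seen - known_servers)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("Top senders:", top_n(recs, "src"))
    print("Top targets:", top_n(recs, "dst"))
    print("By service (%):", service_breakdown(recs))
    # Baseline of servers already known from previous days (constructed).
    print("New servers today:", new_servers(recs, {("10.1.1.20", "http")}))
```

The "inward-looking" variants in the list are the same functions run over records whose `dst` is on the inside network; the new-server report is the one worth alerting on rather than charting, since an inside host that starts answering on 25/tcp or 80/tcp without a change record is either a misconfiguration or a compromise.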

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

This archive was generated by hypermail 2.1.3 : Thu May 18 2006 - 11:30:24 PDT