[logs] Re: Which reports are most important?

From: Fenwick, Wynn (wynn.fenwick@private)
Date: Wed May 24 2006 - 12:01:46 PDT


Lurking for a while, and this was a timely thread.

I suggest something even more basic, like penetration rate type metrics:

- # of unique devices sending any syslogs today
- volume per device
- which unique daemons or unique applications reporting (across the
  organization)
  - or some count
- # of unique daemons or unique applications reporting (per device)

Most of the rest of the stuff I would have said are in everyone else's
wishlist.

I have to agree that depending on your perspective, requirements are
different, and using system logs is simply the common technology.

I see the following differing security goals...

1 - debuggers - people looking to diagnose a condition and are
unable/unwilling to turn on logging during the diagnosis phase (take an
ITIL "problem" to "known error" to "change"). (ie: copious details)

2 - health event monitors - agents/people looking for exceptional events
indicating errors that might generate outage or performance related
incidents. (ie: failures or status)

3 - security event monitors - agents/people looking for initial
indication & warnings of a confidentiality incident OR for supporting
correlative data on an existing confidentiality incident (ie:
signatures)
    - agents/people looking for exceptional event _frequencies_
indicating how often a specific set of events occurs (ie: statistical
anomalies)

4 - post-mortem investigators - agents/people looking to put together a
sequence of events using whatever information is available (ie: audit
trail and chain of custody)

These are diverse if not mutually exclusive requirements for reports.

The biggest trouble is the same system can be used to generate those
reports and the techs tend to jumble them all into "system log reports".

SysAdmins want 1,2,3. Sec Analysts want 2,3,4. CSOs should want the
penetration numbers... plus some effectiveness rating of how well it
delivers 1,2,3 or 4. 

Wynn
--
Wynn Fenwick, GCIH, GCIA
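One way to compute the coverage ("penetration rate") numbers Wynn lists above, as an added example that is not part of the original post: the RFC 3164-style line format, the `coverage_metrics` function and the sample log lines are assumptions constructed here, not anything from the list.

```python
import re
from collections import Counter, defaultdict
# RFC 3164-style syslog line: "<PRI>Mon DD HH:MM:SS host program[pid]: message".
# PRI is optional because many collectors strip it before writing to disk.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample lines (not from the list post): one day of collector output.
SAMPLE_LOGS = """\
<38>May 24 09:01:02 web01 sshd[2211]: Failed password for root from 10.0.0.5 port 40011 ssh2
<38>May 24 09:01:05 web01 sshd[2211]: Failed password for root from 10.0.0.5 port 40012 ssh2
<86>May 24 09:02:10 web01 cron[19]: (root) CMD (run-parts /etc/cron.hourly)
<13>May 24 09:03:00 db01 postgres[771]: checkpoint complete
<38>May 24 09:04:30 db01 sshd[812]: Accepted publickey for dba from 10.0.0.7 port 5001 ssh2
<86>May 24 09:05:00 vpn01 openvpn[44]: TLS: new session from 203.0.113.9:1194
this line is garbage and will be counted as unparsed
"""

def parse_lines(text):
    """Return [(host, program), ...] for parseable lines plus a count of the rest."""
    parsed, unparsed = [], 0
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            parsed.append((m.group("host"), m.group("prog")))
        else:
            unparsed += 1
    return parsed, unparsed

def coverage_metrics(text):
    """The coverage ('penetration') numbers: who is reporting, and how much."""
    parsed, unparsed = parse_lines(text)
    volume_per_host = Counter(host for host, _ in parsed)
    progs_per_host = defaultdict(set)
    for host, prog in parsed:
        progs_per_host[host].add(prog)
    return {
        "unique_devices": len(volume_per_host),
        "volume_per_device": dict(volume_per_host),
        "unique_programs_org": sorted({p for _, p in parsed}),
        "unique_programs_per_device": {h: len(s) for h, s in progs_per_host.items()},
        "unparsed_lines": unparsed,  # a jump here usually means a format change or a broken source
    }

if __name__ == "__main__":
    for k, v in coverage_metrics(SAMPLE_LOGS).items():
        print(f"{k}: {v}")
```

Comparing these numbers day over day is the useful part: a device or daemon that drops out of the unique counts is a silent collection gap, which no per-event report will ever show.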



-----Original Message-----
From: loganalysis-bounces+wynn.fenwick=cgi.com@private
[mailto:loganalysis-bounces+wynn.fenwick=cgi.com@private] On
Behalf Of Chris Brenton
Sent: Wednesday, May 17, 2006 10:32 PM
To: LogAnalysis@private
Subject: [logs] Which reports are most important?

Hey all,

I'm involved with helping SANS organize the logging summit this July. As
part of that, I was hit with a question that I thought could be best
answered via feedback from the group.

What do you feel are the top 5 reports a centralized log management
system should provide?

For example, a few I came up with:

- Authentication failures (Web, system access, VPNs, etc.)
- Access failures (HTTP scripts, recursion requests, etc.)
- Initialization of new/unknown processes
- Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)

I would love to see a similar list from other folks on the list.

Cheers,
Chris


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Wed May 24 2006 - 12:16:45 PDT