Security Basics mailing list archives

Re: log monitoring/analysis/correlation systems


From: Jon Hart <jhart () spoofed org>
Date: Tue, 21 Nov 2006 16:38:26 -0800

On Mon, Nov 20, 2006 at 08:21:18PM +0100, sami seclist wrote:
> Hi list,
> a client of ours is looking for a log monitoring solution for its
> network security infrastructure.
> Logs are to be collected from routers, firewalls, IDS and antivirus.
> The only product I found to be applicable in this situation is Cisco's
> Security Monitoring Analysis and Response System (in fact it does
> much more than what is needed!).
> Other products I found:
> exaprotect (seems to be the best option)
> HP OpenView and IBM Tivoli manager (I think they are too heavy for
> this company and also very expensive)
>
> Does anybody know of other log monitoring systems, and what do you
> think of the above?
> Syslog is not an option as log files have heterogeneous formats and it is
> somewhat tricky to obtain a practical usage.

CS MARS, IMO, is too Cisco centric.  Even at that, it isn't particularly
good at working with Cisco devices and their respective logs.  If you
need an event correlation / monitoring system simply for the sake of
having one, CS MARS is an option.

The problem with many of the commercial solutions is that they generally
only support a subset of various products (as far as generic log
processing goes).  With some vendors you can pay extra and they'll write
a custom parser for you.  Give Sensage and Symantec SSIM a look too.

On the free side of the house, I highly recommend you take a look at SEC
(http://www.estpak.ee/~risto/sec/).  There is a lot of manual work that
must be done up front to get a log monitoring / correlation system using
SEC off the ground, but you'll learn a lot about your logs in doing so.
We've deployed it in our production environment which generates 10-15G
of logs per day.  There are a number of things that SEC lacks, but none
of which (IMO) are show stoppers.  Plus, for the price...

-jon
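The up-front work Jon describes for SEC is mostly writing a pattern per log format and then the correlation rules that run over the normalised events. As an added illustration (not SEC's own code and not from the original thread), the Python below parses three constructed line formats (firewall key=value, a Snort-style IDS alert, a Cisco IOS access-list log) into one event shape and applies a threshold-within-window rule of the kind SEC's SingleWithThreshold provides. Every sample line, hostname and address is made up; lines no parser understands are surfaced rather than dropped, since in practice that is how you discover the next format you need to handle.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in three syslog payload formats (firewall
# key=value, Snort-style IDS alert, Cisco IOS access-list log) plus one
# antivirus line no parser handles. Made-up data, not captured output.
SAMPLE_LOGS = [
    "Nov 21 16:30:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Nov 21 16:30:03 ids1 snort[1234]: [1:2001219:20] ET SCAN Potential SSH Scan {TCP} 203.0.113.7:54321 -> 192.0.2.10:22",
    "Nov 21 16:30:05 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40001) -> 192.0.2.11(22), 1 packet",
    "Nov 21 16:30:20 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Nov 21 16:30:40 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=22",
    "Nov 21 16:31:30 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(40002) -> 192.0.2.13(22), 1 packet",
    "Nov 21 16:32:00 av1 AVServer: virus found in /tmp/sample.exe",
    "Nov 21 16:35:00 ids1 snort[1234]: [1:2001219:20] ET SCAN Potential SSH Scan {TCP} 203.0.113.7:54322 -> 192.0.2.10:22",
]

SYSLOG_HDR = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# One regex per source format; each yields the fields events are normalised on.
PARSERS = [
    ("firewall", re.compile(SYSLOG_HDR + r"kernel: (?P<action>\w+) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)")),
    ("ids", re.compile(SYSLOG_HDR + r"snort\[\d+\]: \[[\d:]+\] (?P<sig>.+?) \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")),
    ("router", re.compile(SYSLOG_HDR + r"%SEC-6-IPACCESSLOGP: list \S+ (?P<action>\w+) \w+ (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\(\d+\)")),
]


def to_seconds(ts):
    """Syslog timestamps carry no year; relative seconds are enough for windowing."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def normalise(line):
    """Map a raw line from any supported source to one common event dict, or None."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"source": source, "host": d["host"], "time": to_seconds(d["ts"]),
                    "src": d["src"], "dst": d["dst"],
                    "kind": d.get("sig") or d.get("action")}
    return None


class ThresholdCorrelator:
    """Alert when `thresh` events share a key within `window` seconds, at most
    once per key per window (the idea behind SEC's SingleWithThreshold rule)."""

    def __init__(self, key, window, thresh):
        self.key, self.window, self.thresh = key, window, thresh
        self.events = defaultdict(deque)   # key -> events still inside the window
        self.fired = {}                    # key -> time of the last alert

    def feed(self, ev):
        k = self.key(ev)
        q = self.events[k]
        q.append(ev)
        while ev["time"] - q[0]["time"] > self.window:   # age out old events
            q.popleft()
        last = self.fired.get(k)
        if len(q) >= self.thresh and (last is None or ev["time"] - last > self.window):
            self.fired[k] = ev["time"]
            return {"key": k, "count": len(q), "time": ev["time"],
                    "sources": sorted({e["source"] for e in q})}
        return None


def run(lines, window=120, thresh=3):
    """Correlate on source address; return (alerts, lines no parser matched)."""
    corr = ThresholdCorrelator(key=lambda e: e["src"], window=window, thresh=thresh)
    alerts, unparsed = [], []
    for line in lines:
        ev = normalise(line)
        if ev is None:
            unparsed.append(line)
            continue
        alert = corr.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts, unparsed


if __name__ == "__main__":
    found, missed = run(SAMPLE_LOGS)
    for a in found:
        print("ALERT: %s seen %d times across %s" % (a["key"], a["count"], ",".join(a["sources"])))
    for line in missed:
        print("UNPARSED: " + line)
```

With the constructed input the one alert fires at the third denied/alerted event from 203.0.113.7, drawn from all three device types; the later events from the same address fall inside the window of that alert and are suppressed, and the antivirus line is reported as unparsed. A real deployment keys on more than the source address (destination, signature, host) and maintains many such rules, which is the manual work Jon refers to.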
