Educause Security Discussion mailing list archives
Re: Syslog parsing
From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Wed, 26 Apr 2006 13:27:56 +1000
Hi all, Penn, Blake wrote:
> We are in the process of engineering more robust and centralized logging to central syslog servers. Problem is, once you have gigs and gigs of data, how do you parse it effectively and efficiently? We've looked at a lot of the common open-source parsers out there and haven't been too impressed. Anyone know of a good syslog (or syslog-ng) parser (free or commercial), or developed one in-house? The features that we care most about are:
>
> * Robust slicing of information across different categories (machine name, IP, event ID, etc.)
> * Correlation capabilities
> * Ease of use (preferably a web GUI, etc. for use by the lowest common denominator)
> * Low FTE requirements!!!
We have recently completed an investigation into SEM/SIM technology and shortlisted the following products (in no particular order):

* Security Information Manager by Openservice
* Huntsman by Tier-3
* Enterprise Security Analytics by Sensage
* Security Manager by Intellitactics

They all have good correlation abilities and can slice and dice your data however you like. Their list price is megabucks (i.e. >100k) but generally you will be able to bring value to the deal to use as negotiation. We ran a pilot of the above products and have made a recommendation to the steering committee on which product to implement. Once it is ratified, I will let you know which one we are going ahead with :)

--
Greg Vickers
Project Manager, IT Security
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane
Phone: +61 7 3864 9536
Mobile: 0410 434 734
Fax: +61 7 3864 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/
CRICOS No. 00213J
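The field slicing the quoted question asks for (host, program, PID, addresses mentioned in the message) is the first step any of the listed products performs; the following is an added example written for this archive page, not code from either poster or from any of the products named. The regex targets the classic BSD syslog line format and the sample lines are constructed.

```python
import re
from typing import Optional

# Classic BSD syslog line: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message".
# Regex and sample lines below are constructed for this example.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                       # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                  # relay/origin hostname
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"      # program[pid]:
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_syslog(line: str) -> Optional[dict]:
    """Split one BSD syslog line into fields; return None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        pri = int(rec["pri"])
        rec["facility"], rec["severity"] = pri // 8, pri % 8  # PRI = facility*8 + severity
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["ips"] = IPV4_RE.findall(rec["msg"])  # any IPv4 addresses named in the message
    return rec

SAMPLE_LINES = [  # constructed sample input
    "<38>Apr 25 09:12:01 gw1 sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "<86>Apr 25 09:12:05 gw1 sshd[2115]: Accepted publickey for alice from 198.51.100.9 port 50122 ssh2",
    "this line is not syslog at all",
]

def summarize(lines):
    """Count parsed records per (host, tag); keep unparsable lines so they are not silently lost."""
    by_source, rejects = {}, []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejects.append(line)
            continue
        key = (rec["host"], rec["tag"])
        by_source[key] = by_source.get(key, 0) + 1
    return by_source, rejects

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print(summarize(SAMPLE_LINES))
```

Lines that do not match are returned separately rather than dropped, since a parser that quietly discards odd lines is exactly where an attacker's traces go missing.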
Current thread:
- Syslog parsing Penn, Blake (Apr 25)
- <Possible follow-ups>
- Re: Syslog parsing Justin Dover (Apr 25)
- Re: Syslog parsing Steve Lovaas (Apr 25)
- Re: Syslog parsing Jenkins, Matthew (Apr 25)
- Re: Syslog parsing Keith Schoenefeld (Apr 25)
- Re: Syslog parsing Justin Dover (Apr 25)
- Re: Syslog parsing Christopher Arnold (Apr 25)
- Re: Syslog parsing Greg Vickers (Apr 25)