Firewall Wizards mailing list archives
Re: Firewall Log Analysis - Computer vs. Human
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 7 Jul 2005 01:31:24 +0530
On 05/07/05 12:23 -0400, Adrian Grigorof wrote:
> Hi all, We are trying to develop a log analyzer that would "replicate" a human's approach to log analysis - by that I mean the fact that a human can correlate information in the log with other factors (like - "hmm, the log
Hmmm, Marcus had a thread on the loganalysis[1] list, asking what information could be gleaned from the logs. That thread would be a good starting point for a correlation engine of this type. In general, if it gets logged, it can be correlated to some extent. The problem most often is that there is no logging infrastructure for such correlation.
> says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that UPS failure yesterday around noon). For this particular example, the log analyzer could say in the report: "12:03 PM - Firewall restarted - Possible power failure, power disconnection or manual restart" - a bit vague I agree but it is better than nothing - and in fact, this is what the firewall admin would go through, right? Thinking, "Why would there be a restart? I
And there could be any other reason, which would be extremely misleading. IMHO, it is better not to attempt to correlate with vague information which leads the administrator down the wrong track. Humans are good at ignoring things that cry wolf too often.
> did not restart it.. anything happened at noon? The UPS failure!". Or for
What happens if the failure was due to something else, like someone tripping over the power cable, or just a system failure and none of your possibilities were correct? If you log more data and then filter, then you can do useful correlations. "Show me all events that happened in this time range relating to the firewall", with a predefined dependency for the firewall on the UPS. The complex problem is getting the human being to define the dependency of the firewall on the UPS in the first place.

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
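The "log more, then filter against a predefined dependency" approach Devdas describes, as an added example that is not part of the original thread: a small correlator that, for every firewall restart, pulls only events from the hosts the firewall is declared to depend on within a surrounding time window, and says "cause unknown" when that window is empty instead of guessing. The log lines, host names (`fw1`, `ups1`, `sw1`), timestamps and the dependency map are all constructed for the example.

```python
"""Dependency-driven log correlation (added example, not from the thread).

Every host name, timestamp and log message below is constructed; the
DEPENDENCIES map stands in for the human-supplied "fw1 is powered by ups1".
"""
from datetime import datetime, timedelta

# Constructed sample log: syslog-like "timestamp host message" lines.
SAMPLE_LOG = """\
2005-07-05T11:58:10 ups1 ups: on battery, input power lost
2005-07-05T12:01:45 ups1 ups: battery low, shutting down load
2005-07-05T12:03:02 fw1 kernel: system restart
2005-07-05T12:05:30 sw1 stp: topology change
2005-07-06T03:14:00 fw1 kernel: system restart
"""

# Declared dependencies: the firewall's power comes from ups1 (hypothetical).
DEPENDENCIES = {"fw1": ["ups1"]}


def parse(text):
    """Split each line into a dict with a real datetime for range queries."""
    events = []
    for line in text.splitlines():
        ts, host, msg = line.split(" ", 2)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "msg": msg})
    return events


def events_in_window(events, hosts, centre,
                     before=timedelta(minutes=10), after=timedelta(minutes=2)):
    """Events from the given hosts between centre-before and centre+after."""
    return [e for e in events
            if e["host"] in hosts and centre - before <= e["ts"] <= centre + after]


def correlate(events, trigger_pred, deps):
    """For each trigger event, collect events from that host's declared
    dependencies in the surrounding window.  Returns (trigger, related)
    pairs; related is an empty list when nothing is known, so the report
    never invents a cause the logs do not support."""
    findings = []
    for ev in events:
        if not trigger_pred(ev):
            continue
        dep_hosts = set(deps.get(ev["host"], []))
        findings.append((ev, events_in_window(events, dep_hosts, ev["ts"])))
    return findings


def report(findings):
    """Render findings as plain lines; one header per trigger event."""
    lines = []
    for trig, related in findings:
        head = f"{trig['ts'].isoformat()} {trig['host']}: {trig['msg']}"
        if related:
            lines.append(head + " -- preceded by dependency events:")
            lines.extend(f"    {r['ts'].isoformat()} {r['host']}: {r['msg']}"
                         for r in related)
        else:
            lines.append(head + " -- no dependency events in window; cause unknown")
    return lines


def is_restart(event):
    """Trigger predicate: a firewall/system restart message."""
    return "system restart" in event["msg"]


if __name__ == "__main__":
    print("\n".join(report(correlate(parse(SAMPLE_LOG), is_restart, DEPENDENCIES))))
```

The first restart at 12:03 picks up both ups1 messages because ups1 is a declared dependency; the switch event at 12:05 is ignored even though it is in the window, and the 03:14 restart the next day is reported with no cause because nothing from ups1 is near it. Widening the window or adding more hosts to DEPENDENCIES is the only way to get more output, which is the point: the engine only states what a logged, declared relationship supports.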
Current thread:
- Re: Opinion: Worst interface ever., (continued)
- Re: Opinion: Worst interface ever. StefanDorn (Jul 05)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. StefanDorn (Jul 05)
- Re: Opinion: Worst interface ever. Jan Tietze (Jul 06)
- Re: Opinion: Worst interface ever. Dave Piscitello (Jul 18)
- Re: Opinion: Worst interface ever. sin (Jul 21)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. StefanDorn (Jul 05)
- RE: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Firewall Log Analysis - Computer vs. Human Adrian Grigorof (Jul 06)
- Re: Firewall Log Analysis - Computer vs. Human Kevin (Jul 06)
- Re: Firewall Log Analysis - Computer vs. Human Devdas Bhagat (Jul 06)
- RE: Firewall Log Analysis - Computer vs. Human Paul Melson (Jul 19)
- RE: Opinion: Worst interface ever. Mark Teicher (Jul 06)
- RE: Opinion: Worst interface ever. Eugene Kuznetsov (Jul 06)
- RE: Opinion: Worst interface ever. Paul D. Robertson (Jul 06)
- Re: Opinion: Worst interface ever. Ian Rae (Jul 06)