Security Basics mailing list archives

RE: Automated analysis of logs?


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 10 Apr 2003 12:19:41 +0100


PERL is the answer to all your log questions.  I sent on stuff before to
members of this list to parse IIS logs and isolate good traffic from
attacks based on known signatures such as "cmd.exe" etc and
"....\....\..." type stuff.  It could all be logged into a database and
reports generated to your heart's content.  Flashy web front ends are
also possible and also the ability to graph the whole thing with
GD::Graph routines.

So again PERL is your answer.  Well worth a look as it was built with
log analysis and reporting in mind.

OR 

Look at 'FastStats Analyzer', 'http://www.10-strike.com/', and there
are more via search engines.  But for customised solutions I'm afraid
you have to do it yourself.  But it is worth it.


-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com] 
Sent: 09 April 2003 13:03
To: security-basics () securityfocus com
Subject: Re: Automated analysis of logs?


In-Reply-To: <001d01c2fdf4$2c403c50$b600000a@alderon>



Are there any open-source applications that I can drop various kinds of
logs into (especially IIS logs) and get not only statistics, but information
and/or "warnings" about various kind of known activity?



I've written Perl scripts to do exactly this sort of thing.  The big issue
is that not everyone clicks on all of the check boxes when they configure
IIS logging.  When I worked at a telecomm company, we had an ISP that had a
lot of IIS servers...it seemed as if no two had the same items checked!

What I generally do is get an idea of what is the 'normal' activity.  For
example, on systems running OWA, one would expect to see queries that begin
w/ "exchange".  Then I start filtering out all normal traffic from the logs,
narrowing that down.

Hope that helps,

Harlan

-------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection. http://www.securityfocus.com/SurfControl-security-basics2
Download your free fully functional trial, complete with 30-days of free
technical support. Stop SPAM before it stops you.
-------------------------------------------------------------------




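An added example (in Python rather than the Perl both posters mention, and not code from either poster) of the approach the thread describes: read an IIS W3C log by its own #Fields header so that servers with different logging check boxes parse correctly, flag the request signatures Trevor names (cmd.exe, ..\..\ traversal), and set aside Harlan's known-normal OWA baseline so that only the remainder needs a look. The log lines and the `/exchange/` prefix are constructed assumptions.

```python
import re
# Constructed IIS W3C log; the #Fields line declares which columns this server logs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-09 08:00:01 10.0.0.5 GET /exchange/inbox.asp - 200
2003-04-09 08:00:09 192.0.2.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2003-04-09 08:00:10 192.0.2.7 GET /_vti_bin/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2003-04-09 08:00:15 10.0.0.9 GET /default.asp - 200
"""
# Second constructed server with fewer columns checked, as Harlan describes;
# the parser must follow each file's own #Fields line rather than fixed offsets.
SAMPLE_LOG_2 = """#Fields: date time c-ip cs-uri-stem
2003-04-09 09:00:00 192.0.2.8 /scripts/..%c1%1c../winnt/system32/cmd.exe
"""
# Known-bad request patterns of the kind Trevor's message names (cmd.exe, ..\..\).
SIGNATURES = {
    "cmd.exe": re.compile(r"cmd\.exe", re.I),
    "traversal": re.compile(r"\.\.(?:[\\/]|%5c|%2f|%255c|%c1%1c)", re.I),
}
# Request prefixes that are 'normal' on this server (Harlan's OWA example; assumed).
NORMAL_PREFIXES = ("/exchange/",)

def parse_iis_w3c(text):
    # Yield one dict per entry, keyed by the names in the most recent #Fields header.
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    # Signature hits first, then the known-normal baseline, everything else for review.
    target = entry.get("cs-uri-stem", "") + " " + entry.get("cs-uri-query", "")
    hits = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    if hits:
        return "attack", hits
    if entry.get("cs-uri-stem", "").lower().startswith(NORMAL_PREFIXES):
        return "normal", []
    return "review", []

def triage(text):
    report = {"attack": [], "normal": [], "review": []}
    for entry in parse_iis_w3c(text):
        verdict, hits = classify(entry)
        report[verdict].append((entry.get("c-ip"), entry.get("cs-uri-stem"), hits))
    return report
```

The "review" bucket is what is left after the baseline and signatures are removed, which is the narrowing-down step Harlan describes.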

