Security Basics mailing list archives

RE: Event log monitoring


From: Julen C <julenc () spymac com>
Date: Sun, 17 Oct 2004 05:00:38 -0600

Take a look at Computer Associates eTrust Audit.
http://www3.ca.com/Files/DataSheets/etrust_audit_pd.pdf

It centralizes logs from operating systems (Windows, Unix...), applications (Apache, IIS...) and databases (Oracle, SQL Server...).

You could configure alerts: for example, if a given log entry appears (failed logon, time change...), send an alert (email, SMS...).


 
Julen Cordon. 

On Fri Oct 15 12:53 , Ryan Murphy <RMurphy () irvinecompany com> sent:



I am in a similar situation as the original poster in that I am looking for
consolidated server event logging for our Windows server farms. The options
provided on this list so far provide a good base for windows syslog
servers/clients. The real question I need answered is, which of these
products provide correlation/analysis/reporting on the log data
collected? That is the real value in having a centralized logging system.
Which of these products will let me answer questions like:

How many failed logins occurred between a certain time period? Which logins
and on which servers?
What are repeated application failures, and are they correlated in some way
to the security or system logs?
Creation of new administrator accounts correlated with a series of failed
login attempts followed by a single successful attempt.

Basically, which log server analyzer will provide reports for suspicious
activity, or other activity possibly indicative of someone trying to fiddle
with things they shouldn't be? Does this kind of thing exist, or are we
still at the point where the vigilant sys admin has to pore through these
logs himself, or with a series of scripts in hand?

Thanks,

Ryan
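A constructed example, added here and not code from any poster, of the reporting and correlation Ryan asks for, run against sample Security-log events of the kind a syslog-to-ODBC chain like the one Kurt describes would deposit in a SQL table. The table layout, host names, user names and timestamps are all assumptions; the event IDs are the classic Windows Security log ones.

```python
import sqlite3

# Added example, not code from the thread. Hypothetical table layout for events that
# a Windows-to-syslog forwarder has landed in a SQL database through ODBC. Event IDs
# are the Windows 2000/2003 Security log ones: 529 failed logon, 528 successful
# logon, 624 user account created. The rows below are constructed for the demo.
SAMPLE_EVENTS = [
    ("srv1", "2004-10-15 10:00:00", 529, "bob", "Logon Failure: bad password"),
    ("srv1", "2004-10-15 10:01:00", 529, "bob", "Logon Failure: bad password"),
    ("srv1", "2004-10-15 10:02:00", 529, "bob", "Logon Failure: bad password"),
    ("srv1", "2004-10-15 10:03:30", 528, "bob", "Successful Logon"),
    ("srv1", "2004-10-15 10:05:00", 624, "bob", "User Account Created: backupsvc"),
    ("srv2", "2004-10-15 10:02:00", 529, "alice", "Logon Failure: bad password"),
    ("srv2", "2004-10-15 11:30:00", 528, "alice", "Successful Logon"),
]

def load_events(rows=SAMPLE_EVENTS):
    """Load the rows into an in-memory table (stand-in for the real log database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events(host TEXT, ts TEXT, event_id INTEGER, user TEXT, msg TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def failed_logons(conn, start, end):
    """Failed logons per user and host in [start, end]: how many, which logins, which servers."""
    return conn.execute(
        "SELECT user, host, COUNT(*) FROM events WHERE event_id = 529 "
        "AND ts BETWEEN ? AND ? GROUP BY user, host ORDER BY 3 DESC", (start, end)).fetchall()

def suspicious_account_creation(conn, min_failures=3, window_min=10):
    """Account creations (624) preceded on the same host, within window_min minutes, by a
    successful logon (528) that itself followed >= min_failures failed logons (529)."""
    sql = """
    SELECT c.host, c.user, c.ts, c.msg FROM events c
    WHERE c.event_id = 624 AND EXISTS (
        SELECT 1 FROM events s
        WHERE s.host = c.host AND s.user = c.user AND s.event_id = 528
          AND s.ts <= c.ts AND s.ts >= datetime(c.ts, ?)
          AND (SELECT COUNT(*) FROM events f
               WHERE f.host = s.host AND f.user = s.user AND f.event_id = 529
                 AND f.ts < s.ts AND f.ts >= datetime(s.ts, ?)) >= ?)
    ORDER BY c.ts"""
    window = f"-{window_min} minutes"
    return conn.execute(sql, (window, window, min_failures)).fetchall()

if __name__ == "__main__":
    db = load_events()
    print(failed_logons(db, "2004-10-15 10:00:00", "2004-10-15 10:59:59"))
    print(suspicious_account_creation(db))
```

The same two queries run unchanged against a real MySQL table fed by a syslog server, with datetime() swapped for the server's own interval arithmetic.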



-----Original Message-----
From: Kurt [kurtbuff () spro net]
Sent: Wednesday, October 13, 2004 3:42 PM
To: 'Stephane Auger'; security-basics () securityfocus com
Subject: RE: Event log monitoring


http://ntsyslog.sourceforge.net or http://intersectalliance.com/snare -
will send your event logs to a syslog server in real time

http://kiwisyslog.com - a very good syslog server for Windows, and if
you pay for it (it's very inexpensive for the impressive quality), it'll
even log to an ODBC DSN

http://mysql.com - A free SQL database server, with an ODBC interface,
both Windows and *nix.

Pretty much all you need.

| -----Original Message-----
| From: Stephane Auger [stephaneauger () pre2post com]
| Sent: Tuesday, October 12, 2004 13:26
| To: security-basics () securityfocus com
| Subject: Event log monitoring
| 
| 
| Hey everyone,
| 
| I'm looking for a practical way to monitor event logs on multiple
| servers. There are multiple subnets at multiple sites, and I have one
| main LAN to monitor everything. Is there some kind of software/batch
| file that could be installed on the servers so that the events can be
| sent to my monitoring LAN (a little bit like SNMP sending to a listening
| server)? Thanks!!
| 
| Stephane Auger, MCP


