Educause Security Discussion mailing list archives

Re: Log / Security Event Management


From: John Kristoff <jtk () NORTHWESTERN EDU>
Date: Wed, 16 Jun 2004 20:25:12 -0500

On Wed, 16 Jun 2004 16:12:33 -0500
"Barros, Jacob" <jkbarros () GRACE EDU> wrote:

> My supervisor is asking for a log management solution.  I've found a
> number of different options online but am not sure which way to turn.

If you've not already visited the following page, you might do so:

  <http://www.loganalysis.org/>

> Most solutions I've researched will handle all devices I would be
> interested in managing. To be specific, Microsoft servers (and possibly
> clients), Cisco Catalyst (IOS) switches, and Cisco PIX firewall...
> Pretty simple.

Heh, hardly in my opinion.  For the Cisco gear probably your only
option is going to have to be a syslog server to minimally collect
the log files.  syslog is a relatively simple, if not too simple,
system.  In its familiar implementation it runs over UDP.  A syslog
server takes properly formatted messages on the syslog port (514)
and if configured, delivers them to an appropriate file.  There is
work being done in the IETF to enhance syslog to provide integrity,
authentication and sequencing support, but I don't expect to see
devices like your current Cisco switches supporting something like
that soon.  It would have been nice if vendors added a simple MD5
authentication mechanism that used shared passwords on the syslog
collector and authorized syslog clients.

Unless you were to set up a complex system of IPsec tunnels between
your Cisco logging devices, one of the next best things you can do
is authenticate based on IP or in-addr.arpa of the received IP.

There are specialized implementations of syslog; one in particular
that I'm familiar with, called syslog-ng, can be found here:

  <http://www.balabit.com/products/syslog_ng/>

This is a relatively decent package that offers a number of features
such as being able to send messages to log files based on a regex of
the log message.  If both the syslog sender and collector implement
syslog-ng, you can enable some additional functionality such as using
TCP instead of UDP.

If you're comfortable with unix you're probably looking at running
a syslog server, which just delivers the log messages into text files.
Then you will probably want some tools to manage, search, summarize
and in general report on log events you want to know about.  There are
a number of simple tools for this.  I have one for Cisco devices; I
just quickly put the most recent version online for you here:

  <http://aharp.ittns.northwestern.edu/software/>

If Windows support and ease of implementation are important a
commercial vendor's offering may suit you better.  I don't have
any experience with them however.  Other tools and a mailing list for
those interested in log management can be found at the loganalysis site
above.

> Does anyone have experience with this type of solution and can tell me
> what I should avoid?  Any recommendations?  Cost will be a factor in our
> decision but I don't know what kind of budget we're looking at yet.

Generally speaking, you probably want to ensure you have lots of disk.
Unless you buy a packaged commercial log management system, CPU and
memory are less important unless you're doing a lot of reporting or
doing something interesting by putting logs into a database back end.
For a typical University, you could probably get away with a single 1U
rack mount server for a few thousand dollars if you don't mind putting
a little effort into doing it yourself with Unix-based tools.  If you
compress your log files regularly and you don't have hundreds of devices
you can probably make do with most any typical low-end server box that
comes with a good amount of disk these days.

John
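An added illustration of the collector behaviour John describes (classic syslog over UDP/514 with no built-in authentication, a sender-address check as the fallback, and syslog-ng-style regex routing to files). This is example code written for this archive page, not code from the post, from syslog-ng, or from the tool linked above; the allow-listed network, the route patterns and the sample message are constructed.

```python
"""Minimal syslog collector logic: parse a classic (RFC 3164-style) datagram
as Cisco IOS/PIX devices emit it, accept only senders on an allow-list, and
route the message to a file by regex, the way syslog-ng filters do."""
import ipaddress
import re

# Constructed allow-list of logging devices.  syslog itself has no
# authentication, and UDP source addresses can be forged, so treat this as
# a filter on who may write to the collector, not as proof of origin.
ALLOWED_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed regex routing table: first matching pattern wins.
ROUTES = [
    (re.compile(r"%PIX-"), "pix.log"),
    (re.compile(r"%(SYS|LINK|LINEPROTO)-"), "switches.log"),
]
DEFAULT_FILE = "other.log"

_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_syslog(datagram: bytes) -> dict:
    """Split off the <PRI> header; facility is PRI // 8, severity PRI % 8."""
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    text = m.group(2).decode("ascii", errors="replace").rstrip("\r\n")
    return {"facility": pri >> 3, "severity": pri & 7, "msg": text}

def sender_allowed(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SENDERS)

def route(msg: str) -> str:
    for pattern, filename in ROUTES:
        if pattern.search(msg):
            return filename
    return DEFAULT_FILE

def handle(datagram: bytes, sender: str):
    """Return (filename, record) for an accepted datagram, None if dropped."""
    if not sender_allowed(sender):
        return None
    rec = parse_syslog(datagram)
    return route(rec["msg"]), rec

if __name__ == "__main__":
    # Constructed sample; <189> is local7 (Cisco's default facility), severity 5.
    sample = b"<189>Jun 16 20:25:12 switch-1 %SYS-5-CONFIG_I: Configured from console by vty0\n"
    print(handle(sample, "192.0.2.10"))
```

In a real deployment the datagram and sender come from a UDP socket bound to port 514 and the returned filename is the file the record is appended to.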
