Educause Security Discussion mailing list archives
Re: Log / Security Event Management
From: John Kristoff <jtk () NORTHWESTERN EDU>
Date: Wed, 16 Jun 2004 20:25:12 -0500
On Wed, 16 Jun 2004 16:12:33 -0500 "Barros, Jacob" <jkbarros () GRACE EDU> wrote:
> My supervisor is asking for a log management solution. I've found a number of different options online but am not sure which way to turn.
If you've not already visited the following page, you might do so: <http://www.loganalysis.org/>
> Most solutions I've researched will handle all devices I would be interested in managing. To be specific, Microsoft servers (and possibly clients), Cisco Catalyst (IOS) switches, and Cisco PIX firewall... Pretty simple.
Heh, hardly in my opinion. For the Cisco gear probably your only option is going to have to be a syslog server to minimally collect the log files.

syslog is a relatively simple, if not too simple, system. In its familiar implementation it runs over UDP. A syslog server takes properly formatted messages on the syslog port (514) and, if configured, delivers them to an appropriate file. There is work being done in the IETF to enhance syslog to provide integrity, authentication and sequencing support, but I don't expect to see devices like your current Cisco switches supporting something like that soon. It would have been nice if vendors had added a simple MD5 authentication mechanism that used shared passwords on the syslog collector and authorized syslog clients. Unless you were to set up a complex system of IPsec tunnels between your Cisco logging devices, one of the next best things you can do is authenticate based on the IP or in-addr.arpa of the received IP.

There are specialized implementations of syslog; one in particular that I'm familiar with is called syslog-ng and can be found here: <http://www.balabit.com/products/syslog_ng/> This is a relatively decent package that offers a number of features, such as being able to send messages to log files based on a regex of the log message. If both the syslog sender and collector implement syslog-ng, you can enable some additional functionality such as using TCP instead of UDP.

If you're comfortable with unix you're probably looking at running a syslog server, which just delivers the log messages into text files. Then you will probably want some tools to manage, search, summarize and in general report on log events you want to know about. There are a number of simple tools for this. I have one for Cisco devices that I just quickly put the most recent version online for you here: <http://aharp.ittns.northwestern.edu/software/>

If Windows support and ease of implementation are important, a commercial vendor's offering may suit you better. I don't have any experience with them, however. Other tools and a mailing list for those interested in log management can be found at the loganalysis site above.
> Does anyone have experience with this type of solution and can tell me what I should avoid? Any recommendations? Cost will be a factor in our decision but I don't know what kind of budget we're looking at yet.
Generally speaking, you probably want to ensure you have lots of disk. Unless you buy a packaged commercial log management system, CPU and memory are less important unless you're doing a lot of reporting or doing something interesting by putting logs into a database back end. For a typical University, you could probably get away with a single 1U rack mount server for a few thousand dollars if you don't mind putting a little effort into doing it yourself with Unix-based tools. If you compress your log files regularly and you don't have hundreds of devices you can probably make do with most any typical low-end server box that comes with a good amount of disk these days.

John

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
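An added illustration of the collector John describes (not code from the post or from syslog-ng): a minimal UDP syslog receiver on port 514 that accepts messages only from an allow-list of source IPs, parses the classic `<PRI>timestamp host message` format into facility and severity, and routes each message to a file by regex on its text. The sender addresses, file names and sample Cisco-style messages are constructed for the example.

```python
import ipaddress
import re
import socket

# Constructed allow-list of logging devices (example addresses, not from the post).
# This is the "authenticate based on IP" check: anything else is dropped.
ALLOWED_SENDERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}

# BSD-style syslog datagram: "<PRI>Mmm dd hh:mm:ss host message" (day may be space-padded).
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Regex-based routing in the spirit of syslog-ng filters; first match wins.
ROUTES = [
    (re.compile(r"%SEC-|%PIX-"), "firewall.log"),
    (re.compile(r"%SYS-|%LINK-|%LINEPROTO-"), "switches.log"),
]

def parse_syslog(datagram):
    """Return (facility, severity, host, msg), or None if the datagram is malformed."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity; facilities 0-23, severities 0-7
        return None
    host = m.group("host").decode("ascii", "replace")
    msg = m.group("msg").decode("utf-8", "replace")
    return pri // 8, pri % 8, host, msg

def route_message(src_ip, datagram):
    """Decide where a datagram goes; None means drop (unknown sender or unparseable)."""
    if ipaddress.ip_address(src_ip) not in ALLOWED_SENDERS:
        return None
    parsed = parse_syslog(datagram)
    if parsed is None:
        return None
    _facility, severity, host, msg = parsed
    for pattern, filename in ROUTES:
        if pattern.search(msg):
            return filename, severity, host, msg
    return "other.log", severity, host, msg

def serve(bind="0.0.0.0", port=514):
    """Receive UDP syslog and append accepted messages to the routed file."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _port) = sock.recvfrom(65535)
        decision = route_message(src, data)
        if decision:
            filename, severity, host, msg = decision
            with open(filename, "a") as f:
                f.write(f"{host} sev={severity} {msg}\n")
```

Binding to 514 needs root or an equivalent privilege; source-IP filtering only raises the bar for a spoofed UDP sender, which is why the post still wishes for real authentication.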