Firewall Wizards mailing list archives

Re: analyzing firewall logs in a database


From: "Matt McClung" <mmcclung () ndwcorp com>
Date: Thu, 18 Feb 1999 09:35:29 -0700

I have used a program call XaCCT which takes a firewall log file and
simultaneously enters the data to a SQL or Oracle db.  The program has a gui
interface that lets you build queries on the dataset which is really nice.
Also, the program has a report generator and scheduler that allows you to
set a report to be generated at a given time.  I have the scheduler send me
a daily report (done nightly) about traffic statistics, etc.  VERY NICE.

The only downfall is the cost.  The application was expensive and required
significant hardware for the DB Server and mgt workstation.


Matt McClung, CCSA/CCSE
Net.Works Security Engineer
mmcclung () ndwcorp com

-----Original Message-----
From: Csiri <Csiri () katherine nepszabadsag hu>
To: Firewall-Wizards <firewall-wizards () nfr net>
Date: Wednesday, February 17, 1999 5:30 PM
Subject: Re: analyzing firewall logs in a database


-----Original Message-----
From: Don Turnbull <donturn () fis utoronto ca>
To: Firewall-wizards <firewall-wizards () nfr net>
Date: February 16, 1999 4:22
Subject: analyzing firewall logs in a database


Hi,

Being relatively new to working with firewalls (but learning a lot by
listening to posts!), I'd like to ask if anyone has experience importing
log files into a database for more sophisticated querying than current
analysis programs (I'm thinking WebTrends, HitList, and Telemate). I
know Raptor has a "flatten" utility, but am looking for battle stories
about it or other tools that might be around.

thanks,


--
-------------------------
Don Turnbull
donturn () fis utoronto ca
http://donturn.fis.utoronto.ca/



Logging to file is much better (so faster) than logging to a database
(directly).
If you have a good analyzer program it doesn't matter how the data is stored, but
if you don't have unnecessary free disk space it's not a good idea to keep
logfiles in their original form.
If you have free capacity for that, I suggest making your own querying tool,
based on your own designed database where only the wanted data gets in.
Don't forget to store the data as briefly as you can.
(E.g. you can store the request type as "GET", "POST", "HEAD", but you
can store it as 0, 1, 2 too.)
I know only WebTrends from the above analyzers; it's really stupid and very,
very slow.
Bye

Csiri
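An added example, not code from any poster in this thread or from XaCCT, of the approach Csiri describes and Matt's nightly report: parse only the wanted fields out of a firewall log, store actions and protocols as small integer codes and addresses as packed integers, and then answer the questions with SQL. The log line format, the sample lines and the code tables are constructed for the example; real firewall formats differ, so the regular expression is the part you would replace.

```python
"""Compact firewall-log database with coded fields (added illustration).

Not the code of any poster or product in the thread. The log format,
the sample lines and the action/protocol code tables are constructed
assumptions for this example.
"""
import re
import sqlite3
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed log format (assumption), one record per line:
# <date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> <bytes>
LOG_LINES = """\
1999-02-17 09:01:12 ACCEPT TCP 10.1.2.3:40112 -> 192.0.2.10:80 5120
1999-02-17 09:01:15 DROP TCP 198.51.100.7:51324 -> 10.1.2.3:23 60
1999-02-17 09:02:01 ACCEPT UDP 10.1.2.4:5353 -> 192.0.2.53:53 140
1999-02-17 23:59:59 DROP ICMP 198.51.100.7:0 -> 10.1.2.255:0 84
1999-02-18 00:00:03 ACCEPT TCP 10.1.2.3:40113 -> 192.0.2.10:443 20480
this line is garbage and is counted as unparsed, not silently dropped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>[A-Z]+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<bytes>\d+)$"
)

# Small integer codes instead of repeated strings ("GET/POST/HEAD as 0, 1, 2").
ACTION_CODES = {"ACCEPT": 0, "DROP": 1, "REJECT": 2}
PROTO_CODES = {"TCP": 0, "UDP": 1, "ICMP": 2}

SCHEMA = """
CREATE TABLE action (code INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE proto  (code INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE fwlog (
    ts     INTEGER NOT NULL,   -- seconds since the epoch (UTC), not a text stamp
    action INTEGER NOT NULL REFERENCES action(code),
    proto  INTEGER NOT NULL REFERENCES proto(code),
    src    INTEGER NOT NULL,   -- IPv4 address packed as a 32-bit integer
    dst    INTEGER NOT NULL,
    dport  INTEGER NOT NULL,
    bytes  INTEGER NOT NULL
);
CREATE INDEX fwlog_ts ON fwlog(ts);
"""


def parse_line(line):
    """Return a compact row tuple for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    action = ACTION_CODES.get(m["action"])
    proto = PROTO_CODES.get(m["proto"])
    if action is None or proto is None:
        return None  # unknown action/protocol: report it rather than guess a code
    stamp = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    ts = int(stamp.replace(tzinfo=timezone.utc).timestamp())
    return (ts, action, proto, int(ip_address(m["src"])), int(ip_address(m["dst"])),
            int(m["dport"]), int(m["bytes"]))


def load(lines):
    """Load log lines into an in-memory SQLite db; return (conn, unparsed_count)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO action VALUES (?, ?)", [(c, n) for n, c in ACTION_CODES.items()])
    conn.executemany("INSERT INTO proto VALUES (?, ?)", [(c, n) for n, c in PROTO_CODES.items()])
    rows, unparsed = [], 0
    for line in lines:
        row = parse_line(line)
        if row is None:
            unparsed += 1  # a parser that drops lines quietly hides gaps in the evidence
        else:
            rows.append(row)
    conn.executemany("INSERT INTO fwlog VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn, unparsed


def daily_report(conn):
    """Per-day, per-action connection and byte totals: the nightly summary query."""
    sql = """
    SELECT date(f.ts, 'unixepoch') AS day, a.name, COUNT(*), SUM(f.bytes)
    FROM fwlog f JOIN action a ON a.code = f.action
    GROUP BY day, a.name ORDER BY day, a.name
    """
    return conn.execute(sql).fetchall()


def top_dropped_sources(conn, limit=5):
    """Sources with the most dropped packets, codes translated back to dotted quads."""
    sql = """
    SELECT f.src, COUNT(*) AS n FROM fwlog f
    WHERE f.action = ? GROUP BY f.src ORDER BY n DESC, f.src LIMIT ?
    """
    rows = conn.execute(sql, (ACTION_CODES["DROP"], limit))
    return [(str(ip_address(src)), n) for src, n in rows]


if __name__ == "__main__":
    db, bad = load(LOG_LINES)
    print("unparsed lines:", bad)
    for row in daily_report(db):
        print(row)
    print(top_dropped_sources(db))
```

The code tables (`action`, `proto`) are what make the compact rows readable again in reports; keeping the count of unparsed lines is the check that the "only the wanted data" filter is not also discarding records a later query would have needed.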


