Penetration Testing mailing list archives

Re: [PEN-TEST] Analyzing Audit Log Data (incl. syslog)


From: Shaggy <mailtech2 () YAHOO COM>
Date: Thu, 28 Sep 2000 12:55:38 -0700

I've seen a particularly useful way of handling this. One company I've seen downloads syslog, sulog and other log data to a syslog server on an exported file system. An NT server with an NFS client accesses this data, which then serves as input into an Excel pivot table that massages the data into an easy-to-analyze format for the sys admin. A VB script is executed on the data, and any unusual activity these scripts are configured to identify appears in a formatted report, which then gets emailed to the appropriate person automatically.

A minor pain to get set up, but a snap to analyze the data.


--- Richard Hutchinson
<Richard.Hutchinson () OAG STATE TX US> wrote:
Michael:

I have been using a program for the last year or two to analyze data, including audit log programs. It will take a text file, ODBC-compliant database file, ASCII, PCASCII, EBCDIC, etc. and read the data into a format you can filter in any manner you want, such as by a particular userID. It is a really sophisticated query program built specifically for auditing large data files. The name is Audit Command Language. They have a demo version that will take a small file (48k) and do all the things the full-blown program will. You can check it out at www.acl.com, if you are interested.



_______________________________
Richard Hutchinson, CISA, CIA
IS Audit Manager
Internal Audit Division
Texas Office of the Attorney General
512-475-4927
E-Mail:  richard.hutchinson () oag state tx us


graham_michael () HOTMAIL COM 27 September, 2000

I hope this is the right sort of question.

Does anyone know of a package/application that uses the info created in the audit log of, say, NT or UNIX and enables administrators to drill down and get info about users' movements, like if someone is accessing loads of sensitive files/directories on a given day, etc.?

The reason I ask is this: the audit log doles out loads of info; however, I want to be able to interrogate it and apply particular search routines to it, to get that salient info only.

cheers

Mike





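As an added example that is not part of this thread: Shaggy describes a pipeline where collected syslog data is pivoted per user and a script flags unusual activity into a report, and Mike asks for a way to drill down on users touching lots of sensitive files on a given day. The Python below does the core of that check without Excel or VB: it parses syslog-style audit lines (the sample lines, the `audit:` key=value format, the host name and the sensitive path prefixes are all constructed assumptions, not a real log format or anything from the posts), counts sensitive-file accesses per user per day, and formats the rows over a threshold as the report that would be emailed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines in a syslog-like layout (assumption: not a real
# product's format). Denied attempts are counted too, since repeated denials on
# sensitive paths are exactly the kind of activity an auditor wants surfaced.
SAMPLE_LOG = """\
Sep 27 09:12:01 fileserv audit: user=alice action=open path=/finance/payroll.xls result=ok
Sep 27 09:12:05 fileserv audit: user=alice action=open path=/finance/budget.xls result=ok
Sep 27 09:13:44 fileserv audit: user=bob action=open path=/public/readme.txt result=ok
Sep 27 10:01:10 fileserv audit: user=carol action=open path=/hr/salaries.doc result=ok
Sep 27 10:01:12 fileserv audit: user=carol action=open path=/hr/reviews.doc result=ok
Sep 27 10:01:15 fileserv audit: user=carol action=open path=/finance/payroll.xls result=ok
Sep 27 10:01:20 fileserv audit: user=carol action=open path=/finance/ledger.xls result=denied
Sep 27 10:01:25 fileserv audit: user=carol action=open path=/hr/contracts.doc result=ok
Sep 28 08:30:00 fileserv audit: user=carol action=open path=/hr/contracts.doc result=ok
Sep 27 11:00:00 fileserv sshd[123]: Accepted password for bob from 10.0.0.5
"""

# syslog timestamps carry no year; the caller supplies it (assumption: one year per file).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) audit: (?P<kv>.*)$')

# Hypothetical directory prefixes that count as "sensitive" for this site.
SENSITIVE_PREFIXES = ('/finance/', '/hr/')


def parse_audit_line(line, year=2000):
    """Return a dict of fields for an audit line, or None for non-audit lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split('=', 1) for kv in m.group('kv').split() if '=' in kv)
    fields['date'] = ts.date().isoformat()
    fields['host'] = m.group('host')
    return fields


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def count_sensitive_access(log_text):
    """Map (user, date) -> number of open attempts on sensitive paths."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec.get('action') != 'open':
            continue
        if is_sensitive(rec.get('path', '')):
            counts[(rec['user'], rec['date'])] += 1
    return dict(counts)


def flag_unusual(counts, threshold=3):
    """Rows at or above the per-day threshold, sorted for a stable report."""
    return sorted((user, date, n) for (user, date), n in counts.items() if n >= threshold)


def format_report(flags):
    """Plain-text table; this string is what the pipeline would email out."""
    lines = ["user        date        sensitive_accesses"]
    for user, date, n in flags:
        lines.append(f"{user:<11} {date:<11} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(flag_unusual(count_sensitive_access(SAMPLE_LOG))))
```

Run as-is it reports only carol on 2000-09-27 (five sensitive opens, one of them denied); alice's two opens stay under the threshold and the sshd line is ignored because it is not an `audit:` record. The threshold and prefix list are the two knobs a sys admin would tune per site, which is the same role the "configured to identify" step plays in Shaggy's VB scripts.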

