Penetration Testing mailing list archives

Re: [PEN-TEST] Analyzing Audit Log Data (incl. syslog)


From: Fred Mobach <fred () MOBACH NL>
Date: Fri, 29 Sep 2000 22:50:50 +0200

Shaggy wrote:

I've seen a particularly useful way of handling this. One Company I've seen downloads syslog, sulog and other log data to a syslog server on an exported file system. An NT server with an NFS client accesses this data, which then serves as input into an Excel pivot table that massages the data into an easy-to-analyze format for the sys admin. A VB script is executed on the data and any unusual activity these scripts are configured to identify appears in a formatted report, which then gets emailed to the appropriate person automatically.

Perhaps that Company is very happy with that solution but my mileage varies.

First, a syslog server might receive syslog messages from a defined range of
computers. Better would be to use the secure syslog protocol.

Second, that syslog server might accept SSH connections.

Third, any other IP traffic is discarded.

And with this policy many security-aware people are flaming me because I
trust this construction.

The use of NFS -which is insecure by default- should not be encouraged on a
log server.

I don't want to speak of NT, Excel or VB. First, I don't want to use those in
a secured environment. Second, I don't work in non-secured environments.


A minor pain to get set up, but a snap to analyze the data.

And a snap for the cracker ;-).

Regards,

Fred Mobach
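The first point of the policy Fred describes above (a log server that only accepts syslog from a defined range of computers, and drops everything else) can be illustrated with a small UDP syslog receiver. This is an added example written for this archive page, not code from either poster: it enforces a sender allowlist before parsing, decodes the RFC 3164 PRI field into facility and severity, and rejects malformed datagrams. The networks in ALLOWED_SENDERS, the sample datagrams, and the listening port 5514 (514/udp needs privileges) are all constructed for the example. Note that a source-address allowlist on UDP is a coarse filter, not authentication, since UDP source addresses can be forged; that is the gap the "secure syslog protocol" remark is about.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist: the "defined range of computers" allowed to send syslog.
ALLOWED_SENDERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.10/32")]

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<n>" at the very start of the message; n = facility * 8 + severity, max 191.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class LogRecord:
    sender: str
    facility: str
    severity: str
    text: str


def sender_allowed(addr: str) -> bool:
    """True when addr lies inside one of the configured sender networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SENDERS)


def parse_pri(message: str) -> Optional[Tuple[str, str, str]]:
    """Split a syslog line into (facility, severity, remainder); None if malformed."""
    m = _PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def process_datagram(sender: str, payload: bytes) -> Tuple[Optional[LogRecord], Optional[str]]:
    """Apply the allowlist first, then parse; return (record, None) or (None, reason)."""
    if not sender_allowed(sender):
        return None, "sender not in allowed range"
    parsed = parse_pri(payload.decode("utf-8", errors="replace"))
    if parsed is None:
        return None, "malformed PRI"
    facility, severity, text = parsed
    return LogRecord(sender, facility, severity, text), None


def process_batch(datagrams: Iterable[Tuple[str, bytes]]) -> Tuple[List[LogRecord], List[Tuple[str, str]]]:
    """Run process_datagram over (sender, payload) pairs; collect accepted and rejected."""
    accepted, rejected = [], []
    for sender, payload in datagrams:
        record, reason = process_datagram(sender, payload)
        if record is None:
            rejected.append((sender, reason))
        else:
            accepted.append(record)
    return accepted, rejected


# Constructed sample traffic: two valid messages from allowed hosts, one from an
# outside address, and one malformed datagram from an allowed host.
SAMPLE_DATAGRAMS = [
    ("192.0.2.7", b"<34>Sep 29 22:50:50 gw su: 'su root' failed for shaggy on /dev/pts/1"),
    ("198.51.100.10", b"<86>Sep 29 22:51:02 db sshd[1234]: Accepted publickey for fred"),
    ("203.0.113.5", b"<13>Sep 29 22:51:10 outsider logger: hello"),
    ("192.0.2.7", b"garbage without a PRI field"),
]


def serve(bind: str = "0.0.0.0", port: int = 5514) -> None:
    """Blocking UDP receiver applying the same policy to live datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            payload, (sender, _port) = sock.recvfrom(8192)
            record, reason = process_datagram(sender, payload)
            if record is None:
                print(f"DROP {sender}: {reason}")
            else:
                print(f"{record.severity.upper():8} {record.facility:8} {record.sender} {record.text}")


if __name__ == "__main__":
    accepted, rejected = process_batch(SAMPLE_DATAGRAMS)
    for r in accepted:
        print(f"ACCEPT {r.sender} {r.facility}.{r.severity}: {r.text}")
    for sender, reason in rejected:
        print(f"DROP   {sender}: {reason}")
```

Run as-is to see the policy applied to the constructed sample; call serve() to listen for real datagrams. The allowlist check deliberately runs before any parsing so that an unexpected host never gets its bytes interpreted at all.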

