Penetration Testing mailing list archives
Re: [PEN-TEST] Analyzing Audit Log Data (incl. syslog)
From: Fred Mobach <fred () MOBACH NL>
Date: Fri, 29 Sep 2000 22:50:50 +0200
Shaggy wrote:
> I've seen a particularly useful way of handling this. One company I've seen downloads syslog, sulog and other log data to a syslog server on an exported file system. An NT server with an NFS client accesses this data, which then serves as input into an Excel pivot table that massages the data into an easy-to-analyze format for the sysadmin. A VB script is executed on the data, and any unusual activity these scripts are configured to identify appears in a formatted report, which then gets emailed to the appropriate person automatically.
Perhaps that company is very happy with that solution, but my mileage varies. First, a syslog server might receive syslog messages from a defined range of computers. Better would be to use the secure syslog protocol. Second, that syslog server might accept SSH connections. Third, any other IP traffic is discarded. And with this policy many security-aware people are flaming me because I trust this construction. The use of NFS (which is insecure by default) should not be encouraged on a log server. I don't want to speak of NT, Excel or VB. First, I don't want to use those in a secured environment. Second, I don't work in unsecured environments.
> A minor pain to get set up, but a snap to analyze the data.
And a snap for the cracker ;-).

Regards, Fred Mobach
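The first rule Fred describes, a log server that accepts syslog only from a defined range of computers, is easy to state and easy to get wrong. The following is an added example, not code from the original thread or from either poster: a source allow-list plus a strict RFC 3164 parser for a UDP syslog collector, so that a datagram from an unexpected sender, or one that is not well-formed syslog, is dropped before it ever reaches the log store. The allowed ranges, host names and sample datagrams are all constructed for the example.

```python
"""Source allow-list and RFC 3164 parsing for a UDP syslog collector.

Added example: accept syslog datagrams only from a defined set of sender
ranges, drop anything else, and refuse malformed datagrams rather than
storing them. Addresses and sample datagrams below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical sender ranges; a real deployment lists its own log sources.
ALLOWED_SOURCES = [
    ipaddress.ip_network("192.0.2.0/24"),      # a subnet of log clients
    ipaddress.ip_network("198.51.100.10/32"),  # a single host
]

# RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME MSG, timestamp "Mmm dd hh:mm:ss"
# (day is space-padded, hence "[ \d]\d"). PRI is facility*8 + severity.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
MAX_DATAGRAM = 1024  # RFC 3164 section 4.1 upper bound on a datagram
MAX_PRI = 191        # facility 23, severity 7


@dataclass
class SyslogEvent:
    src: str
    facility: int
    severity: int
    timestamp: str
    host: str
    msg: str


def source_allowed(src_ip: str) -> bool:
    """True only if src_ip parses and lies in one of ALLOWED_SOURCES."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def parse_syslog(src_ip: str, datagram: bytes) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None if the datagram must be dropped."""
    if not source_allowed(src_ip):
        return None
    if len(datagram) > MAX_DATAGRAM:
        return None
    try:
        text = datagram.decode("ascii")  # RFC 3164 payloads are 7-bit ASCII
    except UnicodeDecodeError:
        return None
    m = _SYSLOG_RE.match(text)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > MAX_PRI:
        return None
    return SyslogEvent(src_ip, pri // 8, pri % 8,
                       m.group("ts"), m.group("host"), m.group("msg"))


def filter_datagrams(packets):
    """Split (src_ip, datagram) pairs into accepted events and a drop count."""
    accepted, dropped = [], 0
    for src, data in packets:
        ev = parse_syslog(src, data)
        if ev is None:
            dropped += 1
        else:
            accepted.append(ev)
    return accepted, dropped


# Constructed sample traffic: two valid datagrams from allowed senders,
# one from an unknown host, one malformed payload from an allowed host.
SAMPLE_DATAGRAMS = [
    ("192.0.2.5", b"<34>Sep 29 22:50:50 host1 su: 'su root' failed for lonvick on /dev/pts/8"),
    ("198.51.100.10", b"<13>Sep  9 08:00:01 host2 sshd[512]: Accepted publickey for fred from 192.0.2.5 port 40000 ssh2"),
    ("203.0.113.9", b"<34>Sep 29 22:51:00 rogue su: 'su root' failed for nobody"),
    ("192.0.2.7", b"not a syslog datagram"),
]

if __name__ == "__main__":
    events, n_dropped = filter_datagrams(SAMPLE_DATAGRAMS)
    for ev in events:
        print(f"{ev.src} fac={ev.facility} sev={ev.severity} {ev.host}: {ev.msg}")
    print(f"dropped {n_dropped}")
```

The allow-list is applied before the payload is even decoded, so a sender outside the configured ranges costs nothing beyond one address lookup; in practice the same ranges belong in the host's packet filter as well, since a user-space check is no substitute for Fred's third rule of discarding all other IP traffic.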