Re: Event correlation engine?

[Rich Adamson <radamson () routers com>]

> We're doing that here. You do have to have everything logging in one
> network-enabled format so that you can centralize. And some things such as
> IIS web logs really aren't appropriate due to their volume. 
>
> i.e. you need syslog
>
> For all the knocking it gets, syslog is still 'Da Man! :-)

I agree 100%, been doing that for a number of years.

> We have all our routers, firewalls, switches, PRINTERS ;-), Unix and Windows
> boxes logging via syslog to central syslog-ng servers, and use swatch to
> trigger real-time alerts. I wrote a generalized alert interface in PHP with
> which we manage what we want to trigger alerts on, and a "pager" app which
> sends alerts via e-mail/TAP/SMS. Oh yeah - and it's timezone aware too, and
> you can understands concepts such as "work time" [9-5 weekdays], "awake
> time" [7-10 any day], "other time" [anything not already matched]. This
> allows us to do follow-the-sun alerting over our world-wide network...
>
> All doable :-)

Doing that... in fact we wrote a syslog app (called NetLogger) that is the
repository for all logging, and it includes a rules-based notification
system in addition to multiple "infrastructure" monitoring tools (eg, are
your dns servers truly functional and handing out correct responses, are 
key web servers responding with correct (or unmodified) pages). It also 
forwards user-selected messages to other copies of NetLogger (eg, one copy 
at security manager's desk, another at help desk, another at some distant
location, another for group managers, etc, etc). Plus, it handles 2-way
pager notification, cell phone text messages, email, PDA alerts, etc.

What it doesn't handle (today) is the correlation piece. If event "A" and
event "B" and event "C" happen within some predetermined amount of time,
then generate an alert that contains an understandable message of less
then 135 characters (as one example).

Since all logging records are being kept in a common location (regardless 
of whether the data is in a database, flat file, or whatever), it would
seem to be relatively easy to run some form of engine against that data
to seek out certain relationships or sequences that have significantly
more meaning then what each message might contain. That's the piece I'm
looking for.

Rich




-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users