Thread: central logs collection

  1. #1

    central logs collection

    Hi,
    What are some of the ways you collect the logs of the various machines in your working environment to a central location for correlation? Are there any solutions on the market that deal with centralised logging and correlation? My wish is to collect all the logs; whether they are Windows event logs, application logs or Unix syslogs, I want them to go to one place for log correlation purposes.
    Thanks

  2. #2
    Member
    Join Date
    Aug 2004
    Posts
    95
    NetForensics and CA commandcentr do this work.
    I have used NetForensics to collect logs from firewalls, IDS and various other devices.

    Maybe some senior members know much more... please share.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Try this.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member
    Join Date
    May 2004
    Posts
    274
    For central logging I use syslog-ng along with stunnel for secure transmission of log events over the network.
    http://www.balabit.com/products/syslog_ng/
    Excuse me, is there an airport nearby large enough for a private jet to land?

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    There are plenty of different products out there that gather this data to a central location. We looked at doing that, but the cost was a bit prohibitive to us during the research phase (about two years ago).

    Instead we just set up scheduler jobs, and cron jobs, to copy the pertinent logs via SCP to a central server. We then wrote up a pretty basic Perl program that parses the logs and creates an email with the information we request. Then we modified the parser program to allow ad hoc searches of single or multiple logs.

    This is only good for viewing logs the day after though, and no real-time auditing happens with this. We have other watcher scripts running on the servers that create SNMP traps that trigger alerts for real-time log watching.

    This has worked very well for us over the past two years, and we have over 200 servers that we collect logs from at this point. From time to time we do have issues with servers not copying their logs though, but that is easy enough to catch.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Tiger Shark has a nice write-up but his tools are a little old.
    Actually you can replace all those with PureSecure's replacement, Sentarus.
    There's a free HomeAdmin edition but it does require a dedicated box.
    When used with the host agents you can parse out text logs on any *nix or Win32 system, monitor Win32 event logs and a ton of other stuff.

    I'm not sure about log correlation though. I know it correlates logs to network attacks but it doesn't correlate log files between log files on other hosts. That would take some manual work, but at least you can parse all your log files from different hosts, display it all on one page and set a threshold for occurrences.

    Here's a link to HomeAdmin:
    http://www.demarc.com/downloads/sentarus_fm/
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'd have to pay for Sentarus at work.... Can't do that.... Money is tight....

    ...and how configurable is it? I can change my script any time I like for almost anything I like. Can Sentarus?

    Thanks for the props though.... It took a while to scribble and I needed 3 different crayons....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Yeah, licenses sure can be a pain but it was the same with PureSecure, I believe.

    I haven't used all the functionality but I have a host agent on a server I have across country and, for example, I set it up to look for "failed root logins" in the syslog. I could very easily change that to whatever I want, or the file, or the threshold, so it's very configurable. Maybe even too configurable; it would be nice if there was a policy feature where I could click a button to monitor the basic stuff, but it does require you to know your server and put in certain parameters.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  9. #9
    Hi,
    So now, after some thinking, I decided to use syslog as the mechanism for log collection.
    I installed WinSyslog on a Windows machine which I am using for collection of syslog logs from my Unix machines as well as Windows machines (using EventReporter).
    Now I need to do something with the logs collected, like doing a report or some analysis.
    Can you recommend some tools (free or cheap ones) that can help to analyse those syslog entries?
    Thanks
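
Added example, not written by any poster in this thread: one way to analyse syslog entries gathered on a central collector, using the "failed root logins" threshold idea from post #8 plus the cross-host correlation that post #6 says takes manual work. The sample lines, host names, addresses, the sshd message wording and the default year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: BSD-syslog lines as a central collector might store them.
SAMPLE = """\
Mar  3 02:14:01 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:09 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 02:14:15 web01 sshd[811]: Failed password for root from 203.0.113.7 port 40115 ssh2
Mar  3 02:15:30 db01 sshd[402]: Failed password for root from 203.0.113.7 port 51200 ssh2
Mar  3 02:16:02 db01 sshd[402]: Accepted password for backup from 192.0.2.10 port 51877 ssh2
Mar  3 09:40:00 mail01 sshd[77]: Failed password for root from 198.51.100.4 port 33000 ssh2
"""

# Assumed message format: OpenSSH-style "Failed password for root from <addr>".
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                  r"Failed password for root from (\S+) ")

def parse(text, year=2024):
    """Yield (timestamp, host, source) per failed root login; BSD syslog omits the year."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def noisy_hosts(events, threshold=3, window=timedelta(minutes=5)):
    """Hosts with at least `threshold` failed root logins inside one time window."""
    by_host = defaultdict(list)
    for ts, host, _src in events:
        by_host[host].append(ts)
    flagged = []
    for host, times in sorted(by_host.items()):
        times.sort()
        # Pair each event with the one threshold-1 places later.
        if any(b - a <= window for a, b in zip(times, times[threshold - 1:])):
            flagged.append(host)
    return flagged

def shared_sources(events, min_hosts=2):
    """Cross-host correlation: sources that failed root logins on several hosts."""
    hosts = defaultdict(set)
    for _ts, host, src in events:
        hosts[src].add(host)
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    print(noisy_hosts(events), shared_sources(events))
```

Pass the functions a list rather than the generator from `parse`, since each one iterates over the events.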
