-
Central log collection
Hi,
what are some of the ways you collect logs from the various machines in your working environment
to a central location for correlation? Any solutions out there on the market that deal with centralised logging and correlation? My wish is to collect all the logs, whether they are Windows event logs, application logs or Unix syslogs; I want them to go to one place for log correlation purposes.
Thanks
-
NetForensics and CA Command Center do this work.
I have used NetForensics to collect logs from firewalls, IDS and various other devices.
Maybe some senior members might know much more... please share.
-
-
For central logging I use syslog-ng along with stunnel for secure transmission of log events over the network.
http://www.balabit.com/products/syslog_ng/
-
There are plenty of different products out there that gather this data to a central location. We looked at doing that, but the cost was a bit prohibitive to us during the research phase (about two years ago).
Instead, we just set up scheduler jobs and cron jobs to copy the pertinent logs via SCP to a central server. We then wrote a pretty basic Perl program that parses the logs and creates an email with the information we request. Then we modified the parser program to allow ad hoc searches of single or multiple logs.
This is only good for viewing the logs the day after though, and no real-time auditing happens with this. We have other watcher scripts running on the servers that create SNMP traps that trigger alerts for real-time log watching :)
This has worked very well for us over the past two years, and we have over 200 servers that we collect logs from at this point. From time to time we do have issues with servers not copying their logs, but that is easy enough to catch.
-
Tiger Shark has a nice write-up but his tools are a little old.
Actually you can replace all those with PureSecure's replacement, Sentarus.
There's a free HomeAdmin edition but it does require a dedicated box.
When used with the host agents you can parse out text logs on any *nix or Win32 system, monitor Win32 event logs and a ton of other stuff.
I'm not sure about log correlation though. I know it correlates logs to network attacks but it doesn't correlate log files with log files on other hosts. That would take some manual work, but at least you can parse all your log files from different hosts, display it all on one page and set thresholds for occurrences.
Here's a link to HomeAdmin:
http://www.demarc.com/downloads/sentarus_fm/
-
I'd have to pay for Sentarus at work.... Can't do that.... Money is tight....
...and how configurable is it? I can change my script any time I like for almost anything I like. Can Sentarus?
Thanks for the props though.... It took a while to scribble and I needed 3 different crayons.... ;)
-
Yeah, licenses sure can be a pain, but it was the same with PureSecure I believe.
I haven't used all the functionality, but I have a host agent on a server I have across the country and, for example, I set it up to look for "failed root logins" in the syslog. I could very easily change that to whatever I want, or the file or the threshold, so it's very configurable. Maybe even too configurable; it would be nice if there was a policy feature where I could click a button to monitor the basic stuff, but it does require you to know your server and put in certain parameters.
-
Hi,
so now, after some thinking, I decided to use syslog as the mechanism for log collection.
I installed WinSyslog on a Windows machine which I am using for collection of syslog logs from my Unix machines as well as Windows machines (using EventReporter).
Now I need to do something with these logs collected, like doing a report or doing some analysis.
Can anyone recommend some tools (free or cheap ones) that can help to analyse those syslog entries?
Thanks
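As an added illustration for this last question (example code written for this page, not anything posted in the thread and not part of WinSyslog, EventReporter or syslog-ng): a small Python script that parses BSD-style syslog lines the way a central collector would have written them to disk, counts failed root logins per host against a threshold inside a time window (the check one poster described configuring on a host agent), and then correlates across hosts by source address, which is the cross-host correlation the original question asked about and which the single-host agents were said not to do. The host names, addresses and log lines are constructed for the example; the `sshd` message format is the common OpenSSH one, and the threshold and window values are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of centrally collected BSD-style syslog lines.
# Hosts and addresses are hypothetical (documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:01:05 web01 sshd[2211]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 10:01:07 web01 sshd[2211]: Failed password for root from 192.0.2.10 port 51023 ssh2
Mar  3 10:01:09 web01 sshd[2213]: Failed password for root from 192.0.2.10 port 51024 ssh2
Mar  3 10:01:20 db01 sshd[901]: Failed password for root from 192.0.2.10 port 40211 ssh2
Mar  3 10:02:00 db01 sshd[903]: Accepted password for alice from 198.51.100.7 port 40300 ssh2
Mar  3 10:02:31 web02 sshd[77]: Failed password for root from 192.0.2.10 port 33001 ssh2
Mar  3 10:03:00 web02 cron[80]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:05:00 web01 sshd[2220]: Failed password for bob from 203.0.113.9 port 51100 ssh2
"""

# "Mon DD HH:MM:SS host program[pid]: message" -- the classic BSD syslog layout.
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH authentication failure message.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_line(line, year=2024):
    """Split one syslog line into fields; BSD syslog carries no year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def failed_logins(lines):
    """Return only sshd failed-password events, with user and source address extracted."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            events.append({**rec, "user": f["user"], "src": f["src"]})
    return events


def per_host_alerts(events, user="root", threshold=3, window_seconds=300):
    """Alert when one host sees >= threshold failures for `user` inside a sliding window."""
    alerts = {}
    by_host = defaultdict(list)
    for e in events:
        if e["user"] == user:
            by_host[e["host"]].append(e["ts"])
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


def cross_host_sources(events, user="root", min_hosts=2):
    """Correlate across hosts: sources that failed `user` logins on >= min_hosts distinct hosts."""
    hosts_by_src = defaultdict(set)
    for e in events:
        if e["user"] == user:
            hosts_by_src[e["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= min_hosts}


def build_report(text):
    """Summarise a collected log file: totals, per-host threshold alerts, cross-host sources."""
    events = failed_logins(text.splitlines())
    return {
        "failed_root_events": sum(1 for e in events if e["user"] == "root"),
        "per_host_alerts": per_host_alerts(events),
        "cross_host_sources": cross_host_sources(events),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the per-host check fires only for web01 (three failures in four seconds), while the cross-host view shows the same source address touching web01, db01 and web02, which none of the individual counts would reveal. The same two functions can be pointed at a real collector's daily file by replacing `SAMPLE_LOG` with the file contents; the `year` argument to `parse_line` matters for logs that span New Year.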