
SANS ISC: InfoSec Handlers Diary Blog



Syslog'n with the best of 'em;

Published: 2005-04-19
Last Updated: 2005-04-20 00:08:15 UTC
by Tony Carothers (Version: 1)

Syslog - What's your flavor?




(1654GMT) **I would like to point out that this is a platform-independent discussion today; we'd like to hear from Windows, *nix, and network administrators.**


To 'borrow' from the Great One's format yesterday, we are having an ongoing discussion about syslog'ing. We thought we'd open it up to you, get your feedback, and see what is working in the world today. (We will not be disclosing company names, to help protect infrastructure.) Submit your ideas to us on our 'Contact' page and we'll get them added in.




Rafael Hashimoto mentions one thing I'd like to get up front: "The most important decision about syslogging is what are you going to do with all the fine data that you gathered. Logging without monitoring is useless, so a proper policy, procedures and tools to manage them is essential." While some would disagree, policies and procedures are critical to a solid information security implementation; if for nothing else, the historical data is then there for review and inspection when you need it.


(1526GMT) While Christopher uses syslog to keep up with what's going on in his world, Keith primarily uses Kiwi to help gather it for analysis. Whatever method is used to gather the information, it is best reviewed on a regular basis, as Rafael mentioned :-)



Jean-Francois has been using syslog-ng for more than 4 years now, and it works great. He also mentioned "playing with php-syslog-ng with added functionalities developed by my good friend Jason Taylor (http://deathstar.com/PhpSyslogNG/)".



One reader, who requested to remain anonymous, submitted an excellent site, well worth the visit:

- VB.NET - http://scaleovenstove.blogspot.com/2005/04/how-to-make-your-own-syslog-sever-in.html



(1725GMT) Nathan Bates wrote in with some good ideas, as well as a great tool for parsing, correlating, and notifying on events. Using syslogd and Logic (the tool mentioned in the link below), he runs two syslogd servers to stay on top of what's going on.


https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys




(1958GMT) Dean De Beer writes "We use Eventsentry from Netikus. We are a Windows only shop (we have a few Linux Snort IDSes though). Eventsentry installs a service on the servers and/or workstations and logs all events or only specified events back to a MySQL database. It has an .asp or .php web front-end that allows for reading and querying the databases. It's pretty easy to configure too."





Cornelius Bartke writes "it is of paramount importance that syslog entries are made with the correct time stamp. If no ntp service is available, GPS- or radio-controlled clocks ("DCF77") are alternatives to keep the hosts synchronized." Good point: log analysis across hosts depends on accurate, synchronized clocks, since correlating events from machines whose clocks disagree is guesswork.
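As an added example (not part of this diary or of any reader's submission), the following Python script puts Rafael's point about monitoring and Cornelius's point about timestamps into working code. It parses BSD-style syslog lines of the kind syslogd emitted in 2005 (the format later documented as RFC 3164, which carries no year and no time zone), flags hosts whose device timestamp drifts more than five minutes from the collector's receive time, and raises an alert when a single source address produces three failed logins within five minutes. The log lines, host names, addresses, and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: RFC 3164-style lines as a central collector
# would store them, paired with the collector's own receive time.
# web2's fifth line shows a clock that is hours behind the collector.
RECEIVED = [
    ("2005-04-19 16:54:01", "<38>Apr 19 16:54:00 fw1 sshd[2211]: Failed password for root from 10.1.1.9 port 4022 ssh2"),
    ("2005-04-19 16:54:03", "<38>Apr 19 16:54:02 fw1 sshd[2212]: Failed password for root from 10.1.1.9 port 4023 ssh2"),
    ("2005-04-19 16:54:05", "<38>Apr 19 16:54:04 fw1 sshd[2213]: Failed password for admin from 10.1.1.9 port 4024 ssh2"),
    ("2005-04-19 16:54:06", "<38>Apr 19 16:54:05 fw1 sshd[2214]: Accepted password for admin from 10.1.1.9 port 4025 ssh2"),
    ("2005-04-19 16:55:10", "<38>Apr 19 13:02:41 web2 sshd[919]: Failed password for www from 10.1.1.9 port 5100 ssh2"),
    ("2005-04-19 16:55:11", "<13>Apr 19 16:55:11 web2 cron[104]: (root) CMD (run-parts /etc/cron.hourly)"),
]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

MAX_SKEW_SECONDS = 300       # assumed threshold: flag clocks more than 5 minutes apart
FAILED_LOGIN_THRESHOLD = 3   # assumed threshold: alert on the third failure from one source
WINDOW = timedelta(minutes=5)


def parse(received_at, line):
    """Parse one RFC 3164 line; return a dict of fields, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    recv = datetime.strptime(received_at, "%Y-%m-%d %H:%M:%S")
    # RFC 3164 timestamps carry no year, so borrow the collector's year.
    dev = datetime.strptime(f"{recv.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,      # PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
        "device_time": dev,
        "received_at": recv,
        "skew": abs((recv - dev).total_seconds()),
    }


def analyze(received):
    """Run two checks over the stored lines: clock skew per host, brute force per source IP."""
    events = [e for e in (parse(r, l) for r, l in received) if e]

    # Check 1: hosts whose own timestamp disagrees with the collector's clock.
    skewed = sorted({e["host"] for e in events if e["skew"] > MAX_SKEW_SECONDS})

    # Check 2: repeated failed logins from one source within the window.
    # Correlation uses the collector's receive time, not the device time,
    # precisely because a device clock may be wrong (see check 1).
    attempts = defaultdict(list)
    alerts = []
    for e in events:
        fm = FAILED_RE.search(e["msg"])
        if not fm:
            continue
        src = fm.group("src")
        attempts[src] = [t for t in attempts[src] if e["received_at"] - t <= WINDOW]
        attempts[src].append(e["received_at"])
        if len(attempts[src]) == FAILED_LOGIN_THRESHOLD:
            alerts.append((src, e["received_at"]))

    return {"events": len(events), "skewed_hosts": skewed, "bruteforce": alerts}


if __name__ == "__main__":
    result = analyze(RECEIVED)
    print(f"parsed {result['events']} events")
    for host in result["skewed_hosts"]:
        print(f"CLOCK SKEW: {host} differs from the collector by more than {MAX_SKEW_SECONDS}s")
    for src, when in result["bruteforce"]:
        print(f"ALERT: {FAILED_LOGIN_THRESHOLD} failed logins from {src} by {when:%H:%M:%S}")
```

Run against the sample, the script reports web2 as skewed (its device time is almost four hours behind the collector) and one brute-force alert for 10.1.1.9 at 16:54:05. Correlating on the collector's receive time is a workaround, not a substitute for NTP: if the forwarding path buffers or delays messages, receive time drifts too, which is why the reader's advice to keep every host synchronized (by NTP, GPS, or DCF77) is the real fix.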




(2115GMT) Another reader submits that they "use syslogd and have it rolled into our SSL-secured MRTG front-end, which gives us a one stop place to view all of our gathered network statistics." Event correlation for review purposes (one-stop reviewing, so to speak) makes life much easier in determining what's going on in the world.

(2359GMT) Summary of the day's activities




To say the least it has been an interesting day, with some great input from you, the readers. First off, I'd like to send a big "Thank you" out to all those who submitted today. I hope that I have conveyed your messages accurately. Second, it is the hope of all the Handlers that we have passed on some good information to give you some new ideas, tools, and processes to better protect your network and systems. Last, I'd like to say "Thank you" to my co-Handlers for keeping me on my toes.



Have a great night/day!

Tony Carothers

Information Systems Support, Inc.

Handler on Duty

tony dot carothers at gmail dot com