Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Analyzing Audit Log Data (incl. syslog)
From: Fred Mobach <fred () MOBACH NL>
Date: Fri, 29 Sep 2000 22:50:50 +0200

Shaggy wrote:

I've seen a particularly useful way of handling this.
One Company I've seen downloads syslog, sulog and
other
log data to a syslog server on an exported file
system.  An NT server with an NFS client accesses this
data, which then serves as input into an Excel pivot
table that massages the data into an easy-to-analyze
format for the sys admin.  A VB script is executed on
the data and any unusual activity these scripts are
configured to identify appears in a formatted report,
which then gets emailed to the appropriate person
automatically.

Perhaps that Company is very happy with that solution but my milage varies.

First, a syslog server might recieve syslog messages from a defined range of
computers. Better were to use the secure syslog protocol.

Second, that syslog server might accept SSH connections.

Third, any other IP traffic is disgarded.

And with this policy many security-aware people are flaming me because I
trust this construction.

The use of NFS -which is insecure by default- should not be encouraged on a
log server.

I don't want to speak of NT, Excel or VB. First I don't want to use those in
a secured environment. Second, I don't work in not-secured environments.


A minor pain to get set up, but a snap to analyze the
data.

And a snap for the cracker ;-).

Regards,

Fred Mobach


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]