[c-nsp] Providing 3rd party access to logs (syslog)

Kris Price cisco-nsp at punk.co.nz
Thu Aug 16 08:06:04 EDT 2007


Joy of security logs

You don't make much mention about what monitoring/alerting/reporting 
you're needing to do or what the scale of this is, but I'm guessing 
small...?

For a "managed security service" of lots of firewalls with more 
customers coming online, some sort of SEM might be nice that'll take 
care of all of this (and it's a selling point to your customers).

I've done a lot of SEM both on Unix using custom scripts/logsurfer/etc., 
some custom SQL databases with simple front ends, and more recently a 
lot using ArcSight (unfortunately with a lot of database customisation 
for reporting). It really does make life easier to have it all in one 
place and be able to query it.

If this is a one-off then maybe something free like OSSIM might fit the 
bill (but I've never used it). If all they need is plain log files for 
occasional audit purposes, give them a mechanism to securely fetch them, 
or provide them once a month on CD with your report. And be careful not 
to go overboard splitting it up too much; you can use grep to break out 
just the severities/days/etc. If you want searching, throw it in a 
database each night.

Also, you might want to think about whether you really want to give 
customers real-time views of logs as opposed to reports; this will 
depend on what they're like and how you've sold the service to them. (If 
they have a picky internal security department that thinks they could do 
a better job than you, it can get annoying.)

Other links: http://www.loganalysis.org/ and of course 
http://www.sans.org/reading_room/

Cheers
Kris

Dale Shaw wrote:
> Hi all,
> 
> This may be a bit off topic, but I figure the cisco-nsp brains trust
> will have "been there, done that" already.
> 
> Has anyone had a requirement to provide 3rd parties with access to log
> files? I have a requirement to provide access to firewall log files
> (syslogged) to a security group within an enterprise.
> 
> Logs held on the logging server will be sorted into a directory
> hierarchy based on the logging device's name, year, date, day and then
> severity (or something similar). They will likely be compressed.
> 
> I figure this could be as simple as setting up a web server on the log
> server and enabling directory listings / browsing on the virtual
> directories.
> 
> Has anyone come across a "nicer" solution? Perhaps something that
> provides (for example) search capabilities and results filtering, and
> real-time log watching (à la "tail") through a web interface?
> 
> The log server OS has not been decided yet. It's likely to be Linux or
> Windows Server.
> 
> cheers,
> Dale
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
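The layout Dale describes (per-device tree by year, date and severity, compressed) together with Kris's advice to break out severities with grep or load the files into a database each night, as an added example that is not code from either poster. The sample lines, device names and addresses are constructed, and the severity is assumed to come from a Cisco-style %FACILITY-SEVERITY-MSGID tag.

```python
import gzip, re, sqlite3, tempfile
from pathlib import Path

# Constructed sample: ISO timestamp, device name, Cisco %FACILITY-SEVERITY-MSGID tag.
SAMPLE = """\
2007-08-16T08:06:04 fw-edge-1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.0.2.10/22
2007-08-16T08:06:05 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/51000
2007-08-17T00:00:01 fw-edge-2 %ASA-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.0.2.53/53
this line carries no Cisco tag and is skipped
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<device>\S+) "
                     r"%[A-Z]+-(?P<sev>[0-7])-(?P<msgid>\d+): (?P<text>.*)$")

def parse_line(line):
    """Return (ts, device, severity, msgid, text), or None for an untagged line."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m["ts"], m["device"], int(m["sev"]), m["msgid"], m["text"])

def split_to_hierarchy(text, root):
    """Append each tagged line to <root>/<device>/<year>/<date>/sev<N>.log.gz; return the count."""
    stored = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:                       # untagged lines stay out of the tree
            continue
        path = Path(root) / rec[1] / rec[0][:4] / rec[0][:10] / f"sev{rec[2]}.log.gz"
        path.parent.mkdir(parents=True, exist_ok=True)
        with gzip.open(path, "at") as fh:     # appended gzip members read back as one stream
            fh.write(line + "\n")
        stored += 1
    return stored

def load_into_db(root, db=":memory:"):
    """Nightly load: walk the tree into SQLite so the customer can query instead of grep."""
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE IF NOT EXISTS fwlog (ts TEXT, device TEXT, sev INTEGER, msgid TEXT, text TEXT)")
    for gz in sorted(Path(root).rglob("*.log.gz")):
        with gzip.open(gz, "rt") as fh:
            conn.executemany("INSERT INTO fwlog VALUES (?,?,?,?,?)", filter(None, map(parse_line, fh)))
    conn.commit()
    return conn

def demo():
    root = tempfile.mkdtemp()                 # stand-in for the log server's archive root
    stored = split_to_hierarchy(SAMPLE, root)
    conn = load_into_db(root)
    denies = conn.execute("SELECT count(*) FROM fwlog WHERE sev <= 4").fetchone()[0]
    files = sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*.log.gz"))
    return stored, denies, files
```

Handing a customer read access to only their own `<device>` subtree, or only the `sev4` and lower files, is then a matter of filesystem permissions rather than post-processing.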