[c-nsp] Providing 3rd party access to logs (syslog)
Kris Price
cisco-nsp at punk.co.nz
Thu Aug 16 08:06:04 EDT 2007
Joy of security logs
You don't make much mention about what monitoring/alerting/reporting
you're needing to do or what the scale of this is, but I'm guessing
small...?
For a "managed security service" of lots of firewalls with more
customers coming online, some sort of SEM might be nice that'll take
care of all of this (and it's a selling point to your customers).
I've done a lot of SEM both on Unix using custom scripts/logsurfer/etc.,
some custom SQL databases with simple front ends, and more recently a
lot using ArcSight (unfortunately with a lot of database customisation
for reporting). It really does make life easier to have it all in one
place and be able to query it.
If this is a one off then maybe something free like OSSIM might fit the
bill (but I've never used it). If all they need is plain log files for
occasional audit purposes, give them a mechanism to securely fetch them,
or provide them once a month on CD with your report. And be careful not
to go overboard splitting it up too much; you can use grep to break out
just the severities/days/etc. If you want searching, throw it in a
database each night.
Also, you might want to think about whether you really want to give
customers real-time views of logs as opposed to reports; this will
depend on what they're like and how you've sold the service to them. (If
they have a picky internal security department that thinks they could do
a better job than you it can get annoying.)
Other links: http://www.loganalysis.org/ and of course
http://www.sans.org/reading_room/
Cheers
Kris
Dale Shaw wrote:
> Hi all,
>
> This may be a bit off topic, but I figure the cisco-nsp brains trust
> will have "been there, done that" already.
>
> Has anyone had a requirement to provide 3rd parties with access to log
> files? I have a requirement to provide access to firewall log files
> (syslogged) to a security group within an enterprise.
>
> Logs held on the logging server will be sorted into a directory
> hierarchy based on the logging device's name, year, date, day and then
> severity (or something similar). They will likely be compressed.
>
> I figure this could be as simple as setting up a web server on the log
> server and enabling directory listings / browsing on the virtual
> directories.
>
> Has anyone come across a "nicer" solution? Perhaps something that
> provides (for example) search capabilities and results filtering, and
> real time log watching (a la "tail") through a web interface?
>
> The log server OS has not been decided yet. It's likely to be Linux or
> Windows Server.
>
> cheers,
> Dale
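As an added example (not code from either post), here is a small Python sketch of the approach Kris describes: file each firewall syslog line under device/year/month/day/severity, and load the parsed records into a database so the customer's security group can query by host and severity instead of grepping flat files. The sample lines are constructed in Cisco ASA syslog style; the hostnames, addresses and message bodies are made up for illustration.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in Cisco ASA syslog style (hosts/addresses invented).
SAMPLE_LOGS = """\
Aug 16 08:06:04 fw-cust1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40000 to inside:10.0.0.5/443
Aug 16 08:06:05 fw-cust1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:10.0.0.5/23 by access-group "outside_in"
Aug 16 08:07:11 fw-cust2 %ASA-3-710003: TCP access denied by ACL from 203.0.113.4/1234 to outside:192.0.2.1/22
Aug 16 08:07:12 fw-cust1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/40000 to inside:10.0.0.5/443 duration 0:01:08 bytes 5120 TCP FINs
"""

# Cisco format: "<Mon> <day> <time> <host> %<FACILITY>-<severity>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) %(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)

def parse_line(line, year):
    """Parse one syslog line; the year is supplied because syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsed lines are reported, not guessed at
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"host": m["host"], "ts": ts, "sev": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}

def archive_path(rec):
    """File name a record would be appended to: device/year/month/day/severity."""
    return f"{rec['host']}/{rec['ts']:%Y/%m/%d}/sev{rec['sev']}.log"

def build_index(raw, year):
    """Load the parsed records into an in-memory SQLite table for ad hoc queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (host TEXT, ts TEXT, sev INTEGER, msgid TEXT, path TEXT, text TEXT)")
    for line in raw.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)",
                   (rec["host"], rec["ts"].isoformat(), rec["sev"], rec["msgid"], archive_path(rec), rec["text"]))
    db.commit()
    return db

def events_at_or_above(db, host, max_sev):
    """Syslog severity runs 0 (emergency) to 7 (debug), so 'warning or worse' is sev <= 4."""
    cur = db.execute("SELECT ts, msgid, text FROM events WHERE host=? AND sev<=? ORDER BY ts", (host, max_sev))
    return cur.fetchall()

if __name__ == "__main__":
    db = build_index(SAMPLE_LOGS, 2007)
    for row in events_at_or_above(db, "fw-cust1", 4):
        print(row)
```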