LogAnalysis
Thread:
[logs] SIM solution - Objectives ? May 24 2007 05:52AM saudi sans (saudisans gmail com) (3 replies)
Re: [logs] SIM solution - Objectives ? May 24 2007 12:58PM Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM solution - Objectives ? May 25 2007 01:29PM saudi sans (saudisans gmail com) (3 replies)
RE: [logs] SIM solution - Objectives ? May 25 2007 06:47PM Tina Bird (tbird precision-guesswork com) (1 replies)
RE: [logs] SIM solution - Objectives ? May 28 2007 01:00AM Marcus J. Ranum (mjr ranum com) (1 replies)
> Thanks.
>
> We have Windows , Unix hosts and Checkpoint Firewalls being monitored.
>
> Does anyone have a list of items [standalone or correlated] which
> merit being monitored and alerted on for these devices?
>
> What I think I need is a qualified list of events-of-interest on
> these platforms: events which are not declared by the event-source
> vendor but which, from experience, merit our attention.
I have a blog post about Windows events & SIM that you should check out:
http://pmelson.blogspot.com/2007/04/guilty-pleasures-social-networks-and.html
The problem with firewall data is that, generally speaking, no one
single event is likely to be really important. I find that firewall
events are far more useful in the context of investigation, like what
other traffic corresponds to this host that triggered an IDS event,
and so on.
UNIX syslog sucks because there's lots to look at, but the really
useful stuff probably isn't getting logged. You can look at sudo
commands or failed logins or su attempts, but you're not getting cool
stuff like what commands root actually executes or SELinux alerts by
default. My advice is to figure out what you want to analyze and go get
it into syslog.
PaulM
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
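As an added illustration of the Unix events-of-interest PaulM names (sudo commands, failed logins, su attempts) and of his point that firewall data is most useful as context around an IDS hit, here is a small Python example that is not part of the thread. The log lines are constructed samples, and the match patterns and the five-minute correlation window are assumptions, not a product's rules.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from any real host).
SYSLOG = [
    "May 24 05:50:01 host1 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "May 24 05:50:30 host1 sshd[2211]: Failed password for invalid user admin from 10.0.0.9 port 4410 ssh2",
    "May 24 05:51:02 host1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root",
    "May 24 05:52:10 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed firewall lines in a simplified Check Point-like key=value layout.
FW = [
    "May 24 05:49:55 fw1 accept src=10.0.0.9 dst=192.168.1.5 service=22",
    "May 24 05:50:20 fw1 drop src=10.0.0.9 dst=192.168.1.5 service=23",
    "May 24 05:58:00 fw1 accept src=10.0.0.9 dst=192.168.1.7 service=80",
    "May 24 05:50:25 fw1 accept src=10.0.0.4 dst=192.168.1.5 service=443",
]

# Assumed patterns for the three event classes named in the thread; each label
# is what a SIM rule would alert on. The regexes are illustrative, not exhaustive.
RULES = [
    ("sudo_command", re.compile(r" sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    ("failed_login", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("su_attempt", re.compile(r" su: .*authentication failure;.*logname=(?P<user>\S+).* user=(?P<target>\S+)")),
]

def events_of_interest(lines):
    """Return (label, fields) for every syslog line that matches one of RULES."""
    hits = []
    for line in lines:
        for label, rx in RULES:
            m = rx.search(line)
            if m:
                hits.append((label, m.groupdict()))
                break  # first matching rule wins
    return hits

def parse_ts(line, year=2007):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (syslog omits the year)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def firewall_context(fw_lines, host, ids_ts, window=timedelta(minutes=5)):
    """Firewall lines mentioning `host` within +/- window of an IDS event time.
    This is the investigative use of firewall data: context, not a standalone alert."""
    return [l for l in fw_lines
            if host in l and abs(parse_ts(l) - ids_ts) <= window]
```

Running `events_of_interest(SYSLOG)` flags the sudo, failed-login and su lines and ignores the cron line; `firewall_context(FW, "10.0.0.9", parse_ts(SYSLOG[1]))` pulls back only the two firewall lines for that source near the failed login.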