Since I sent out my request for failed login data, I've had a couple of
queries about how to capture facility and level data for syslog data. It's
an annoying problem, because although it seems like it ought to be
straightforward, it's anything but.

For Linux and FreeBSD (the servers I am currentl

[ more ]  [ reply ]

I'm really hoping that the ability to capture facility and level information
in various stock *nixen has improved over the last several years. The last
time I checked, Solaris would allow me to tag syslog data with these values,
and Redhat wouldn't, no matter what I tried, leaving me to install sys

[ more ]  [ reply ]

I forgot to mention: if you are sending me data, please try to capture the
facility and priority at which your system records the failed login events.
This is not always a trivial activity, so don't waste a lot of time on it,
but if you can get at it, it will be given a very good home :-)

thanks -

[ more ]  [ reply ]

Hi all --

For those of you who have seen the logging infrastructure guide Abe Singer
and I wrote for USENIX, you'll remember the section we titled "Spelling
login in many languages." I'm making a similar collection for a new article.

I'm interested in failed login messages from as many different

[ more ]  [ reply ]

I'm looking for any gotchas on implementation/design issues regarding using log4j SyslogAppender. Currently we use flat log files for logging and are looking to use syslog to ease the pain of pulling logs into a SIM. I'd be interested in any issues surrounding message size limitations, etc.
--
of

[ more ]  [ reply ]

I apologize for replying to a late thread. I debated as to whether I
should, but given the recent tests and research that I have been
conducting for the US Gov I felt compelled to share my findings. My
research has uncovered a product, previously developed by the US
Government (as a database),

[ more ]  [ reply ]

Hi List,

I just finished an article about "Remote log
injection", that shows some methods to inject data
into SSH and vsftpd logs that can cause log analysis
tools to parse them incorrectly.

This paper also exposes some vulnerabilities on
DenyHosts, Fail2ban and BlockHosts that can lead to
arbitra

[ more ]  [ reply ]

I did some planning for our SIM installation and used a combination of
approaches. First, I used an EPS calculator I found at a SIM vendor web
site. I modified the results based on the events I knew were happening
on average per each device. Next, I developed a spreadsheet where I
multiplied the dev

[ more ]  [ reply ]

Hey Brian,

What are your log sources? Servers, routers, ids, firewalls?

I don't know of any formula, as device type and environments are the
main driver of how logs are generated. Environments and device
configurations are very dynamic so it's really hard to calculate such
numbers ahead of time.

[ more ]  [ reply ]

If you are logging all logs to one file on your central syslog server
then the facilities won't matter. If, however, you want to send all of
you router logs to say /var/log/router_logs and all of your firewall
logs to /var/log/firewall_logs, then the facilities can be used to
"flag" classes of log

[ more ]  [ reply ]

Hello all,

Long time listener, first time caller.

I am working on putting together a SIMs package and one bit of info. I need
is to calculate the events per second we expect to get. I don't know if
there is well known formula for this but I didn't find one in my research.
I was hoping the group

[ more ]  [ reply ]

Syslog has facilities and levels.

What is the "facility" in syslog ? The level concept is pretty intuitive.

As I understand "facility" field contains the source-program which
generated the log entry .

I have a central syslog server where I am aggregating logs from
several cisco routers and Unix m

[ more ]  [ reply ]