Background & Standards

• Logging and Audit Overview
• Specifications and Standards
• Archiving Secure Audit Files
• Programming syslog

Logging Infrastructure

• Centralized Logging
• syslog Replacements (UNIX)
• syslog Servers (non-UNIX)
• UNIX & related (routers, FWs) to syslog
• Windows to syslog
• Logfile Rotation Tools

Data Analysis

• Log Parsers (App Specific)
• Log Parsers (Generic)
• Regular Expressions
• Data Correlation
• Sample Log Files
• Intrusion Signatures
• Message Dictionaries
• Messages that Made Us Laugh

Resources

• Mailing Lists
• Research

Message Dictionaries

• Apache: FAQ and www.apache.org
• Suspicious Web server access logs
• Everything you ever wanted to know — and probably some stuff you didn’t want to know –about unicode. Especially useful for deciphering Web logs.
• FAQ: The Eventlog of Windows NT
• Automated Analysis of Cisco Log files — Ever wondered what you could learn from your router logs? This is a very thorough analysis of pre-processing to simplify reading Cisco router logs, with guides to tracking particular performance and security issues.
• BIND (name server)
• Cisco (high level link to all product documentation)
• Cisco document on configuring IOS to support IPsec connections. Includes good documentation on debug-level error messages.
• Cisco (error messages for IOS 12.1.x)
• Cisco ICMP log documentation. Be sure that if you’re looking for particular Cisco messages,you search the Web site liberally. You might guess from these URLs that things are pretty product specific — and that there’s a lot of information online.
• Cisco Network Monitoring & Event Correlation
• Cisco documentation for syslog output from catalyst 6000 switches
• Cisco PIX message documentation
• Cisco Catalyst switch Logging (includes great discussion of default configuration and syslog message format)
• Firewall log interpretation — what all that "stuff" in your firewall logs means.
• Firewall log messages — collected from Cisco PIX and Symantec/Raptor firewalls
• HTTP protocol documentation
• ICMP message interpretation
• Intel NetStructure VPN Gateway — debug-level syslog messages
• Intel NetStructure VPN Gateway — syslog messages generated by cert facility
• Interpreting Network Traffic
• ISS RealSecure: an explanation of false positives for the SYN flooding IDS alert
• ISS wmsg, a tool that can query a local server for configuration and application specific data associated with an Event Log message.
• Microsoft Exchange errors and Event Log messages
• Events reference: dictionary of errors produced by IIS and associated services
• Microsoft systems and applications
• Netscreen firewall Message Log Reference Guide
• sendmail: FAQ & sendmail Error Messages
• Solaris Common Messages & Troubleshooting Guide
• Windows 2000 Event & Error Messages
• What’s that Entry in My Log?: Dave Piscatello’s article on interpreting firewall logs.