[logs] open source artificial ignorance-like systems
Chris Buechler
loganalysis at chrisbuechler.com
Wed Apr 18 16:13:30 PDT 2007
Wow, thanks for all the responses everyone.
I should have clarified my intentions for such a system. I'm not looking
at this as a be all, end all, perfect log management system for an
entire network. I have a commercial SIM product that handles my
security-related needs well enough, and has correlation capabilities and
all that, but ignores all logging data that isn't security-related. I
can't customize it to act on this non-security related logging
information, hence my request. What I described would solve all my
remaining log analysis requirements, which are admittedly dead simple
compared to the security logging requirements of any moderately complex
network. So yes, I really do want to completely ignore a whole lot of
stuff on this side, and no, I'm not oversimplifying things; my
requirements really are that simple. :)
Some of the more complex options mentioned (OSSIM, OSSEC) are overkill
in the first environment I'm looking to implement this, given the
existing security infrastructure I have in place. They are options I am
considering in other network environments though; those are two I've
looked at already.
The problem with `grep -v` is it alone doesn't come close to my
requirements, until you start adding other Unix tools one by one, and it
quickly becomes more and more work. Some of these options mentioned
should net better results with less effort.
To summarize, here are the open source options suggested that do at
least somewhat similar things to what I'm after, listed in alphabetical
order:
Logcheck - http://sourceforge.net/projects/sentrytools/ acquired by
Cisco, info here: http://tinyurl.com/2tmvbd
LogSurfer - http://www.crypt.gen.nz/logsurfer/
NBS, retail, logbayes, etc. - Not a "system", per se, but tools
potentially very helpful to someone who wanted to hack together their
own solution.
http://www.ranum.com/security/computer_security/code/index.html
SEC - http://www.estpak.ee/~risto/sec/
SELMS - not online at the moment, documentation and info posted by
Russell Fulton in this thread.
Swatch - http://swatch.sourceforge.net/
http://sial.org/howto/logging/swatch/
OSSEC - http://www.ossec.net/
OSSIM - http://www.ossim.net/
Hopefully I didn't miss any.
Haven't had a chance to thoroughly look at all of the above projects
yet, but at a glance, it definitely looks like there are multiple things
there that will be suitable.
Thanks very much!
Chris
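The "artificial ignorance" approach the thread is about, as an added example (not from the post or any of the listed projects): known-benign lines are dropped with `grep -v -f`, the survivors are normalized so repeats collapse, and the remainder is counted. The sample log lines and ignore patterns are constructed.

```shell
#!/bin/sh
# Artificial ignorance: throw away what you already understand, look at the rest.
# Constructed sample syslog lines and ignore patterns (not from the thread).

LOG=$(mktemp)
IGNORE=$(mktemp)

cat >"$LOG" <<'EOF'
Apr 18 16:01:02 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Apr 18 16:01:05 host1 cron[2222]: (root) CMD (run-parts /etc/cron.hourly)
Apr 18 16:02:10 host1 kernel: eth0: link down
Apr 18 16:02:11 host1 kernel: eth0: link up, 1000Mbps
Apr 18 16:03:00 host1 cron[2223]: (root) CMD (run-parts /etc/cron.hourly)
Apr 18 16:04:17 host1 smartd[300]: Device: /dev/sda, 3 Currently unreadable (pending) sectors
Apr 18 16:05:00 host1 kernel: eth0: link down
EOF

# Known-benign patterns, one extended regex per line; grow this file over time
# as each surviving line class is understood and explained.
cat >"$IGNORE" <<'EOF'
sshd\[[0-9]+\]: Accepted publickey
cron\[[0-9]+\]: \(root\) CMD \(run-parts
EOF

# Print every line NOT matched by the ignore patterns. Strip the timestamp,
# hostname and PID so identical events collapse, then count each class,
# most frequent first.
artificial_ignorance() {
    grep -v -E -f "$2" "$1" \
    | sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/\[[0-9]+\]//' \
    | sort | uniq -c | sort -rn
}

# Number of raw lines that no ignore pattern explains.
unexplained_count() {
    grep -v -c -E -f "$2" "$1"
}

artificial_ignorance "$LOG" "$IGNORE"
```

Run it daily against the previous day's log; anything that shows up in the report either gets a new ignore pattern or gets investigated.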