[logs] Analyzing tons of logs

Bamm Visscher bamm.visscher at gmail.com
Fri Mar 30 07:35:54 PDT 2007


I am always interested in feedback on how Sguil scales (both good and
bad).  I am aware of a few implementations with sensors in high speed
environments and in my experience, those environments require more
care and feeding, but people seem to be doing it. As far as total
number of sensors, the largest implementation I am aware of is ~25
sensors.  I personally have seven sensors reporting to a central Sguil
server. The sensors are at ingress/egress points on the network the
most utilized being a 40MB internet link. The sensor has 650GB
dedicated to pcap logging and I can keep around ten days worth of raw
pcap on it. The Sguil server currently has around 11 million rows of
Snort alerts and close to 1 billion rows of SANCP (flow/session) data.

I wouldn't say Sguil is focused on Snort as much as it is on NSM. NSM
is a network-centric way to do security monitoring, and Snort is the Sguil
supported way to gather event/alert data. I am getting ready to
release a new version and it will have the ability to receive generic
events from other data sources (it's not perfect, but should be
usable).

Always glad to hear there are fans :)

Bammkkkk

On 3/29/07, James Turnbull <james at lovedthanlost.net> wrote:
> On Fri, 30 Mar 2007 08:57:33 +0530, "Chetan Gupta" <chetangupta01 at gmail.com> wrote:
>
> > How about sguil? That's an NSM tool I guess. Has anyone tried it?
>
> I am a fan of sguil - it's powerful and well designed (IMHO) but I am not sure it will scale to meet your requirements.  It's also primarily focussed on IDS (principally Snort) data.  You'd need to customize it to deal with some other kinds of data.
>
> Regards
>
> James Turnbull
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

