[logs] SIM solution - Objectives ?
Paul Melson
pmelson at gmail.com
Fri May 25 10:50:06 PDT 2007
On 5/25/07, saudi sans <saudisans at gmail.com> wrote:
> Thanks.
>
> We have Windows, Unix hosts and Checkpoint Firewalls being monitored.
>
> Does anyone have a list of items [standalone or correlated] which
> merit being monitored and alerted on for these devices?
>
> What I think I need is a qualified list of events-of-interest on
> these platforms: events which are not declared by the event-source
> vendor but which, from experience, merit attention by us.
I have a blog post about Windows events & SIM that you should check out:
http://pmelson.blogspot.com/2007/04/guilty-pleasures-social-networks-and.html
The problem with firewall data is that, generally speaking, no one
single event is likely to be really important. I find that firewall
events are far more useful in the context of investigation, like what
other traffic corresponds to this host that triggered an IDS event,
and so on.
UNIX syslog sucks because there's lots to look at, but the really
useful stuff probably isn't getting logged. You can look at sudo
commands or failed logins or su attempts, but you're not getting cool
stuff like what commands root actually executes or SELinux alerts by
default. My advice is figure out what you want to analyze and go get
into syslog.
PaulM
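As an added example (not from the original post or its author), here is a small parser for the UNIX syslog events of interest Paul lists above: sudo commands, failed logins and su attempts. It runs over constructed sample lines whose hosts, users and addresses are invented, with message shapes modelled on common sudo, sshd and pam_unix(su) output, and it correlates single failed logins per source address so that one failure alone does not alert; the two-failure threshold is an assumption for the demonstration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). The message
# formats follow the usual sudo, sshd and pam_unix(su) shapes, but the hosts,
# users and addresses are invented.
SAMPLE_LOG = """\
May 25 10:41:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 25 10:41:13 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 25 10:41:14 host1 sshd[1235]: Failed password for root from 203.0.113.7 port 51235 ssh2
May 25 10:41:15 host1 su[1300]: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
May 25 10:41:16 host1 su[1301]: pam_unix(su:session): session opened for user root by alice(uid=1000)
May 25 10:41:17 host1 sshd[1236]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
May 25 10:41:18 host1 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD-style syslog header: timestamp, host, program[pid]: message
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Message-level patterns for the events of interest named in the post:
# sudo commands, failed logins, and su attempts (failed and successful).
EVENT_PATTERNS = [
    ("sudo_command", "sudo", re.compile(
        r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
        r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$")),
    ("failed_login", "sshd", re.compile(
        r"^Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src>\S+) port \d+")),
    ("su_failed", "su", re.compile(
        r"pam_unix\(su(?:-l)?:auth\): authentication failure;.*"
        r"\blogname=(?P<user>\S*).*\buser=(?P<target>\S+)")),
    ("su_success", "su", re.compile(
        r"pam_unix\(su(?:-l)?:session\): session opened for user "
        r"(?P<target>\S+) by (?P<user>[^\s(]+)")),
]


def parse_line(line):
    """Split one syslog line into header fields; return None if malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()
    return rec


def classify(rec):
    """Return (event_type, fields) if the record is an event of interest."""
    for event_type, prog, pattern in EVENT_PATTERNS:
        if rec["prog"] != prog:
            continue
        m = pattern.search(rec["msg"])
        if m:
            return event_type, m.groupdict()
    return None


def events_of_interest(log_text):
    """Parse raw syslog text and keep only the events worth alerting on."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is None:
            continue
        event_type, fields = hit
        events.append({"type": event_type, "ts": rec["ts"],
                       "host": rec["host"], **fields})
    return events


def failed_logins_by_source(events, threshold):
    """Correlate failed SSH logins per source IP and return only the sources
    at or above the threshold; a single failure on its own is noise."""
    counts = Counter(e["src"] for e in events if e["type"] == "failed_login")
    return {src: n for src, n in counts.items() if n >= threshold}


def privileged_commands(events):
    """sudo commands that ran as root: (invoking user, command) pairs."""
    return [(e["user"], e["command"]) for e in events
            if e["type"] == "sudo_command" and e["target"] == "root"]


if __name__ == "__main__":
    evs = events_of_interest(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("brute-force candidates:", failed_logins_by_source(evs, 2))
    print("root commands via sudo:", privileged_commands(evs))
```

The successful publickey login and the cron line are parsed but not flagged, which is the point: the patterns are the "qualified list" of what to alert on, and everything else stays available for investigation rather than raising alerts.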