[logs] Summary: Exchange Logging

Daniel Cid dcid at ossec.net
Fri May 16 10:03:58 PDT 2008


Hi Phil,

I am a bit late too, but don't forget about OSSEC, which can analyze MS
Exchange logs, IIS, Windows Event log, etc (actually, most logs from
Windows). It is open source too...

For a list of all the logs we currently support, take a look at:
http://www.ossec.net/wiki/index.php/Supported-Logs

*btw, I am the developer of ossec.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




On Tue, May 13, 2008 at 5:21 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> [I am with the vendor/OS project]
>
> Hi Phil,
>
> due to a holiday I'm a bit late. I'd still like to add Adiscon's
> MonitorWare Agent, which can convert any text files (and lots of other
> sources) to syslog.
>
> There now is a guide available for Exchange:
>
> http://www.monitorware.com/Common/en/Articles/monitoring_exchange_message_tracking_logfiles.php
>
> On the receiver side, you can run GPLed rsyslog, which in turn can send
> the logs to a file or database. Then, you may even review it online via
> phpLogCon[1]. Obviously, good analysis on them is a different topic, but
> we are looking into options inside phpLogCon. PhpLogCon and rsyslog are
> GPL, the MonitorWare Agent sensor on Windows is commercial software.
>
> I hope this still is useful.
>
> Rainer
>
> [1] http://www.phplogcon.org
>
>
>> -----Original Message-----
>> From: loganalysis-bounces at loganalysis.org [mailto:loganalysis-
>> bounces at loganalysis.org] On Behalf Of Philip Webster
>> Sent: Monday, May 12, 2008 3:49 AM
>> To: loganalysis at loganalysis.org
>> Subject: [logs] Summary: Exchange Logging
>>
>> Most of the replies went to the list, but a brief summary:
>>
>> Philip Webster wrote on 09/05/2008 09:14 :
>> > Just wondering how people handle Exchange logs ...
>>
>> [ snip ]
>>
>> > So do you centralise your logs?  Use message tracking?  Or ...?  Is
>> > there third-party (free/open?) software which you use for analysing the
>> > logs?
>>
>> Snare Epilog for Windows
>>
>>      http://www.intersectalliance.com/projects/EpilogWindows/index.html
>>      Free, open source, can send to a syslog or Snare server.
>>
>> Splunk
>>
>>      http://www.splunk.com/
>>      Commercial, appears to be licensed per volume, provides more
>>      than just log collection.
>>
>> EventTracker
>>
>>      http://www.prismmicrosys.com/eventTracker.php
>>      Commercial, licensed per logging device, provides more than just
>>      log collection.
>>
>> Splunk and EventTracker look like they're firmly in the SIEM space.
>>
>> Snare Epilog is more analogous to a syslog daemon for Windows, with
>> built-in Exchange support.  (And it is developed in Australia!)
>>
>>
>> Thanks to all who replied.  I'll try to provide an update when we're up
>> and running - particularly once we've begun to analyse the logs.
>>
>> Cheers
>> Phil
>>
>> --
>>
>> Philip Webster, IT Security Engineer
>> Queensland University of Technology
>> _______________________________________________
>> LogAnalysis mailing list
>> LogAnalysis at loganalysis.org
>> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
>
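The collection pipeline the thread converges on (read the Exchange message tracking log, turn each entry into a syslog line for a central receiver such as rsyslog, then analyse the collected entries) as an added example in Python. This is not code from OSSEC, Adiscon, Snare or anyone on the thread. It assumes a message tracking log in the Exchange 2007 style, with a `#Fields:` header naming the CSV columns; the sample log lines, host names, IP addresses and mailbox addresses below are constructed for the example.

```python
"""Parse an Exchange-style message tracking log, emit RFC 3164 syslog lines
for a central receiver, and run two simple checks over the parsed records.
Added example: the #Fields: layout follows the Exchange 2007 tracking log
format, and every data line below is constructed, not captured."""
import csv
import socket
from collections import Counter
from datetime import datetime

# Constructed sample excerpt in the Exchange 2007 "#Fields:" CSV layout.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Date: 2008-05-12T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2008-05-12T03:49:10.123Z,10.0.0.5,WS05,10.0.0.2,EXCH01,,,STOREDRIVER,RECEIVE,1001,<a1@example.edu>,bob@example.edu,,2048,1,,,Meeting notes,alice@example.edu,alice@example.edu,
2008-05-12T03:49:11.456Z,10.0.0.2,EXCH01,10.0.0.2,EXCH01,,Default EXCH01,SMTP,SEND,1001,<a1@example.edu>,bob@example.edu,250 2.6.0 Queued,2048,1,,,Meeting notes,alice@example.edu,alice@example.edu,
2008-05-12T03:50:02.000Z,10.0.0.9,WS09,10.0.0.2,EXCH01,,,STOREDRIVER,RECEIVE,1002,<b2@example.edu>,u1@example.org;u2@example.org;u3@example.org,,51200,3,,,Invoice,mallory@example.edu,mallory@example.edu,
"""

MAIL_FACILITY = 2   # syslog facility "mail"
SEV_INFO = 6        # syslog severity "informational"


def parse_tracking_log(text):
    """Return one dict per data line, keyed by the most recent #Fields: header.
    Other '#' comment lines are skipped; a later #Fields: line replaces the
    header, which is what a rolled-over log file looks like when concatenated."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = next(csv.reader([line]))
        # Pad a truncated row so later key lookups do not fail.
        values += [""] * (len(fields) - len(values))
        records.append(dict(zip(fields, values)))
    return records


def to_syslog(rec, host, tag="exchange-mtl"):
    """Format one record as an RFC 3164 line (<PRI>timestamp host tag: body).
    Only correlation-relevant fields are kept; message-subject is dropped
    because it is free text and often sensitive."""
    ts = datetime.strptime(rec["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # BSD syslog day is space-padded
    pri = MAIL_FACILITY * 8 + SEV_INFO
    keys = ("event-id", "source", "internal-message-id", "sender-address",
            "recipient-address", "recipient-count", "total-bytes", "client-ip")
    body = " ".join(f"{k}={rec[k]}" for k in keys)
    return f"<{pri}>{stamp} {host} {tag}: {body}"


def high_fanout(records, threshold):
    """(sender, internal-message-id) for RECEIVE events whose recipient-count
    is at least threshold: a cheap signal for bulk mail from a misused account."""
    hits = []
    for r in records:
        if r["event-id"] == "RECEIVE" and int(r["recipient-count"] or 0) >= threshold:
            hits.append((r["sender-address"], r["internal-message-id"]))
    return hits


def volume_by_sender(records):
    """Count outbound SEND events per sender address."""
    return Counter(r["sender-address"] for r in records if r["event-id"] == "SEND")


def forward_udp(lines, receiver, port=514):
    """Ship formatted lines to a syslog receiver over UDP. Not called on import;
    'receiver' is whatever host runs rsyslog or a similar daemon."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (receiver, port))


if __name__ == "__main__":
    recs = parse_tracking_log(SAMPLE_LOG)
    for line in (to_syslog(r, "exch01") for r in recs):
        print(line)
    print("high fan-out:", high_fanout(recs, 3))
    print("sends per sender:", dict(volume_by_sender(recs)))
```

Run it as a script to see the three syslog lines and the two checks over the constructed sample; to actually centralise, pass the formatted lines to `forward_udp` with the receiver's address. The parser re-reads `#Fields:` whenever it appears so that a directory of rolled-over files can be concatenated and fed through in one pass.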

