Security log parser


Security log parser

by Jason Alexander-4

Hi all

I'm looking for a good security event log parser for Linux/Unix systems. All logs are in syslog format. Just want to be able to point the tool at a bunch of logs and drag out what is useful.... Already use some custom written scripts but could do with something a little more professional....


cheers



Re: Security log parser

by Valdis.Kletnieks

On Thu, 14 Feb 2008 09:16:17 GMT, Jason Alexander said:
> I'm looking for a good security event log parser for Linux/Unix systems.

It's not strictly "security event", but I use "logwatch" for my systems.
Available in Fedora and Redhat, probably in Debian and Ubuntu as well,
or if all else fails, http://www.logwatch.org/



Re: Security log parser

by Martin A. Brown-4


Hello,

 : I'm looking for a good security event log parser for Linux/Unix
 : systems. All logs are in syslog format. Just want to be able to
 : point the tool at a bunch of logs and drag out what is
 : useful.... Already use some custom written scripts but could do
 : with something a little more professional....

I'm sure you'll get quite a few suggestions, but I'll start off with
a few nexthops you should consider.

  * splunk (commercial) [0]; very nifty, large volumes of data can
    be searchable/accessible quite quickly
  * log analysis list/site [1]
  * sec, simple event correlator [2]

These are either tools or discussion lists which deal with the above
question in more detail than this list.  Amazing what you discover
sometimes when you go for a romp through the logs.

Good luck!

-Martin

 [0] http://www.splunk.com/
 [1] http://www.loganalysis.org/
     http://www.loganalysis.org/sections/parsing/generic-log-parsers/index.html
     http://www.loganalysis.org/mailman/listinfo/loganalysis
     http://www.loganalysis.org/pipermail/loganalysis/
 [2] http://www.estpak.ee/~risto/sec/

--
Martin A. Brown
http://linux-ip.net/

Re: Security log parser

by killy

By professional do you mean commercial, as in $$$$?

I'm not familiar with solutions that collect the logs. But, Enterasys
Dragon Security Command Console is a Security Information Manager.
Plus, it will do way more than what you are looking for.

IMO, you should be providing the level of monitoring and correlation that
this solution provides, at a minimum. <- again at a minimum.

signature detection/protection, syslog, NBAD(google if you are not
familiar), NetFlow, etc.


But if you are only interested in what can be monitored on a linux/unix system,

check this guy out. Marcus Ranum.
His site:

http://www.ranum.com/security/computer_security/index.html

Click on 'Papers' and then click 'Artificial Ignorance' for an
enlightening and insightful method of thinning the log pile to entries
of interest.

Good luck and I think you will enjoy the link provided.

p1g out.

On 2/14/08, Jason Alexander <jalexander@...> wrote:

> Hi all
>
> I'm looking for a good security event log parser for Linux/Unix systems. All logs are in syslog format. Just want to be able to point the tool at a bunch of logs and drag out what is useful.... Already use some custom written scripts but could do with something a little more professional....
>
> cheers


--
-p1g
SnortCP, C|HFI, TNCP, TECP, NACP, A+
  ,,__
o"     )~  oink oink
   ' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
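The "artificial ignorance" idea referenced above (discard the log lines you have decided are routine, then look at whatever is left) is easy to prototype. The following is an added illustration written for this page, not code from the thread or from Ranum's paper; the syslog lines, ignore patterns and normalization rules are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Feb 14 09:16:17 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51512 ssh2
Feb 14 09:16:20 host1 CRON[2230]: (root) CMD (run-parts /etc/cron.hourly)
Feb 14 09:17:02 host1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Feb 14 09:17:05 host1 sshd[2241]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Feb 14 09:18:00 host1 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)
Feb 14 09:18:30 host1 kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
Feb 14 09:19:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# "Ignore" rules: patterns for events we have reviewed and decided are routine.
# Everything that does NOT match one of these is, by definition, interesting.
IGNORE = [re.compile(p) for p in [
    r"CRON\[\d+\]: \(\w+\) CMD ",
    r"sshd\[\d+\]: Accepted publickey for \w+ from ",
]]

# Classic BSD syslog line: "Mon DD HH:MM:SS hostname message"
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<msg>.*)$")

def normalize(msg):
    """Collapse PIDs, IP addresses and other numbers so that repeated
    occurrences of the same kind of event fold into one counter key."""
    msg = re.sub(r"\[\d+\]", "[N]", msg)
    msg = re.sub(r"\b\d{1,3}(\.\d{1,3}){3}\b", "IP", msg)
    msg = re.sub(r"\b\d+\b", "N", msg)
    return msg

def artificial_ignorance(text):
    """Return a Counter of normalized messages that survived the ignore rules.
    The count tells you how often each unexplained event type occurred."""
    counts = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not syslog-shaped; a real tool would flag this too
        if any(rule.search(line) for rule in IGNORE):
            continue  # known-routine event, deliberately ignored
        counts[normalize(m.group("msg"))] += 1
    return counts

if __name__ == "__main__":
    for msg, n in artificial_ignorance(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {msg}")
```

The workflow is iterative: each run shows unexplained event types, and once you understand one you either add it to IGNORE or act on it, so the leftover pile keeps shrinking.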

Re: Security log parser

by Sebastien Tricaud-5

    | Hi all

Hello Jason

    | I'm looking for a good security event log parser for Linux/Unix systems. All
    | logs are in syslog format. Just want to be able to point the tool at a bunch
    | of logs and drag out what is useful.... Already use some custom written
    | scripts but could do with something a little more professional....

I'd recommend two solutions, depending on your needs:
* OSSEC HIDS (www.ossec.net), where you can easily write rulesets including
the regular expression for the pattern you are looking for.
* Prelude LML (www.prelude-ids.org), where writing a ruleset is a little more
complicated than for OSSEC, but you can give more details regarding the IDMEF
(RFC 4765) format.

Both solutions can be integrated in the Prelude framework where you can gather
alerts in a single console and do your analysis.


Regards,
Sebastien.




Re: Security log parser

by Bob Toxen-3

I find the Open Source Logcheck program to be the best.  (The only thing
that logwatch does that logcheck does not is to tell the number and
details of brute-force password guessing.)

Also, I've enhanced it to be even better by causing it to list any
given event only once in the highest-priority category that applies.
I've also enhanced it to accept a second set of emails that only get
the high-priority events, not "Unusual events".  (Anyone is welcome to
email me and I'll send the tarball of my enhanced version.)

Best regards,

Bob Toxen, CTO
Horizon Network Security
"Your expert in Spam and Virus Filters, Linux server hardening, Firewalls,
Network Monitoring, Linux System Administration, VPNs, local and remote
backup software, and Network Security consulting, in business for
18 years."

www.VerySecureLinux.com        [Network & Linux/Unix Security Consulting]
www.RealWorldLinuxSecurity.com [Our 5* book: "Real World Linux Security"]
bob@... (e-mail)

My article on "The Seven Deadly Sins of Linux Security" was
published in the May/June 2007 issue of ACM's QUEUE Magazine.

On Thu, Feb 14, 2008 at 09:16:17AM +0000, Jason Alexander wrote:
> Hi all

> I'm looking for a good security event log parser for Linux/Unix
> systems. All logs are in syslog format. Just want to be able to point
> the tool at a bunch of logs and drag out what is useful.... Already
> use some custom written scripts but could do with something a little
> more professional....

> cheers