Logging, Syslog and Log Analysis Forums
Topic: Using logs as part of security...
Anonymous
Guest
« on: July 10, 2005, 06:37:10 pm »

I believe many people are using log monitoring as part of system and network security, but how are people doing it? What tools, and what information is sent, and how is it acted on? We currently don't do any proactive log analysis.
Henke
Guest
« Reply #1 on: July 29, 2005, 09:51:40 am »

Hi!

We have a central syslog server which is running FreeBSD with syslog-ng and phpsyslogng.

We save logs to both MySQL (for easy searching with phpsyslogng) and to file.
We rotate logs once a month and save them for a year. We do not monitor the logs all day long, but search for critical errors and so on once a week maybe. And of course when the boss has some suspicions, or we just want to look at something like "who locked that account out!?"

We use NT-syslog on our Windows servers, and standard syslogd on our unixes.

When the day comes that we have any problem with whatever, we will sure be glad to have the syslogs together with IDS/NIDS, firewall logs and so on. It has only happened once though, with an angry ex-employee.

Logging is an important part of security.

For system failure and things like hard drive crashes, we have other tools.

/Henrik
mutex
« Reply #2 on: July 29, 2005, 09:59:18 am »

That makes a lot of sense.  I do much the same thing, but I run devialog against the logs to provide more of a real-time alert when something out of the ordinary happens.  It's working pretty well now.
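The two approaches in this thread (weekly searches of a central syslog archive, and real-time alerts on anything out of the ordinary) can be connected with a small baseline check. The following is an added example, not code from any poster and not how devialog itself is implemented: it learns the message shapes seen during normal operation and flags any line whose shape is new. The syslog layout, the masking rules and all sample lines are assumptions constructed for illustration.

```python
import re

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(\S+)\s([^\s:\[]+)(?:\[\d+\])?:\s(.*)$")

# Variable fields are masked so messages that differ only in IP, port
# or user name collapse into one template (assumed masking rules).
MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b\d+\b"), "<n>"),
    (re.compile(r"\buser \S+"), "user <user>"),
    (re.compile(r"\bfor (?!invalid\b)\S+"), "for <user>"),
]

def template(line):
    """Return (program, masked message); unparseable lines keep their raw text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("unparsed", line.strip())
    _host, program, msg = m.groups()
    for rx, repl in MASKS:
        msg = rx.sub(repl, msg)
    return (program, msg)

def learn(lines):
    """Build the baseline: every template seen during normal operation."""
    return {template(l) for l in lines if l.strip()}

def detect(lines, baseline):
    """Return the lines whose template never appeared in the baseline."""
    return [l.strip() for l in lines if l.strip() and template(l) not in baseline]

# Constructed sample data (hosts, users and addresses are made up).
BASELINE = """\
Jul 29 09:00:01 web1 sshd[311]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Jul 29 09:05:12 web1 sshd[340]: Accepted password for bob from 10.0.0.9 port 40022 ssh2
Jul 29 09:10:00 web1 cron[402]: (root) CMD (/usr/libexec/atrun)
""".splitlines()
LIVE = """\
Jul 29 10:00:03 web1 sshd[512]: Accepted password for carol from 10.0.0.7 port 50100 ssh2
Jul 29 10:01:44 web1 sshd[530]: Failed password for invalid user admin from 192.0.2.44 port 4711 ssh2
Jul 29 10:02:10 web1 su[541]: BAD SU alice to root on /dev/ttyp0
Jul 29 10:03:00 web1 cron[560]: (root) CMD (/usr/libexec/atrun)
""".splitlines()

if __name__ == "__main__":
    for alert in detect(LIVE, learn(BASELINE)):
        print("ALERT:", alert)
```

In practice the baseline would be learned from the archived log files and the detector fed from the live stream; a baseline that is too short produces alerts for routine but infrequent messages.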