Log Event Survey Analysis

Each surveyed item is recorded with the following fields: name; area (commercial, open source, free, or information resource); description; whether it is a candidate for study; next steps; whether it is open source; platforms; packaging (tar, configure, binaries); ease of installation and configuration; development details if open source (languages, libraries); pros; cons; notes.
1. EIQ Networks
   Area: Commercial
   Description: SyslogAnalyzer is a web-based analysis and reporting tool for event logs generated on Windows and UNIX networks. Administrators can view, filter and report on the events that matter for the health and security of the network, and the reports can serve as a record to hand to law enforcement after a security breach.
   Candidate for study: Yes, high priority
   Next steps: Read more docs; contact the vendor about an evaluation period
   Open source: No
   Platforms: UNIX, Windows 2000
   Packaging: Binaries
   Ease of installation and configuration: No data
   Development details: NA

2. GFI LANguard S.E.L.M.
   Area: Commercial
   Description: Besides security event logs, GFI LANguard S.E.L.M. can analyze application, system and other event logs. It can back up and clear event logs on all remote machines in the network automatically, and events can be viewed, filtered and reported on network-wide rather than per machine. Because all events are collected in one central database, network-wide reports and custom filters are easy to build. Custom rules let you define alerts on event ID, a condition and the event contents; the vendor claims it is the only event log management product that can analyze the contents of event properties. Reports give a more in-depth view of the network.
   Candidate for study: Yes, high priority
   Next steps: Read more docs; contact the vendor about an evaluation period
   Open source: No
   Platforms: Windows
   Packaging: Binaries
   Ease of installation and configuration: No data
   Development details: NA

3. Counterpane: Log Analysis Resources
   Area: Information resource
   Description: Making use of the information in system logs is hampered by two things: the analysis is unexpectedly complicated and predictably tedious. The site supplements the discussion on the LogAnalysis mailing list with further material.
   Candidate for study: Yes, track it
   Next steps: Read as time and priorities permit
   Open source: NA
   Platforms: NA
   Packaging: NA
   Ease of installation and configuration: NA
   Development details: NA
   Notes: Lots of useful links here, most methodological in nature.

4. OpenService
   Area: Commercial
   Description: OpenService's SystemWatch is event system management software for distributed UNIX and NT environments, providing real-time monitoring and management for mission-critical operations. It integrates with Check Point through the OPSEC LEA (Log Export API) interface, which gives it secure access to logs from the Check Point security infrastructure. SystemWatch filters, analyzes, monitors and acts on real-time event activity in complex environments.
   Candidate for study: Yes, track it
   Next steps: Read more docs as time permits
   Open source: No
   Platforms: UNIX, Windows 2000
   Packaging: Windows binary
   Ease of installation and configuration: No data
   Development details: NA
   Pros: NA
   Cons: NA

5. Addamark Log Management System
   Area: Commercial
   Description: The Addamark Log Management System (LMS) is a scalable software package for managing and analyzing high-volume log data. It gives information security, marketing and operations groups rapid and flexible reporting, plus long-term, cost-effective storage of and access to log data, which the vendor describes as the fastest-growing and least manageable dataset in the enterprise.
   Candidate for study: Yes, track it
   Next steps: Read more docs as time permits
   Open source: No
   Platforms: Linux cluster
   Packaging: NA
   Ease of installation and configuration: No data
   Development details: NA
   Pros: NA
   Cons: NA
   Notes: Reporting

6. VigilEnt Log Analyzer
   Area: Commercial
   Description: VigilEnt Log Analyzer is an enterprise product for log archival and consolidation, security event analysis and log forensics. It lets security officers and administrators analyze security events from a wide variety of operating systems, firewalls, intrusion detection systems and other devices, and adds business-intelligence features for security trend analysis at enterprise level.
   Candidate for study: Yes, high priority
   Next steps: Read more docs; contact the vendor about an evaluation period
   Open source: No
   Platforms: Windows Server
   Packaging: Windows binary
   Ease of installation and configuration: No data
   Development details: NA
   Pros: Collects and analyzes lots of information
   Cons: Windows only, proprietary
   Notes: Discovery, Network

7. Bibliography on Event and Audit Log Analysis
   Area: Information resource
   Description: A bibliography of journal articles on log analysis techniques.
   Candidate for study: No
   Next steps: None
   Open source: NA
   Platforms: NA
   Packaging: NA
   Ease of installation and configuration: NA
   Development details: NA
   Pros: NA
   Cons: NA
   Notes: Really fits under all three categories. No hyperlinks, just bibliographic information.

8. Lucent VitalEvent
   Area: Commercial
   Description: Using data collected by Lucent VitalNet Network Performance Management software, VitalEvent compares the live network state against thresholds that you configure and prioritize. When a network-wide or device-specific problem pushes performance across a threshold, you are notified immediately; real-time graphical displays and analysis tools then help pinpoint the source of the problem and where intervention is required.
   Candidate for study: Yes, high priority
   Next steps: Read more docs; contact the vendor about an evaluation period
   Open source: No
   Platforms: Windows 2000
   Packaging: Windows binary
   Ease of installation and configuration: No data
   Development details: NA
   Pros: Very powerful program, integrates nicely with other tools
   Cons: Windows only, proprietary

9. Advanced Log Processing
   Area: Information resource
   Description: Article describing methods of log collection and analysis with various UNIX tools.
   Candidate for study: No
   Next steps: None
   Open source: NA
   Platforms: NA
   Packaging: NA
   Ease of installation and configuration: NA
   Development details: NA
   Pros: NA
   Cons: NA

10. Aelita InTrust
   Area: Commercial
   Description: InTrust optimizes the data consolidation process: compression and a two-tier storage system let event and performance data be archived efficiently for extended periods, giving a precise record of network activity. Analysis and reporting tools support knowledge management and administration.
   Candidate for study: Yes, track it
   Next steps: Read more docs as time permits
   Open source: No
   Platforms: Windows 2000
   Packaging: Windows binary
   Ease of installation and configuration: No data
   Development details: NA
   Pros: NA
   Cons: Just got bought by a different company
   Notes: Lots of published papers. For archival data, not real-time.

11. Snort
   Area: Open source
   Description: Sophisticated open source intrusion detection system based on a rules approach, detecting patterns of known attack methods.
   Candidate for study: Yes, high priority
   Next steps: Read more docs, download the source, install it and read over the code
   Open source: Yes
   Platforms: Linux, UNIX, Windows
   Packaging: Tar, autotools (configure, make, make install); RPM available; executable installer for Windows
   Ease of installation and configuration: On Linux/UNIX, easy. No data for Windows.
   Development details: Written in C, uses lots of global variables, signal-style architecture. Libraries: zlib, libpcap, MySQL (Apache/PHP etc. are optional but make for a better environment).
   Pros: Lots of rules already written, good documentation, lots of people use it, works well.
   Cons: Written in C with lots of global variables.
   Notes: As long as we use it only as a piece of functionality, and don't try to merge codebases, it is definitely something we want to use. http://www.whitehats.com/ids/ has lots of add-ons and rulesets for Snort.

12. Protective Monitoring
   Area: Information resource
   Description: The note gives advice on the sources of logs within a network, the definition of a common format for logs, and attack patterns and their correlation. It is based on experience gained by CESG during the development and piloting of a proof-of-concept log analysis capability.
   Candidate for study: Yes, track it
   Next steps: Read as time and priorities permit
   Open source: NA
   Platforms: NA
   Packaging: NA
   Ease of installation and configuration: NA
   Development details: NA
   Pros: NA
   Cons: NA

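Two of the surveyed items describe the same pipeline from opposite ends: GFI LANguard (item 2) offers alert rules on event ID, a condition and the event contents, and the CESG Protective Monitoring note (item 12) argues for a common log format so that attack patterns can be correlated across sources. The following is an added example, not code from either product or from CESG, that shows the two together: normalise a Windows-style security event dump and a UNIX syslog stream into one record shape, apply event-ID/content rules, then correlate failed-then-successful logons across both sources. The pipe-delimited Windows dump format is assumed, the log lines are constructed for the example, and Windows event IDs 528 (successful logon), 529 (logon failure) and 517 (audit log cleared) are used as illustrative rule targets.

```python
"""Added example: common log format + rule matching + cross-source correlation.
Not the code of GFI LANguard, CESG or any other surveyed product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input. The Windows dump format (ts|event_id|log|message)
# is an assumption for the example, not a real export format.
WINDOWS_EVENTS = [
    "2003-04-01 10:00:01|529|Security|Logon Failure: User=alice Source=10.0.0.5",
    "2003-04-01 10:00:03|529|Security|Logon Failure: User=alice Source=10.0.0.5",
    "2003-04-01 10:00:05|529|Security|Logon Failure: User=alice Source=10.0.0.5",
    "2003-04-01 10:00:09|528|Security|Successful Logon: User=alice Source=10.0.0.5",
    "2003-04-01 11:30:00|517|Security|The audit log was cleared",
]
SYSLOG_LINES = [
    "Apr  1 10:00:02 host1 sshd[811]: Failed password for bob from 10.0.0.7 port 40121 ssh2",
    "Apr  1 10:00:04 host1 sshd[811]: Failed password for bob from 10.0.0.7 port 40122 ssh2",
    "Apr  1 10:00:06 host1 sshd[811]: Failed password for bob from 10.0.0.7 port 40123 ssh2",
    "Apr  1 10:00:08 host1 sshd[811]: Accepted password for bob from 10.0.0.7 port 40124 ssh2",
]

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

def _record(ts, source, event_id, msg):
    """The common record shape every source is mapped onto."""
    return {"ts": ts, "source": source, "event_id": event_id, "msg": msg,
            "user": None, "src_ip": None, "outcome": None}

def parse_windows(line):
    ts, event_id, _log, msg = line.split("|", 3)
    rec = _record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "windows", int(event_id), msg)
    m = re.search(r"User=(\S+) Source=(\S+)", msg)
    if m:
        rec["user"], rec["src_ip"] = m.groups()
    if rec["event_id"] == 529:
        rec["outcome"] = "fail"
    elif rec["event_id"] == 528:
        rec["outcome"] = "success"
    return rec

def parse_syslog(line, year=2003):
    """Classic syslog carries no year; the caller supplies it (assumed 2003 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, _host, _prog, msg = m.groups()
    rec = _record(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), "syslog", None, msg)
    m2 = re.search(r"(Failed|Accepted) password for (\S+) from (\S+)", msg)
    if m2:
        rec["outcome"] = "fail" if m2.group(1) == "Failed" else "success"
        rec["user"], rec["src_ip"] = m2.group(2), m2.group(3)
    return rec

# Rules in the GFI style: any combination of event ID, source and message contents.
RULES = [
    {"name": "audit log cleared", "event_id": 517},
    {"name": "ssh auth failure", "source": "syslog", "contains": "Failed password"},
]

def match_rules(rec, rules=RULES):
    hits = []
    for r in rules:
        if "event_id" in r and rec["event_id"] != r["event_id"]:
            continue
        if "source" in r and rec["source"] != r["source"]:
            continue
        if "contains" in r and r["contains"] not in rec["msg"]:
            continue
        hits.append(r["name"])
    return hits

def correlate_logons(records, threshold=3, window=timedelta(seconds=60)):
    """Alert when a (user, src_ip) succeeds after >= threshold failures inside window.
    Works on the common record shape, so Windows and syslog events are treated alike."""
    recent = defaultdict(list)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["user"], rec["src_ip"])
        if rec["outcome"] == "fail":
            recent[key].append(rec["ts"])
        elif rec["outcome"] == "success":
            fails = [t for t in recent[key] if rec["ts"] - t <= window]
            if len(fails) >= threshold:
                alerts.append((rec["source"], rec["user"], rec["src_ip"], len(fails)))
            recent[key].clear()
    return alerts

def run(windows_lines=WINDOWS_EVENTS, syslog_lines=SYSLOG_LINES):
    records = [parse_windows(l) for l in windows_lines]
    records += [r for r in (parse_syslog(l) for l in syslog_lines) if r]
    rule_hits = [(rec["ts"].isoformat(), name) for rec in records for name in match_rules(rec)]
    return rule_hits, correlate_logons(records)

if __name__ == "__main__":
    hits, alerts = run()
    print("rule hits:", hits)
    print("correlation alerts:", alerts)
```

The point of the `_record` shape is that `correlate_logons` never looks at a source-specific field: once both parsers fill in `user`, `src_ip` and `outcome`, the brute-force pattern is found on the Windows host and the UNIX host with the same code. Per-source rules still work because the raw message and event ID are carried along.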
13. Autonomic Computing
   Area: Open source / research
   Description: IBM's vision of autonomic computing: intelligent, open systems capable of managing themselves, adapting to varying circumstances in line with business policies and objectives, and preparing their resources to handle workloads efficiently. It is part of IBM's e-business on demand strategy.
   Candidate for study: Yes, high priority
   Next steps: Read more docs, download the source, install it and read over the code
   Open source: Yes
   Platforms: Java 2
   Packaging: Zipped JAR, Eclipse modules
   Ease of installation and configuration: Requires the Eclipse development environment
   Development details: Written in Java 2; requires Eclipse and other IBM tools
   Pros: Nifty to do research with
   Cons: Way too heavyweight for what we want to do
   Notes: More of a research toy than something to deploy in a production environment. Looks very close to what we're looking at doing in the pilot.

14. Throughput Monitor
   Area: Free
   Description: Throughput Monitor is a log analyzer that counts events per timeframe, i.e. a frequency monitor. If it detects too high an event rate it raises a notification; when the rate drops back below a predefined value it notifies again, with the statistics gathered in the meantime. It can analyze past logs or live logs, and events are counted separately per observed object.
   Candidate for study: No
   Next steps: None
   Open source: No
   Platforms: Windows
   Packaging: Windows binary
   Ease of installation and configuration: NA
   Development details: NA
   Pros: NA
   Cons: Way too lightweight; more of a single-user program
   Notes: More geared toward single systems

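The frequency-monitor idea behind Throughput Monitor (item 14) is small enough to show in full. The following is an added example, not Throughput Monitor's own code: a streaming monitor that counts events per fixed timeframe per observed object, notifies when a frame's count exceeds a high threshold, keeps accumulating statistics while the rate stays up, and notifies again with those statistics when a frame falls below a low threshold. Because it closes frames as later events arrive, it also handles the case a naive counter misses: a source that goes silent after a burst, which should count as a rate of zero and end the alarm. The firewall log format and the sample lines are constructed for the example.

```python
"""Added example: per-object event-rate monitor with high/low-water notifications.
Not Throughput Monitor's code; the input format is an assumption for the example."""
from datetime import datetime, timedelta

FRAME = timedelta(seconds=10)

def sample_lines():
    """Constructed firewall log: 2, 8, 6 and 1 denies from 10.0.0.5 in four
    consecutive 10-second frames on fw1, plus one unrelated deny on fw2."""
    def at(h, m, s, obj="fw1"):
        return f"2003-04-01 {h:02d}:{m:02d}:{s:02d} {obj} deny tcp 10.0.0.5 -> 10.0.0.1:445"
    lines = [at(10, 0, 1), at(10, 0, 7)]
    lines += [at(10, 0, 10 + i) for i in range(8)]
    lines += [at(10, 0, 20 + i) for i in range(6)]
    lines += [at(10, 0, 35), at(10, 0, 5, "fw2")]
    return sorted(lines)  # lines start with the timestamp, so this is time order

def parse(line):
    date, time, obj, *_ = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), obj

def frame_of(ts, frame=FRAME):
    """Start of the fixed frame containing ts, aligned to midnight of that day."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + int((ts - midnight) / frame) * frame

class RateMonitor:
    def __init__(self, frame=FRAME, high=5, low=2):
        self.frame, self.high, self.low = frame, high, low
        self.current = {}       # obj -> [frame_start, count] for the open frame
        self.alarm = {}         # obj -> stats dict while the rate is high
        self.notifications = []

    def _close(self, obj, start, count):
        """A frame has ended with `count` events: apply the high/low logic."""
        stats = self.alarm.get(obj)
        if stats is None and count > self.high:
            stats = self.alarm[obj] = {"since": start, "frames": 0, "events": 0, "peak": 0}
            self.notifications.append(("HIGH", obj, start, count))
        if stats is not None:
            stats["frames"] += 1
            stats["events"] += count
            stats["peak"] = max(stats["peak"], count)
            if count < self.low:
                self.notifications.append(("LOW", obj, start, dict(stats)))
                del self.alarm[obj]

    def feed(self, ts, obj):
        """Feed one event; works the same for a replayed file and a live tail,
        as long as each object's events arrive in time order."""
        fs = frame_of(ts, self.frame)
        cur = self.current.get(obj)
        if cur is None:
            self.current[obj] = [fs, 0]
        elif fs > cur[0]:
            self._close(obj, cur[0], cur[1])
            t = cur[0] + self.frame
            while t < fs:               # silent frames count as rate 0
                self._close(obj, t, 0)
                t += self.frame
            self.current[obj] = [fs, 0]
        elif fs < cur[0]:
            raise ValueError(f"event for {obj} arrived out of order")
        self.current[obj][1] += 1

    def flush(self):
        """Close the open frames at end of input (or when a live feed stops)."""
        for obj, (fs, n) in list(self.current.items()):
            self._close(obj, fs, n)
        self.current.clear()
        return self.notifications

def run(lines=None, frame=FRAME, high=5, low=2):
    mon = RateMonitor(frame, high, low)
    for line in (lines if lines is not None else sample_lines()):
        ts, obj = parse(line)
        mon.feed(ts, obj)
    return mon.flush()

if __name__ == "__main__":
    for note in run():
        print(note)
```

On the sample input the frame starting 10:00:10 holds 8 events, which exceeds `high`, so a HIGH notification is raised; the frame starting 10:00:30 holds a single event, below `low`, so a LOW notification follows carrying the three frames, fifteen events and peak of eight gathered while the alarm was active. fw2 never crosses a threshold and produces nothing.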
15. Log Analysis Resources
   Area: Information resource
   Description: Comprehensive set of links related to log analysis.
   Candidate for study: No
   Next steps: None
   Open source: NA
   Platforms: NA
   Packaging: NA
   Ease of installation and configuration: NA
   Development details: NA
   Pros: NA
   Cons: NA

16. Tri Action Syslog Daemon
   Area: Commercial
   Description: Tri Action Syslog Daemon is a general-purpose utility for monitoring applications and network devices over TCP/IP. It makes syslog daemon services available on the Windows 95 and Windows NT platforms.
   Candidate for study: No
   Next steps: None
   Open source: No
   Platforms: Windows
   Packaging: Windows binary
   Ease of installation and configuration: NA
   Development details: NA
   Pros: Analyzes syslog
   Cons: Windows only; only reads syslog files

17. Sawmill
   Area: Commercial
   Description: Largely a web access database/statistical package for the enterprise.
   Candidate for study: No
   Next steps: None
   Open source: No
   Platforms: UNIX, Windows, OS X, Linux
   Packaging: Binaries
   Ease of installation and configuration: Very easy
   Development details: NA
   Pros: Handles tons of data sources, easy to use
   Cons: Proprietary
   Notes: Risk analysis component is unique among the surveyed efforts