RE: [suse-security] Firewall Logging
what would be the best way to centralize the logging of about 15 firewalls onto one single machine (so... maybe a crontab entry moving the logs to this single machine?)
I suggest you use syslog on each machine to forward the messages to a centralized machine. If you wanna do that at all. (Be aware that if you ftp or scp them, it means that the logging machine runs those services. I'm not sure if you want that.)
and... which tools could I use on this machine to analyze these log files automatically?
Good question, very good one. And a lot of people have already asked about doing that. There are even research projects running for that. Okay, I can give you some ideas:

If you send messages from _15_ firewalls to a centralized machine, you will end up with HUGE amounts of data. So I suggest that you install some kind of preadapter on those machines, which filters all your messages before they are sent. Now the thing about a filter is that you say that the entry is either accepted or not. So you either have the information or lose it.

My approach on such things is that I keep _some_ information of the log entry and try to correlate them. This is not easily done and involves quite a bit of coding. I once developed a LogAnalyzer which did exactly that. You could define rules about what the Analyzer should remember, e.g. a machine's IP which made a request on some port. If the same source would appear over and over again, I was able to detect portscans, rangescans and so on (also if the scan is done over a long period of time). Unfortunately this tool is not available. My former employer (IBM) does not allow me to do anything with the tool... :-( [IT SUCKS; I KNOW!]

Depending on the firewall product you use, there may be some tools out there which do quite intelligent filtering and even correlation.

I hope this at least gives you some input about how to approach the problem. Feel free to contact me again if _you_ have some ideas or wanna know about the LogAnalyzer... (I guess some things I am allowed to tell you :-)

Thanks
Raffy
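Added example (not from the thread and not Raffy's LogAnalyzer): a small correlator in the spirit described above. Instead of accepting or dropping each log line, it keeps only a per-source summary (first/last seen, distinct destination ports, distinct destination hosts, which firewalls reported it) so that a vertical portscan spread over many hours and several firewalls, or a horizontal sweep of one port across many hosts, still shows up after the raw lines are gone. The log format is an assumption, since the thread never names the firewall product: iptables/netfilter-style kernel messages as forwarded by syslog. The sample lines are constructed; the thresholds, the `retention` window and the year stamped onto the year-less syslog timestamps are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, iptables/netfilter style as seen through syslog
# (assumed format; the original thread does not say which firewall is in use).
# 10.1.1.5       -> repeated hits on one port: noise, should not alert
# 198.51.100.7   -> 5 ports over ~12 hours, seen by three different firewalls
# 203.0.113.9    -> one port across 5 hosts in 4 seconds (horizontal sweep)
SAMPLE_LOG = """\
Mar  3 10:00:01 fw01 kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=4521 DPT=22 SYN
Mar  3 10:00:02 fw01 kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=4522 DPT=22 SYN
Mar  3 10:00:03 fw01 kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=4523 DPT=22 SYN
Mar  3 11:10:00 fw02 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  3 13:20:00 fw03 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 15:30:00 fw01 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
Mar  3 18:40:00 fw02 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Mar  3 22:50:00 fw03 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443 SYN
Mar  3 12:00:00 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=5000 DPT=445 SYN
Mar  3 12:00:01 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=5001 DPT=445 SYN
Mar  3 12:00:02 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.3 PROTO=TCP SPT=5002 DPT=445 SYN
Mar  3 12:00:03 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.4 PROTO=TCP SPT=5003 DPT=445 SYN
Mar  3 12:00:04 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=5004 DPT=445 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract only the fields worth remembering; return None for lines we do not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; stamping a fixed one is an assumption good enough
    # for relative comparisons within one retention window.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2000)
    return {"ts": ts, "fw": m["host"], "src": m["src"], "dst": m["dst"], "dport": int(m["dpt"])}


class ScanCorrelator:
    """Keeps a compact per-source summary instead of the raw lines (thresholds are illustrative)."""

    def __init__(self, port_threshold=5, host_threshold=5, retention=timedelta(days=2)):
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.retention = retention       # forget a source silent for longer than this
        self.state = {}                  # src -> summary dict

    def feed(self, rec):
        s = self.state.get(rec["src"])
        if s is None or rec["ts"] - s["last"] > self.retention:
            s = {"first": rec["ts"], "last": rec["ts"], "ports": set(),
                 "hosts": set(), "fws": set(), "hits": 0}
            self.state[rec["src"]] = s
        s["last"] = max(s["last"], rec["ts"])
        s["ports"].add(rec["dport"])
        s["hosts"].add(rec["dst"])
        s["fws"].add(rec["fw"])
        s["hits"] += 1

    def findings(self):
        """Report sources whose remembered summary crosses a threshold, however long it took."""
        out = []
        for src, s in sorted(self.state.items()):
            span = int((s["last"] - s["first"]).total_seconds())
            if len(s["ports"]) >= self.port_threshold:
                out.append({"kind": "portscan", "src": src, "targets": len(s["ports"]),
                            "span_seconds": span, "firewalls": s["fws"]})
            elif len(s["hosts"]) >= self.host_threshold:
                out.append({"kind": "rangescan", "src": src, "targets": len(s["hosts"]),
                            "span_seconds": span, "firewalls": s["fws"]})
        return out


def analyze(log_text, **thresholds):
    """Run the correlator over a blob of forwarded syslog text and return the findings."""
    c = ScanCorrelator(**thresholds)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            c.feed(rec)
    return c.findings()


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']:9} {f['src']:14} {f['targets']} targets over {f['span_seconds']}s "
              f"seen by {sorted(f['firewalls'])}")
```

Running it reports the slow vertical scan from 198.51.100.7 (five ports, 42000 seconds, three firewalls) and the quick horizontal sweep from 203.0.113.9, while the three SSH hits from 10.1.1.5 never become a finding. Feed it per-line from a syslog pipe or a periodic batch; memory stays proportional to the number of distinct sources inside the retention window rather than to the number of log lines, which is what makes this approach survive fifteen firewalls' worth of output.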