For what it's worth, Tenable shipped a Splunk agent this week so you can feed logs into our system and do anomaly detection, user tracking and other types of correlation.

I also really like the Mandiant Highlighter. We run our tools at a lot of gov't agencies and universities. I've been able to do things like see that there was an anomaly on a certain host and then do a query for that host's DNS records through our logging solution, and then drop this file into Highlighter. You can add more and more complex negative filters to strip away logs you don't care about. In this case I was looking for odd DNS requests and was able to globally remove *gmail.com, *facebook.com, etc.

Ron Gula
Tenable Network Security

On 6/5/2009 1:51 PM, Paul Asadoorian wrote:
> Splunk was one of those tools that got popular after I left the
> university. I think we need to do a tech segment on it as it's been
> highly recommended by many.
>
> Cheers,
> Paul
>
> Russell Butturini wrote:
>
>> Commercial or open source? For commercial we like Cisco’s CS-MARS, but
>> that’s a big investment. Free tools, Splunk is pretty darn good.
>>
>> *From:* [email protected]
>> [mailto:[email protected]] *On Behalf Of *Andrew
>> Anderson
>> *Sent:* Friday, June 05, 2009 10:20 AM
>> *To:* PaulDotCom Security Weekly Mailing List
>> *Subject:* [Pauldotcom] your log management tools of choice?
>>
>> Just trying to wade through the choices...
>>
>> Looking for recommendations for syslog parsing and management tools.
>> (post gathering).
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
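The negative-filter workflow Ron describes (dump one host's DNS queries, then strip away known-good names in successive rounds until only the odd requests remain) is easy to reproduce outside Highlighter. The script below is an added example written for this page, not Highlighter's or Tenable's code. The log lines are constructed in BIND query-log style, the hostnames in them are made up, and the filter syntax is assumed to be shell-style globbing (Python's `fnmatch`), which is an assumption about how patterns such as `*gmail.com` behave, not a statement about Highlighter's implementation.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed BIND-style query-log lines for this example; not taken from the thread.
SAMPLE_LOG = """\
05-Jun-2009 13:40:01.123 client 10.1.2.3#51234: query: mail.google.com IN A + (10.1.2.1)
05-Jun-2009 13:40:02.456 client 10.1.2.3#51235: query: www.facebook.com IN A + (10.1.2.1)
05-Jun-2009 13:40:03.789 client 10.1.2.3#51236: query: static.ak.facebook.com IN A + (10.1.2.1)
05-Jun-2009 13:40:04.012 client 10.1.2.3#51237: query: gmail.com IN MX + (10.1.2.1)
05-Jun-2009 13:40:05.345 client 10.1.2.3#51238: query: a9f3c1e7.update.example.net IN TXT + (10.1.2.1)
05-Jun-2009 13:40:06.678 client 10.1.2.3#51239: query: b7e2d0a4.update.example.net IN TXT + (10.1.2.1)
05-Jun-2009 13:40:07.901 client 10.1.2.3#51240: query: www.windowsupdate.com IN A + (10.1.2.1)
05-Jun-2009 13:40:08.234 client 10.1.2.3#51241: query: chat.facebook.com IN A + (10.1.2.1)
05-Jun-2009 13:40:09.567 client 10.1.2.3#51242: query: freegmail.com IN A + (10.1.2.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Extract (client_ip, qname, qtype) from each query line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # Lower-case and drop any trailing dot so patterns match consistently.
            qname = m.group("qname").lower().rstrip(".")
            records.append((m.group("client"), qname, m.group("qtype")))
    return records


def apply_negative_filters(records, patterns):
    """Keep only records whose qname matches none of the shell-style patterns.

    Patterns use fnmatch syntax, so '*facebook.com' drops facebook.com and every
    subdomain, but also any unrelated name that merely ends in 'facebook.com'.
    """
    pats = [p.lower() for p in patterns]
    return [r for r in records if not any(fnmatchcase(r[1], p) for p in pats)]


def filter_rounds(records, rounds):
    """Apply successive rounds of negative filters; return the count left after each."""
    left = records
    counts = []
    for patterns in rounds:
        left = apply_negative_filters(left, patterns)
        counts.append(len(left))
    return counts


def parent_domain_counts(records, labels=2):
    """Count what remains by its last `labels` labels, to show where leftovers cluster."""
    return Counter(".".join(q.split(".")[-labels:]) for _, q, _ in records)


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(len(recs), "queries parsed")
    # Over-broad patterns swallow freegmail.com along with the real gmail.com names.
    loose = apply_negative_filters(recs, ["*gmail.com", "*facebook.com"])
    print("loose filters leave:", [q for _, q, _ in loose])
    # Anchored patterns only drop the domain itself and its subdomains.
    tight = apply_negative_filters(
        recs, ["gmail.com", "*.gmail.com", "facebook.com", "*.facebook.com"]
    )
    print("tight filters leave:", [q for _, q, _ in tight])
    # Second round: strip more known-good names and look at what clusters.
    left = apply_negative_filters(tight, ["*.google.com", "*.windowsupdate.com"])
    for domain, n in parent_domain_counts(left).most_common():
        print(f"{n:3d}  {domain}")
```

The tight pattern pair (`gmail.com` plus `*.gmail.com`) is the one worth copying: a bare `*gmail.com` also discards look-alike names such as `freegmail.com`, which is exactly the kind of request you were hoping the filtering would surface. Grouping the survivors by parent domain makes the remaining pattern (several random-looking hostnames under one domain, all TXT queries) visible at a glance.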
