Re: [fw-wiz] Firewall Log Analysis - Computer vs. Human
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/06/05
- Previous message: Paul D. Robertson: "[fw-wiz] Watchguard update"
- In reply to: Adrian Grigorof: "[fw-wiz] Firewall Log Analysis - Computer vs. Human"
- Next in thread: Paul Melson: "RE: [fw-wiz] Firewall Log Analysis - Computer vs. Human"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Thu, 7 Jul 2005 01:31:24 +0530
On 05/07/05 12:23 -0400, Adrian Grigorof wrote:
> Hi all,
>
> We are trying to develop a log analyzer that would "replicate" a human's
> approach to log analysis - by that I mean the fact that a human can
> correlate information in the log with other factors (like - "hmm, the log
Hmmm, Marcus had a thread on the loganalysis[1] list, asking what
information could be gleaned from the logs. That thread would be a good
starting point for a correlation engine of this type.
In general, if it gets logged, it can be correlated to some extent. The
problem most often is that there is no logging infrastructure for such
correlation.
> says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
> UPS failure yesterday around noon). For this particular example, the log
> analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
> power failure, power disconnection or manual restart" - a bit vague I agree
> but it is better than nothing - and in fact, this is what the firewall
> admin would go through, right? Thinking, "Why would there be a restart? I
And there could be any other reason, which would be extremely
misleading. IMHO, it is better not to attempt to correlate with vague
information which leads the administrator down the wrong track.
Humans are good at ignoring things that cry wolf too often.
> did not restart it.. anything happened at noon? The UPS failure!". Or for
What happens if the failure was due to something else, like someone
tripping over the power cable, or just a system failure and none of your
possibilities were correct?
If you log more data and then filter, you can do useful correlations.
"Show me all events that happened in this time range relating to the
firewall", with a predefined dependency for the firewall on the UPS.
The complex problem is getting the human being to define the dependency
of the firewall on the UPS in the first place.
Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
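The approach Devdas sketches, as an added example that is not code from the thread or from any product it mentions: rather than attaching a guessed cause to a restart, the correlator answers "show me all events in this time range relating to the firewall", where "relating to" follows a predefined dependency map (firewall depends on UPS and on the switch, switch depends on UPS). The log lines, host names and the syslog-like line format are constructed for the example.

```python
"""
Time-window correlation over a dependency graph (added example).

The correlator does not guess causes. For each restart of a host it returns the
surrounding events from that host and everything it depends on, and leaves the
interpretation to the administrator. The dependency map is the piece a human
still has to write down by hand.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<ISO timestamp> <host> <message>" (format is an assumption).
# The two fw1 restarts have different surroundings on purpose: one follows UPS
# trouble, the other follows an administrator reloading the configuration.
SAMPLE_LOG = """\
2005-07-05T11:58:02 ups1 on battery: utility power lost
2005-07-05T12:01:40 ups1 low battery: shutting down load
2005-07-05T12:02:15 core-switch link down port 3
2005-07-05T12:02:30 mail1 smtp connection from 192.0.2.10
2005-07-05T12:03:00 fw1 system restart
2005-07-05T12:03:50 fw1 interface eth0 up
2005-07-05T12:04:10 ups1 on line power
2005-07-05T14:30:00 fw1 admin login from console
2005-07-05T16:03:00 fw1 system restart
2005-07-05T16:02:10 fw1 config reloaded by admin
"""

# Predefined dependency map (hypothetical topology): host -> hosts it depends on.
DEPENDENCIES: Dict[str, List[str]] = {
    "fw1": ["ups1", "core-switch"],
    "core-switch": ["ups1"],
    "ups1": [],
}

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format and sort by time, since logs rarely arrive in order."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, msg))
    events.sort()
    return events


def related_hosts(host: str, deps: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of the dependency map starting at host (host included)."""
    seen: Set[str] = set()
    stack = [host]
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        stack.extend(deps.get(h, []))
    return seen


def correlate(events: List[Event], host: str, at: datetime,
              window: timedelta, deps: Dict[str, List[str]]) -> List[Event]:
    """Every event from host or its dependencies within +/- window of `at`."""
    scope = related_hosts(host, deps)
    lo, hi = at - window, at + window
    return [e for e in events if e[1] in scope and lo <= e[0] <= hi]


def correlate_restarts(events: List[Event], host: str, deps: Dict[str, List[str]],
                       window: timedelta = timedelta(minutes=10)) -> Dict[datetime, List[Event]]:
    """Map each restart of `host` to the related events around it (the restart itself excluded)."""
    report: Dict[datetime, List[Event]] = {}
    for ts, h, msg in events:
        if h == host and "restart" in msg:
            ctx = correlate(events, host, ts, window, deps)
            report[ts] = [e for e in ctx if e != (ts, h, msg)]
    return report


if __name__ == "__main__":
    for when, ctx in correlate_restarts(parse_log(SAMPLE_LOG), "fw1", DEPENDENCIES).items():
        print(f"{when} fw1 restart; related events in window:")
        for ts, h, msg in ctx:
            print(f"  {ts} {h} {msg}")
```

Run stand-alone, the 12:03 restart comes out surrounded by the UPS battery and switch link events, while the 16:03 restart shows only the administrator's config reload: the same restart message, two different stories, and neither is reported as "possible power failure". The mail server line at 12:02:30 is filtered out because mail1 is not in the firewall's dependency closure; adding it to the map is exactly the human step the post identifies as the hard part.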