<![CDATA[[SecurityRatty] tag: dimitri]]> http://securityratty.com/tag/dimitri Mon, 21 Apr 2008 16:59:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Fun Reading on Logs and Log Management - 2]]> http://securityratty.com/article/dac0b52428267c699e6e37706f29fb2a http://securityratty.com/article/dac0b52428267c699e6e37706f29fb2a I am amazed (no, AMAZED!) about how many people now write about logs; it is definitely not "the original logging evangelist" anymore :-) Here is a bunch of good log-related reading, useful for those struggling with logs (aka "everybody" :-))

  1. Our brilliant field engineer Dimitri McKay talks about the eternal topic of converting Windows event logs to syslog. Yes, Eric, we ALL know it is ugly, but that is the only way that actually works well across all systems ...
  2. More on Windows and syslog: "Syslog ... 20 Years Later."  BTW, this is really not about syslog, but about Vista/2k8 finally getting an ability to natively centralize the event logs via event subscriptions ("It's only about twenty years behind schedule, if you're counting.")
  3. Two fun pieces on correlation: 1 and 2. What often kills "a log correlation project"? "Whoever had worked on it had not had much time available to learn the way to properly configure the software" (from this)  and "correlation only really works when backed up by real data about what is the biggest problem in your environment, and how that problem manifests itself in the event logs." (from this) None of this is new, but a useful reminder nonetheless
  4. Fun LogLogic podcast is here. The topic of this high-level discussion (CEO) is related to operational use for logs. I did one with them too; on logs and virtualization (will be up soon)
  5. A couple of good posts on logging from Nemertes Research: "Sharpening Stones and Walking on Coals",  "Search or Destroy"
  6. Reminder about a few useful Windows Vista and 2k8 events: 4802 (screensaver engaged) and 4803 (screensaver dismissed)
  7. One person is wondering about the usefulness of logging after "experiencing" Linux auditd logging (kernel audit): "Logs are like a warm blanket; verbose logging means you can know what's happening on your systems if you keep up with the logs.  At the same time, logs become a burden very very easily, and they are easy to ignore." This post is a must read for us logging afficionados; producing too much log data is a sure way to make people hate you...
  8. This also follows the same theme: people doubting the god-like power of logs :-) "So for an administrator to not care about logs was a shock." But would I argue that "log management is NOT a pain?" Now, would I? :-)
  9. A classic about logging for application developers: "Building Secure Applications: Consistent Logging."  I am noticing a lot more discussions about logging in a developer community, e.g. see this and this (the latter, BTW, contains a lot of info on "why log" for developers). Overall, "getting logging right" is important (and will get more important in the future) and people need something NOW and cannot wait for the standards.  BTW, I am planning a mini-crusade on how to train application developers to include useful logging in their applications...
  10. Finally, the "Is SIEM dead?" theme is continued in this fun post "Life after SIEM. Situational Awareness is next." Indeed, context is key for logs. BTW, if somebody mentions that I have "vendor bias", I will kick your ass! :-)

Enjoy!

About me: http://www.chuvakin.org
]]> Mon, 15 Sep 2008 04:03:00 +0000 logs windows event logs event logs log management log developers train application developers log correlation project application developers Fun Reading on Logs and Log Management - 2 <![CDATA[Links for 2008-05-14 [del.icio.us]]]> http://securityratty.com/article/97efd7aa78e9d1aad8d73d1488b06061 http://securityratty.com/article/97efd7aa78e9d1aad8d73d1488b06061
  • Nerd News: Dimitri SIEM vs LMI
  • GRC, Average Deal Size, And The Dangers Of Venture Capital | securosis.com
  • The Security Roundtable » Security Roundtable for May 2008 | RSA Conference - Beyond the Hype
  • Smart Business Leaders Support Effective Log Management Practices and Necessary Resources - Realtime IT Compliance
    • ]]>     Wed, 14 May 2008 20:00:00 +0000 nerd news dimitri siem rsa conference average deal venture capital compliance resources hype grc Links for 2008-05-14 [del.icio.us]     <![CDATA[More on "Enterprise-Class" (or Enterprise-Quality)]]> http://securityratty.com/article/4dd8d6f3042eeb6f2a40f6962bf79777 http://securityratty.com/article/4dd8d6f3042eeb6f2a40f6962bf79777 here: "... How can Baracuda sell an anti-spam gateway for $3000 and other vendors sell a similar product for $50,000? Is the other product 15 times better? Of course not. But the enteprise customers in an early market can afford $50K per box, so that's what you charge them. "

    Honestly, I am not sure about the anti-spam gateways, they might be all the same indeed (and so Mike might actually be right about that specific type of a product...), but I can tell you that in log management the answer "Yes, it is that much better in features that actually make it 'enterprise'" - see this five-part treatise on that very subject by our enlightened System Engineer Dimitri McKay.

    You can get Sawmill for $0, you can get whatever other product for $5k - or you can get LogLogic. The difference in what you will get will be about the same as the price factor!

    All this debate is BTW inspired by this RSA-related piece.
    About me: http://www.chuvakin.org
    ]]>     Mon, 21 Apr 2008 16:59:00 +0000 product similar product log management afford 50k mike price factor anti-spam gateway enterprise anti-spam gateways More on "Enterprise-Class" (or Enterprise-Quality)