[Dshield] slightly off-topic Logs- anyone using sawmill?

Mark Rowlands mark.rowlands at minmail.net
Tue Aug 27 14:10:08 GMT 2002

As part of an ongoing story of treachery, intrigue and an insatiable lust for
power, I have been looking for a method of centralising my logs (Apache logs
/ IIS logs / Windows event logs / ipfw / sendmail / squid / Snort even) in
a single location and accessing them with a single tool.

I have looked at Sawmill (http://www.sawmill.net), which shows promise, but as
it is not easily extensible by yourself, you are dependent upon the goodwill of
the Sawmill folks (which so far has not seemed lacking).

Anybody out there got any good ideas? PS: if it involves both huge
license fees and closed source code, it is not a good idea!

Basic Premises

1) Cheapish
2) Consistent UI
3) Access Control Lists
4) Most likely database driven
5) Easily extend to new formats
6) Windows and Unix (not just Linux) friendly
7) Ability to log access and confirm that an alert has been viewed. Perhaps 
even with the option to add notes to an alert.
8) Scalable

The why :-  

It is a lot easier to get your sysadmins to check the logs if they are in one
easily accessible place, especially when they cannot claim "I didn't see
that big flashing red log that said the Exchange database was at 15.99999 GB."
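As an added illustration of premises 4, 5 and 7 (database driven, easy to extend to new formats, and a record of who viewed and acknowledged an alert), here is a small Python sketch that is not from the thread or from Sawmill. It normalises three of the formats named in the post (an Apache combined-log line, a Snort fast-alert line and a sendmail syslog line) into one schema, stores them in SQLite, and logs every view and acknowledgement with an optional note. The sample lines are constructed, not captured from a real system; the year for the Snort and syslog lines (which carry none) is an assumed constant.

```python
"""Toy central log store: parse several formats into one schema and record who
viewed and acknowledged each event.  Added illustration, not a real tool."""
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample lines (not from any real host), one per supported format.
SAMPLE_LINES = [
    ("apache", "www1", '10.0.0.5 - - [27/Aug/2002:14:10:08 +0000] "GET /admin HTTP/1.0" 403 211 "-" "curl/7.9"'),
    ("snort", "ids1", "08/27-14:10:09.123456  [**] [1:2003:1] constructed test signature [**] [Priority: 2] {TCP} 10.0.0.5:40000 -> 10.0.0.10:80"),
    ("sendmail", "mx1", "Aug 27 14:10:10 mx1 sendmail[1234]: g7REA8c01234: from=<user@example.org>, size=512, relay=10.0.0.5"),
]
ASSUMED_YEAR = 2002  # Snort fast and syslog timestamps carry no year; assumed here.

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "[^"]*"$')
SNORT_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[([\d:]+)\] (.*?) \[\*\*\].*\[Priority: (\d+)\] \{(\w+)\} (\S+) -> (\S+)$')
SYSLOG_RE = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$')

def parse(fmt, host, line):
    """Normalise one line into the common schema; None if it does not match its format.
    Adding a new format means adding one regex and one branch here."""
    if fmt == "apache":
        m = APACHE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        status = int(m.group(4))
        sev = "warn" if status >= 400 else "info"
        summary = f"{m.group(1)} {m.group(3)} -> {status}"
    elif fmt == "snort":
        m = SNORT_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{ASSUMED_YEAR}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S").replace(tzinfo=timezone.utc)
        sev = {"1": "high", "2": "medium"}.get(m.group(4), "low")
        summary = f"[{m.group(2)}] {m.group(3)} {m.group(5)} {m.group(6)} -> {m.group(7)}"
    elif fmt == "sendmail":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        sev = "info"
        summary = f"{m.group(3)}: {m.group(4)}"
    else:
        return None
    return {"ts": ts.isoformat(), "source": fmt, "host": host, "severity": sev, "summary": summary, "raw": line}

SCHEMA = """
CREATE TABLE events (id INTEGER PRIMARY KEY, ts TEXT, source TEXT, host TEXT, severity TEXT, summary TEXT, raw TEXT);
CREATE TABLE acks (event_id INTEGER REFERENCES events(id), viewer TEXT, note TEXT, at TEXT);
CREATE TABLE access_log (viewer TEXT, event_id INTEGER, action TEXT, at TEXT);
"""

def open_store():
    conn = sqlite3.connect(":memory:")  # a file path would do for a persistent store
    conn.executescript(SCHEMA)
    return conn

def ingest(conn, samples):
    """Parse and store every line that matches its format; returns the number stored."""
    stored = 0
    for fmt, host, line in samples:
        rec = parse(fmt, host, line)
        if rec is None:
            continue
        conn.execute("INSERT INTO events (ts, source, host, severity, summary, raw) VALUES (?,?,?,?,?,?)",
                     (rec["ts"], rec["source"], rec["host"], rec["severity"], rec["summary"], rec["raw"]))
        stored += 1
    conn.commit()
    return stored

def _now():
    return datetime.now(timezone.utc).isoformat()

def view_event(conn, viewer, event_id):
    """Every read is itself logged, so 'I never saw it' can be checked against the record."""
    row = conn.execute("SELECT id, ts, source, host, severity, summary FROM events WHERE id=?", (event_id,)).fetchone()
    conn.execute("INSERT INTO access_log VALUES (?,?,?,?)", (viewer, event_id, "view", _now()))
    conn.commit()
    return row

def acknowledge(conn, viewer, event_id, note=""):
    """Mark an event as handled, with an optional free-text note."""
    conn.execute("INSERT INTO acks VALUES (?,?,?,?)", (event_id, viewer, note, _now()))
    conn.execute("INSERT INTO access_log VALUES (?,?,?,?)", (viewer, event_id, "ack", _now()))
    conn.commit()

def unacknowledged(conn, severities=("high", "medium", "warn")):
    """Events at the given severities that nobody has acknowledged yet."""
    marks = ",".join("?" * len(severities))
    q = f"SELECT id, severity, summary FROM events WHERE severity IN ({marks}) AND id NOT IN (SELECT event_id FROM acks) ORDER BY id"
    return conn.execute(q, tuple(severities)).fetchall()

def who_viewed(conn, event_id):
    return [r[0] for r in conn.execute("SELECT DISTINCT viewer FROM access_log WHERE event_id=? AND action='view'", (event_id,))]

if __name__ == "__main__":
    db = open_store()
    ingest(db, SAMPLE_LINES)
    print("open:", unacknowledged(db))
    view_event(db, "alice", 1)
    acknowledge(db, "alice", 1, "expected: scanner run by the ops team")
    print("still open:", unacknowledged(db), "viewers of 1:", who_viewed(db, 1))
```

The point of the `access_log` table is premise 7: the store records reads as well as acknowledgements, so "was this alert ever looked at, and by whom" is a query rather than an argument. Access control (premise 3) is left to whatever front end sits over the database.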

