Re: [Fed-Talk] Syslog, SIEMs, and Laptops
- Subject: Re: [Fed-Talk] Syslog, SIEMs, and Laptops
- From: Boyd Fletcher <email@hidden>
- Date: Mon, 02 Apr 2012 23:46:15 -0400
I'm funding the development of the next generation in auditing and logging protocols. It's called the Journaling, Auditing, and Logging Protocol (JALoP). You can get the source from https://github.com/jalop-tresys
It is designed for high confidentiality, high integrity, performance, reliability, and guaranteed delivery. We developed a C/C++ API, Java is in the works, and we have data taps for Linux Auditd, GNU Tee, GNU Tail, rsyslog, and Apache Log4Cxx.
Syslog can't be fixed. It has major structural issues that can only be solved with a complete redesign.
If interested, drop me an email at email@hidden
boyd
On Apr 2, 2012, at 12:25 PM, Todd Heberlein wrote:
> What are people using to aggregate log messages from the Macs in their organization? And in particular, security-relevant logs? And how do you handle it when laptops are connected at the local Starbucks? Do you still send security-relevant log messages (unencrypted?) over the public Wi-Fi?
>
> I want to plug my live analysis directly into an appropriate existing and widely-used log aggregation infrastructure (at least for Macs), but I'm having trouble identifying the right beast to use. Any pointers or suggestions would be appreciated.
>
> Todd
>
> ----------------
>
> (some observations so far)
>
> The classic syslog seems problematic for security. It has no reliability (UDP-based), no encryption for confidentiality, and no integrity and authentication mechanisms. An updated RFC 5424 seems to address these issues, but I'm not finding anyone using it, especially on the Mac.
>
> Apple System Log (ASL) appears to add more power via searchable structured data, but I can't find anything on the confidentiality, integrity, or authentication issues. Are people using ASL in an enterprise fashion?
>
> There is syslog-ng by Balabit that addresses the reliability and security concerns, but it doesn't support Macs natively. I could port the code myself and maintain it, but I'd rather not be responsible for maintaining a big chunk of someone else's code.
>
> Years ago I tracked the DARPA Common Intrusion Detection Framework (CIDF) effort, which morphed into the IEEE Intrusion Detection Message Exchange Format (IDMEF). But I think these efforts died a long time ago. These would have been ideal :(
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
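Todd's observation above is that classic syslog is UDP with no confidentiality or integrity, and that RFC 5424 is the updated standard. As an added example (not code from this thread, JALoP, or any project named in it), the block below builds and parses RFC 5424 messages with structured data and shows the octet-counting framing and mutual-TLS client context that syslog over TLS (RFC 5425) uses to carry them; the SD-ID, hostnames and certificate paths are constructed for illustration.

```python
import re
import ssl
from datetime import datetime, timezone
def _escape(value):
    # RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped.
    return re.sub(r'(["\\\]])', r'\\\1', str(value))
def format_rfc5424(facility, severity, hostname, app, msgid, sd, msg, ts=None):
    """Build a version-1 (RFC 5424) message; sd is {SD-ID: {PARAM-NAME: value}}."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    elems = ["[%s]" % " ".join([sd_id] + ['%s="%s"' % (k, _escape(v)) for k, v in params.items()])
             for sd_id, params in sd.items()]
    return "<%d>1 %s %s %s - %s %s %s" % (facility * 8 + severity, stamp, hostname,
                                          app, msgid, "".join(elems) or "-", msg)

_HEADER = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ')
_SD_ELEM = re.compile(r'\[([^ \]]+)((?: [^ =]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^ =]+)="((?:[^"\\]|\\.)*)"')

def parse_rfc5424(line):
    """Parse a message back into a dict (structured data decoded); None if malformed."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri, rest, sd = int(m.group(1)), line[m.end():], {}
    if rest.startswith("-"):
        rest = rest[1:]
    while rest.startswith("["):
        e = _SD_ELEM.match(rest)
        if not e:
            return None
        sd[e.group(1)] = {k: re.sub(r'\\(.)', r'\1', v) for k, v in _SD_PARAM.findall(e.group(2))}
        rest = rest[e.end():]
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "app": m.group(4), "msgid": m.group(6),
            "sd": sd, "msg": rest[1:] if rest.startswith(" ") else ""}

def frame_rfc5425(message):
    """Octet-counting framing for syslog over TLS (RFC 5425): MSG-LEN SP SYSLOG-MSG."""
    data = message.encode("utf-8")
    return b"%d " % len(data) + data

def tls_client_context(cafile, certfile, keyfile):
    """Mutual-TLS client context for RFC 5425 (file paths are assumptions): verify the
    collector against cafile and present the laptop's own certificate so the collector can
    authenticate the sender before accepting anything over public Wi-Fi."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx
```

Wrap a TCP socket to the collector with `tls_client_context(...).wrap_socket(sock, server_hostname=...)` and send `frame_rfc5425(format_rfc5424(...))` on it; the TLS layer supplies the confidentiality, integrity and sender authentication that UDP syslog lacks, and TCP supplies the reliability.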