Hi Kai,
On Sun, Mar 14, 2010 at 09:31:35AM +0000, Kai Hendry wrote:
> If you run a service where I can check my logs through a Web page on a
> central server, I see some value. Especially if you add some
> functionality like filtering and alerts and stuff.
OK, thanks.
> Surely there must be commercial services like this already?
I hear things like Splunk are good but really expensive.
> People get compromised or a machine goes down. Are the logs really
> useful? What are you hoping to do? See where the attack originated
> from? Then what?
I'd be hoping for several things:
- Provide a means for the customer to investigate the compromise
with known-good logs, without them having to have an additional
VPS at BitFolk or elsewhere to send logs to
- Give me additional options when I have to decide what to do about
turning the customer's network back on
- Provide a value-add service that will set BitFolk apart from
competitors
If the customer can't work out how the attack happened then I'm in a
difficult position with regard to turning their service back on,
because there's no reason why it won't happen again almost
immediately. Sometimes it means I have to make the decision not to
turn it back on, and refund them.
In cases of compromise by SSH scanning alone, it will appear in the
logs because there'll be an SSH login from somewhere unexpected. If
they get in as root they can remove that evidence after the fact,
but they can't remove it from a server they don't have access to. So
in that case, yes, it's useful.
In other cases where some other service has been compromised,
sometimes not so much. But this is rare.
It also gives me more options; maybe I insist that the customer makes
use of remote syslog before turning the network back on. Maybe I
decide to use the remote syslogs to investigate it myself (though I
usually can't spare the time to provide such free consultancy).
Those are my thoughts on it at the moment anyway.
Cheers,
Andy
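An added example, not part of Andy's mail or of any BitFolk tooling, of the check described above: scanning sshd records as they would arrive at a central syslog server and flagging successful logins from outside the customer's known-good networks. The hostnames, users and addresses in the sample are constructed, and the known-good network list is an assumption.

```python
import ipaddress
import re

# Constructed sample of sshd lines as they would arrive at a central syslog
# server (hostname added by the sending host). Hosts, users and addresses
# are hypothetical.
SAMPLE_LOG = """\
Mar 14 03:12:01 vps17 sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 51122 ssh2
Mar 14 03:40:19 vps17 sshd[2290]: Failed password for root from 198.51.100.77 port 44010 ssh2
Mar 14 03:40:23 vps17 sshd[2290]: Accepted password for root from 198.51.100.77 port 44010 ssh2
Mar 14 04:02:55 vps17 sshd[2310]: Accepted publickey for deploy from 192.0.2.11 port 51900 ssh2
"""

# Networks the customer is known to administer from (assumed for this example).
KNOWN_GOOD = [ipaddress.ip_network("192.0.2.0/24")]

# Matches a successful sshd login record: timestamp, host, auth method,
# user and source address.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.:a-fA-F]+) port \d+"
)


def unexpected_logins(log_text, known_good=KNOWN_GOOD):
    """Return successful SSH logins whose source lies outside known_good.

    Failed attempts are ignored on purpose: the record that matters for the
    investigation is the one that succeeded, and it survives in the remote
    copy even if the local log is cleaned afterwards.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in known_good):
            continue
        findings.append({
            "time": m.group("ts"),
            "host": m.group("host"),
            "user": m.group("user"),
            "method": m.group("method"),
            "source": str(src),
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_logins(SAMPLE_LOG):
        print(f"{f['time']} {f['host']}: {f['user']} via {f['method']} from {f['source']}")
```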