Tuesday, September 6, 2011

A question on creating a log management program

At one of the establishments where I donate my services, the need for log management and security incident management has been discussed. To put it in a nutshell, the establishment wants to open up the wi-fi to "partially" vetted users. The wi-fi is locked down pretty well. I think the question that wants to be answered is "who logged into the network, and from where?" Also, should there be some kind of incident, they want to know when and where it occurred.

Here's a mini-description of the network. Broadband comes into the building, and DHCP addresses are given out from this router. The router is an Actiontec MI424WR. The first 50 hosts of the scope are reserved for static IPs, and the static IPs are used for the central file server, access points, an internal HVAC computer, and part of the HVAC/solar system that broadcasts results (like how much electricity has been generated).

Down the line, I have plans to add a commercial firewall and a router, in order to create VLANs.  However, as the infrastructure is improved, I want to add log management and incident management into the network.

So, for right now, I'm looking for ideas on how to capture:
firewall logs from the Actiontec
DHCP logs from the Actiontec
Windows logs from the file server (Windows 2000)
maybe wireless access logs

I found a great page here:  http://www.securitywarriorconsulting.com/logtools/ 

My question is: what's a good recommendation? How best to capture the information? Open source would be great, as I'm sure money is going to be an issue.

As this project progresses, I'll post updates.
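Whatever tool ends up doing the collecting, the two Actiontec feeds listed above only answer "who, from where, when" once they are joined: a firewall log line carries an IP address, and the DHCP log is what ties that IP to a device at that moment. The following is an added example written for this post, not code from the post or from Actiontec. It assumes the router forwards RFC 3164-style syslog (the `<PRI>Mon dd hh:mm:ss host tag: message` shape) to a central box, and the DHCPACK and `FW DROP` message bodies in the sample are constructed for the example, since the Actiontec's real formats are not given here; the year is assumed from the post date because RFC 3164 timestamps do not carry one.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample syslog traffic. The DHCP and firewall message bodies are
# invented for this example; the real Actiontec formats are not on the page.
SAMPLE_LINES = [
    "<30>Sep  6 08:01:12 router dhcpd: DHCPACK on 192.168.1.77 to 00:11:22:33:44:55 (laptop-alice) via br0",
    "<30>Sep  6 08:02:40 router dhcpd: DHCPACK on 192.168.1.78 to 66:77:88:99:aa:bb (phone-bob) via br0",
    "<29>Sep  6 08:05:03 router kernel: FW DROP IN=br0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=445",
    "<30>Sep  6 09:15:22 router dhcpd: DHCPACK on 192.168.1.77 to cc:dd:ee:ff:00:11 (tablet-carol) via br0",
    "<29>Sep  6 09:20:45 router kernel: FW DROP IN=br0 SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP DPT=445",
]
LOG_YEAR = 2011  # assumed: RFC 3164 timestamps have no year field

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
DHCP_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?",
    re.IGNORECASE,
)
FW_RE = re.compile(
    r"FW (?P<action>\w+) IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dport>\d+))?"
)


@dataclass
class Event:
    when: datetime
    facility: int   # PRI >> 3, e.g. 3 = daemon
    severity: int   # PRI & 7,  e.g. 6 = info, 5 = notice
    host: str
    tag: str
    msg: str


@dataclass
class Lease:
    ip: str
    mac: str
    name: str
    start: datetime


def parse_syslog_line(line: str, year: int = LOG_YEAR) -> Optional[Event]:
    """Parse one RFC 3164-style line; return None for anything that does not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(when, pri >> 3, pri & 7, m["host"], m["tag"], m["msg"])


def parse_lines(lines) -> List[Event]:
    """Parse a batch of lines, silently skipping malformed ones."""
    return [e for e in (parse_syslog_line(l) for l in lines) if e is not None]


def build_lease_table(events: List[Event]) -> List[Lease]:
    """Turn DHCP acknowledgements into a time-ordered lease history."""
    leases = [
        Lease(m["ip"], m["mac"].lower(), m["name"] or "", e.when)
        for e in events
        if (m := DHCP_RE.search(e.msg))
    ]
    leases.sort(key=lambda l: l.start)
    return leases


def who_had_ip(leases: List[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Most recent lease of `ip` that began at or before `at`.

    Pool addresses are reused, so the same IP names different devices over a
    day; the lease active at the event time is the only one that counts."""
    best = None
    for lease in leases:
        if lease.ip == ip and lease.start <= at:
            best = lease
    return best


def attribute_firewall_events(events: List[Event], leases: List[Lease]) -> List[Dict[str, str]]:
    """Join firewall log lines with the lease history so each event names a device."""
    out = []
    for e in events:
        m = FW_RE.search(e.msg)
        if not m:
            continue
        lease = who_had_ip(leases, m["src"], e.when)
        out.append({
            "time": e.when.isoformat(), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dport": m["dport"] or "",
            "mac": lease.mac if lease else "unknown",
            "name": lease.name if lease else "unknown",
        })
    return out


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for hit in attribute_firewall_events(evs, build_lease_table(evs)):
        print(hit)
```

The point the sample is built to show: both `FW DROP` lines come from 192.168.1.77, but the first belongs to laptop-alice and the second to tablet-carol, because the address was handed to a new device in between. Any collector, bought or built, needs the DHCP history kept alongside the firewall log and the clocks on the router, access points and Windows 2000 server kept in sync, or the "who" in "who, from where, when" will be wrong.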


  1. Look at my other materials, e.g. this deck http://www.slideshare.net/anton_chuvakin/choosing-your-log-management-approach-buy-build-or-outsource

  2. I know, it sounds spammy, but it's not. I'm glad I found your blog. Like the plans for data capture and log management. Would like to see how it turns out. *Go see what Anton's done, he's brilliant if you haven't heard his name in this space before. Best of luck.