

SRLM | NFR HID | SWATCH | LogWatch | Snort | SHADOW | SAFEsuite SLM | Echelog

Secure Remote Log Monitor from SAIC

  • Client Utilities: utilities to identify and collect log files, encrypt them with the server's public key, sign them, and forward them on a periodic schedule to the log server over a possibly untrusted network
  • Server Utilities: utilities to collect, authenticate, decrypt, analyze, and store/archive logs from client systems
  • Key Management Utilities: keys used by monitored systems and the log server must be generated and distributed in a secure and controlled manner
  • Administrator's Guide: a document describing how to set up a system, create and place the keys, collect logs and analyze them on the server
  • Demonstration Guide: a document describing how a demonstration system can be created using a single computer to simulate a network of monitored systems and a log server
  • Compatibility: created to enhance the open source security of the Linux OS
  • Availability: Open Source
  • Comments: Log files are gathered on a client system using logrotate. At a specified time, the log files are encrypted with the server's public key, signed, and forwarded to the server (possibly over an untrusted network). All copies of logs that remain on the client systems are deleted for performance and security. The server contains the main software to collect the logs, authenticate the signature of the client system, decrypt the file using the public key, parse and analyze the log files for any information of concern (that information matching pre-specified patterns and constraints), take any action deemed necessary by the SRLM (alerts, beep, email, etc.), and archive all log files received for future referencing.
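The client-to-server hand-off described above, as an added example that is not SAIC's code: the client encrypts a rotated log to the server's public key, signs the bundle and deletes its plaintext, and the server checks the signature before it decrypts anything. It assumes the openssl command-line tool; the hybrid session-key scheme, the file names and the log line are constructed for illustration, and the server decrypts with the private key matching the public key the client encrypts to.

```shell
#!/bin/sh
# Added illustration, not SRLM's code. Requires the openssl CLI (1.1.1 or later).
# Key names, file names and the log line are constructed; both sides share one dir here.

make_keys() {     # $1 = work dir; one RSA key pair each for server and client
    for who in server client; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$who.key" 2>/dev/null || return 1
        openssl pkey -in "$1/$who.key" -pubout -out "$1/$who.pub" || return 1
    done
}

client_pack() {   # $1 = work dir, $2 = rotated log file
    # Hybrid encryption: a random session key encrypts the log, and only
    # that short key is encrypted with the server's public key.
    openssl rand -hex 32 > "$1/session.key" &&
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1/session.key" \
        -in "$2" -out "$1/log.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/session.key" -out "$1/key.enc" &&
    # Sign exactly what is sent: wrapped key followed by ciphertext.
    cat "$1/key.enc" "$1/log.enc" |
        openssl dgst -sha256 -sign "$1/client.key" -out "$1/bundle.sig" &&
    rm -f "$1/session.key" "$2"   # no plaintext copy stays on the client
}

server_unpack() { # $1 = work dir; prints the log, or fails before decrypting
    cat "$1/key.enc" "$1/log.enc" |
        openssl dgst -sha256 -verify "$1/client.pub" \
            -signature "$1/bundle.sig" >/dev/null 2>&1 || return 1
    openssl pkeyutl -decrypt -inkey "$1/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/key.enc" -out "$1/session.key" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1/session.key" -in "$1/log.enc"
}

demo() {          # returns 0 only if a good bundle opens and a tampered one is refused
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Jan 10 03:12:01 host1 sshd[411]: Failed password for root' \
        > "$d/messages.1"
    make_keys "$d" && client_pack "$d" "$d/messages.1" || return 1
    server_unpack "$d" | grep -q 'Failed password' || return 1
    printf 'x' >> "$d/log.enc"    # simulate modification on the untrusted network
    if server_unpack "$d" >/dev/null; then rc=1; else rc=0; fi
    rm -rf "$d"; return $rc
}

demo && echo "bundle verified, tampered bundle rejected"
```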

Host Intrusion Detection (HID v2.0) from NFR

  • Client Utilities: kernel log files and text-based log files are collected in one of two administrator-defined methods (real-time or batch), and sent either immediately or by periodic schedule to the log server HID Console
  • Server Utilities: administrator-defined Console properties to change functional emphasis; collect, analyze, and store/archive log files from clients; Crystal Reports; Tripwire® scans
  • Compatibility: Windows NT/2000/XP, Sun Solaris, IBM AIX, HP-UX
  • Availability: Commercial
  • Comments: This software has two options for log file collection. In batch-mode, the log files are stored for periodic collection. In real-time, log files are sent immediately and directly to the NFR HID Server Console. This system allows administrators to minimize CPU load by choosing which method best suits their systems and networks. The software monitors both kernel and text-based logs for activity such as who is logging on and what files and applications are being accessed. The log files are sent to the server where they are analyzed for matching patterns of concern. If a problem/concern is located, the system sends an alert to the systems administrator via an alert message, sound, or email. Appropriate action is then taken by the system. If Tripwire® software is installed, the system will activate the software and scan to determine what file changes have occurred - file integrity checking. This feature is dependent on the user-installed Tripwire® software.

SWATCH

  • Client Utilities: software to identify and collect logs, and to forward logs to a central server; daemon running in the background to always be checking for new logs and changes to old logs
  • Server Utilities: program is designed to analyze log files for pattern matches, and to alert the administrator if any problems arise; archive the logs for future analysis or evidence; any problems trigger an audio or visual alert; framework allows for administrator specification of program
  • Compatibility: Unix-based systems; Linux
  • Availability: Open Source
  • Comments: Swatch is a log watcher that observes log files and alerts the security administrator about predefined strings found in the log file. It is a simple (basic) program to monitor the information in the log files and inform the administrator of possible unwanted actions of a client system. There are predefined (administrator-defined) expressions for which Swatch checks the incoming log files.

LogWatch

  • Client Utilities: identify log files; program is mostly administrator driven including what files to check
  • Server Utilities: analyze log files; program receives input from the administrator who tells the program what files to search through; will not monitor network systems - all logs must be on one system, and the program does not retrieve the files automatically.
  • Compatibility: Unix-based; Linux
  • Availability: Open Source
  • Comments: LogWatch is a log analysis program that analyzes the log files of a computer. It has to be run on separate computers for any computer you want to "watch." Otherwise, you have to have a separate program that moves the log files from client computers to a server, at which point the LogWatch program could be installed solely on the server to look at the logs. This program will produce a report for all the information specified by the user/administrator. LogWatch does not handle moving, encrypting, authenticating, decrypting, or archiving log files. The program is used only to analyze log files that are already in a given area on one system.

Snort

  • Client Utilities: utility to identify log files for analysis; daemon - a sniffer, always looking for a suspicious file
  • Server Utilities: utility to analyze log files and trigger an alert when there is a pattern match
  • Compatibility: Linux, HP-UX, Sun Solaris, MacOS
  • Availability: Open Source
  • Comments: Snort is somewhat like a mini-version of NFR's HID software. It is built as a sniffer, but it works only on small networks. It would not work well in large, commercial network use. In analysis, Snort only scans the headers of log files. It does not scan through the entire body of each file. This could cause some concerns as the body of a file may contain information that would trigger an alert, even though the header may be totally benign. The creators wanted to build a cross-platform application, so this application is compatible with Linux, Sun, Mac, and HP operating systems.

SHADOW

  • Compatibility: Unix-based; Linux
  • Availability: Open Source
  • Comments: Developed by the Naval Surface Warfare Center, SHADOW (Secondary Heuristic Analysis system for Defensive Online Warfare) is an open source program designed to detect network intrusion. A part of the system is recording a log of all activity detected by the sensor outside of a network's firewall. This information is periodically analyzed and output to provide the administrator with necessary information on the security of the network and systems. The program handles all transfers, and the logs are authenticated and decrypted on the server. If there are security concerns, the program alerts the administrator to those security concerns. The log archiving/analysis portion of the software is only a small portion of the program. The rest of the program is devoted to monitoring the traffic on the network lines instead of analyzing system logs.

SAFEsuite SLM

  • Client Utilities: identify, collect, encrypt, sign, and forward logs to the server
  • Server Utilities: collect, authenticate, decrypt, analyze, and archive all log files received from clients
  • Compatibility: Windows 9x/NT/2000/XP
  • Availability: Commercial
  • Comments: The Secure Log Manager is a part of the SAFEsuite security management platform developed by ISS. This system collects and analyzes log files for security concern patterns - certain words or groups of words that will raise security issues. This program is configured by the administrator and conforms to the administrator's needs. When a problem is found, the administrator is notified through sound, visual message, or email, and the administrator can immediately generate a graphical reporting of what was found. Additional software, besides the daemon for locating log files, is required on each system.

Echelog

  • Client Utilities: daemon "Echelogd" used to identify, collect, encrypt, sign, and forward logs to the server; data spooling
  • Server Utilities: collect, authenticate, decrypt, and archive all log files received from client systems
  • Compatibility: Linux, BSD, Sun Solaris
  • Availability: Open Source
  • Comments: Echelog gathers log files on client systems, encrypts and sends the logs over a network using SSL. Applications on the client system must be linked with the code of the Echelog program. Once on the server, the files are authenticated and decrypted. Echelog attempts to counter the effects of network interruptions by implementing data spooling. If the network goes down, the client will hold the data until the network comes back up and the client can continue the transfer. This program is used to provide a secure passage of information from a client system to a server over an untrusted network.
SAIC : An Employee-Owned Company
Advanced Technologies and Solutions Group
7120 Columbia Gateway Dr
Columbia, MD 21046