Squid: Optimising Web Delivery


By Martin Gleeson. Includes support for Squid’s native log format; in particular, squid2common.pl converts it to the common httpd log format.

S.L.A.E. is a platform, developed using C# and the .NET Framework 1.1 (and Mono), for analyzing Squid’s log file. The project’s aims are: to be an open-source project; to support Windows and Linux (using Mono); to support both rich and web clients; to support SQL Server, MySQL and Access databases; to provide a rich set of classes for database access and management; to provide OLTP and OLAP databases; to analyze and import “big” access.log files; and to manage multiple servers and log files.

By Pedro Lineu Orso. Squid Analysis Report Generator is a tool that allows you to view “where” your users are going to on the Internet.

SCALAR (Squid Cache Advanced Log Analyzer Reporter) produces many detailed reports, such as: Time Based Load Statistic, Extensions Report, Content Report, Object Sizes Report, Request Methods Report, Squid HTTP Result Codes Report and Cache Hierarchy Reports; most reports are split into Requests, Traffic, Timeouts and Denies statistics. SCALAR is a highly customizable tool/script written in AWK; all settings can be defined inside the script header. SCALAR was developed by Yuri N. Fominov.

Screen squid is a web-based interface for viewing reports based on Squid proxy server log files. It can be accessed from a web browser and offers more than 20 reports. No extra files, only a database. All reports are generated “on-the-fly”. Free.

By Maciej Kozinski. Gathers information about Squid’s internal performance and the efficiency of its relationships, finds bottlenecks, and shows data transfer speed from particular sources.

By Andrew Fresh. Derived from Squeezer, but with more features, including running from a chroot environment.

Squid Efficiency Analyzer interprets a Squid log (native) to determine how much traffic can be retrieved from the cache and how much comes from the webservers in the internet. Tested with log files from Squid 2.5 STABLE 5 for Windows NT 4.0/2000/XP/2003.

STSRG (Squid Top-Site Report Generator) is a Perl script to analyze the previous day’s squid access.log log file and produce a report of the most frequently visited URLs. It runs reasonably quickly, processing about 100,000 lines of log file in 12 seconds.

Squid-Log-Analyzer is a small Perl script that analyses Squid’s access.log.

squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C CSS2-based HTML reports; run-time configurable languages; native DNS support (Windows Linux);

Surftrackr is a log file analyser for squid and Dan’s Guardian. The program allows a non-technical user to extract information about Web usage patterns, the type of information downloaded, the sites visited by users, and the amount of information (per-byte or per-file) accessed. Surftrackr runs via a web browser.

It’s a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.





Auditing Mailbox Access Using Exchange System Manager and Event Viewer

Introduction

Sometimes it may be necessary to track who is accessing other mailboxes and when they are doing it. You can determine a certain amount of basic information via Exchange System Manager and the Event Viewer, and that's what I'll cover in this article. I'll also show you how to use PFDAVAdmin to determine which folders have been accessed.

In Exchange System Manager, the Mailboxes and Logons objects are found under each mailbox store that you create on an Exchange 2000 or Exchange 2003 server. Both of these objects can be used to display the Last Logged on By column, which shows you which account last accessed a particular mailbox. A sample screen of this scenario is shown in Figure 1, where the Mailboxes object underneath the default mailbox store has been selected. In the right-hand pane, you can see a list of mailboxes that are contained on this mailbox store, together with the Last Logged on By and Size columns. For the highlighted mailbox belonging to User1, you can clearly see that User1's mailbox was last logged onto by User3 from the domain NGH.

It's very common for anxious administrators to post security-related queries to newsgroups, forums or mailing lists when they see that the Last Logged on By column references a Windows account different from the one that actually owns the mailbox. For example, Figure 1 above may prompt questions such as "Why is User3 logging onto User1's account?" or "Is User3 reading User1's email?"

Logging What's Going On

Typically, there is no need to worry here. The Last Logged on By column can be updated in several different ways during normal Exchange operations. It's important to note that this column will update frequently, because it can update when a user queries one of the folders belonging to another user. Perhaps the most common event of this variety is where someone's calendar folder is queried, for example to see what appointments they have, or when their free/busy information is accessed while scheduling an appointment.

In the case highlighted above, unless User1 has granted User3 specific access to their mailbox, or for example the administrator has specifically given User3 the Full Mailbox Access right to User1's mailbox, it's unlikely that User3 has managed to gain access to User1's mailbox. A lot of administrators assume that, if they are members of groups such as Domain Admins, they will be able to open anyone's mailbox. However, this isn't the case, as Administrators are explicitly denied access to all mailboxes by default in Exchange 2000 and Exchange 2003. For more information on this, please see Microsoft Knowledge Base article 821897.

Of course, unless you manage all aspects of Exchange by yourself, you are going to have to delegate some administrative tasks and therefore trust those responsible for these tasks. However, if access rights are giving you cause for concern, one thing you can do is to temporarily increase diagnostics logging for the Logons and Access Control categories for mailboxes. To do this, run Exchange System Manager and keep expanding the tree until you locate your server object. Once you've located the server object, right-click it and bring up the properties. On the Diagnostics Logging tab, expand MSExchangeIS and then click the Mailboxes object. Select the Logons and Access Control categories and set them to Maximum. This is shown in Figure 2. You can then scan the application event log for more detailed logon information as and when logon events occur. Remember to return the levels to their defaults when the investigation is over, because Maximum logging generates a large volume of events.

Take the case where User3 successfully accesses User1's calendar, perhaps because User1 has the calendar default permission set to the Reviewer role. Scanning the event log, we'll see an event ID of 1016 with a category of Logons. It will look similar to the one shown in Figure 3:

Event ID 1016 is essentially self-explanatory when you read the description, in that it means that the specified Windows NT account accessed the specified mailbox but is not the primary account for that mailbox. As I said earlier, the classic case here is when someone accesses someone else's calendar. Exchange 5.5 used to log the 1016 event ID regardless of what the diagnostic logging level was set to. However, in Exchange 2000 and Exchange 2003, you need to set the diagnostics logging levels as I've previously described in order to see this event.

What about automated processes, like antivirus or backup applications? Or perhaps Exchange's Mailbox Manager feature? Sure enough, these will also produce logon events like the 1016 event ID, as shown below in Figure 4. Note that the logon account here is NT AUTHORITY\SYSTEM.

So we've now seen that event ID 1016 is a key event to scan for when reviewing who is accessing other mailboxes. Let's now take a look at the other event IDs that you may see whilst reviewing the event log.

Other Event Log Entries

Event ID 1013 is very much a companion event for event ID 1016. Event ID 1013 informs you that the specified user account has opened an additional mailbox. Take Figure 5 below as an example. Here you can see that the domain user NGH\User1 was validated as the user whose legacyExchangeDN is listed as /o=NGH/ou=First Administrative Group/cn=Recipients/cn=User1 but then logged into the mailbox whose legacyExchangeDN is listed as /o=NGH/ou=First Administrative Group/cn=Recipients/cn=User2. In this case, it's because User1 opened User2's calendar folder. You'll notice, though, that this event does not tell you which folders or messages User1 has opened. In other words, you may need to supplement your investigation with additional documentation of exactly what permissions are set on individual mailboxes.

Event ID 1009 is an indication that the specified user account logged into the specified mailbox. Take the example shown below in Figure 6, where it can be clearly seen that the domain user NGH\User1 successfully logged into the mailbox whose legacyExchangeDN is listed as /o=NGH/ou=First Administrative Group/cn=Recipients/cn=User1. In other words, this is normal mailbox logon activity for a user. Note that event ID 1009 also has a category of Logons.

Finally, if you've ramped up the diagnostics logging for the Access Control category as I covered earlier, you will probably be getting quite a few event ID 1029 entries logged. This particular event log entry tells you that the specified user/mailbox was unsuccessful in its attempt to access a particular folder from another mailbox. An example of this is shown in Figure 7.

In this case, User1 has failed to access a folder belonging to the Administrator mailbox. The very last piece of text within the description field, which has just started to disappear off screen in the picture above, tells you that the folder ID is included within the data section of the event; this folder ID is the highlighted text in Figure 7. We therefore know from Figure 7 that the folder ID is effectively 1-4C. How can we determine exactly which folder User1 has tried, unsuccessfully, to access? To do this, we can use the PFDAVAdmin tool. If you're not familiar with this tool, check out my two-part article; it will tell you where to download it.
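Once diagnostics logging has been raised, the Application log fills quickly, so it helps to sort the four event IDs above mechanically before reading individual entries. The script below is an added example, not code from the article or from Microsoft: it takes already-parsed event records (the field layout of account, mailbox legacyExchangeDN and folder ID is an assumption about how a collector would export the log), treats 1009 as normal, counts 1013/1016 logons from NT AUTHORITY\SYSTEM as expected automated activity, lists which foreign accounts opened each mailbox, and pulls the folder ID out of 1029 events so it can be looked up with PFDAVAdmin. The sample events are constructed to mirror Figures 3 to 7.

```python
"""Triage of MSExchangeIS logon and access-control events.

Added example, not part of the original article. The event records below are
constructed to mirror the article's scenarios; the field layout (account,
mailbox legacyExchangeDN, folder ID) is an assumption about how a collector
would have parsed the Application log.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Event IDs covered in the article (source MSExchangeIS, categories Logons and
# Access Control once diagnostics logging has been raised).
NORMAL_LOGON = 1009          # account logged into its own mailbox
ADDITIONAL_MAILBOX = 1013    # account opened an additional mailbox
NON_PRIMARY_LOGON = 1016     # account is not the primary account for the mailbox
FOLDER_ACCESS_DENIED = 1029  # failed attempt to open a folder in another mailbox

# Accounts that legitimately touch every mailbox (antivirus, backup,
# Mailbox Manager); the article shows these logons as NT AUTHORITY\SYSTEM.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}


@dataclass(frozen=True)
class ExchangeEvent:
    event_id: int
    account: str                     # Windows account, e.g. "NGH\\User3"
    mailbox_dn: str                  # legacyExchangeDN of the mailbox touched
    folder_id: Optional[str] = None  # folder ID from the data section (1029 only)


def mailbox_alias(mailbox_dn: str) -> str:
    """Return the cn= value of the last RDN, e.g. 'User1'."""
    return mailbox_dn.rsplit("cn=", 1)[-1]


def is_owner(account: str, mailbox_dn: str) -> bool:
    """True when the account name matches the mailbox alias.

    Assumption: aliases equal account names, as in the article's NGH domain.
    """
    return account.split("\\")[-1].casefold() == mailbox_alias(mailbox_dn).casefold()


def triage(events: List[ExchangeEvent]) -> Dict[str, object]:
    """Sort events into the buckets a reviewer wants to see first."""
    cross_mailbox: Dict[str, Set[str]] = defaultdict(set)  # alias -> foreign accounts
    denied: List[Tuple[str, str, Optional[str]]] = []      # (account, alias, folder id)
    counts = {"normal_logons": 0, "service_logons": 0}
    for ev in events:
        alias = mailbox_alias(ev.mailbox_dn)
        if ev.event_id == NORMAL_LOGON:
            counts["normal_logons"] += 1
        elif ev.event_id in (ADDITIONAL_MAILBOX, NON_PRIMARY_LOGON):
            if ev.account in SERVICE_ACCOUNTS:
                counts["service_logons"] += 1          # expected automated activity
            elif not is_owner(ev.account, ev.mailbox_dn):
                cross_mailbox[alias].add(ev.account)   # someone opened another user's mailbox
        elif ev.event_id == FOLDER_ACCESS_DENIED:
            # The folder ID is what you look up in PFDAVAdmin (ptagFID) to name the folder.
            denied.append((ev.account, alias, ev.folder_id))
    return {"cross_mailbox": dict(cross_mailbox), "denied_folders": denied, **counts}


_OU = "/o=NGH/ou=First Administrative Group/cn=Recipients/cn="

# Constructed sample log, mirroring Figures 3 to 7 of the article.
SAMPLE_EVENTS = [
    ExchangeEvent(1016, "NGH\\User3", _OU + "User1"),                  # User3 read User1's calendar
    ExchangeEvent(1016, "NT AUTHORITY\\SYSTEM", _OU + "User1"),        # backup/antivirus pass
    ExchangeEvent(1009, "NGH\\User1", _OU + "User1"),                  # User1's own logon
    ExchangeEvent(1013, "NGH\\User1", _OU + "User2"),                  # User1 opened User2's calendar
    ExchangeEvent(1029, "NGH\\User1", _OU + "Administrator", "1-4C"),  # denied folder access
]

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for alias, accounts in sorted(report["cross_mailbox"].items()):
        print(f"{alias}: opened by {', '.join(sorted(accounts))}")
    for account, alias, fid in report["denied_folders"]:
        print(f"{account} denied on folder {fid} of {alias}'s mailbox")
    print(f"normal logons: {report['normal_logons']}, service logons: {report['service_logons']}")
```

The cross-mailbox list is the one to compare against the delegate and Full Mailbox Access permissions you have on record: an account that appears there without a matching grant is worth a closer look, while the denied-folder tuples give you the folder IDs to resolve in the PFDAVAdmin procedure that follows.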

I'll now assume that you've read the PFDAVAdmin article mentioned above, as it contains full details on how to connect the tool to your mailboxes. Here's how to use PFDAVAdmin to find this folder ID:

  1. Run PFDAVAdmin and choose to connect to All Mailboxes. Obviously you can also connect to the single mailbox that you are investigating if you so desire.
  2. From the list of mailboxes now presented in the left-hand pane, expand the Administrator mailbox.
  3. Right-click the Top of Information Store object and choose Property Editor from the context menu.
  4. In the Property Editor window, choose ptagFID (0x67480014) from the Property options field, ensure that the Display radio button is selected, and then finally ensure that the Perform this action on all subfolders of the selected folder check box is selected. This is shown in Figure 8. When you're happy, click the Execute button.
  5. Once the Execute button has been clicked, a separate window should appear containing a list of the folders within the mailbox together with their associated folder IDs. An example of this is shown in Figure 9, where you can see that I've highlighted the folder that has a folder ID of 1-4C. You can therefore see that it was the Administrator's calendar folder to which access was attempted.

Summary

Auditing mailbox access with Exchange System Manager and the Event Viewer can give you basic information on what's going on when it comes to seeing who is accessing other mailboxes. It's not a perfect solution by any means, but it's another combination of tools in your toolkit when you need to track down permission issues. Using PFDAVAdmin to determine which folder has had failed access attempts could prove very useful.





Rmd Xrf Lpa-1 Lead Paint Analyzer – Buy Handheld Xrf Analyzer Product


RMD XRF LPA-1 Lead Paint Analyzer

  • Measures lead paint levels in seconds.
  • 2-sigma confidence.
  • Now available with optional Portable Data Recorder (PDR) System!

The LPA-1 lead paint analyzer is a fast, efficient way to quantify lead content on painted substrates, including metal, wood and other common building materials. The instrument uses state-of-the-art XRF spectrum analysis to provide a statistically meaningful measurement of lead content in one to five seconds. The unit’s unique ‘Quick Mode’ setting automatically adjusts the measurement time to the least time needed to make a definitive measurement with a 95 percent (2-sigma) confidence level.

The RMD LPA-1 Lead Paint Analyzer comes with a battery charger and extra battery, data sheets, XRF stabilizer, standard sample, interface cable, software, software manual and operating manual.

LPA-1 Lead Paint Spectrum Analyzer Package

  • LPA-1 XRF Analyzer
  • (2) Rechargeable batteries – 8 hours normal use
  • Battery Charger – Quick charge in 1.5 hours
  • (2) surface stabilizers
  • Standard reference material for calibration – 1.0 mg/cm2 NIST traceable
  • Instruction manual
  • Computer RS-232 interface cable
  • Windows based Report Generation Software (RGS)
  • Software instruction manual
  • Foam-lined carrying case
  • Optional Portable Data Recorder (PDR), connection bracket, standard PDA accessories and PDR Synch Software.
  • Warranty: parts and labor, 2 years
  • Portable Data Recorder (PDR) System: No Limitations in identifying the inspection environment and related components. Ability to adopt fixed or variable formats based on inspect
  • Other features include: Auto Save, Easy Data Merge, Multi-function Use, Instant Report Generation, Compatible with Access and Excel, as well as other popular database software.
  • Measuring point/depth: 1/4 to 3/8
  • Response Time: 5 seconds typical at 2-sigma confidence level
  • Accuracy: Wood, Drywall: +/- 0.10 mg/cm2 Metal, Concrete: +/- 0.15 mg/cm2
  • Radiation Source: 57Co (10mCi)
  • Datalogging: 4000 data points, RS-232 port
  • Power: Rechargeable battery, up to 18 hours operation
  • Weight: 3 lbs




Cisco ASA and PIX Firewall Logging > Managing the Firewall Clock #firewall


Cisco ASA and PIX Firewall Logging

Chapter Description

Cisco firewalls and security appliances can be configured to generate an audit trail of messages describing their activities. Firewall logs can be collected and analyzed to determine what types of traffic have been permitted or denied, what users have accessed various resources, and so on. This chapter presents the tasks that are necessary to begin generating and collecting logging messages.


Refer to the following sections for information about these topics:

  • 9-1: Managing the Firewall Clock – Discusses ways to set and maintain the firewall's internal clock so that events and messages can have accurate time stamps.
  • 9-2: Generating Logging Messages – Explains how firewalls generate logging messages and how you can configure them to do that.
  • 9-3: Fine-Tuning Logging Message Generation – Covers the configuration steps that can be used to enable or disable specific logging messages or change their severity levels. This section also discusses how to configure access list activity logging.
  • 9-4: Analyzing Firewall Logs – Provides an overview of how you can approach collecting and analyzing the logging messages that firewalls produce.


9-1: Managing the Firewall Clock

A Cisco firewall keeps an internal clock that can be used for Syslog time stamps, certificate time stamps, and so on. The clock is powered by a battery in the absence of regular power.

The internal clock is always based on Coordinated Universal Time (UTC). UTC was previously known as Greenwich Mean Time (GMT).

You can set the system time using two different approaches:

  • Manually – You set the time and date on the firewall along with the time zone and specify whether to observe daylight savings time. With manual configuration, the firewall clock is only as accurate as the internal clock hardware.
  • Using Network Time Protocol (NTP) – This is a protocol defined by RFC 1305 that provides a mechanism for the devices in the network to get their time from an NTP server. With NTP, all the devices are synchronized to a common, trusted source and keep very accurate time.

NTP uses the concept of stratum to determine how close an NTP server is to an authoritative time source (an atomic or radio clock). Stratum 1 means that an NTP server is directly connected to an authoritative time source. NTP also compares the times reported from all configured NTP peers and does not listen to a peer that has a significantly different time.

NTP associations with other NTP peers can be protected through authentication: the firewall and each peer share an MD5 key, which lets the firewall reject time updates from unauthenticated sources (the key authenticates the packets; it does not encrypt them).

NTP version 3 is based on RFC 1305 and uses UDP port 123. Information about public NTP servers and other NTP subjects can be found at http://www.ntp.org.

You can also use a commercial product as your own stratum 1 time source. For example, Symmetricom (http://www.ntp-systems.com/products.asp) offers several NTP time servers that are based on Global Positioning Satellite (GPS) signals.

Setting the Clock Manually

  1. (Optional) Identify the time zone:

Firewall(config)# clock timezone zone-name hours [minutes]

zone-name is the time zone (an arbitrary text string such as EST), and hours (0 to 12 or 0 to -12) and optionally minutes give the offset from UTC. For example, Eastern Standard Time in the U.S. is 5 hours behind UTC and would be configured as follows:

Firewall(config)# clock timezone EST -5

  2. (Optional) Set daylight savings time (summer time) parameters.
     a. Use the following command if daylight savings time recurs at regular intervals:

     If daylight savings time begins and ends on a certain day and week of a month, you can use this command. The name of the daylight savings time zone is given as zone (an arbitrary name or abbreviation, such as EDT). The week number week (1 to 4 or the words first and last), the name of the weekday, the name of the month (only the first three letters matter), and the time hh:mm in 24-hour format can all be given to start and stop daylight savings time. The offset value gives the number of minutes to add during daylight savings time (the default is 60 minutes).

     For example, daylight savings time in the U.S. begins at 2 a.m. on the first Sunday in April and ends at 2 a.m. on the last Sunday in October. You could define it with this command:

     You can use the recurring keyword with no other arguments for any of the U.S. and Canadian time zones. The correct begin and end dates are used automatically. For the preceding example, you could define daylight savings time as follows:

     Firewall(config)# clock summer-time EDT recurring

     b. If daylight savings time occurs at specific times, you can use the following command to specify the exact date and time that daylight savings time begins and ends in a given year:

     This command is useful if the begin and end times change from year to year. Specify the year number as year (four digits, 1993 to 2035).

  3. Set the firewall clock:

     The clock is set when this command is executed. The time is given in 24-hour format, day is the day number (1 to 31), month is the name of the month (only the first three letters are needed), and year is the full four-digit year. The day and month parameters can be reversed, according to what is customary.

  4. Verify the clock:

     The current time and date are shown. If you use the detail keyword, the source of the time (hardware calendar is the internal battery-operated clock) and any daylight savings time definitions are shown, as in this example:

Setting the Clock with NTP

In PIX 7.x multiple-context mode, NTP must be configured on the system execution space only. All the other contexts (both admin and user) obtain their clock information from the system execution space, because all the contexts exist in the same physical firewall. You can use the changeto system command to move your session into the system execution space before using the following configuration steps.

The Firewall Services Module (FWSM) doesn't have a standalone clock, and it doesn't support NTP. Because it is a module inside a Catalyst 6500 chassis, it relies on the switch clock instead. Therefore, you should make sure the switch has been configured for NTP as an accurate clock source.

  1. (Optional) Use NTP authentication.
     a. Define an authentication key:

     An MD5 authentication key numbered key-number (1 to 4294967295) is created. The key is given a text-string value of up to eight cleartext characters. After the configuration is written to Flash memory, the key value is displayed in its encrypted form.

     You can repeat this command to define additional keys if needed.

     b. (Optional) Identify a key to expect from all defined NTP servers:

     Remote NTP peers must authenticate themselves with the firewall using the authentication key numbered key-number (1 to 4294967295), as defined in Step 1a. If this command is used, any NTP server must supply this key to the firewall before its time update information is accepted. You can repeat this command to identify additional keys to expect. (Trusted keys can also be defined on a per-server basis in Step 2.)

     c. Enable NTP authentication:

  2. Specify an NTP server:

     The NTP peer (server) is identified at ip-address. If you are using NTP authentication, you can use the key keyword to identify which authentication key to expect from this server. (See Step 1a.) By default, the firewall sends NTP packets on the interface derived from its routing table. You can specify an interface to use with the source keyword and the interface named if-name (outside or inside, for example).

     You can repeat this command to define more than one NTP server. If one server is down or unavailable, a second or third server could be used to synchronize time. You can use the prefer keyword to indicate one NTP server that is preferred if multiple NTP servers are configured.

     Actually, a firewall using NTP can use its associations with several servers to derive a more accurate idea of the time. If possible, you should configure a minimum of three different NTP servers so that your firewall can determine if any one of them is inaccurate.

  3. Verify NTP operation.
     a. Verify the NTP configuration commands:
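The manual time-zone step and NTP Steps 1 to 3 above, worked through as one configuration session. This is an added example, not from the book: the server addresses (from the RFC 5737 documentation range), the key number and the key string are placeholders, and the weak configuration is shown first only to make clear what Steps 1a to 1c buy you. Because Syslog and certificate time stamps all derive from this clock, an unauthenticated single server lets a spoofed NTP reply shift every audit record at once.

```cisco
! Added example, not from the book. Addresses and the key string are placeholders.
! --- Manual steps 1 and 2: zone and summer time (the internal clock stays on UTC)
Firewall(config)# clock timezone EST -5
Firewall(config)# clock summer-time EDT recurring
!
! --- Weak: one unauthenticated server; any reply that reaches UDP/123 is trusted,
! --- so a spoofed reply would be accepted and every time stamp would move with it
Firewall(config)# ntp server 192.0.2.10
!
! --- Hardened: NTP Steps 1a-1c, a pinned source interface, and three servers (Step 2)
Firewall(config)# no ntp server 192.0.2.10
Firewall(config)# ntp authentication-key 1 md5 ntpkey01
Firewall(config)# ntp trusted-key 1
Firewall(config)# ntp authenticate
Firewall(config)# ntp server 192.0.2.10 key 1 source inside prefer
Firewall(config)# ntp server 192.0.2.11 key 1 source inside
Firewall(config)# ntp server 192.0.2.12 key 1 source inside
Firewall(config)# exit
!
! --- Step 3: verify. The associations list flags the peer the firewall has actually
! --- synchronised to; a server that never becomes a candidate usually has a key mismatch
Firewall# show ntp associations
Firewall# show ntp status
Firewall# show clock detail
```

The key string is limited to eight cleartext characters, as the text above notes, and is stored in encrypted form once written to Flash; the same key number and string must be configured on each NTP server, otherwise that server's updates are silently ignored after ntp authenticate is enabled.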




EventLog Analyzer – SIEM Log management software

Know every bit of your network

Trace the origin of security attacks

Manage compliance with your eyes closed

Detect anomalies in real-time

Protect your data: it’s child’s play

EventLog Analyzer is an IT Compliance Log Management Software for SIEM

  • Over 70 out-of-the-box event correlation rules for proactive threat management.
  • Pinpoints breach attempts, insider threats, policy violations, and more without any manual intervention.
  • Flexible drag-and-drop correlation rule builder allows users to define attack patterns, facilitating proactive security threat mitigation.
  • Includes out-of-the-box reports that help meet the stringent requirements of regulatory mandates such as HIPAA, GLBA, PCI DSS, SOX, FISMA, ISO 27001, and more.
  • Create custom reports to adapt and comply with the developing regulatory acts of the present and future.
  • Collects logs from heterogeneous sources such as Windows servers and workstations, Linux and Unix systems, network devices, applications, threat intelligence solutions, vulnerability scanners and more at a centralized location.
  • Deciphers any log data regardless of the source and log format with its custom log parser.
  • Supports both agentless and agent-based log collection methods.
  • Centrally track all changes and get real-time alerts when files and folders are created, accessed, viewed, deleted, modified, and renamed.
  • Get a complete audit trail that answers the ‘what, when, where and how’ of all the changes that happen to files and folders in real time.
  • Collects and analyzes all activities of privileged users.
  • Get detailed reports with logon and logoff activity information of privileged users.
  • Get precise user access information such as which user performed the action, what the result of the action was, on which server it happened, and track down the user workstation from which the action was triggered.
  • Searches cover more than just the routine options and enable quick detection of network anomalies, abnormal user activities, system or application errors, security incidents, and more.
  • Conduct a search using wild-cards, phrases, Boolean operators, grouped searches and range searches.
  • Get real-time SMS and email alerts whenever a network anomaly occurs. You can even run a script to remediate the alert condition.
  • 500+ predefined alert criteria across Windows, Unix/Linux, application, and network device infrastructure increase operational efficiency by eliminating the need to set alert profiles for known indicators of compromise.
  • Easily drill down to the raw log data and conduct a root cause analysis to find out the exact log entry that caused a security incident.
  • Various search options enable you to generate forensic reports from both the raw and formatted logs.
  • Automatically archives all machine-generated logs, system logs, device logs and application logs to a centralized repository.
  • Encrypts the event log archive files to ensure the log data is secured for future forensic analysis, compliance and internal audits.