Nashville Infosec Presentation – Log Collection on a Shoe String

Here are my slides and the tutorial I made for Rolling your own logging vm. Between the slides and the tutorial you can find all the links I referenced.

The VM tutorial uses Ubuntu Linux, syslog-ng and Splunk. I go over how to use syslog-ng with FIFO queues to handle multiple sources, and even how to rewrite forwarded syslog events coming from Kiwi Syslog before indexing them in Splunk. The tutorial zip contains both PDF and EPUB formats.

*update* I was asked some questions today during my presentation about MS Log Parser. I added my post on it to the link list below. Also, for those downloading my actual logging VM from the link I gave to those who attended my talk: the URL redirects to Dropbox, so do not be surprised.

*second update* A question came up today on a forensics mailing list about searching some evtx event log files. I suggested using MS Log Parser to replay the output to syslog, with the target being Splunk, as in my logging VM tutorial. Then the logs are easily searchable.
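To make the pipeline described in the tutorial paragraph above concrete (syslog-ng receiving from several sources, rewriting Kiwi-forwarded events, and handing everything to Splunk through FIFOs), here is an added syslog-ng configuration. It is an example written for this post, not the tutorial's own config file. Assumptions: Kiwi Syslog forwards over UDP/514 from the constructed address 192.0.2.10, Kiwi places the original sending host as the first token of the message body (a common forwarding layout, but verify it against your own Kiwi output), the FIFOs live under /var/run/syslog-ng/, and replayed Log Parser output from the second update arrives on the same UDP source.

```conf
@version: 3.5
# Added example syslog-ng config (not the tutorial's file). All addresses and
# paths are constructed for illustration.

options {
    keep_hostname(yes);     # trust the HOST in the received syslog header
    create_dirs(yes);
};

# One network source serves every sender: Kiwi forwards, devices logging
# directly, and MS Log Parser replaying .evtx contents as syslog.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Kiwi traffic is identified by the forwarder's source IP (assumed 192.0.2.10).
filter f_from_kiwi { netmask("192.0.2.10/32"); };

# Assumption: Kiwi prepends the original host to the body, e.g.
#   "fw01 %ASA-6-302013: Built outbound TCP connection ..."
# The rewrite strips that leading token so Splunk indexes a clean message,
# and tags the event so the Kiwi hop is still visible in the output.
rewrite r_kiwi {
    subst("^[A-Za-z0-9._-]+[ ]+", "", value("MESSAGE"));
    set("kiwi", value(".relay"));
};

# FIFO destinations for Splunk to read. syslog-ng does not create named pipes:
#   mkfifo /var/run/syslog-ng/kiwi.fifo /var/run/syslog-ng/net.fifo
destination d_splunk_kiwi {
    pipe("/var/run/syslog-ng/kiwi.fifo"
         template("$ISODATE $HOST $PROGRAM: relay=${.relay} $MSG\n"));
};
destination d_splunk_net {
    pipe("/var/run/syslog-ng/net.fifo"
         template("$ISODATE $HOST $PROGRAM: $MSG\n"));
};

# Kiwi-forwarded events are rewritten and sent to their own FIFO; flags(final)
# stops them from also matching the catch-all path below.
log {
    source(s_net);
    filter(f_from_kiwi);
    rewrite(r_kiwi);
    destination(d_splunk_kiwi);
    flags(final);
};

# Everything else (direct devices, Log Parser replays) goes to the second FIFO.
log {
    source(s_net);
    destination(d_splunk_net);
};
```

On the Splunk side, each FIFO is picked up with a `[fifo:///var/run/syslog-ng/kiwi.fifo]` style stanza in inputs.conf, one per pipe, so the Kiwi-relayed and direct feeds can carry different sourcetypes. Create the FIFOs before starting syslog-ng and check the config with `syslog-ng -s` first; a missing pipe or a bad regex in the rewrite is the usual reason events silently never reach Splunk.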
