I am very happy and very proud to present LogIDS 2.0 to you today. LogIDS is a new intrusion detection system built around the unified analysis of all your other security applications. That is, at detecting intrusions it will only be as good as your overall security architecture: the more numerous and the more varied the security tools you deploy around your network, the better LogIDS will be at detecting illicit activity. I sometimes like to think of it as a mega-IDS, as it does not try to do what other tools already do better, but tries to benefit from the strengths of each of these existing tools. For example, Snort is a very good network-based intrusion detection system, and Tripwire or IntegCheck (a module now part of the SIDTk 1.0) are very good host-based intrusion detection systems, but LogIDS benefits from the logs of both types of IDS to offer you a single view of what is going on in your network.
Of course, LogIDS is not limited to Snort or IntegCheck logs; it can work from just about any ASCII log file you provide it with. I took great care to make it as flexible and vendor-independent as possible, even though I also took great care to make it work hand-in-hand with LogAgent 5.0, ComLog and the SIDTk. Their use is not mandatory, although it is strongly recommended. You can add to the mix your antivirus logs, personal firewall logs, ComLog logs, Event Viewer logs, download agent logs, Apache logs, and just about any other ASCII log file you can think of (with the notable exception of IIS, because of the lock it maintains on its log files; this can be worked around by using URLScan from Microsoft and monitoring URLScan's log instead of IIS's).
LogIDS is built around four configuration files: map.txt, netdef.txt, filter.txt and rules.txt. I tried to make LogIDS as easy as possible to configure and customize through these files. filter.txt is where you define each of your monitored log files, its associated application, and the definition of each of its fields. In rules.txt, you define the rules that apply according to conditions set on the fields you defined in filter.txt. It is the combination of these two files that gives LogIDS its great flexibility in the kinds of log files it can handle and the level of analysis it can perform. Unlike other log-analysis software, I do not try to cover every commercial tool log that exists out there; instead I chose to give you complete control over how these files are defined. The file netdef.txt contains the definitions of the network items you want to monitor: hosts, servers, subnetworks, firewalls, and so on. The file map.txt lets you define a network map of your environment on which the items listed in netdef.txt are displayed. The result, when the application loads, is an interface like the one presented in Figure 1. As entries arrive in your log files, LogIDS analyses them, applies the appropriate rules and, if a rule says so, displays them in the text field of the appropriate network item. Visual and sound warnings are also supported, as we will see later.
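To make the division of labour between filter.txt, rules.txt and netdef.txt concrete, here is an added example, written for this article and not code from LogIDS itself, of a small engine that works the same way: per-source field definitions are applied to raw ASCII lines, rules are conditions on those fields, and a matching line is routed to the display of a network item. The configuration syntax (regex named groups for fields, field/op/value triples for rules, an address-to-item table for network items) is invented for the example; the real LogIDS file formats are not shown on this page. The log lines are constructed samples in Snort-alert and Apache access-log style, with one deliberately malformed line to show what a wrong field definition looks like.

```python
import re

# Constructed sample log lines in two unrelated ASCII formats (not real data).
SAMPLE_LOGS = {
    "snort": [
        "03/14-10:22:31 [**] [1:2003:8] WEB-MISC suspicious request [**] 10.0.0.5 -> 192.168.1.10",
        "03/14-10:22:45 [**] [1:469:3] ICMP PING NMAP [**] 10.0.0.5 -> 192.168.1.20",
    ],
    "apache": [
        '10.0.0.5 - - [14/Mar/2024:10:22:32 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 231',
        '192.168.1.50 - - [14/Mar/2024:10:23:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
        "not a log line at all",
    ],
}

# Role of filter.txt (hypothetical syntax): one entry per monitored log giving its
# application, the network item that produced it, and its field definitions.
FILTERS = {
    "snort": {
        "app": "Snort",
        "item": "sensor",
        "fields": re.compile(
            r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[^\]]+)\] (?P<msg>.+?) \[\*\*\] (?P<src>\S+) -> (?P<dst>\S+)$"
        ),
    },
    "apache": {
        "app": "Apache",
        "item": "webserver",
        "fields": re.compile(
            r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
        ),
    },
}

# Role of netdef.txt (hypothetical syntax): monitored items and the addresses they own.
NETDEF = {"192.168.1.10": "webserver", "192.168.1.20": "fileserver"}

# Role of rules.txt (hypothetical syntax): a condition on a filter.txt field, which
# field (if any) chooses the target item, and how severe the hit is.
RULES = [
    {"source": "snort", "field": "msg", "op": "contains", "value": "NMAP",
     "route_by": "dst", "severity": "high"},
    {"source": "apache", "field": "status", "op": "eq", "value": "404",
     "route_by": None, "severity": "low"},
]

OPS = {
    "eq": lambda got, want: got == want,
    "contains": lambda got, want: want in got,
    "regex": lambda got, want: re.search(want, got) is not None,
}


def parse_line(source, line):
    """Apply the source's field definition; return None when the line does not fit it."""
    m = FILTERS[source]["fields"].match(line)
    return m.groupdict() if m else None


def match_rules(source, fields):
    """Return every rule for this source whose condition holds on the parsed fields."""
    hits = []
    for rule in RULES:
        if rule["source"] != source:
            continue
        got = fields.get(rule["field"])
        if got is not None and OPS[rule["op"]](got, rule["value"]):
            hits.append(rule)
    return hits


def route(source, fields, rule):
    """Choose the network item whose text display receives the alert: by the address in
    the rule's route_by field when it is a known item, else the log's originating item."""
    if rule["route_by"]:
        addr = fields.get(rule["route_by"])
        if addr in NETDEF:
            return NETDEF[addr]
    return FILTERS[source]["item"]


def run(logs):
    """Drive every source through parse -> rules -> route. Returns the per-item display
    contents {item: [(severity, app, message), ...]} and the lines no field definition
    matched, which is where a mistake in a filter entry becomes visible."""
    display, unparsed = {}, []
    for source, lines in logs.items():
        for line in lines:
            fields = parse_line(source, line)
            if fields is None:
                unparsed.append((source, line))
                continue
            for rule in match_rules(source, fields):
                item = route(source, fields, rule)
                msg = f"{rule['field']} {rule['op']} {rule['value']!r}: {line}"
                display.setdefault(item, []).append((rule["severity"], FILTERS[source]["app"], msg))
    return display, unparsed


if __name__ == "__main__":
    shown, bad = run(SAMPLE_LOGS)
    for item, alerts in shown.items():
        for sev, app, msg in alerts:
            print(f"[{item}] {sev.upper()} ({app}) {msg}")
    for source, line in bad:
        print(f"unparsed {source} line: {line}")
```

Running it puts the NMAP alert on the fileserver item (routed by the Snort destination address through the netdef table) and the 404 on the webserver item (the Apache log's own host), while the malformed line is reported as unparsed rather than silently dropped; checking that list after every change to a field definition is the quickest way to confirm the definition still matches the log's real layout.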