Syslog Collection

Lately I’ve been thinking about ways to collect syslog data from network devices (especially Cisco and pfSense). Traditionally I’ve used commercial solutions, but would really like to have a simple open source solution to supply my clients early in a network consulting engagement. This post documents the search, and hopefully ends with a Preferred Solution.

A long time ago I discovered a tool called Logstash (https://en.wikipedia.org/wiki/Elasticsearch) which sounds like it was made for the job. I may always love the logo! It turns out that Logstash is a log-parsing engine that feeds its data into an Elasticsearch database, with Kibana for presentation. Setting this up looks like it requires many servers and is far bigger and more complex than I really want.

Next up is a tool called syslog-ng (https://www.syslog-ng.com/). It looks like a powerful tool, but the open source version includes only command line support. Most of my clients are more comfortable with graphical user interfaces (aka GUIs), so I’d like to expose syslog data to them through a GUI even if I manage it using the command line. Searching for an accompanying tool led me to an interesting option: Logzilla (https://www.syslog-ng.com/community/b/blog/posts/web-interfaces-for-your-syslog-server-an-overview/). According to the post “Logzilla focuses on logs from Cisco devices” – a perfect fit!

Logzilla is another open source solution (https://www.logzilla.net/). They’re marketing it as Network Event Orchestration (NEO). The NEO engine can be used at no cost for less than one million events per day. It runs in a Docker container and has the following system requirements:

  • Docker version 18+
  • 8 CPU cores
  • 8 GB RAM
  • 1000 Disk IOPs

Logzilla makes a VM image available: https://logzilla.sh/LogZilla-NEO.ova. It is a sizeable download, but makes for an easy install.

What if I want to run NEO on a FreeBSD system? Then I’d need to install Docker on FreeBSD (which is broken today), as detailed here: https://wiki.freebsd.org/Docker. After that, it looks like I would need to install the application using the following command: curl -fsSL https://logzilla.sh | bash.

Firewall Logs

A firewall’s primary function is to control traffic. Troubleshooting authorized connections and verifying configuration changes are necessary supporting functions. While we can use a firewall to detect suspicious activity and notify administrators, there is a balance between collecting log information to support those administrative functions and conserving resources (processor, bandwidth, and usability of the data). As we learn what normal traffic looks like, we should tailor the log information to reflect that normal; sometimes an adversary will be able to cloak their activity within that normal traffic. An owner would be wise to install an Intrusion Detection System and even a Network Monitoring System in order to better detect adversarial activity. Where an owner chooses not to install more capable detection layers, I think we are well served by maintaining a robust ability to detect abnormal activity using log information. With log information alone, we can only detect abnormal activity effectively by reducing the noise floor generated by normal activity, so that a casual network administrator can recognize the abnormal activity.
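As an added illustration of the noise-floor idea (example code written for this post’s argument, not a tool the post describes), the script below parses RFC 3164-style syslog lines, suppresses events that match a learned-normal rule, and never suppresses anything at warning severity or worse, so a configuration change on a switch still surfaces. The sample lines and the 192.0.2.50 printer rule are constructed, and the pfSense filterlog field layout shown is approximate.

```python
import re
from collections import Counter

# Constructed RFC 3164-style sample lines (not real captures); the pfSense filterlog
# field layout is approximate and only the fields we match on matter.
SAMPLE_LINES = [
    "<134>Jan 10 10:00:01 fw1 filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.50,255.255.255.255,137,137,58",
    "<134>Jan 10 10:00:31 fw1 filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,192.0.2.50,255.255.255.255,137,137,58",
    "<190>Jan 10 10:00:40 core-sw 15: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51234) -> 192.0.2.10(22), 1 packet",
    "<134>Jan 10 10:01:05 fw1 filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.10,51300,445,0,S",
    "<188>Jan 10 10:01:10 core-sw 16: %SYS-4-CONFIG_I: Configured from console by admin on vty0 (192.0.2.20)",
]

# RFC 3164 header: <PRI>, a "Mon dd hh:mm:ss" timestamp, a hostname, then the message.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Learned-normal rules (hypothetical): the printer at 192.0.2.50 broadcasts NetBIOS
# name queries every 30 seconds and fw1 blocks them, which is expected and noisy.
NORMAL_RULES = {
    "netbios-broadcast-printer": re.compile(r"filterlog: .*,udp,\d+,192\.0\.2\.50,255\.255\.255\.255,137,137,"),
}
WARNING = 4  # syslog severity 0-4 (warning or worse) is never suppressed

def parse(line):
    """Split one syslog line into facility, severity, host and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"], "msg": m["msg"]}

def reduce_noise(lines, normal=NORMAL_RULES):
    """Drop events matching a learned-normal rule unless severity is warning or worse.
    Returns (kept events, per-rule suppressed counts) so the baseline itself can be audited."""
    kept, suppressed = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed line; a real collector would count these too
        rule = next((name for name, rx in normal.items() if rx.search(ev["msg"])), None)
        if rule is not None and ev["severity"] > WARNING:
            suppressed[rule] += 1
        else:
            kept.append(ev)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = reduce_noise(SAMPLE_LINES)
    print(f"suppressed as normal: {dict(suppressed)}", *[f"{e['host']} sev={e['severity']} {e['msg']}" for e in kept], sep="\n")
```

The suppressed counts are the audit trail for the baseline: if the printer rule suddenly swallows thousands of events instead of two per minute, the "normal" itself has changed and deserves a look.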

In the case where an owner puts forth minimal effort to control traffic and correct configuration errors, we will have much less sensitivity to abnormal traffic. This is a consequence of that owner’s decisions and can only be avoided by giving up on detection entirely.