Syslog Collection

Lately I’ve been thinking about ways to collect syslog data from network devices (especially Cisco and pfSense). Traditionally I’ve used commercial solutions, but would really like to have a simple open source solution to supply my clients early in a network consulting engagement. This post documents the search, and hopefully ends with a Preferred Solution.

A long time ago I discovered a tool called Logstash (https://en.wikipedia.org/wiki/Elasticsearch) which sounds like it was made for the job. I may always love the logo! It turns out that Logstash is a log-parsing engine that feeds its data into an Elasticsearch database, with Kibana for presentation. Setting this up looks like it requires several servers and is far bigger and more complex than I really want.

Next up is a tool called syslog-ng (https://www.syslog-ng.com/). It looks like a powerful tool, but the open source version includes only command line support. Most of my clients are more comfortable with graphical user interfaces (aka GUIs), so I’d like to expose syslog data to them through a GUI even if I manage it using the command line. Searching for an accompanying tool led me to an interesting option: Logzilla (https://www.syslog-ng.com/community/b/blog/posts/web-interfaces-for-your-syslog-server-an-overview/). According to the post “Logzilla focuses on logs from Cisco devices” – a perfect fit!

Logzilla is another open source solution (https://www.logzilla.net/). They’re marketing it as Network Event Orchestration (NEO). The NEO engine can be used at no cost for less than one million events per day. It runs in a Docker container and has the following system requirements:

  • Docker version 18+
  • 8 CPU cores
  • 8 GB RAM
  • 1000 disk IOPS

Logzilla makes a VM image available: https://logzilla.sh/LogZilla-NEO.ova. It is a sizeable download, but makes for an easy install.

What if I want to run NEO on a FreeBSD system? Then I’d need to install Docker on FreeBSD (which is broken today), as detailed here: https://wiki.freebsd.org/Docker. Then it looks like I would need to install the application using the following command: curl -fsSL https://logzilla.sh | bash.
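Whichever collector ends up being the preferred solution, the first thing it has to do with a datagram from a Cisco router or a pfSense firewall is split the <PRI> header into facility and severity, pull out the host and program from the RFC 3164 (BSD) or RFC 5424 header, and, for Cisco IOS, recognise the %FACILITY-SEVERITY-MNEMONIC tag. The example below is added here to show that work in plain Python; it is not code from this post, from syslog-ng or from Logzilla. The sample messages, the hosts and addresses in them, and the "noteworthy" rules (warning or worse, Cisco config changes, failed SSH logins) are all constructed for illustration, and the parser assumes at most one structured-data element in RFC 5424 messages.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Facility and severity names as numbered in RFC 5424 section 6.2.1 (RFC 3164 uses the same codes).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 5424 header: "1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG".
# Assumption: at most one structured-data element (or "-"), which is what pfSense emits.
RFC5424_RE = re.compile(
    r"^1\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(?:-|\[[^\]]*\])\s*(.*)$", re.DOTALL)
# RFC 3164 (BSD) header: "Mmm dd hh:mm:ss HOSTNAME TAG: MSG". Cisco IOS timestamps carry
# milliseconds and a trailing colon, so they deliberately fail this pattern and are
# handled by the %FACILITY-SEVERITY-MNEMONIC search below instead.
BSD_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?!%)(\S+)\s+(.*)$", re.DOTALL)
TAG_RE = re.compile(r"^([\w./-]+)(?:\[\d+\])?:\s*(.*)$", re.DOTALL)
CISCO_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    severity_num: int
    host: Optional[str]
    app: Optional[str]
    message: str
    cisco_facility: Optional[str] = None
    cisco_severity: Optional[int] = None   # normally equals severity_num; both are kept
    cisco_mnemonic: Optional[str] = None


def parse_syslog(raw: str) -> SyslogEvent:
    """Parse one syslog datagram (trailing newline already stripped) into a SyslogEvent."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    rest = m.group(2)
    host = app = None
    message = rest

    if (m := RFC5424_RE.match(rest)):
        host = None if m.group(2) == "-" else m.group(2)
        app = None if m.group(3) == "-" else m.group(3)
        message = m.group(6)
    elif (m := BSD_RE.match(rest)):
        host = m.group(1)
        message = m.group(2)
        if (t := TAG_RE.match(message)):
            app, message = t.group(1), t.group(2)

    ev = SyslogEvent(FACILITIES[facility], SEVERITIES[severity], severity, host, app, message)
    if (c := CISCO_RE.search(message)):   # Cisco IOS: %SYS-5-CONFIG_I: text
        ev.cisco_facility, ev.cisco_mnemonic = c.group(1), c.group(3)
        ev.cisco_severity = int(c.group(2))
        ev.message = c.group(4)
    return ev


def parse_lines(lines: Iterable[str]) -> List[SyslogEvent]:
    """Parse many lines, silently dropping any that lack a valid <PRI> header."""
    out = []
    for line in lines:
        try:
            out.append(parse_syslog(line.rstrip("\r\n")))
        except ValueError:
            continue
    return out


def noteworthy(events: Iterable[SyslogEvent], max_severity: int = 4) -> List[SyslogEvent]:
    """Constructed triage rules: warning or worse, Cisco config changes, failed SSH logins."""
    picked = []
    for ev in events:
        if ev.severity_num <= max_severity:
            picked.append(ev)
        elif ev.cisco_mnemonic == "CONFIG_I":
            picked.append(ev)
        elif ev.app == "sshd" and "Failed password" in ev.message:
            picked.append(ev)
    return picked


def receive_udp(bind: str = "0.0.0.0", port: int = 5514) -> Iterator[Tuple[str, SyslogEvent]]:
    """Minimal UDP listener yielding (sender address, event); unprivileged port by default."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        try:
            yield peer, parse_syslog(data.decode("utf-8", "replace").rstrip("\r\n"))
        except ValueError:
            continue


# Constructed sample datagrams (documentation addresses, made-up hosts and sequence numbers).
SAMPLE_LINES = [
    "<189>123: *Mar  1 00:00:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "<187>124: *Mar  1 00:00:05.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<85>Jan 12 10:15:22 pfsense sshd[4242]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "<134>1 2024-01-12T10:15:22.123456-05:00 pfsense filterlog 30211 - - "
    "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.5,51515,22",
]

if __name__ == "__main__":
    for ev in noteworthy(parse_lines(SAMPLE_LINES)):
        print(f"{ev.facility}.{ev.severity:<7} {ev.host or '-':<8} {ev.app or ev.cisco_mnemonic or '-':<10} {ev.message}")
```

Run as a script it prints the three sample events worth a second look (the Cisco config change, the link going down and the failed SSH login) and leaves the routine pfSense filterlog entry alone; point a device at receive_udp() on port 5514 to see the same parsing applied to live traffic. Cisco boxes send to local7 unless configured otherwise, so filtering by facility alone will not separate them from other local7 sources; the mnemonic is the more useful key.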

Interesting Requests for Comment

This post is intended to list Requests for Comment (RFCs) that I find interesting, find myself referring to, and think that I should study. Hopefully it won’t become an exhaustive list of every RFC used in our networks today.

RFC 1034 – Domain Names – Concepts and Facilities

RFC 1035 – Domain Names – Implementation and Specification

RFC 1149 – A Standard for the Transmission of IP Datagrams on Avian Carriers

RFC 1855 – Netiquette Guidelines

RFC 1925 – The Twelve Networking Truths

RFC 4033 – DNS Security Introduction and Requirements

RFC 4034 – Resource Records for the DNS Security Extensions

RFC 4035 – Protocol Modifications for the DNS Security Extensions

RFC 5905 – Network Time Protocol Version 4: Protocol and Algorithms Specification

RFC 8140 – The Arte of ASCII

RFC 8484 – DNS Queries over HTTPS

RFC 8499 – DNS Terminology

More to follow!