SysLog
You know, there’s a lot of demand in the world for logging. Great. Let’s go get a syslog server and dump everything on that. Great. Now what?

So, you want to do something with those thousands of lines of information per day? Yes? So how in the world does one do all that fun stuff? The first thought is to write a program to parse those wonderful syslogs and examine the data passively the next day. Great. We can do that. All it’s going to take is about 30 hours of programming and testing to get all the conditions down, and then make some sort of use of them. Because just capturing the information is only one part of the equation. The next part of the equation is simple… what do you do with it?

Sure, you can find that 208.118.237.22 scanned every port on your router, but what is that information worth? Every device on the internet is constantly getting scanned, and I don’t know of anything you can do to stop them.

Option 2 is to take action based on what happens with those syslogs. That means your program needs to get more complex. Instead of buying your own bargain-basement syslog software, it’s time to go code your own. On the plus side, if you’ve already written the portion of the program to handle post-event examination and processing, you can integrate that in.

Once again, great. Now what? What can you do with the information? Does the information need to be gathered for PCI compliance, or are you simply collecting logs and information that no one will ever read until you’ve been breached and your world is about to blow up? Or is there certain specific stuff hidden deep in all those messages that could be useful?

The only way to find out is to examine every single piece of information that comes through your system, log it, and then…

Guess that’s one more thing I need to do…

So, the action items from this pile are: write a program to accept and process syslog information, and then get it to tell me what it didn’t know what to do with, so I can store it somewhere. Or perhaps I need to integrate it with a SQL database so the information can be stored and examined.
Oh yeah, I suck at writing properly threaded code, so there’s that…
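As an added sketch of those action items (example code written for this page, not the post's own program): a single-threaded Python pass over constructed sample lines that parses RFC 3164-style syslog, writes the messages it has a rule for into an `events` table in SQLite, parks everything it does not recognise in an `unknown` table so the "didn't know what to do with" pile can be reviewed, and answers the port-scan question above straight from the database. The two rule regexes and the sample message formats are assumptions, not any particular vendor's log format.

```python
import re
import sqlite3
from collections import Counter
# RFC 3164-style line: <PRI>Mmm dd HH:MM:SS host tag[pid]: message, where PRI = facility*8 + severity.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
                       r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
RULES = {  # what the program "knows" (hypothetical message formats): rule name -> regex over the message
    "ssh_failed_login": re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+)"),
    "fw_drop": re.compile(r"DROP .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dport>\d+)"),
}

def parse_line(line):
    """Split one syslog line into fields, or return None if it is not syslog-shaped."""
    if not (m := SYSLOG_RE.match(line)):
        return None
    return {"severity": int(m["pri"]) % 8, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def process(lines, db_path=":memory:"):
    """Rule hits go to `events`; everything else, parseable or not, goes to `unknown` for review."""
    con = sqlite3.connect(db_path)
    con.executescript("""CREATE TABLE IF NOT EXISTS events(rule TEXT, host TEXT, src TEXT, dport TEXT, msg TEXT);
                         CREATE TABLE IF NOT EXISTS unknown(host TEXT, tag TEXT, msg TEXT);""")
    summary = Counter()
    for raw in lines:
        rec = parse_line(raw) or {"host": None, "tag": None, "msg": raw}
        for name, rx in RULES.items():
            hit = rx.search(rec["msg"])
            if hit:
                con.execute("INSERT INTO events VALUES (?,?,?,?,?)",
                            (name, rec["host"], hit["src"], hit.groupdict().get("dport"), rec["msg"]))
                summary[name] += 1
                break
        else:  # no rule matched: keep it so the "didn't know what to do with" pile can be reviewed later
            con.execute("INSERT INTO unknown VALUES (?,?,?)", (rec["host"], rec["tag"], rec["msg"]))
            summary["unknown"] += 1
    con.commit()
    return summary, con

def distinct_ports_by_source(con):
    """The post's port-scan question, answered from the DB: {src: number of distinct ports dropped}."""
    rows = con.execute("SELECT src, COUNT(DISTINCT dport) FROM events WHERE rule='fw_drop' GROUP BY src")
    return dict(rows.fetchall())
# Constructed sample lines (not real log data; RFC 5737 documentation addresses).
SAMPLE = [
    "<38>Mar  3 10:01:02 gw sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2",
    "<4>Mar  3 10:01:05 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22",
    "<4>Mar  3 10:01:06 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=80",
    "<30>Mar  3 10:02:00 gw cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "this is not a syslog line",
]
```

Running `process(SAMPLE)` on the constructed lines yields one `ssh_failed_login`, two `fw_drop` and two `unknown` entries (the cron line and the unparseable one), and `distinct_ports_by_source` reports that 203.0.113.9 hit 2 distinct ports; pointing `lines` at a socket or a file and growing `RULES` is where the real 30 hours go.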