Thursday, May 1, 2014

Syslog



SysLog

You know, there’s a lot of demand in the world for logging. Great. Let’s go get a syslog server and dump everything on that. Great. Now what?
So, you want to do something with those thousands of lines of information per day? Yes? So how in the world does one do all that fun stuff? The first thought is to write a program to parse those wonderful syslogs and examine the data passively the next day. Great. We can do that. All it’s going to take is about 30 hours of programming and testing to get all conditions down, and then make some sort of use out of them. Because just capturing the information is only one part of the equation. The next part of the equation is simple… what do you do with it?
Sure, you can find that 208.118.237.22 scanned every port of your router, but what is that information worth?  Because every device on the internet is constantly getting scanned, and I don’t know of anything you can do to stop them.
Option 2 is to take action based on what happens in those syslogs. That means your program needs to get more complex. Instead of buying your own bargain-basement syslog software, it’s time to go code your own. On the plus side, if you’ve already written the portion of the program that handles post-event examination and processing, you can integrate that in.
Once again, great. Now what? What can you do with the information? Does the information need to be gathered for PCI compliance, or are you simply collecting logs and information that no one will ever read until you’ve been breached and your world is about to blow up? Or is there certain specific stuff hidden deeply in all those messages that could be useful?
The only way to find out is to examine every single piece of information that comes through your system, log it, and then… 
Guess that’s one more thing I need to do…

So, the action items from this pile are: write a program to accept and process syslog information, and then get it to tell me what it didn’t know what to do with, so I can store it somewhere. Or perhaps I need to integrate it with a SQL database so the information can be stored and examined.
Oh yeah, I suck at writing properly threaded code, so there’s that… 
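As an added illustration of the action items above (example code written for this post, not something the author built), here is a small single-threaded collector: it parses BSD-style syslog lines, hands firewall DROP messages to a handler that flags a source hitting many distinct ports, and dumps every line it has no handler for into a SQLite table for later review. The log lines, host names and IPs are constructed sample data.

```python
import re
import sqlite3
from collections import defaultdict
# Constructed sample input (hypothetical hosts; documentation-range IPs), BSD syslog format
SAMPLE_LOGS = """\
<4>May  1 10:00:01 router kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=22
<4>May  1 10:00:02 router kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=23
<4>May  1 10:00:02 router kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=80
<4>May  1 10:00:03 router kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=443
<4>May  1 10:00:03 router kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=22
<86>May  1 10:00:04 router sshd[123]: Accepted publickey for admin from 192.0.2.50 port 51234
<6>May  1 10:00:05 router cron[99]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog at all
"""
# <PRI>timestamp host tag: message
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
DROP_RE = re.compile(r"SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")  # fields of a firewall DROP message

def parse_line(line):
    """Split a BSD syslog line into its fields, or return None if it is not in that format."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return m.groupdict()

def process(lines, scan_threshold=3):
    """Route known messages to their handler; everything else is collected as 'unknown'.
    Returns (alerts, unknown): alerts maps a source that hit >= scan_threshold distinct
    ports to its sorted port list; unknown is a list of (reason, raw line) pairs."""
    ports_by_src = defaultdict(set)
    unknown = []
    for line in lines.splitlines():
        rec = parse_line(line)
        drop = DROP_RE.search(rec["msg"]) if rec and rec["tag"] == "kernel" else None
        if drop:
            ports_by_src[drop["src"]].add(int(drop["dpt"]))
        else:
            unknown.append(("unparseable" if rec is None else "no handler", line))
    alerts = {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= scan_threshold}
    return alerts, unknown

def store_unknown(unknown, db_path=":memory:"):
    """Persist unhandled lines in SQLite for later review; returns the row count."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS unknown (id INTEGER PRIMARY KEY, reason TEXT, raw TEXT)")
    conn.executemany("INSERT INTO unknown (reason, raw) VALUES (?, ?)", unknown)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM unknown").fetchone()[0]
```

Running `process(SAMPLE_LOGS)` flags 203.0.113.5 (four distinct ports) while 198.51.100.9 stays below the threshold, and the sshd, cron and garbage lines land in the unknown table as the material to write the next handler for.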
