
Security, The Second Step: Review Logs Timely

By Jason Howe | July 16, 2015 | Updated September 11th, 2020 | Blog

So you have started capturing the logs of your network devices, but how will this help your network security? The short answer is that it won't, not until you review your logs in a timely manner. But there is a good reason logs don't get reviewed in a timely manner: it takes time. It is really boring. And most of the time it is useless, except when it is not.

So to improve your network or enterprise security, you need to be able to easily review the few needles in the haystack of logs. The good news is this is not impossible, and it gets easier each and every time you do it.

The key here is filtering out all the logs that you do not care about. If you are using a proprietary application this can be a rather complex operation, which is one reason I don't suggest using them. If you are sending syslog to a standard Linux/Unix system, or even a Windows server with Cygwin installed, you have many more options. The two main tools I use are the standard grep/egrep command (which is on almost every version of *nix) and the Perl scripting language (also on almost every *nix system).

The key is to filter out the logs you don’t want.

Example:

To keep a constant eye on the active log, I use the "tail -f" command on the log:

tail -f network-devices.log

When I do this, the logs fly past much faster than I can read them, or even barely see them.

So I modify this by blocking the messages I don't care about with "egrep -v".

After blocking multiple messages I don't care about, it looks more like:

tail -f network-devices.log | egrep -v "419002|30501[1-5]|30201[1-9]|30202[0-1]|106100|60900[12]|715036|715047|715075|710005|106023|106015"


The key is to block everything that you either don't care about or that is not an actionable item. You will go through many iterations of this, but what is left over is a very small log that will only take a minute or two to parse.

After I fine-tune my log filter, it is easy enough to parse an entire day's log and email it to myself. I typically set these up in cron and send them to myself daily as "My Daily Log Reports". This is how I can easily manage logs from thousands of routers and firewalls and still see the important messages that I care about.
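The filter pipeline above and the daily cron report, put together as a small script. This is an added example, not the post's own script: it reuses the post's exact exclusion pattern (grep -E is the same engine as egrep), runs it over a few constructed sample lines in Cisco ASA syslog format (an assumption; the post does not name the device type), and writes the surviving lines to a report file that a cron job can mail.

```shell
#!/bin/sh
# Added example: reduce one day's network-device log to the actionable remainder
# and write a report for cron to mail. Not the original post's script.

# The same message-ID alternation the post feeds to egrep -v: connection build/teardown,
# ACL hits, IKE debug and similar noise that is never actionable on its own.
NOISE_PATTERN='419002|30501[1-5]|30201[1-9]|30202[0-1]|106100|60900[12]|715036|715047|715075|710005|106023|106015'

# filter_log LOGFILE -> prints only the lines that do NOT match NOISE_PATTERN.
filter_log() {
    grep -E -v "$NOISE_PATTERN" "$1"
}

# count_actionable LOGFILE -> number of lines left after filtering (0 if nothing survives).
count_actionable() {
    filter_log "$1" | wc -l | tr -d ' '
}

# daily_report LOGFILE REPORTFILE -> header with in/out line counts, then the kept lines.
daily_report() {
    log="$1"; report="$2"
    {
        echo "Daily log report for $log ($(date +%Y-%m-%d))"
        echo "Lines in: $(wc -l < "$log" | tr -d ' ')  Lines kept: $(count_actionable "$log")"
        echo "----"
        filter_log "$log"
    } > "$report"
}

# Constructed sample log (hypothetical host fw1 and addresses). Four lines carry IDs the
# pattern discards; the config change (111008) and ARP collision (405001) should survive.
SAMPLE_LOG="${TMPDIR:-/tmp}/network-devices-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jul 16 08:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.10/4444 to inside:10.0.0.5/22
Jul 16 08:00:02 fw1 %ASA-6-302014: Teardown TCP connection 1 for outside:192.0.2.10/4444 to inside:10.0.0.5/22 duration 0:00:01 bytes 0 Reset-I
Jul 16 08:00:05 fw1 %ASA-4-106023: Deny tcp src outside:192.0.2.10/4444 dst inside:10.0.0.5/23 by access-group "outside_in"
Jul 16 08:01:10 fw1 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.
Jul 16 08:02:00 fw1 %ASA-4-405001: Received ARP request collision from 10.0.0.9/0011.2233.4455 on interface inside
Jul 16 08:03:00 fw1 %ASA-6-609001: Built local-host outside:192.0.2.10
EOF

# Daily use from cron, e.g.:  daily_report /var/log/network-devices.log /tmp/report.txt
# followed by:  mail -s "My Daily Log Reports" you@example.com < /tmp/report.txt
```

Every iteration of the filter is just another alternative appended to NOISE_PATTERN, so the report shrinks over time while the raw log stays untouched for later investigation.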

In my next blog, I will cover using syslog to set up a quick and easy alert system.

Jason Howe, PEI
