I think I 've found the ideal solution for keeping track of events across my network devices - a...

[G+_Marco van Laerhoven]

I think I've found the ideal solution for keeping track of events across my network devices - and wanted to share because there may be other people out there interested in what's going on in their networks :)

 

I found I had two types of data I wanted to see:

- normal system events

- firewall logs

 

After trying various things, I decided to have these in separate locations - the normal system events I usually just look at and review when something strange happens, whereas the firewall logs I only review after some kind of pattern analysis (there is just too much going on to review it line by line).

 

For the normal system events, I use my Synology NAS to collect syslog events (warning and above) from the various devices that I want to track.

Think about switches, access points, servers, etc.

Remember to install the separate LOG CENTER package, which allows you to setup a log receiving service, listening on UDP port 514 - default syslog port.

 

This allows me to see all relevant log entries in one location, in a dashboard - and when I want to investigate I can also "zoom in into one device" to see exactly what happened.

 

For the firewall logs, I decided to install Splunk in a docker container on the NAS too - and have it listen to another port. I tried various log analysis tools, and always found myself getting back to Splunk; it is very easy to use and allows flexible ad-hoc analysis of your log data. You'll quickly find patterns to review your data - and it helped me enormously to have it to tighten my firewall across the various network segments (I use 7 different networks at the moment, to separate devices)

 

There is a free enterprise license of SPlunk if your logs stay below 500Mb/day on average. In my experience that is more than enough for home / small office use (I only log unknown traffic - I rarely go over 50Mb/day and even if you do go ever one day, just ensure the next couple of days you're below and you'll still be fine)

 

I have my firewall logs (Ubiquiti Edgerouter X) sent to this UDP port, so I can perform "live analysis" of what's going on in the network

 

Additionally, these logs are sent to a raspberry pi running a syslog server - so in case the docker image is not running my logs are still collected and I can simply copy them into a "tracked folder" to have them analysed in Splunk at a later time.

 

(yes, the EdgeRouter allows you to send the logging data to multiple sites - even using different information settings if you want. You can use the CLI, I used the config tree instead)

 

I find it very useful to have the instant analysis option available (I can see the effect of my firewall changes on the fly) and still know all logs are safe in case something happens to the docker image or I want to stop it for a while).

 

I hope you found it useful - and I'm very interested to hear what level of logging and tracking you are performing in your networks!

[G+_Marco van Laerhoven]

Sorry everyone, first time post and hadn't noticed I didn't enable comments :$. Should work now.

[G+_Travis Hershberger]

Any reason you chose Splunk over Wazuh or OSSIM?

[G+_Marco van Laerhoven]

I started with windows PC based log analysis tools - tested a few, based on recommendations in user groups and various postings. I found most of them too restrictive, and when I ran into Splunk it solved my "ad-hoc" analysis needs, analysing logfiles whenever I had the need for it. After a while I found it to be overkill to have such a tool running continuously on my laptop, so searched for server-based solutions ... found splunk on Docker and presto!

 

 

But to be honest, even though I really like it there may be even better solutions available - that's why I wanted to get some feedback.

Do you think these are better than Splunk, and if so what are their benefits ??

[G+_Travis Hershberger]

Not necessarily better, but free. Wuzah is what I've been using, which is actually just OSSIM with some very useful reporting included.

[G+_Marco van Laerhoven]

I had a look at the wazuh documentation, it looks way more complex to set up with several stacks. Did you spend a lot of time setting it up? It looks like it can do some nice things but I think for my for my home use it could be overkill. Splunk works quite nicely. I'm using the free enterprise license btw, so this one is free too.

[G+_Travis Hershberger]

Marco van Laerhoven I've always found that with Splunk, the free one works for a little bit, but when you want to really start using it, that 500MB limit is hard to stay under. If it's working for you, then that's great.

[G+_Marco van Laerhoven]

There are a lot of things I've vetted so don't want to track, like my Kodi players streaming video from the Nas, and most other internal traffic. But if I were to log all traffic I'm sure I'd hot that limit too. I think I'll try wazuh in a couple of months, maybe it's not as daunting as it seems. Thanks for posting!

[G+_Mark Olson]

Thanks for making this post! I am a bit of a newbie in this area so I don't have anything useful to add, but I appreciate the initial post and the comment thread. Obviously I should be monitoring my LAN traffic but... :^) Maybe this will get me started.