Mastering Syslog on small networks

The Sorcerer’s Apprentice
Snare converts Windows Event Viewer entries into Syslog messages and uses rules to limit the quantity of delivered messages.

As any Disney fan will know, there’s an animated version of this fable with the music provided by Dukas, as Mickey Mouse discovers that a good idea to fix a short-term problem can turn into a very bad idea once it encounters the march of time. Syslog reporting can be a good deal like that.

For example, I’ve a firewall that will report in Syslog format, and everything it considers an event – whether it’s an intrusion attempt or a service without a redirector target – gets thrown into the Syslog file, hosted on a nearby Windows server. Believe it or not, I have that Syslog server set to close the old file and open a new one every 100MB (yes, megabytes). It typically opens three or four such files a week. Leave it for a month and you have roughly 2.8GB of Syslog messages – and that’s just one firewall.

This is where the apprentice makes his mistake. When persistent problems strike, diagnosis of what causes the niggling failure can make you think that you should monitor every last packet and twitch that passes through the network or hits the device in question.

For example, let’s say your router or your print server crashes every morning at 5.30am. You don’t want to get up to watch it, the CCTV tapes make you fairly sure there’s nobody in the building, and you want to start watching the device from about 3am. I’ve heard of a few hard-core techies watching this kind of situation with a copy of Ethereal (www.ethereal.com), but this isn’t the solution for everyone. Ethereal produces volumes of data that make Syslog look anaemically under-endowed, and it depends on long years of experience in assembling packet filters with which to cut down the blizzard of data. You don’t want to see the parity bits in the head and tail of the IP encapsulation of the packet that hits your device 5,000 times in two seconds: what you want is for your device to say “buffer overflow due to time zone error” (to quote one example that still scars me) at just that exact right moment.

It’s far simpler to only monitor messages arising from a device with some brains included than it is to wash through all the traffic that incorporates that device. The process is made even more complex, in these times of smart central network switches, by the need to arrange your Ethereal monitor machine on a simple LAN hub with the thing it’s monitoring. Even this relatively humble, almost plain-electrical requirement can have pitfalls – I’ve seen one network reduced to a crawl for months because someone elected to monitor with Ethereal and then forgot to take the server off the 10Mb hub they’d used to permit Ethereal to eavesdrop.

The lesson from my firewall, however, is that, like the Sorcerer’s Apprentice, you can find that turning on all the reporting options simply drowns you in data. Even on a small business network, Syslog generators can trivially build what is in reality your largest data store, in terms of both the number of transactions and the horsepower required to extract a meaningful report from it.

The rule is: the duller the web page the more valuable the information it presents. At www.precision-guesswork.com there's a comprehensive list of setup guides for generating syslog messages.

Kiwi Syslog applying filters. Better done on the source device, but if you have no other choice...
Copyright © Alphr, Dennis Publishing