Does Anyone REALLY Read the Syslogs?

deanwebb · July 27, 2018, 09:10:49 AM

So, does the SOC read and respond to syslogs, or do they primarily make reports with pie graphs in them?

If they just make pie graphs, is it because they're lazy, because there are so many syslogs that they can't respond to them all, or because there are so many managers, it's all they can do to keep up with the requests for pie charts?

icecream-guy · July 27, 2018, 10:39:54 AM

Quote from: deanwebb on July 27, 2018, 09:10:49 AM
So, does the SOC read and respond to syslogs, or do they primarily make reports with pie graphs in them?

If they just make pie graphs, is it because they're lazy, because there are so many syslogs that they can't respond to them all, or because there are so many managers, it's all they can do to keep up with the requests for pie charts?

they probably do what the procedures they've been given, that tell them what to do. They MEH! at like 40 attempts to gain access, at 400 they may notice, 4000 may peak their interest, 40000, they are taking action.

deanwebb · July 27, 2018, 10:51:36 AM

Yeah, there is precious little automation of those syslogs. It's fun to make graphs and pore over them, but doing the actual work, going device to device to remediate, that's for someone else. Quite frankly, it's work that gets put on the back burner because nobody really worries a lot about malware in sleep mode.

icecream-guy · July 27, 2018, 03:50:08 PM

S-P-L-U-N-K.

it's a great tool. makes searches SIMPLE
(and makes those little graphy pie chart things easy)

deanwebb · July 27, 2018, 04:45:17 PM

Quote from: ristau5741 on July 27, 2018, 03:50:08 PM
S-P-L-U-N-K.

it's a great tool. makes searches SIMPLE
(and makes those little graphy pie chart things easy)

That it does... but it's still in the application of the knowledge where I find organizations have their shortcomings, to say the least...

Dieselboy · July 31, 2018, 08:41:26 PM

I'm not yet monitoring logs here but I want to and it's on the horizon. Last year I see a webinar about a free piece of software called 411 that goes in with the ELK stack.

Graphs and pie charts are lovely if you can produce them it's very helpful to non-techy people. Ages ago I used to play around with text files, CSVs and excel to make the odd graph here and there. Like paste the results from cmd.exe into text file to apply some formatting then paste it into excel to make a graph. Was cumbersome

Otanx · August 01, 2018, 12:29:13 PM

I don't read every log, but we do track trends. In 24 hours I have about 130K logs from Cisco devices, I look at the unique log messages, and I look at a filtered list of the most common (remove build, teardown, deny logs). This gives me a pretty good overview of what is going on. The best part is this is done automagically with the Splunk Cisco app. It even gives some other cool items like ports with most link flaps. Our SOC also runs special queries that grab what they care about. Stuff like failed logins, multiple logins in X minutes, source IP with most deny messages, destination IP with most deny messages, etc. Stuff that for operations I don't care about usually, but is still important to track.

-Otanx

icecream-guy · August 02, 2018, 06:32:56 AM

I have a splunk dashboard that does a few things.

top 10 busiest firewalls, by # of events generated
top 10 not busiest firewalls, by # of events generated
overall traffic count for allowed and blocked events
top 10 firewall errors
top 10 fewest seen firewall errors
what users are doing on firewalls
top errors by source
top errors by destination