Does Anyone REALLY Read the Syslogs?

Started by deanwebb, July 27, 2018, 09:10:49 AM


deanwebb

So, does the SOC read and respond to syslogs, or do they primarily make reports with pie graphs in them?

If they just make pie graphs, is it because they're lazy, because there are so many syslogs that they can't respond to them all, or because there are so many managers, it's all they can do to keep up with the requests for pie charts?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on July 27, 2018, 09:10:49 AM
So, does the SOC read and respond to syslogs, or do they primarily make reports with pie graphs in them?

If they just make pie graphs, is it because they're lazy, because there are so many syslogs that they can't respond to them all, or because there are so many managers, it's all they can do to keep up with the requests for pie charts?

They probably do what the procedures they've been given tell them to do. They MEH! at like 40 attempts to gain access; at 400 they may notice, 4000 may pique their interest, and at 40000 they are taking action.
:professorcat:

My Moral Fibers have been cut.

deanwebb

Yeah, there is precious little automation of those syslogs. It's fun to make graphs and pore over them, but doing the actual work, going device to device to remediate, that's for someone else. Quite frankly, it's work that gets put on the back burner because nobody really worries a lot about malware in sleep mode.

icecream-guy

S-P-L-U-N-K.

It's a great tool. Makes searches SIMPLE
(and makes those little graphy pie chart things easy)


deanwebb

Quote from: ristau5741 on July 27, 2018, 03:50:08 PM
S-P-L-U-N-K.

It's a great tool. Makes searches SIMPLE
(and makes those little graphy pie chart things easy)

That it does... but it's still in the application of the knowledge where I find organizations have their shortcomings, to say the least...

Dieselboy

I'm not yet monitoring logs here, but I want to and it's on the horizon. Last year I saw a webinar about a free piece of software called 411 that goes in with the ELK stack.

Graphs and pie charts are lovely; if you can produce them, it's very helpful to non-techy people. Ages ago I used to play around with text files, CSVs and Excel to make the odd graph here and there, like pasting the results from cmd.exe into a text file to apply some formatting, then pasting it into Excel to make a graph. Was cumbersome :XD:

Otanx

I don't read every log, but we do track trends. In 24 hours I have about 130K logs from Cisco devices; I look at the unique log messages, and I look at a filtered list of the most common (removing build, teardown and deny logs). This gives me a pretty good overview of what is going on. The best part is this is done automagically with the Splunk Cisco app. It even gives some other cool items, like ports with the most link flaps. Our SOC also runs special queries that grab what they care about: stuff like failed logins, multiple logins in X minutes, source IP with the most deny messages, destination IP with the most deny messages, etc. Stuff that I don't usually care about for operations, but is still important to track.

-Otanx

icecream-guy

I have a Splunk dashboard that does a few things.

top 10 busiest firewalls, by # of events generated
top 10 not busiest firewalls, by # of events generated
overall traffic count for allowed and blocked events
top 10 firewall errors
top 10 fewest seen firewall errors
what users are doing on firewalls
top errors by source
top errors by destination
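The trend-tracking the thread describes, pulled together in one script: Otanx's unique-message-ID view and "most common with build/teardown/deny filtered out", the SOC's top-deny-source and top-deny-destination queries, icecream-guy's busiest and quietest firewalls by event count, and the 40/400/4000/40000 reaction tiers from earlier in the thread applied to failed management logins per source. This is an added Python example, not code from any poster and not the Splunk Cisco app or dashboard; the ASA-format log lines, host names and addresses are constructed for it, and the message-ID meanings, the NOISE_IDS set and the tier labels are assumptions noted in the comments.

```python
"""Trend-tracking over Cisco ASA syslog, in the spirit of the thread.

Constructed example: the log lines, host names and addresses below are made up
for this script; message-ID meanings are assumptions, not taken from the thread.
"""
import re
from collections import Counter

# One ASA syslog line: "<timestamp> <host> %ASA-<severity>-<msgid>: <text>"
ASA_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{4}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
# ACL deny text: "Deny tcp src outside:A.B.C.D/port dst inside:E.F.G.H/port ..."
DENY_RE = re.compile(r"Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/\d+")
# Management login failure text (assumed ASA 605004): "Login denied from A.B.C.D/port ..."
LOGIN_DENIED_RE = re.compile(r"Login denied from (?P<src>[\d.]+)/\d+")
# IDs that dominate volume and hide everything else (assumed: connection build,
# teardown, ACL deny). These are dropped before looking at "most common".
NOISE_IDS = {"302013", "302014", "302015", "302016", "106023"}
# The 40 / 400 / 4000 / 40000 reaction tiers from earlier in the thread.
TIERS = ((40000, "take action"), (4000, "interest piqued"), (400, "noticed"), (40, "MEH!"))

def _line(host, sev, msgid, text, ts="Jul 27 2018 09:10:49"):
    return f"{ts} {host} %ASA-{sev}-{msgid}: {text}"

# Constructed 24-hour slice from three firewalls (one line is not an ASA message).
SAMPLE_LOGS = (
    [_line("fw-edge-01", 6, "302013", "Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.10/443 (10.0.0.10/443)")] * 3
    + [_line("fw-edge-01", 6, "302014", "Teardown TCP connection 1001 for outside:198.51.100.7/51000 to inside:10.0.0.10/443 duration 0:00:02 bytes 912 TCP FINs")] * 3
    + [_line("fw-edge-01", 4, "106023", 'Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN"')] * 4
    + [_line("fw-edge-01", 4, "106023", 'Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.10/23 by access-group "OUTSIDE_IN"')]
    + [_line("fw-edge-01", 6, "605004", 'Login denied from 203.0.113.5/51234 to outside:192.0.2.1/ssh for user "admin"')] * 45
    + [_line("fw-edge-01", 6, "605005", 'Login permitted from 10.0.0.50/40000 to inside:10.0.0.1/ssh for user "netops"')]
    + [_line("fw-edge-01", 3, "313001", "Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside")]
    + ["Jul 27 2018 09:11:00 fw-edge-01 last message repeated 2 times"]  # not ASA format; parser drops it
    + [_line("fw-core-02", 6, "302013", "Built outbound TCP connection 2001 for dmz:10.0.1.5/51001 (10.0.1.5/51001) to inside:10.0.0.20/3306 (10.0.0.20/3306)")] * 2
    + [_line("fw-core-02", 6, "302014", "Teardown TCP connection 2001 for dmz:10.0.1.5/51001 to inside:10.0.0.20/3306 duration 0:00:10 bytes 5120 TCP FINs")] * 2
    + [_line("fw-core-02", 5, "111010", "User 'bob', running 'CLI' from IP 10.0.0.50, executed 'show running-config'")]
    + [_line("fw-dmz-03", 6, "302013", "Built inbound TCP connection 3001 for outside:198.51.100.8/51002 (198.51.100.8/51002) to dmz:10.0.1.5/80 (10.0.1.5/80)")]
    + [_line("fw-dmz-03", 6, "605004", 'Login denied from 198.51.100.20/50000 to outside:192.0.2.3/ssh for user "root"')]
)

def parse(lines):
    """Parse ASA-format lines into dicts; lines that do not match are dropped."""
    return [m.groupdict() for m in map(ASA_RE.match, lines) if m]

def unique_message_ids(records):
    """The 'unique log messages' view: every message ID seen, sorted."""
    return sorted({r["msgid"] for r in records})

def top_message_ids(records, n=10, exclude=NOISE_IDS):
    """Most common message IDs after the noisy build/teardown/deny IDs are removed."""
    return Counter(r["msgid"] for r in records if r["msgid"] not in exclude).most_common(n)

def top_hosts(records, n=10, busiest=True):
    """Busiest (or, with busiest=False, quietest) firewalls by number of events."""
    counts = Counter(r["host"] for r in records)
    key = (lambda kv: (-kv[1], kv[0])) if busiest else (lambda kv: (kv[1], kv[0]))
    return sorted(counts.items(), key=key)[:n]

def top_deny(records, field="src", n=10):
    """Source ('src') or destination ('dst') IPs with the most ACL deny messages."""
    counts = Counter()
    for r in records:
        m = DENY_RE.search(r["text"])
        if m:
            counts[m[field]] += 1
    return counts.most_common(n)

def tier_for(count):
    """Map an attempt count onto the thread's reaction tiers; None below 40."""
    for threshold, label in TIERS:
        if count >= threshold:
            return label
    return None

def failed_login_tiers(records):
    """Failed management logins per source IP, with the reaction tier each lands in."""
    counts = Counter()
    for r in records:
        if r["msgid"] == "605004":
            m = LOGIN_DENIED_RE.search(r["text"])
            if m:
                counts[m["src"]] += 1
    return {src: (n, tier_for(n)) for src, n in counts.items()}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    print(len(recs), "events parsed from", len(SAMPLE_LOGS), "lines")
    print("unique IDs:", unique_message_ids(recs))
    print("top IDs (noise filtered):", top_message_ids(recs, 3))
    print("busiest:", top_hosts(recs, 1), "quietest:", top_hosts(recs, 1, busiest=False))
    print("deny by src:", top_deny(recs, "src"), "by dst:", top_deny(recs, "dst"))
    print("failed logins by source:", failed_login_tiers(recs))
```

The point of the noise filter is the one Otanx makes: with build, teardown and deny IDs in the count, the "most common" list is the same every day and says nothing, while with them removed the 46 failed SSH logins sit at the top immediately. The tier function shows the other side of the thread: a single source at 45 attempts is still in the "MEH!" band, so a per-source count is what lets a SOC decide when a trend has crossed into something worth a ticket rather than a pie chart.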