Explanation for syslog events


If you look at any of your SIM or IPS logs for any given TCP connection, you will probably notice tons of logs for the same traffic with different source ports.

Just pick a TCP connection, note the source and destination IP, and then run a search on it.  I am betting you will see pages of the same connection show up and some may be logged 5 times in the same second.

Why is that? Why do most devices send so much junk traffic when you turn on sysloging?
All i'm looking for is some explanations.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Without knowing the level of alerting your devices will produce, it is always hard to successfully plan and deploy a SIM system with manageable false positive.

- Large stream of log is expected as that is the intent if the device sources are a lot for big site but not smaller site.
- Tuning exercise from normal to deviation is necessary to taper down and surface the critical event log instead for the analyst.

The axiom “garbage in, garbage out” holds true with SIM, and the system is only as good as the data feeding it.

- Check for two most common categories such as log source and their critical level  which map to syslog message components "Facility," showing what daemon or service originated the message, and "Severity," weighing its importance.

- For logs to have value, it is critical to configure syslog properly. E.g. Kern and other critical services should be reviewed more often than some of the less important services running on a system.

- To keep messages from all facilities since they do still may give tips into a system problem or the root cause of a compromise. But be able to manage such influx on the thoroughness for the trial period of tuning to reduce it further if necessary.

We know and expect the volume of log data to grow hence tracing down anomalous event and to actual attack, even using syslog, is very hard.

- The SIM/SEM tools are supposed to aid and be well oiled to ease the hard work by initial correlation and analysis in narrowing down the events, and analyst can do more root-cause analysis more quickly.

Also check on the Severity level used since it determine the message's importance.

- Set the severity level for each device based on the impact a compromise would have on the organization and how quickly someone would need to react.

- When forwarding a syslog message, ensure able to retain original source IP as the header of the original device is often overwritten with the details of the forwarding device. E.g. if one device forwarded messages from three systems the original information would be lost. The original syslog contains limited information in the header.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.