  #1  Master Untangler (Join Date: Aug 2008; Posts: 111)

    Addon for Consolidated Logging - Feedback wanted

    I've started on an addon which may at some point be the basis for a feature request.

    Frequently, I find myself wondering what stopped a particular request or looking at what a particular client is doing, in terms of getting blocked.

    I've started a series of queries for each of the modules that can report by LAN IP, WAN hostname (i.e. MSN.com) or WAN IP, such that I can track what happens.

    Essentially, it's a summary of the logs for each of the modules, but all in one place. For speed (at least during the design), I've put a limit on the number of results each query returns, as the report could get huge (and slow) really quickly.

    I'd like to throw this into a webpage, though I don't know Java, so I'll probably use PHP on another web server (unless someone could help me design a simple Java screen that could do this).

    It would return the following:
    Date/Time of incident
    LAN IP if WAN Host or IP provided
    WAN IP (and possibly DN?) if LAN IP provided
    Module (firewall, IPS, etc)
    Rack
    Comment or Rule applicable

    Sort would likely be optional by each of the headers, defaulting to descending date/time.

    Is this anything anyone else could see a use for? Comments/feedback welcome.

    I'm a far cry yet from requesting testers. It's nothing more than a series of queries at this point, dumped to a file and sorted. The results I want are available by command line, but not exactly readable.
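As an added illustration of the consolidated query described above (this is example code written for this page, not the poster's queries or Untangle's own schema), the following builds two per-module log tables with different column names, maps them onto the unified report columns with one SELECT per module joined by UNION ALL, and exposes a report function that filters by LAN IP, WAN IP or WAN hostname, sorts by any report header, and caps the row count. Table and column names, the sample rows and the "rack" values are all assumptions constructed for the example. The one security point worth noting is that sort columns cannot be bound as SQL parameters, so the sort header is checked against a fixed list before it is spliced into the statement, while every filter value goes in as a bound parameter.

```python
import sqlite3

# The unified column set the report shows, in display order.
REPORT_COLUMNS = ("ts", "lan_ip", "wan_ip", "wan_host", "module", "rack", "detail")

# Constructed stand-ins for per-module log tables (assumed names, not Untangle's real schema).
SCHEMA = """
CREATE TABLE firewall_events (
    event_id INTEGER PRIMARY KEY, ts TEXT, client_addr TEXT, server_addr TEXT,
    server_host TEXT, rule_desc TEXT, rack TEXT);
CREATE TABLE ips_events (
    id INTEGER PRIMARY KEY, event_time TEXT, src_ip TEXT, dst_ip TEXT,
    dst_host TEXT, signature TEXT, rack TEXT);
"""

# Constructed sample rows.
SAMPLE_FIREWALL = [
    (1, "2008-11-12 09:15:01", "192.168.1.10", "207.46.19.254", "msn.com", "Block outbound TCP/25", "default"),
    (2, "2008-11-12 09:20:44", "192.168.1.22", "64.233.169.99", "google.com", "Block P2P", "default"),
]
SAMPLE_IPS = [
    (1, "2008-11-12 09:15:03", "192.168.1.10", "207.46.19.254", "msn.com", "Suspicious User-Agent", "default"),
    (2, "2008-11-12 10:02:10", "192.168.1.10", "72.14.207.99", "gmail.com", "Outbound SMTP policy", "default"),
]

# One SELECT per module, each renaming its own columns onto the unified set.
# Adding another module means adding one more SELECT to this UNION ALL.
CONSOLIDATED_SQL = """
SELECT ts, client_addr AS lan_ip, server_addr AS wan_ip, server_host AS wan_host,
       'firewall' AS module, rack, rule_desc AS detail
  FROM firewall_events
UNION ALL
SELECT event_time AS ts, src_ip AS lan_ip, dst_ip AS wan_ip, dst_host AS wan_host,
       'ips' AS module, rack, signature AS detail
  FROM ips_events
"""


def open_sample_db():
    """In-memory database loaded with the constructed rows and the consolidated view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO firewall_events VALUES (?,?,?,?,?,?,?)", SAMPLE_FIREWALL)
    conn.executemany("INSERT INTO ips_events VALUES (?,?,?,?,?,?,?)", SAMPLE_IPS)
    conn.execute("CREATE VIEW consolidated AS " + CONSOLIDATED_SQL)
    return conn


def report(conn, lan_ip=None, wan_ip=None, wan_host=None,
           sort_by="ts", descending=True, limit=100):
    """Rows from the consolidated view filtered by whichever selectors were
    given, sorted by any report header (default: newest first), capped at limit."""
    # Identifiers cannot be bound parameters, so the sort header is whitelisted.
    if sort_by not in REPORT_COLUMNS:
        raise ValueError(f"cannot sort by {sort_by!r}")
    where, params = [], []
    for col, val in (("lan_ip", lan_ip), ("wan_ip", wan_ip), ("wan_host", wan_host)):
        if val is not None:
            where.append(f"LOWER({col}) = LOWER(?)")   # values are bound, never spliced
            params.append(val)
    sql = "SELECT " + ", ".join(REPORT_COLUMNS) + " FROM consolidated"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += f" ORDER BY {sort_by} {'DESC' if descending else 'ASC'} LIMIT ?"
    params.append(int(limit))
    return [dict(zip(REPORT_COLUMNS, row)) for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = open_sample_db()
    for row in report(db, lan_ip="192.168.1.10"):
        print(row["ts"], row["module"], row["wan_host"], row["detail"])
```

Querying by LAN IP returns every module's entries for that client newest first; querying by WAN host (case-insensitively) returns the LAN IPs that hit it, which covers both directions the post asks for.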

  #2  Untangler (Join Date: Nov 2008; Location: Spring, TX; Posts: 81)

    This sounds like an awesome idea, and if designed with distribution in mind as well (for people who manage multiple UT devices) it could be used as another product offering from UT (licensed). Something along the lines of: for one system it is a free add-on, and for multiple systems to record back to a central logging console you would need a paid license for the server, based on something like:
    3-5 $XX
    5-10 $XX
    10+ $XX

    You get the idea. If this works then the possibilities are endless, because initial looks will be done by single systems (a large audience for feedback) and lessons learned would come from the larger installations.

    Ok, done thinking out loud, and did I say I am highly interested?
    --
    greyman & his :twocents:

  #3  Master Untangler (Join Date: Aug 2008; Posts: 111)

    Never even thought of the distributed component...that actually becomes pretty easy once the data dumps are out...There are unique event IDs in the system. Periodic dumps to flat file...rsync out to "server"...then a reporting system...to pull it all together...
    Would the reporting system be an Untangle Server?
    Be a good way to spot something going on out there...
    Fast troubleshoot for clients..not have to remote log in to see their logs...
    I think this is something worth pursuing...even outside the untangle support...let me finish up my queries...and this would solve my problem too..don't have to have the report at the UT box...
    I could easily put a PHP script together then to dump data...liking this more and more...
    Anyone else?

  #4  sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,543)

    I have a colleague who is currently working on an ASP.NET web application that pulls all the data from postgres to run whatever on it...

    Our approach is to allow for long term archival of UT log information outside of the appliance. I suppose it could be used for multiple UTs as well...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #5  Untangler (Join Date: Nov 2008; Location: Spring, TX; Posts: 81)

    If possible, the export should be something easily put back into a database. The meat and potatoes of a correlation engine is the ability to correlate, and to do it quickly. I am thinking of an add-on installed on the UT box that scrapes the database, normalizes the entries (not sure if needed) and sends them to the correlation system.

    At this point in time the reporting server would be something external to the UT box, but if UT picks this up it should also work within the confines of what UT uses (standalone). On the reporting server I would like to see triggers written (or the capability for them) that would automatically pick up an entry from the database and write an event to a live interface (automatic loading/scrolling).

    The above will take longer, but if you/we/anybody keep this in mind when looking at this it would make for an awesome open source based product. Below is what I am envisioning:

    user 'a' visits a site that hosts malicious content.
    - This visit triggers a rule in the IPS module and logs it
    - The Web Filter module logs all traffic (passed and blocked)

    This event in the correlation engine would be one entry and not multiple, but if you clicked on it, it would show you the log entries from each module.

    I have a few more features I would like to see, but I will wait to see what kind of response we get from this.
    --
    greyman & his :twocents:
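The scrape-normalize-correlate pipeline sketched in the post above, as an added example written for this page (not the poster's design or any Untangle code). It assumes two constructed row layouts for the IPS and Web Filter modules, a normalizer per module that maps them onto one common event shape, and a correlation rule of its own choosing: entries from the same LAN IP to the same WAN host, closer together than an assumed 10-second window, are one visit. The result is one incident per visit that carries the per-module entries behind it for drill-down, plus the one-line form a live console would scroll. The module names, row fields, signatures and window are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed correlation window: entries for the same client and host closer
# together than this are folded into one visit.
WINDOW = timedelta(seconds=10)


@dataclass
class Incident:
    lan_ip: str
    wan_host: str
    first_seen: datetime
    last_seen: datetime
    entries: list = field(default_factory=list)   # the per-module rows behind this line

    @property
    def modules(self):
        return sorted({e["module"] for e in self.entries})

    @property
    def blocked(self):
        return any(e["action"] == "block" for e in self.entries)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# One normalizer per module, turning that module's own (constructed) row layout
# into the common event shape. Event ids keep the module prefix so the original
# row can always be found again.
def normalize_ips(row):
    event_id, ts, src_ip, dst_ip, dst_host, signature, blocked = row
    return {"id": f"ips:{event_id}", "module": "ips", "ts": parse_ts(ts),
            "lan_ip": src_ip, "wan_ip": dst_ip, "wan_host": dst_host,
            "action": "block" if blocked else "alert", "detail": signature}


def normalize_webfilter(row):
    request_id, ts, client_addr, server_addr, host, uri, action, reason = row
    return {"id": f"webfilter:{request_id}", "module": "webfilter", "ts": parse_ts(ts),
            "lan_ip": client_addr, "wan_ip": server_addr, "wan_host": host,
            "action": action, "detail": f"{uri} ({reason or 'pass'})"}


def correlate(events, window=WINDOW):
    """Fold normalized entries into one Incident per (client, host, visit)."""
    incidents, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["lan_ip"], ev["wan_host"].lower())
        inc = open_by_key.get(key)
        if inc is None or ev["ts"] - inc.last_seen > window:
            inc = Incident(ev["lan_ip"], key[1], ev["ts"], ev["ts"])
            incidents.append(inc)
            open_by_key[key] = inc
        inc.entries.append(ev)
        inc.last_seen = ev["ts"]
    return incidents


def summary_line(inc):
    """The single line a live console would show; drill-down is inc.entries."""
    verdict = "BLOCKED" if inc.blocked else "passed"
    return (f"{inc.first_seen:%Y-%m-%d %H:%M:%S} {inc.lan_ip} -> {inc.wan_host} "
            f"{verdict} [{','.join(inc.modules)}] {len(inc.entries)} entries")


# Constructed rows, as an add-on on the UT box might scrape them: user 'a' at
# 192.168.1.10 visits a malicious site, which the Web Filter logs and the IPS
# fires on; later visits to msn.com and a return to the bad site.
SAMPLE_IPS_ROWS = [
    (501, "2008-11-12 09:15:01", "192.168.1.10", "203.0.113.7", "bad.example",
     "Drive-by landing page", 1),
]
SAMPLE_WEBFILTER_ROWS = [
    (9001, "2008-11-12 09:15:00", "192.168.1.10", "203.0.113.7", "bad.example", "/index.php", "pass", None),
    (9002, "2008-11-12 09:15:02", "192.168.1.10", "203.0.113.7", "bad.example", "/loader.js", "block", "Malware Sites"),
    (9003, "2008-11-12 09:30:15", "192.168.1.10", "207.46.19.254", "msn.com", "/", "pass", None),
    (9004, "2008-11-12 11:02:40", "192.168.1.10", "203.0.113.7", "bad.example", "/index.php", "block", "Malware Sites"),
]


def sample_incidents():
    events = [normalize_ips(r) for r in SAMPLE_IPS_ROWS]
    events += [normalize_webfilter(r) for r in SAMPLE_WEBFILTER_ROWS]
    return correlate(events)


if __name__ == "__main__":
    for inc in sample_incidents():
        print(summary_line(inc))
        for e in inc.entries:                       # what a click on the line would expand
            print("   ", e["id"], e["action"], e["detail"])
```

With the constructed rows, the three bad.example entries at 09:15 collapse into one BLOCKED incident listing both modules, the msn.com visit stands alone as passed, and the 11:02 return to bad.example opens a fresh incident because it falls outside the window. Correlating on the normalized events rather than each module's raw rows is what lets a new module join the console with nothing more than another normalizer.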
