I wanted to see what happens on my home network. Is there something going on I should be aware of? Is there any device which creates suspicious connections like phoning home? I will use OpenWRT and syslog-ng to get the answers and Elasticsearch to get analytics.
SOHO routers are usually not really resourceful, neither is mine. Therefore I needed a solution using as little resource as possible but still capable to answers that questions. My solution uses connection tracking data from the main OpenWRT router. Offload the information from OpenWRT to a central syslog server. Enrich it with GeoIP, Reverse DNS and session length metadata by using syslog-ng. Then analyze the logs with Elasticsearch.
The first part of this blog series answers where the packets come and go and some metrics. What are inside the packets is up to another posts. Continue reading
We already have a central log server where we can collect logs of Docker containers. It is very common to run web servers running in containerized ecosystems. In this tutorial I show you how you can parse access logs of NGINX or Apache with syslog-ng. I also describe how visualizing NGINX access logs in Kibana can be achieved.
This simplified guide to logging Docker to Elasticsearch shows you how to send logs of containers into Elastic. Although there are many tutorials on to logging Docker to Elasticsearch, this one is different from all as it uses syslog-ng. Visualize them on a nice dashboard in Kibana. And you can download it all at the end of the post!
Update: I moved the chapters about parsing and visualizing NGINX / Apache access logs in Kibana into a dedicated post / github repo.
Update 2: This post has been refactored and simplified to be compatible with Elasticsearch ECS and make it easier to implement. Compatible with Elasticsearch 7.x. Continue reading
In the last post I wrote about how you can create a central syslog server. This time I will show you how you can use syslog-ng to parse fail2ban log messages, enrich it with GeoIP metadata and send into Elasticsearch. You can even visualizing Fail2ban logs in Kibana to see where the failed login attempts are coming from.
Update: This post has been reviewed and all Fail2ban and GeoIP related contents have been merged here from the previous post. Look no further, you will find everything you need here. Note that this guide requires Elasticsearch 7.x.