1

Splunk has this capability via its Google Maps addon that allows you to map IP addresses that show up in your syslog. That way you can pinpoint geo locations of attacks such as scans.

Do you guys have any suggestions as to if and how this can be done with just a regular syslog server such as syslog-ng or a syslog software collecting the logs? How would you go about performing reverse lookups on the syslogs?

We have an ASA device that we want to analyze syslogs from to get a better idea about the location of external attacks.

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
Bourne
  • 1,039
  • 5
  • 18
  • 24

2 Answers2

4

These services use a Geo-IP database to do their lookups of IP addresses to physical locations. Some databases are cheap, some are (very) expensive - it depends on the level of granularity you want.

As to how to actually do this, I'm afraid I can't shed much light. I would extract each line into a database and do lookups against a GeoIP table - but there's possibly more efficient ways of doing it.

Mark Henderson
  • 68,823
  • 31
  • 180
  • 259
  • The GeoIP table lookups are very fast, since even a high-granularity table can be loaded into memory. So your "inefficient" approach is probably fine. – mattdm Dec 02 '10 at 20:51
  • @matt - Good point, although I was more concerned about the inefficiency of getting the logs into the database in the first place. Parsing text log files can be difficult at the best of time. syslog software may have custom lookup abilities that might make it easier. – Mark Henderson Dec 02 '10 at 21:30
  • Thank you Mark. I was hoping for a more specific answer for how to achieve this though so I might have to do some more digging around. – Bourne Dec 03 '10 at 21:08
0

Syslog-ng has the ability to do DNS lookups as logs are coming in.

However, this will increase latency and degrade performance of your syslog server, since you have to wait for the DNS lookup to complete before the log can be written to disk or forwarded.

Some alternative options - such as "resolve hostnames locally" are recommended (documented here - https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/98#TOPIC-1595234)

Finally, you can simply dump the IP addresses into the raw log file. A postprocessing script can run over the log files to allow the FQDN to be to added since the DNS lookups won't impact syslog server performance.

The Programmer
  • 1
  • 1