Seci-log Open Source log analysis software released

With the development of Internet and cloud computing, public cloud server is an increasingly acceptable product, and one of the most common benefits is cost savings. Businesses don't have to buy, install, operate, or transport servers or other devices like they do with a private cloud. On a platform provided by a public cloud service provider, enterprises can only use or develop their own applications. But the public cloud security issue is also obvious, internet-based public cloud service features, the world as long as the Internet access to its cloud server, its cloud host and its cloud data is more and more complex, the data is in an unstable state relative to the private cloud. Whether it is the traditional information or the future trend of cloud computing, are faced with security risks, from the point of view of security, we need a gradual approach to improve the security system. The Order of general construction is to improve the order of network security, host security and data security gradually.

But for many small and medium-sized enterprises, their own equipment is not too much, but also a few to dozens of units, if spending too much energy to do security is not cost-effective, if not engage and feel insecure. What is the content of small and medium-sized enterprises concerned about it? Personally, it should be a priority to pay attention to access security, that is, there is no unauthorized access to your server, because under the cloud platform, anyone can access to your machine as long as access to the network. So I think we should give priority to this information, report non-working hours access, non-work location access, password guessing, account guessing, account guessing success and other behaviors. From my understanding of the situation, this part of the current is not more effective open source or free tools for everyone to use, now elk used more, but most of the cases are not suitable for small and medium companies, the threshold is too high. Therefore, the company for this situation, specifically developed Saikesaisi pharmaceutical Lande log analysis software, and open source web management side.

Secilog Log Analysis Software (hereinafter referred to as:) through the main passive combination of means, real-time uninterrupted collection of the user network in a variety of different manufacturers of the vast number of logs, information, alarms, including security equipment, network equipment, host, operating system, and various applications, etc. And this content into the audit center, for centralized storage, backup, query, audit, alarm, response, and issued a rich report report, the whole network to understand the overall operation, to achieve the full life cycle of the operation and maintenance management.

Currently on the market for enterprise monitoring open source free products many, in dazzling, sometimes want to find a practical simple and convenient software is actually not easy, a lot of open source software only focus on a point, maybe do good, but many times the enterprise needs is a face, from IT Equipment to the business of monitoring, so that the enterprise will deploy a lot of software to support the operation of the system, in addition, multi-source or free software configuration is more complex, often a function from learning to use, need to spend a lot of costs, if you encounter problems, it is difficult to have effective support services, The vast majority of cases are self-help search to solve, time-consuming and laborious, not necessarily be able to solve. From the experience, a lot of open-source software has nothing to do with, resulting in a lot of interface, the user to bring cumbersome, often no time to see or simply do not look.

For many small and medium-sized enterprises, their own equipment and systems are not too many, equipment is generally several to dozens of units, software systems from a few sets to dozens of sets of different, from the angle of operation and maintenance, small and medium-sized enterprises in the business operation and maintenance of security management needs and large companies do not have much difference, but spend the same resources and money to What to do, this product is for this kind of user born. Through this product, to meet the enterprise's information monitoring compliance business requirements, and by monitoring all possible logs to meet business analysis.

Portal diagram:

Web Reports

Below are the following types of alarms:

Non-working Hours login

This alarm rule is the non-working time login system, the main purpose is to prevent people in the non-working hours to log on the system, this situation is more dangerous.

Verification process:

First, the non-working hours are configured, and the system is built into the security configuration. The default is 0 to 8, and 20 o'clock to 24 for non-working hours.

Then use the SSH connection tool, such as the SECURECRT login system. This time there will be a log record.

As can be seen from the log, the logon time is 21:32:28 seconds, is non-working hours. After logging in, wait two or three minutes to view logs and alarms in the Web relational system.

You can see that the system logs the log and generates an alarm.

Non-working Location login

This alarm rule is a non-workplace login system, the main purpose is to prevent people from the non-work place to log on the system, this situation is more dangerous.

Verification process:

First, configure the office location. This data is set according to the working environment. It can be seen that there is no 192.168.21.1. It is important to note that after the configuration is complete, you need to reboot the collector to load the configuration parameters.

The verification process is consistent with the non-working hours. This time a non-workplace alarm is generated. It is important to note that if multiple alarm rules are met for the same event, multiple alarms are generated, but only one is logged.

From the details of the alarm log and the non-office hours just logged in is the same log.

When the 192.168.21.1 is added to the workplace, do a login operation. When the discovery does not produce an alarm, it indicates that the rule is in effect.

Password guessing attacks

Password guessing attacks are a very common means of attack, characterized by a continuous error log log for a period of time, which can be determined as a password guessing attack.

Verification process:

For a period of time, the wrong password can be lost continuously. From the log, the password was incorrectly 3 times in a short period of time.

The following alarms are generated:

The corresponding event:

There is a doubt that there is more than one log in this area, but the corresponding number of alarms is 3, this is because the original event in the system to merge processing, when the system found that the original event is a class, the event is combined into an event, the corresponding number of events is the actual number of occurrences.

Account guessing attack

Account guessing attack is a very common attack method, usually the attacker must first determine the host's account before they can initiate further attacks. So the general attacker would first guess the root account, so it is very effective to change the root account name or disable the root account remote login. It is characterized by a period of time the content has a continuous account does not exist log, you can determine the account guessing attacks. The alarm rules are as follows:

Authentication process, log in to the system with an account that does not exist in the system.

The following alarms are generated:

The corresponding log details are as follows:

Password guessing attack success

Password guessing attack success is a very serious attack, indicating that the attacker has successfully attacked and entered the system, this situation is very dangerous, especially to focus on this alarm. The main feature of this alarm is that at the beginning of the user has a password guessing behavior, followed by the user will have a login successful behavior, the combination of these two behaviors can be obtained after the password guessing attack success.

The verification process, first with the wrong password to log on the system several times, and then log in with the correct password.

The resulting alarm can be seen to produce two alarms, one is the password guessing attack, and the other is the successful password guessing attack.

We are looking at the log recorded in the system, it is obvious that there are 5 of this failed login, followed by a successful log.

As can be seen from the above, basically can meet the requirements of small and medium-sized companies log log analysis.

：

Linux version: Http://pan.baidu.com/s/1i3sz19V

Window version: Http://pan.baidu.com/s/1mg00RQo

For A detailed introduction, please see:

Https://git.oschina.net/secisland/seci-log

The latest download links are later unified to Http://pan.baidu.com/s/1qWt7Hxi, which is permanently valid.

Seci-log Open Source log analysis software released