We decided to go with the ManageEngine firewall analyzer. Cacti is too hard to administer and maintain, and Splunk wouldn't do what we wanted later on.
I'd like to find some open-source (or relatively cheap) software that can run analysis against the syslog messages from a Juniper SSG firewall (NetScreen OS) and provide information such as "Top destinations", "Top protocols", "Overall usage"...
Does anyone know of such a tool?
Take a look at Splunk for analysing syslog files.
Cacti is an open-source graphing/alerting solution which, together with a syslog server such as syslog-ng (also open source) and the Syslog plugin, should give you what you need. Cacti is great; I haven't tried that plugin yet, but it's on my (long) list of software to evaluate.
Are you sure you want a commercial solution? I wrote a small Perl script that can do the same. See if it's useful:
#!/usr/bin/perl
# Summarise NetScreen/ScreenOS traffic log lines: top talkers by bytes and by
# connection count per zone pair, plus every "src => dst (port)" triple seen,
# sorted by bytes.
# Usage: netscreen_top.pl <logfile> [N]   (N = entries per "Top" list, default 5)
use strict;
use warnings;

my $log = shift or die "Usage: $0 <logfile> [N]\n";
my $n   = shift || 5;

open my $fh, '<', $log or die "Can't open $log: $!\n";

my %connections;      # per zone pair: counts and bytes keyed by src, dst and "src => dst"
my %all_connections;  # bytes keyed by "src => dst (dst_port)", across all zone pairs

while (my $line = <$fh>) {
    # Only traffic records carry these fields; every other syslog message is skipped
    next unless $line =~ /sent=(\d+) rcvd=(\d+) src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+)/;
    my ($sent, $rcvd, $src_ip, $dst_ip, $src_port, $dst_port) = ($1, $2, $3, $4, $5, $6);
    my $bytes = $rcvd;    # rcvd= only; use $sent + $rcvd to count both directions

    # Zone names are not parsed; every record is attributed to this one pair.
    # Adjust to your own zone names if you want them in the report headings.
    my ($src_int, $dst_int) = ('DMZ', 'TRUST');
    my $pair = "$src_int => $dst_int";
    my $flow = "$src_ip => $dst_ip";

    # Top talkers by connection count
    $connections{$pair}{conn_count}{$flow}++;
    $connections{$pair}{src_count}{$src_ip}++;
    $connections{$pair}{dst_count}{$dst_ip}++;

    # Top talkers by bytes transferred
    $connections{$pair}{conn_bytes}{$flow}  += $bytes;
    $connections{$pair}{src_bytes}{$src_ip} += $bytes;
    $connections{$pair}{dst_bytes}{$dst_ip} += $bytes;

    my $triple = sprintf('%-36s => %-36s (%-6d)', $src_ip, $dst_ip, $dst_port);
    $all_connections{$triple} += $bytes;
}
close $fh;

# Print the $n largest entries of one counter, highest first
sub print_top {
    my ($title, $left, $right, $counter, $numfmt) = @_;
    print "\nTop $n $title\n";
    printf "%-56s %15s\n", $left, $right;
    printf "%-56s %15s\n", '-' x length($left), '-' x length($right);
    my $i = 0;
    for my $key (sort { $counter->{$b} <=> $counter->{$a} } keys %$counter) {
        last if $i++ >= $n;
        printf "%-56s %15" . $numfmt . "\n", $key, $counter->{$key};
    }
    print "\n", '-' x 74, "\n";
}

for my $pair (sort keys %connections) {
    my $c = $connections{$pair};
    print '-' x 74, "\n";
    print "STATISTICS FOR CONNECTION $pair\n";
    print '-' x 74, "\n";
    print_top('Connections by Bytes transferred', 'Connection',  'Bytes Transferred', $c->{conn_bytes}, '.0f');
    print_top('Source by Bytes transferred',      'Source',      'Bytes Transferred', $c->{src_bytes},  '.0f');
    print_top('Destination by Bytes transferred', 'Destination', 'Bytes Transferred', $c->{dst_bytes},  '.0f');
    print_top('connections by Connection count',  'Connection',  'Connection Count',  $c->{conn_count}, 'd');
    print_top('Source by Connection count',       'Source',      'Connection Count',  $c->{src_count},  'd');
    print_top('Destination by Connection count',  'Destination', 'Connection Count',  $c->{dst_count},  'd');
    print "\n\n";
}

# Every "src => dst (port)" triple seen, sorted by bytes
printf "%-36s    %-36s %-8s %12s\n", 'Source IP', 'Destination IP', 'Port', 'Bytes';
printf "%-36s    %-36s %-8s %12s\n", '-' x 36, '-' x 36, '-' x 8, '-' x 12;
for my $triple (sort { $all_connections{$b} <=> $all_connections{$a} } keys %all_connections) {
    printf "%s %12d\n", $triple, $all_connections{$triple};
}
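The Perl script above reports top sources and destinations but not the "top protocols" or "overall usage" figures the question also asks for, and it only matches a fixed run of fields. The following is an added Python example, not code from the answer or from Juniper, that parses the ScreenOS key=value fields generically and builds all three summaries. The sent=/rcvd=/src=/dst=/src_port=/dst_port= fields are the ones the Perl regex relies on; the service=, proto=, action= and the two-word "src zone="/"dst zone=" keys follow the ScreenOS traffic-log layout as I know it and are an assumption to check against your own firmware's output. The sample log is constructed (documentation and private addresses, a placeholder message id on the non-traffic line), not captured from a real firewall.

```python
"""Top destinations, top protocols/services and overall usage from
NetScreen/ScreenOS traffic syslog lines (added example, not the answer's code)."""
import re
from collections import Counter

# Constructed sample lines in the ScreenOS traffic-log style; not real output.
# The last line is a non-traffic event that the parser must ignore.
SAMPLE_LOG = """\
Jan  5 10:01:02 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time="2009-01-05 10:01:00" duration=2 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1200 rcvd=48000 src=192.168.1.10 dst=203.0.113.5 src_port=49152 dst_port=80
Jan  5 10:01:03 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time="2009-01-05 10:01:01" duration=2 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=800 rcvd=32000 src=192.168.1.11 dst=203.0.113.5 src_port=49153 dst_port=80
Jan  5 10:01:04 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time="2009-01-05 10:01:02" duration=2 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2000 rcvd=10000 src=192.168.1.10 dst=198.51.100.7 src_port=49154 dst_port=443
Jan  5 10:01:05 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time="2009-01-05 10:01:05" duration=0 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=60 rcvd=140 src=192.168.1.10 dst=198.51.100.53 src_port=53120 dst_port=53
Jan  5 10:01:06 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time="2009-01-05 10:01:06" duration=0 policy_id=3 service=ssh proto=6 src zone=Untrust dst zone=DMZ action=Deny sent=0 rcvd=0 src=203.0.113.200 dst=10.0.0.5 src_port=41000 dst_port=22
Jan  5 10:01:07 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00000: interface ethernet1 link is up
"""

# key=value tokens; the two-word keys "src zone"/"dst zone" are listed explicitly so
# that text such as "NetScreen device_id" is never taken as a two-word key.
KV_RE = re.compile(r'(?P<key>src zone|dst zone|[\w-]+)=(?P<val>"[^"]*"|\S+)')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # IANA protocol numbers
INT_FIELDS = ("sent", "rcvd", "src_port", "dst_port", "proto")


def parse_line(line):
    """Return the fields of one traffic record as a dict, or None for any other message.

    A line counts as traffic when it carries the sent=/rcvd=/src=/dst= fields."""
    fields = {m.group("key"): m.group("val").strip('"') for m in KV_RE.finditer(line)}
    if not all(k in fields for k in ("sent", "rcvd", "src", "dst")):
        return None
    for k in INT_FIELDS:
        if k in fields:
            fields[k] = int(fields[k])
    # Protocol label: the service= name when present, else the IANA proto number
    if "service" not in fields:
        proto = fields.get("proto")
        fields["service"] = PROTO_NAMES.get(proto, f"ip-proto-{proto}")
    return fields


def summarize(log_text):
    """Aggregate traffic records into the counters the question asks for."""
    s = {
        "connections": 0, "bytes": 0, "denied": 0,
        "bytes_by_dst": Counter(), "conns_by_dst": Counter(),
        "bytes_by_src": Counter(),
        "bytes_by_service": Counter(), "conns_by_service": Counter(),
        "bytes_by_zone_pair": Counter(),
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total = rec["sent"] + rec["rcvd"]      # both directions count as usage
        s["connections"] += 1
        s["bytes"] += total
        if rec.get("action", "").lower() == "deny":
            s["denied"] += 1
        s["bytes_by_dst"][rec["dst"]] += total
        s["conns_by_dst"][rec["dst"]] += 1
        s["bytes_by_src"][rec["src"]] += total
        s["bytes_by_service"][rec["service"]] += total
        s["conns_by_service"][rec["service"]] += 1
        pair = f'{rec.get("src zone", "?")} => {rec.get("dst zone", "?")}'
        s["bytes_by_zone_pair"][pair] += total
    return s


def report(log_text, n=5):
    """Plain-text 'Top N' report in the spirit of the Perl script's output."""
    s = summarize(log_text)
    out = [f'Traffic records: {s["connections"]}  bytes: {s["bytes"]}  denied: {s["denied"]}']
    for title, key in (("Top destinations by bytes", "bytes_by_dst"),
                       ("Top destinations by connections", "conns_by_dst"),
                       ("Top sources by bytes", "bytes_by_src"),
                       ("Top protocols/services by bytes", "bytes_by_service"),
                       ("Top zone pairs by bytes", "bytes_by_zone_pair")):
        out.append(f"\n{title}")
        for name, value in s[key].most_common(n):
            out.append(f"  {name:<40} {value:>12}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it with a syslog file as the first argument, or with no argument to see the report for the constructed sample. Because every key=value pair is kept, adding a new breakdown (per policy_id, per action) is one more Counter rather than a new regex, and lines that lack the traffic fields, such as admin or interface events, are dropped instead of silently skewing the totals.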