Thursday, August 7, 2014

How to use tshark to determine how much logging for a remote syslog server

In this example, I will demo a few tricks for determining syslog traffic rates. Why would you do this? For a few reasons: to determine how much bandwidth is actually being used for logging and how much data is being sent. This helps with capacity planning for log storage and with any bandwidth usage concerns.


To do this, we use tshark with the -z option and its io,stat statistics. You will need to decide on the IO sampling interval for the measurements, and you can get creative and set various display filters to narrow the count to a log facility, a level, or even the content of the log messages.

Example 1; let's look at how much log traffic is being collected for this particular syslog server over a 60 sec duration and with 5 second intervals.


tshark -a duration:60 -q -z io,stat,5 -R syslog port 514

This breaks down to;

run tshark for 60 secs
operate in quiet mode & display nothing till we finish
use io,stat collection in 5 sec intervals
only for the syslog protocol (the -R read filter)
and port 514 (the capture filter)


The above would generate output showing the frames (packets) and bytes for each 5 second interval;

(sample output)
===================================================================
IO Statistics
Interval: 5.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-005.000       12     1407
005.000-010.000       22     1856
010.000-015.000        9     1428
015.000-020.000        0        0
020.000-025.000        0        0
025.000-030.000        0        0
030.000-035.000        8      980
035.000-040.000        0        0
040.000-045.000        7     1240
045.000-050.000        8     1579
===================================================================
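The numbers above are what a capacity plan is built from, but tshark only prints the per-interval counts. The following is an added example, not code from the original post: it parses the classic tshark 1.x IO Statistics layout shown above (newer tshark releases print io,stat as a boxed "| Interval | Frames | Bytes |" table, which this parser does not handle) and turns the rows into an average rate, the peak interval, the number of idle intervals, and a per-day storage extrapolation. One caveat for anyone re-running these commands on tshark 1.10 or later: there -R is a two-pass read filter that needs -2, and -Y is the single-pass display filter to use for live captures. The sample table embedded in the block is copied from example 1.

```python
"""Summarise a tshark 'io,stat' table for syslog capacity planning.

Added example (not from the original post). Parses the tshark 1.x
IO Statistics layout and reduces it to the figures a capacity plan
needs. Frame bytes are on-the-wire sizes (Ethernet/IP/UDP headers
included), so the storage figure is an upper bound for the payload a
log server would actually write.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample output copied from example 1 above (a 50 second slice of a
# 60 second run at 5 second intervals).
SAMPLE_IO_STAT = """\
===================================================================
IO Statistics
Interval: 5.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-005.000       12      1407
005.000-010.000       22      1856
010.000-015.000       9       1428
015.000-020.000       0         0
020.000-025.000       0         0
025.000-030.000       0         0
030.000-035.000       8       980
035.000-040.000       0         0
040.000-045.000       7      1240
045.000-050.000       8       1579
===================================================================
"""

# One data row: "start-end   frames   bytes"; header/footer lines never match.
ROW_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")
INTERVAL_RE = re.compile(r"^Interval:\s*([\d.]+)\s*secs")


@dataclass
class Interval:
    start: float
    end: float
    frames: int
    nbytes: int


def parse_io_stat(text: str) -> list[Interval]:
    """Return one Interval per data row in the io,stat output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            start, end, frames, nbytes = m.groups()
            rows.append(Interval(float(start), float(end), int(frames), int(nbytes)))
    return rows


def interval_seconds(text: str, rows: list[Interval]) -> float:
    """Prefer the 'Interval:' header; fall back to the first row's width."""
    for line in text.splitlines():
        m = INTERVAL_RE.match(line)
        if m:
            return float(m.group(1))
    if rows:
        return rows[0].end - rows[0].start
    raise ValueError("no interval information in io,stat output")


def summarize(text: str) -> dict:
    """Aggregate the table into average, peak, idle count and a daily projection."""
    rows = parse_io_stat(text)
    if not rows:
        raise ValueError("no data rows found in io,stat output")
    step = interval_seconds(text, rows)
    total_bytes = sum(r.nbytes for r in rows)
    total_frames = sum(r.frames for r in rows)
    window = step * len(rows)          # seconds actually covered by the rows
    peak = max(rows, key=lambda r: r.nbytes)
    avg_bps = total_bytes / window
    return {
        "intervals": len(rows),
        "window_secs": window,
        "total_frames": total_frames,
        "total_bytes": total_bytes,
        "avg_bytes_per_sec": avg_bps,
        "avg_bits_per_sec": avg_bps * 8,
        "peak_bytes_per_sec": peak.nbytes / step,
        "peak_interval": (peak.start, peak.end),
        "idle_intervals": sum(1 for r in rows if r.frames == 0),
        "bytes_per_day": avg_bps * 86400,   # straight-line extrapolation
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_IO_STAT)
    print(f"{s['total_frames']} frames / {s['total_bytes']} bytes over {s['window_secs']:.0f}s")
    print(f"average {s['avg_bytes_per_sec']:.1f} B/s ({s['avg_bits_per_sec']:.0f} bit/s)")
    print(f"peak {s['peak_bytes_per_sec']:.1f} B/s in interval {s['peak_interval']}")
    print(f"{s['idle_intervals']} of {s['intervals']} intervals carried no syslog at all")
    print(f"projected {s['bytes_per_day'] / 2**20:.1f} MiB per day at this rate")
```

Feed it the captured output of any of the tshark commands on this page (for example `tshark ... | python3 this_script.py` with the sample replaced by `sys.stdin.read()`); the idle-interval count is worth watching, since a long run of zero rows on a server that should always be receiving logs is as interesting to an operator as the peak.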



Example 2; let's look at how much log traffic is being collected on this syslog server over 60 secs with 5 second intervals, but this time we will apply a display filter to look for a certain message.

tshark -a duration:60 -q -z io,stat,5 -R 'syslog.msg contains "FE-3KD3R11000037"' port 514


The above tshark command will show me how much logging is present from my FortiMail server with serial # FE-3KD3R11000037 over 60 secs at 5 sec intervals.

(sample output)
===================================================================
IO Statistics
Interval: 5.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-005.000        1      442
005.000-010.000        0        0
010.000-015.000        6     2239
015.000-020.000        6     2273
020.000-025.000        2      700
025.000-030.000        2      842
030.000-035.000        1      428
035.000-040.000        3      798
040.000-045.000       13     3841
045.000-050.000        1      434
===================================================================


Example 3; let's look at doing the same, but now we want to know how much traffic is coming from a certain syslog facility.

You can use the following for determining the facility number;
http://en.wikipedia.org/wiki/Syslog#Facility_levels


tshark -a duration:60  -R  'syslog.facility==19' -q -z io,stat,5 port 514

(sample output)
===================================================================
IO Statistics
Interval: 5.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-005.000       28     4898
005.000-010.000       29     4388
010.000-015.000        0        0
015.000-020.000        0        0
020.000-025.000       14     3388
025.000-030.000        0        0
030.000-035.000        0        0
035.000-040.000        2     1697
===================================================================


Example 4; let's look at doing the same, but now we want to know how much traffic there is for a certain syslog level (informational) over 60 secs with a 1 sec interval.

tshark -n -a duration:60 -R 'syslog.level==6' -qz io,stat,1 port 514

(sample output)
===================================================================
IO Statistics
Interval: 1.000 secs
Column #0:
                |   Column #0
Time            |frames|  bytes
000.000-001.000        6     2224
001.000-002.000        1      234
002.000-003.000        1      239
003.000-004.000        0        0
004.000-005.000        0        0
005.000-006.000        0        0
006.000-007.000        0        0
007.000-008.000        0        0
008.000-009.000        0        0
009.000-010.000        0        0
010.000-011.000        0        0
011.000-012.000        1      239
012.000-013.000        0        0
013.000-014.000        0        0
014.000-015.000        0        0
015.000-016.000        2      378
016.000-017.000       10     2777
017.000-018.000        3     1158
018.000-019.000        1      427
(output shortened)
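Examples 3 and 4 filter on syslog.facility and syslog.level, and the final example below combines a level with a message match. Those two fields are not separate headers on the wire: tshark's syslog dissector derives both from the <PRI> prefix of each message, where PRI = facility * 8 + severity, so facility 19 (local3) at severity 6 (informational) arrives as <158>. The block below is an added example, not code from the original post: it decodes the PRI of a few constructed sample messages (the hostnames, addresses and text are made up), names the facility and severity with the RFC 5424 table (the same one the Wikipedia link above presents, with facilities 12 to 15 abbreviated here as ntp, audit, alert and clock), tallies messages and payload bytes per facility.severity pair, and builds the matching tshark display-filter string with the contains value properly quoted. One thing worth noting while reading the final example: in the RFC 5424 table severity 5 is notice and 6 is informational, so syslog.level==5 selects notice-level messages.

```python
"""Relate tshark's syslog.facility / syslog.level filter values to the PRI.

Added example (not from the original post). The syslog <PRI> encodes
facility and severity as PRI = facility * 8 + severity; this decodes it,
names both halves per RFC 5424, tallies constructed sample messages and
builds a tshark display filter from facility, level and message text.
"""
from __future__ import annotations

import re
from collections import Counter

# RFC 5424 section 6.2.1 facility codes 0..23 (12..15 abbreviated).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
# RFC 5424 severity codes 0..7.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# Constructed sample messages (hosts, addresses and text are made up).
SAMPLE_MESSAGES = [
    '<158>Aug  7 10:00:01 fw01 date=2014-08-07 msg="sample local3 informational"',
    '<37>Aug  7 10:00:02 host1 sshd[1234]: Accepted publickey for ops from 10.8.23.10 port 52214 ssh2',
    '<157>Aug  7 10:00:03 fw01 date=2014-08-07 msg="sample local3 notice"',
    '<14>Aug  7 10:00:04 host2 cron[99]: sample user informational',
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int) -> tuple[int, int]:
    """Split PRI into (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    return divmod(pri, 8)


def parse_message(line: str) -> dict:
    """Decode one raw syslog line into the fields tshark would show."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "body": m.group(2),
        "payload_bytes": len(line.encode()),  # UDP payload only, no headers
    }


def display_filter(facility: int | None = None, severity: int | None = None,
                   contains: str | None = None) -> str:
    """Build the -R/-Y display filter for the given constraints."""
    terms = []
    if facility is not None:
        terms.append(f"syslog.facility=={facility}")
    if severity is not None:
        terms.append(f"syslog.level=={severity}")
    if contains is not None:
        # Quote the literal so hyphens or spaces in the text cannot be
        # misread as filter syntax; escape any embedded quotes/backslashes.
        escaped = contains.replace("\\", "\\\\").replace('"', '\\"')
        terms.append(f'syslog.msg contains "{escaped}"')
    if not terms:
        raise ValueError("at least one filter term is required")
    return " and ".join(terms)


def tally(lines) -> dict:
    """Count messages and payload bytes per facility.severity pair."""
    counts: Counter = Counter()
    nbytes: Counter = Counter()
    for line in lines:
        p = parse_message(line)
        key = f"{p['facility_name']}.{p['severity_name']}"
        counts[key] += 1
        nbytes[key] += p["payload_bytes"]
    return {"messages": dict(counts), "bytes": dict(nbytes)}


if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE_MESSAGES)["messages"].items()):
        print(f"{key:24s} {n} message(s)")
    print(display_filter(facility=19))
    print(display_filter(severity=6))
    print(display_filter(severity=5, contains="SSH"))
```

The tally mirrors what the facility and level filters do inside tshark, which makes it a handy cross-check: decode a handful of messages from the log server's own spool the same way and the counts should line up with the io,stat frames for the same filter.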



Final example; let's get creative and measure traffic for a particular host at a 1 sec interval, for informational messages and ssh2 requests from the source network 10.8.23.

tshark -n -R '(syslog.level==5) and (syslog.msg contains SSH)' -q -z io,stat,1 -a duration:60  port 514

With MS or other tools you can easily import the data collected for your interval and type of syslog detail and build graphs similar to the one below.

(example ssh logging traffic graph from one data center over 60 seconds)





Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=(  !  ! )=
      @
      /   \
