Logging and Sniffing Server: Our Logging and Sniffing Server provides a platform for silently monitoring networks and logging audit trails from other servers on the LANs it connects to. The minimal logging server handles up to 3 LANs and Gigabytes of storage. Higher end versions can handle scores of LANs and terabytes of storage.
This server runs a custom version of White Glove Linux. It uses the journaling file system to provide high integrity with rapid recovery from power failure. It is configured so that it is only visible electronically (i.e., with a time domain reflectometer) from logging and sniffing interfaces and it responds to no packets in any way on those interfaces. On the control interface - either a USB or an Ethernet port - the server can take external commands via secure shell. X11 can operate on the server to provide the means for window and menu-based access and use.
The server can log packets at nearly full bandwidth on each of its three 100 Mbps interfaces. However, because it has only a 5 gigabyte built-in disk, full content logging would fill its storage in a matter of hours on a heavily utilized network. Its intended purpose is to provide a monitoring capability for syslog and other log formats so that if a server, firewall, or other device is compromised, its logs will remain untouched in the logging server. It can also be used to centralize logging and analysis for up to 3 LANs, which makes it ideal for aggregating log files in many corporate settings.
In a manufacturing setting, the logging server can act as a backup log server for an entire assembly line, keeping records of all activities throughout the line and making this data available on demand from authorized remote monitoring or analysis locations. It is also well suited for retaining backup copies for legal purposes, so long as data volume is not extreme.
The "logging and sniffing server" covertly and securely logs content from networks. This can range from keeping redundant copies of existing SYSLOG entries generated by diverse platforms to the collection and storage of forensic evidence of network activity. Its properties include:
It can be completely covert, emitting no signals whatsoever to the network. In this mode of operation, no network packet is ever emitted from the server, so with the exception of active physical or electromagnetic (non packet) search methods, it cannot be detected. This makes the tool ideal as a forensic or investigative tool, as a redundant logging server that gathers copies of logs other servers normally get, or as a surveillance tool for watching a suspect.
It is highly secured from external intrusion. In the covert mode, only console access can be obtained; however, interfaces can be made available for selective external access while other interfaces remain covert and are connected to different networks. It also runs a more secure operating system than most other logging servers and has special operating system hardening features that severely limit the classes of attack that can work against it.
It can selectively log based on a wide range of selectable, user-programmable, or factory-programmable triggering and collection conditions. For example, it can look for specific packet contents, deviations from previous patterns, or previously unknown MAC or IP addresses.
It can log in any desired format. Standard built-in formats include CSV and text-based logging; however, all storage and recording functions are fully programmable to the desired need. Log files are controlled by the user and can be moved to remote systems via secure shell on non-covert interfaces. It can record full packet contents or any subset of desired contents or packets.
It retains its own time base so that all logged information entering the system is recorded in the arrival sequence and time stamped to the microsecond if desired. This makes its logging of events independent of time settings on other computers, and allows the real sequence of network events to be revealed directly.
Logfile compression can be done with several compression algorithms and the logging server can be programmed to rotate log files over time based on traffic volume, time of day, or external signals. Logs can be checksummed to verify non-modification, and individual log entries can be checksummed if desired to assure entry-by-entry integrity.
With an additional log aggregation server, logs from multiple logging servers can be combined into large-scale logging archives with redundant permanent storage.
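As an added illustration of the arrival-order time stamping and entry-by-entry checksumming described above (example code written for this page, not the product's own logging software or record format): each record is stamped from the logger's own clock and chained by SHA-256 to the previous record, so editing, deleting or reordering any entry is detected, and keeping the final digest apart from the file also catches truncation. The syslog lines, hostnames, addresses (RFC 5737 test ranges) and arrival times are constructed.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record of a log file

def record_digest(prev, seq, ts, entry):
    h = hashlib.sha256()  # SHA-256 over the previous digest and this record's fields
    for part in (prev, str(seq), ts, entry):
        h.update(part.encode() + b"\x00")  # NUL separator: no field-boundary ambiguity
    return h.hexdigest()

class ChainedLog:
    """Append-only log whose records carry the logger's own microsecond arrival
    timestamp, a sequence number and a digest chained to the previous record."""
    def __init__(self):
        self.records, self.prev = [], GENESIS  # (seq, ts, digest, entry); newest digest

    def append(self, entry, arrival=None):
        ts = (arrival or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        seq = len(self.records)  # arrival order, independent of the syslog header's clock
        self.prev = record_digest(self.prev, seq, ts, entry)
        self.records.append((seq, ts, self.prev, entry))
        return self.prev  # keep the newest digest apart from the file as its checksum

    def to_csv(self):
        buf = io.StringIO()
        csv.writer(buf).writerows(self.records)
        return buf.getvalue()

def verify_csv(text, final_digest=None):
    """First bad sequence number (a truncated tail reports the next one), else None."""
    prev, expected = GENESIS, 0
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or row[0] != str(expected) or row[2] != record_digest(prev, row[0], row[1], row[3]):
            return expected
        prev, expected = row[2], expected + 1
    return None if final_digest in (None, prev) else expected

def build_sample_log():
    """Three constructed syslog lines (RFC 5737 test addresses), constructed arrival times."""
    log = ChainedLog()
    t0 = datetime(2024, 10, 11, 22, 14, 15, 120001, tzinfo=timezone.utc)
    for n, line in enumerate([
        "<34>Oct 11 22:14:15 fw1 kernel: DROP IN=eth0 SRC=192.0.2.5 DST=192.0.2.1",
        "<13>Oct 11 22:14:16 web1 sshd[2001]: Accepted publickey for admin from 192.0.2.7",
        "<13>Oct 11 22:14:16 web1 sudo: admin : COMMAND=/bin/ls",
    ]):
        log.append(line, t0.replace(microsecond=t0.microsecond + 250 * n))  # 250 µs apart
    return log
```

Without the separately stored final digest, removing records from the end of the file is not detectable from the file alone, which is why the file-level checksum and the per-entry checksums complement each other.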
Baseline product priced as shown. For pricing, configuration, and delivery on higher end versions, please contact a marketing representative.