One thing that I first noticed as a Net Tech, and then more as an OC/T at NTC, and finally a ton now that I have moved into the cyber side of the world is just how important logs can be. Let me give some examples. As a Net Tech there were plenty of times when I was trying to find a piece of information to figure out why my network wasn’t working. I knew, like most of you do, that the answer probably lay in the logs of one or more devices. But getting those logs was rarely easy. First, baseline configs don’t have logging turned on at the level of detail needed for it to be of much use. Second, those logs are almost never forwarded anywhere, which means that they roll fairly quickly on the device, or if the device restarts, they are gone. Third, if they are forwarded somewhere, it is entirely possible that the laptop with the collector software on it isn’t even running. The point is, those logs very likely just don’t exist.
As a cyber guy, logs are a critical source of information for me. What is/has happened on a computer? Those Windows logs and domain controller logs hold a lot of those answers. What has been coming in and out of your network? Your firewall logs should be able to tell me that. Where is a connection actually originating from? VPN logs hold the answer to that. There are a ton of sources that produce all kinds of logs, and you never know just when that piece of information will be critical.
Giving Back
One thing I have learned since moving over to the cyber side is that it can be pretty damn hard to get your hands on clean sets of data for training. If I want to have my guys go through some PCAP and tell me what they see, it can be pretty damn hard to find a set of “normal” network traffic. So with that, I am proud to announce the first of what I am hoping will be a couple of steps to do my small part to fix that problem. When you came to Signal-Chief.com to read this article, you reached out to the web server that I host this on. That web server creates an access log that shows every connection to my website. It includes such things as the time, your public IP address, what resources you accessed (web page, graphics, CSS files, etc.), some basic details about your web browser, and other fields.
So with that, I am making those logs public. My goal is to put a dump of my webserver logs on here for you every couple of weeks. The logs can be found at www.signal-chief.com/logs. These logs are publicly available and licensed for use under the Creative Commons Attribution-ShareAlike license. This means that you can take these logs and use them pretty much however you like, just please put a statement in there noting that you got them from here. If you make a product or something along those lines that uses those logs as a part of it, then that product must be shared under a similar license. As a note, I host a few different websites under my hosting account. I have removed the logs for those sites, so what you get is just Signal-Chief.
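As an added example (my code, not the author's or anything served from Signal-Chief.com) of the kind of exercise these dumps are good for, here is a small parser and summarizer for web server access logs. It assumes the dump is in the common Apache/Nginx "combined" format, which the post does not actually state, and it runs over a handful of constructed sample lines using documentation IP ranges rather than real visitor data. It pulls out the fields the post lists (time, client IP, requested resource, user agent), tallies requests per client and per status code, and flags clients whose requests were mostly 404s, which is one of the first things an analyst looks for when separating ordinary visitors from hosts probing for pages that don't exist.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the Apache/Nginx "combined" log format. ASSUMPTION: the Signal-Chief
# dumps use this format; the post itself does not say which web server it runs.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not from the real logs). 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges, so nobody real is named.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:36 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/49.0"
203.0.113.7 - - [10/Oct/2016:13:55:37 -0400] "GET /css/style.css HTTP/1.1" 200 812 "http://www.signal-chief.com/index.html" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/49.0"
203.0.113.7 - - [10/Oct/2016:13:55:37 -0400] "GET /img/logo.png HTTP/1.1" 200 20480 "http://www.signal-chief.com/index.html" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/49.0"
198.51.100.23 - - [10/Oct/2016:14:02:01 -0400] "GET /admin/ HTTP/1.1" 404 209 "-" "python-requests/2.11.1"
198.51.100.23 - - [10/Oct/2016:14:02:01 -0400] "GET /backup.zip HTTP/1.1" 404 209 "-" "python-requests/2.11.1"
198.51.100.23 - - [10/Oct/2016:14:02:02 -0400] "GET /old/ HTTP/1.1" 404 209 "-" "python-requests/2.11.1"
198.51.100.23 - - [10/Oct/2016:14:02:02 -0400] "GET /test/ HTTP/1.1" 404 209 "-" "python-requests/2.11.1"
this line is not a valid access log entry
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # e.g. "10/Oct/2016:13:55:36 -0400" -> timezone-aware datetime
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse a whole log dump. Returns (records, number_of_unparseable_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1  # count rather than crash: real dumps always contain a few odd lines
        else:
            records.append(rec)
    return records, bad


def summarize(records):
    """Basic counts an analyst wants first: who, what, and how the server answered."""
    agents = defaultdict(set)
    for r in records:
        agents[r["ip"]].add(r["agent"])
    return {
        "requests_by_ip": Counter(r["ip"] for r in records),
        "status_counts": Counter(r["status"] for r in records),
        "top_paths": Counter(r["path"] for r in records).most_common(3),
        "agents_by_ip": {ip: sorted(a) for ip, a in agents.items()},
    }


def flag_probing_ips(records, min_404=3, min_ratio=0.5):
    """Return {ip: count_of_404s} for clients with at least min_404 misses making up
    at least min_ratio of their requests. A human following links rarely does this;
    a script guessing at URLs does. Thresholds are illustrative, not tuned."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["status"])
    flagged = {}
    for ip, statuses in by_ip.items():
        n404 = sum(1 for s in statuses if s == 404)
        if n404 >= min_404 and n404 / len(statuses) >= min_ratio:
            flagged[ip] = n404
    return flagged


if __name__ == "__main__":
    recs, bad_lines = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {bad_lines} unparseable line(s)")
    for k, v in summarize(recs).items():
        print(f"{k}: {v}")
    print("clients to look at more closely:", flag_probing_ips(recs))
```

Point it at a downloaded dump with `parse_log(open("access.log").read())` and the same summary applies. The 404 heuristic is deliberately simple; on a real dump you would tune the thresholds and also look at request rate over time, which the parsed `time` field makes easy.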
If you have a website that you host and are interested in adding to this effort, please drop me a note and I would be more than happy to serve as a distribution platform for you. Also if you’re looking through the logs and you find something interesting, drop me a note. I admittedly don’t look at them nearly as much as I should.