The Syslog search
There are plenty of documented network security breaches that took place over an extended period of time. In these slow breaches, quite often, we saw signs and traces in logs indicating that there were suspicious activities. These can be found in both server and network device logs. The activities were not detected, not because there was a lack of information, but rather because there was too much information. The critical information that we were looking for is usually buried deep in a mountain of information that is hard to sort out.
Besides Syslog, UFW is another great source of log information for servers. It is a frontend to iptables, which is a server firewall. UFW makes managing firewall rules very simple and logs a good amount of information. Refer to the Other tools section for more information on UFW.
In this section, we will try to use Python to search through the Syslog text in order to detect the activities that we were...