[ANSWERED 2023] Explain the process of collecting network data using events per second (EPS) measurements

Explain how a sever syslog can be used as a strategy to collect network traffic data. Illustrate your ideas with a real-world example.

A Syslog is a tool used to collect and store log data from servers, applications, and other network devices. It can monitor and analyze network traffic data in real-time. A Syslog server can collect and store logs from multiple devices, allowing administrators to identify and respond to security incidents quickly.

The primary benefit of using a Syslog server is that it provides a centralized location for log data. This allows administrators to monitor and analyze logs from multiple devices in one place. Additionally, Syslog servers can be configured to alert administrators of potential security incidents based on the data it collects.

For example, a network administrator can use the server Syslog to monitor the network traffic on their network. They can use the Syslog to detect unusual activity, such as too many connections from a particular IP address or a suspicious port. They can also use Syslog to determine the bandwidth usage of specific applications or services. The network administrator can identify potential security threats or performance bottlenecks by analyzing the server Syslog.

Syslog servers can also be used to archive log data for future analysis. This allows administrators to review log data from the past and use it to identify trends in network activity. This can be especially useful for detecting malicious activity and helping to prevent future security incidents (Jablokow, 2020).

Syslog servers provide a powerful tool for monitoring and analyzing network traffic data. Syslog servers can help administrators quickly identify and respond to potential security incidents by collecting and storing log data from multiple devices in one place.

Additionally, Syslog servers can archive log data for future analysis, allowing administrators to identify trends in network activity and help prevent future security incidents.

References

Jablokow, A. (2020, March 4). What is a Syslog Server and How Does it Work? Retrieved from WhatsUp Gold: https://www.whatsupgold.com/blog/what-is-a-syslog-server-and-how-does-it-work

Benchmark – Network Traffic and Internal Threats

The purpose of this assignment is to practice data collection techniques.

For decades, anyone analyzing network traffic concentrated on external network traffic through the perimeter via firewalls. Although firewalls evolved to better analyze this traffic, two primary trends emerged: 1) cloud adoption was causing the perimeter to become more porous, even to the point of extinction, and 2) as attackers gained sophistication, threats inside the network were becoming increasingly difficult to detect. External traffic analysis was no longer enough to protect an organization’s network.

What initially emerged to analyze internal network traffic is deep packet inspection solutions, originally built for ingress/egress traffic analysis. The challenge with these inline solutions is that they are very expensive to deploy and scale, leading organizations to make strategic bets on which internal traffic to monitor.

Assume that the SOC sandbox you created contains information related to the corporation you selected from the “Company Profiles.” Use the SOC sandbox to collect basic data for the company. Consider the type of data you would want to collect for the organization and the processes you would use for collecting the data.

In a 500- to 750-word summary, address the following. This will be the Network Traffic and Internal Threats section in the IT Proposal.

• Describe the data you want to collect and explain why this data collection is important to cyber operations within the organization. Include discussion of network defense measures and the use of networking monitoring and/or mapping tools.
• Explain which elements/VMs should be monitored. Include screenshots of the VMs to support your selections.
• Describe the data format and protocol. Include supporting screenshots of the VMs to illustrate.
• Explain whether data collection causes system and network overhead. Include supporting screenshots of the VMs to illustrate.
• Explain how you can optimize data collection capabilities. Include supporting screenshots of the VMs to illustrate.

APA style is not required, but solid academic writing is expected.

This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.

You are required to submit this assignment to LopesWrite. Refer to the LopesWrite Technical Support articles for assistance.

This benchmark assignment assesses the following programmatic competencies:

B.S. Cybersecurity

4.2: Implement network defense measure by applying the knowledge of a network monitoring tools or a network mapping tool.

FAQs

What is EPS events per second?

EPS, or events per second, is a measure of the rate at which a system or process generates or processes discrete events, such as log entries or network packets. It represents the number of events that occur in one second. EPS is commonly used in the context of monitoring and analyzing system performance or security events.

How to calculate events per second

To calculate events per second (EPS), you need to count the number of events that occur within a specific time period and then divide that count by the duration of the time period in seconds. The formula for calculating EPS is:

EPS = (number of events) / (time period in seconds)

For example, if you count 1000 events over a 10-second period, the EPS would be:

EPS = 1000 / 10 = 100 events per second

You can also use tools like monitoring software or network analyzers to automatically count events and calculate EPS for you.

SIEM EPS vs MPS

SIEM EPS and MPS are both measures of the rate of events that a security information and event management (SIEM) system processes, but they represent different types of events.

• SIEM EPS: SIEM EPS (events per second) measures the rate at which security-related events are generated and processed by a SIEM system. These events can include logs from different sources such as firewalls, intrusion detection systems, and other security tools.
• SIEM EPS is an important metric for monitoring the performance of a SIEM system and ensuring that it can keep up with the volume of security events generated by an organization.
• MPS: MPS (messages per second) is a measure of the rate at which log messages are generated by network devices or systems, regardless of whether they are security-related. MPS is commonly used to monitor network performance and identify issues such as network congestion or bottlenecks. MPS can also be used to identify issues with individual network devices or systems that may be generating an excessive number of log messages.

In summary, SIEM EPS is specifically focused on measuring the rate of security-related events, while MPS is a more general measure of the rate of log messages generated by network devices and systems.

What is a syslog server

A syslog server is a centralized logging server that receives, stores, and manages log messages from different network devices and applications. It is a software application that listens for syslog messages, which are standardized messages that are generated by network devices and applications to report various events or system activities.

Syslog messages can include information such as security events, device status, system errors, and more. By sending these messages to a syslog server, network administrators can have a centralized location to view and analyze all the log messages generated by their network. This can help them quickly identify and troubleshoot issues, monitor system performance, and comply with regulatory requirements.

Syslog servers typically provide features such as message filtering, alerting, and reporting, and can be configured to store logs for a specified amount of time. They can also be integrated with other network management and security tools to provide a comprehensive view of network activity. Popular syslog servers include open-source options like rsyslog, syslog-ng, and commercial options like SolarWinds Kiwi Syslog Server and Graylog.

Syslog example

Here’s an example of a syslog message:

<14>Feb 14 12:34:56 my-computer-name dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0

This syslog message consists of the following parts:

• <14>: This is the priority and facility level of the message, represented in a format called the “syslog header”. In this case, the priority level is 14 (which is the decimal equivalent of the binary value 00001110), and the facility level is not specified, so it defaults to user-level messages.
• Feb 14 12:34:56: This is the timestamp when the message was generated, in the format “Month Day Time”. In this case, the message was generated on February 14th at 12:34:56.
• my-computer-name: This is the name of the device that generated the message.
• dhcpd[1234]: This is the name of the program that generated the message (in this case, the DHCP server), and the process ID of the program.
• DHCPDISCOVER from 00:11:22:33:44:55 via eth0: This is the content of the message, which indicates that a DHCPDISCOVER message was received from the MAC address 00:11:22:33:44:55 via the eth0 network interface.