This repository has been archived by the owner on Sep 20, 2022. It is now read-only.
System Design
Jack Fletcher edited this page Oct 11, 2013 · 2 revisions
- Log into Web Interface, resides on master node.
- Define a new data source for agents, for example, "/var/log/firewall.log", you might call this data source "Firewall".
- Master node uploads new data source to agents who start reporting log data back for processing.
- Switch to the 'Data Sources' tab and, under "Firewall", watch the live data coming in, along with frequency graphs and other standard metrics. The system automatically detects IP addresses for graph processing and timestamps for frequency.
- Switch to the 'Queries' tab and define a new query on this dataset using a simple query language, probably written by us (match substring, count, join, etc., as well as more advanced features; we could abstract some machine learning techniques). A simple example: any log line containing the string "Stealth Mode connection attempt". We might call this query "Stealth Connections".
- On the "Firewall" dashboard you might then use this query to define a new graph, for example a pie chart showing the number of "Stealth Connections" against all connection types.
- Switch to the "Alerts and Messages" tab and define a new alert using a standard set of triggers, for example "Email me the hostname of any machine where the frequency of 'Stealth Connections' steps outside 3 standard deviations".