Kapisi/roles/Sharingan/README.md

38 lines
1.7 KiB
Markdown
Raw Normal View History

2020-10-08 16:33:19 -05:00
Sharingan is the monitoring and blue-team solution for the AniNIX. It is responsible for monitoring and alarming on a wide array of events, from dev-ops to cybersecurity.
# Etymology
Sharingan is named after the mythical technique from the Naruto anime series. Sharingan confers deep insight abilities to its user, and our implementation of it will do the same for our administrators' domains.
# Relevant Files and Software
We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`.
## Syslog-ng
We use a lot of services in the AniNIX ecosystem -- some create files, some pipe output, etc. Syslog-ng then picks these up and files them off to graylog over 514/udp/syslog.
## Journald
ArchLinux and most systemd-based Linux distributions use journald to track system log files.
## Suricata
Suricata generates a file, [fast.log](file:///var/log/suricata/fast.log), containing threat intelligence about network threats. We place this on the Core web front-end to detect incoming assaults on our applications.
## SSHGuard
## ClamAV
## OSSEC
TODO
## Monit
# Available Clients
See [[WebServer#Available Clients|AniNIX::Webserver's client list]].
# Equivalents or Competition
Various monitoring SaaS vendors are available, including Nagios, OP5, PagerDuty, etc. A variety of paid cybersecurity vendors are also on the market, particularly contract firms. Data aggregation is also oft used via the ElasticStack for a number of use-cases. We chose Graylog because it unifies these funtions for what we care about -- alarming on actionable events, whether they are malicious or accidental.