Syslog Examiner

Download       Buy      FAQ          Program and demodata

 

All traffic to and from your PCs, Macs, Smartphones, SmartTV, IoT devices, etc. passes through your internet router. That’s the only spot, where you can be sure to watch all traffic. That’s why InfoShare will help you to monitor and understand this traffic using our Syslog Examiner.

InfoShare SysLog Examiner is a Windows program to help you analyze the internet traffic leaving your network. Hopefully it’s traffic that you yourself initiated, but it might also be traffic from a planted malware program or from a computer or smartphone attached to your wireless network without your knowledge. And keeping an eye on this is tedious. However, it becomes a little less tedious if you are using InfoShare SysLog Examiner.

What Syslog Examiner does:

The SyslogCollect program reads all syslog information sent to your windows computer and puts it into a database. SyslogExaminer shows you this information in a way, that helps you understand what’s going on and gives you a couple of tools to get further information on the remote hosts, that you are sending information to. Easy as that. And a necessary thing to do, if you want to be sure that your computers are not sending information, that you wouldn’t like them to send. So here’s what you do:

  1. Enable syslog on your router

  2. Open up the firewall for syslog on your PC

  3. Use SyslogCollect to collect information on the traffic

  4. Start SyslogExaminer to examine the traffic

  5. Use Syslog’s build-in tools to get information on the IP addresses involved

  6. For each transmission type tell the ToDo list what you plan to do regarding this (hopefully nothing)

  7. Go through the ToDo list and follow your own recommendations and mark as done.

  8. Wait a while and repeat from step 3. Or put the Syslog Collector on continuous work to get information about all new connections.

You may choose to start your analyzis from the graphical overview making it easy to find the hosts, that produces the most traffic. Hopefully that will not be the hosts with surprising results, but it will make the remaining number of connections easier to comprehend.

Using the button at the bottom will send you directely to the details about this connection:

Or you can choose to browse all the connections from a received or transmitted point of view: Sample screenshot of collected data showing your computer (10.10.10.137) having sent data to 4 external IP addresses:

For each external IP you click the tool buttons at the bottom to find information on that IP. Most often the “Who is” lookup will do the trick. Next you click Action to record what you plan to do in regards to this transmission. If you did a “Who is” lookup the information from that is already saved in the Comments field:

 

If the traffic is safe, you can leave the Severity radio button at “No action needed” and maybe even exclude this traffic from further collections and let the decision count for all ports going to this IP address.

When you’ve done with all IP addresses, you go to the ToDo list to see what you might need to do on your network:

If you’re lucky you are done and don’t have to do anything on your network or computers. Notice the tick marks at the top the screens: “Show all” and “Show only pending” – they are there to make it easier for you to see how much evaluation or changes you still need to do.

If you are slightly less lucky, you might get a ToDo list like this:

 

Try it:

You can download the Syslog Examiner and try it for free. A couple of features are disabled until you enter a valid licence, but you can easily see whether the Syslog Examiner can provide you with valuable information.

Requirements:

Syslog Examiner runs under Windows, so you need to have a Windows PC for collecting and analyzing the traffic. To be able to collect all data, the PC must be reasonably fast – but even if your PC doesn’t catch all the data, you still get vital information on the traffic.

The program analyzes traffic as it is presented in the syslog messages produced by your router, so you need a router with the syslog feature.

Your PC must have port 514 opened on the firewall for the syslog information to be available on your PC.

Related products:

If you have a router without the syslog feature, as is common for relatively cheap routers supplied from Internet Service Providers, you must either change to a better, often more expensive router or you can buy a cheap open-source based router from InfoShare. This part of the project is still under development, so you’ll have to contact Infoshare (admin @ infoshare . dk) for an updated status. Right now we deliver a TP-Link TL-WA801ND 300 Mbps Wireless Router flushed with open-source ddWRT software and syslog enabled at 340 DKK + VAT and shipment.

Relevant links:

Wikipedia list of port numbers

KrebsOnSecurity article on DDoS attack by botnet