427 Botnet fm qxd

if it’s not RRDtool data, we may have a 30-second report (now), an hourly
summarization, and a daily summarization. We keep about one week’s worth
of ASCII daily summarizations.
Roughly, the back-end graphics engine produces the following kinds of
data placed on the Web:
■
RRDtool strip charts. Figure 6.1 is an example.
■
Thirty-second ASCII reports. We will see an example of this in the
next chapter called the TCP port report.
■
Hourly summarizations, which are rolled over to daily summariza-
tions at midnight. Our bot client information in Tables 6.1 and 6.2 is
an example.
■
There is also an event log (which is kept as a daily report for a week
and rolled over every day). Important system events (like warnings
about too many IP hosts in an IRC channel) are logged in the event
log, which is also available in a daily/weekly format like the summa-
rized reports. We will discuss the event log in the final ourmon
chapter.
The back-end graphics engine also stores two kinds of logging informa-
tion. One directory called rrddata stores RRDtool data, which has a special
format that enables the one year of baselining graphs to be created.The other
directory, called logs, is where the back-end graphics engine scripts store all
logging information for anything in ourmon that is not RRDtool related. For
example, 30-second IRC reports from the front end are stored here and are
then built into hourly summaries placed on the Web. We will return to the
logs directory in Chapter 9 for some advanced data-mining techniques that
can help us extract botnet-related IP addresses from data stored in some of
the log directories. One important aspect of the ourmon log system is that in
general it gets to a certain size after a week and doesn’t get any bigger.
RRDtool logs have a fixed permanent size when first created, so they don’t
grow over time either.The other kinds of data stored in the logs directory are
rotated every day so that, for example, today becomes yesterday, yesterday
becomes the day before yesterday, etc.The very last day is deleted.Thus the
logs reach a rough size and don’t become an administrative problem.

Download 6,98 Mb.

Do'stlaringiz bilan baham: