This chapter covered the many methods and some of the applications you can use to monitor your honeypot system. Setting up a honeypot monitoring system means collecting a baseline, creating log files, collecting them to a centralized location, and then prioritizing the critical events so the administrator is alerted to only the appropriate exploits.
I emphasized how the goal of honeypot system logging is to capture all traffic into and out of the system, while only presenting the most relevant data first. The worst possible outcome is for log files to be left distributed and unranked, forcing the administrator to wade through a myriad of data looking for the clues manually. This virtually guarantees unread log files, and consequently, a less useful honeypot system. Logging data in a honeypot system requires thoughtful consideration. All log-generating systems must be time synchronized and the data collected to a centralized location. The most important events must be brought to the attention of the administrator using an alert system, and all the data stored securely for future analysis.
Chapter 11 discusses the forensic analysis of the collected data.
Unable to display preview. Download preview PDF.