I am a novice at logging. I have installed Graylog on my home network as a self learning exercise. I am collecting logs from Unify (including network some details of internal and external network traffic), Linux logs, and logs from Windows PC.
Because Linux/Graylog collector is a quiet box, I have been looking at its traffic (as logged by Unify) in detail. I have set up a filter for traffic that I can account for (which is slowly growing).
This log entry is routinely appearing that I am having trouble understanding.
NetworkSecurityGatewayPro4 kernel: [WAN_OUT-2002-A]IN=eth0.21 OUT=eth2 SRC=192.168.3.3 DST=116.202.120.181 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=26215 DF PROTO=TCP SPT=42824 DPT=443 WINDOW=2079 RES=0x00 ACK RST URGP=0
IP address 116.202.120.181 resolves to check.torproject.org
There are two entries in the log (present at 23 minutes and 27 minutes past the hour), and seems to beacon consistently at hourly intervals.
Running netstat shows that the PID associated with this 116.202.120.181 traffic is 1493/java.
Running sudo isof -p 1493 suggests that the user of the process is Graylog (and gives lines and lines of output).
A PCAP from Wireshark shows 223kb encrypted payload downloaded for each poll of 116.202.120.181.
I am at a loss as to what to do next. I would like to understand if it is Graylog (or some other process) that is beaconing to 116.202.120.181.
Suggestions???