creating a dedicated log management layer
play

Creating a dedicated log management layer Peter Czanik / syslog-ng, - PowerPoint PPT Presentation

Feb 19, 2023 •540 likes •906 views

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng originally

  1. Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

  2. About me ■ Peter Czanik from Hungary ■ Evangelist at One Identity: syslog-ng upstream ■ syslog-ng packaging, support, advocacy syslog-ng originally developed by Balabit, now part of One Identity 2 One Identity - Restricted

  3. Overview ■ Basics: central log collection ■ Growing complexity: analytics for security & operations ■ Reducing complexity: dedicated log management ■ Implementation using syslog-ng 3 One Identity - Restricted

  4. Back to basics ■ Central log collection 4 #GetIAMRight | One Identity - Restricted - Confjdential

  5. Why central logging? Ease of use Availability Security One place to check Even if the sender Logs are available even machine is down if sender machine instead of many is compromised 5 One Identity - Restricted

  6. Growing and reducing complexity ■ Multiple analytics systems ■ Wasting of resources ■ Consolidating using a unifjed log management layer 6 #GetIAMRight | One Identity - Restricted - Confjdential

  7. Multiple analytics systems ■ Security, developers, operators use different analytics ■ All come with log aggregation tools ■ Some examples:  Elastic: Beats and Logstash  Splunk: forwarders  LaaS: collectors 7 One Identity - Restricted

  8. Log aggregation ■ Elastic stack on top of a local syslog: ■ Also most LaaS adds an additional layer on top of existing log management 8 One Identity - Restricted

  9. Why is it a problem? ■ More computing resources ■ More network bandwidth (cloud!) ■ More human resources ■ More security problems 9 One Identity - Restricted

  10. Using a unifjed log management layer ■ Saves on computing, network & human resources ■ Easier to push through security & operation teams ■ Log management is separate from analytics ■ Bonus: might save on analytics licensing and hardware costs 10 One Identity - Restricted

  11. Implementing log management on syslog-ng ■ What is syslog-ng ■ Four roles: collecting, processing, fjltering, store/forward ■ Modes of operation ■ Confjguration 11 #GetIAMRight | One Identity - Restricted - Confjdential

  12. syslog-ng Logging Recording events, such as: Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2 syslog-ng Enhanced logging daemon with a focus on portability and high-performance central log collection. Originally developed in C. 12 One Identity - Restricted

  13. Role: data collector Collect system and application logs together: contextual data for either side A wide variety of platform-specifjc sources: ■ /dev/log & co ■ Journal, Sun streams Receive syslog messages over the network: ■ Legacy or RFC5424, UDP/TCP/TLS Logs or any kind of text data from applications: ■ Through fjles, sockets, pipes, application output, etc. Python source: Jolly Joker ■ HTTP server, Kafka source, etc. 13 One Identity - Restricted

  14. Role: processing Classify, normalize, and structure logs with built-in parsers: ■ CSV-parser, PatternDB, JSON parser, key=value parser Rewrite messages: ■ For example: anonymization Reformatting messages using templates: ■ Destination might need a specifjc format (ISO date, JSON, etc.) Enrich data: ■ GeoIP ■ Additional fjelds based on message content Python parser: ■ all of above, enrich logs from databases and also fjltering 14 One Identity - Restricted

  15. Role: data fjltering Main uses: ■ Discarding surplus logs (not storing debug-level messages) ■ Message routing (login events to SIEM) Many possibilities: ■ Based on message content, parameters, or macros ■ Using comparisons, wildcards, regular expressions, and functions ■ Combining all of these with Boolean operators 15 One Identity - Restricted

  16. Role: destinations 16 One Identity - Restricted

  17. MODES OF OPERATION • Client mode: collecting logs from the client and sending them to the remote server (directly or through a relay) • Relay mode: collecting logs from the clients (through the network) and sending them to the remote server (directly or through another relay) • Server mode: collecting logs from the clients and storing them locally or in a database

  18. Why relays? UDP source Scalability Structure Collect as close Distributing A relay for each processing site or department as possible 18 One Identity - Restricted

  19. Freeform log messages Most log messages are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard- interactive/pam for root from 127.0.0.1 port 46048 ssh2 ■ Text = English sentence with some variable parts ■ Easy to read by a human ■ Diffjcult to create alerts or reports 19 One Identity - Restricted

  20. Solution: structured logging ■ Events represented as name-value pairs . For e xample, an ssh login: ■ app=sshd user=root source_ip=192.168.123.45 ■ syslog-ng: name-value pairs inside ■ Date, facility, priority, program name, pid, etc. ■ Parsers in syslog-ng can turn unstructured and some structured data (CSV, JSON) into name-value pairs ■ ■ Name-value pairs make fjltering more precise 20 One Identity - Restricted

  21. Confjguration ■ “Don't Panic” ■ Simple and logical, even if it looks diffjcult at fjrst ■ Pipeline model: Many different building blocks (sources, destinations, fjlters, parsers, ■ etc.) Connected into a pipeline using “log” statements ■ 21 #GetIAMRight | One Identity - Restricted - Confjdential

  22. syslog-ng.conf: getting started @version:3.18 @include "scl.conf" # this is a comment :) options {fmush_lines (0); keep_hostname (yes);}; source s_sys { system(); internal();}; destination d_mesg { fjle("/var/log/messages"); }; fjlter f_default { level(info..emerg) and not (facility(mail)); }; log { source(s_sys); fjlter(f_default); destination(d_mesg); }; @include "/etc/syslog-ng/conf.d/*.conf" 22 One Identity - Restricted

  23. Suricata.conf: source, JSON parsing # receive Suricata logs source s_suricata { tcp(ip("0.0.0.0") port("514") fmags(no-parse)); }; # parse JSON into name-value pairs parser p_json { json-parser (prefjx("suricata.")); }; 23 One Identity - Restricted

  24. Suricata.conf: GeoIP parser p_geoip2 { geoip2( "${suricata.dest_ip}", prefjx( "parsed.dest." ) database( "/usr/share/GeoIP/GeoLite2-City.mmdb" ) ); }; rewrite r_geoip2 { set( "${parsed.dest.location.latitude},${parsed.dest.location.longitude}", value( "parsed.dest.ll" ), condition(not "${parsed.dest.location.latitude}" == "") ); }; 24 One Identity - Restricted

  25. Suricata.conf: destinations destination d_suricata { fjle("/var/log/suricata.log" template("$(format-json --key suricata.* --key parsed.* --key ISODATE)\n")); }; destination d_elastic { elasticsearch2 ( cluster("syslog-ng") client_mode("http") index("syslog") time-zone(UTC) type("syslog") fmush-limit(1) server("192.168.1.187") template("$(format-json --key suricata.* --key parsed.* --key ISODATE)") persist-name(elasticsearch-syslog) ) }; 25 One Identity - Restricted

  26. Suricata.conf: more parsers # resolve non-local destination IP addresses using Python parser parser p_resolver { python(class("SngResolver")); }; # add-contextual-data based on local IP address parser p_localsrc_info { add-contextual-data(selector("${suricata.src_ip}"), default- selector("unknown"), database("/etc/syslog-ng/conf.d/context-info-db.csv"), prefjx("parsed.src.")); }; 26 One Identity - Restricted

  27. Suricata.conf: inline Python code python { import socket class SngResolver(object): def parse(self, log_message): ipaddr_b = log_message['suricata.dest_ip'] ipaddr = ipaddr_b.decode('utf-8') try: resolved = socket.gethostbyaddr(ipaddr) hostname = resolved[0] log_message['parsed.dest.hostname'] = hostname except: pass return True }; 27 One Identity - Restricted

  28. Suricata.conf: log statement 1. log { # receive Suricata logs source(s_suricata); # parse JSON into name-value pairs parser(p_json); # resolve non-local destination IP addresses # using Python parser if (not match("^192.168" value("suricata.dest_ip"))) { parser(p_resolver); }; 28 One Identity - Restricted

  29. Suricata.conf: log statement 2. # add-contextual-data based on local IP address if (match("^192.168" value("suricata.src_ip"))) { parser(p_localsrc_info); }; # send alert if someone is reading slashdot if (match("slashdot.org" value("suricata.tls.sni"))) { destination { fjle("/var/log/slashdot"); }; # ToDo: change to smtp destination }; 29 One Identity - Restricted

  30. Suricata.conf: log statement 3. # talking to a malware C&C if { fjlter { in-list("/etc/syslog-ng/conf.d/malwarecc.list", value("suricata.dest_ip")) }; rewrite { set("Problem", value("parsed.malware")); }; } else { rewrite { set("OK", value("parsed.malware")); }; }; # add GeoIP information parser(p_geoip2); rewrite(r_geoip2); 30 One Identity - Restricted

  31. Suricata.conf: log statement 4. # save results locally destination(d_suricata); # save results to Elasticsearch destination(d_elastic); }; 31 One Identity - Restricted

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

L T EX3: A Creating the interface layer: xparse Code layer: Using the layers expl3

L T EX3: A Creating the interface layer: xparse Code layer: Using the layers expl3

L A T EX3: Using the layers Frank Mittelbach & Joseph Wright Layers L T EX3: A Creating the interface layer: xparse Code layer: Using the layers expl3 Conclusions Its alright ma, its only witchcraft Frank Mittelbach

660 views • 37 slides
4 Application Layer Protocols Device Management Protocols Application layer protocols offering

4 Application Layer Protocols Device Management Protocols Application layer protocols offering

EPFL, Spring 2017 4 Application Layer Protocols Device Management Protocols Application layer protocols offering remote services for large networks of devices: - Monitoring (health of devices and network, get current state) - Management

1.31k views • 93 slides
1 Transport Layer Transport Layer Outline Message, Segment, Datagram Transport-layer

1 Transport Layer Transport Layer Outline Message, Segment, Datagram Transport-layer

Transport Layer Transport Layer Chapter 3: Transport Layer Mobile network Our goals: Global ISP understand principles learn about transport Chapter 3 behind transport layer protocols in the Transport Layer Internet: layer

678 views • 5 slides
5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

Network Layer Network Layer Network Layer Network Layer Network Layer Comparison of LS and DV algorithms Message complexity Robustness: what happens 1 Introduction 5 Routing algorithms if router malfunctions? LS: with n nodes, E

325 views • 4 slides
1 We are a New Jersey development firm dedicated to creating world-class communities. 2 For

1 We are a New Jersey development firm dedicated to creating world-class communities. 2 For

1 We are a New Jersey development firm dedicated to creating world-class communities. 2 For more than a decade, Walters has worked with municipalities across the state to create lasting partnerships and thriving communities. 3 We handle all

880 views • 57 slides
Dedicated to empowering American Indian and Alaskan Native communities by creating socio Dedicated

Dedicated to empowering American Indian and Alaskan Native communities by creating socio Dedicated

Dedicated to empowering American Indian and Alaskan Native communities by creating socio Dedicated to empowering American Indian and Alaskan Native communities by creating socio- -economic opportunities economic opportunities MISSION STATEMENT

223 views • 20 slides
1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

Network Layer Network Layer Chapter 4: Network Layer Mobile network Chapter goals: Global ISP understand principles behind network layer Network Layer services: Home network network layer service models Regional ISP forwarding

550 views • 3 slides
7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

Network Layer Network Layer Network Layer Network Layer IP Fragmentation & Reassembly IP Fragmentation and Reassembly network links have MTU length ID fragflag offset (max.transfer size) - largest possible link-level frame.

948 views • 5 slides
Creating Local Energy Who we are REPOWERING is a not-for-profit organisation Creating

Creating Local Energy Who we are REPOWERING is a not-for-profit organisation Creating

Creating Local Energy Who we are REPOWERING is a not-for-profit organisation Creating local energy: We specialise in co-producing community-owned renewable energy projects Our team: Dedicated employees working

593 views • 21 slides
ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent

ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent

ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent Multimedia Transport <draft lim irtf sam alm api 00.txt > p 71 ST IETF SAM RG MEETING, PHILADELPHIA. Lim Boon Ping

230 views • 19 slides
C4 LIS Integrity Services Streamlining LIS Systems and Processes with Dedicated Solutions

C4 LIS Integrity Services Streamlining LIS Systems and Processes with Dedicated Solutions

C4 LIS Integrity Services Streamlining LIS Systems and Processes with Dedicated Solutions Welcome to C4 C4 is dedicated to improving ease of use and ongoing management of LIS systems. We are equally dedicated to communicating in real-time, as

224 views • 6 slides
4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

Network Layer Network Layer Network Layer Network Layer Routing Table Aggregation - > 4 billion Forwarding table Longest prefix matching possible entries Prefix Match Link Interface Destination Address Range Link Interface 11001000

288 views • 3 slides
Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by an application in order to persist its state, that is to store and retrieve information using some sort of database management system. Presentation

633 views • 60 slides
The Essential Hip Exam Layer 1- Osteochondral Layer 2- Inert Layer 3- Contractile

The Essential Hip Exam Layer 1- Osteochondral Layer 2- Inert Layer 3- Contractile

12/13/2018 The Layers of the Hip To treat hip pathology- 1 st task is to understand the source of hip pain Bryan Kelly et al Arthroscopy 2012 The Essential Hip Exam Layer 1- Osteochondral Layer 2- Inert Layer 3-

438 views • 9 slides
Now Arriving at Layer 3 Packet Forwarding although layer 2 switches and layer 3 routers

Now Arriving at Layer 3 Packet Forwarding although layer 2 switches and layer 3 routers

Now Arriving at Layer 3 Packet Forwarding although layer 2 switches and layer 3 routers are similar in many ways and ATM/Virtual Circuits are used at layer 2 these days 9/27/06 CS/ECE 438 - UIUC, Fall 2006 1 9/27/06 CS/ECE

514 views • 7 slides
1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

Transport Layer Transport Layer Outline Mobile network Transport-layer Connection-oriented Global ISP services transport: TCP Transport Layer Multiplexing and segment structure Home network demultiplexing reliable data

264 views • 5 slides
CompassPoint intensifies the impact of fellow nonprofit leaders, organizations, and networks as

CompassPoint intensifies the impact of fellow nonprofit leaders, organizations, and networks as

CompassPoint intensifies the impact of fellow nonprofit leaders, organizations, and networks as we achieve social justice together. Pair Interview (5 minutes each) 1. Last year, did your organization generate more financially than it consumed?

298 views • 12 slides
Intertemporal Choice and Saving David Laibson Summer Institute on Behavioral Economics July,

Intertemporal Choice and Saving David Laibson Summer Institute on Behavioral Economics July,

Intertemporal Choice and Saving David Laibson Summer Institute on Behavioral Economics July, 2002 Outline: Psychology of Saving 1. Suggestive evidence for: i. Bounded rationality. ii.Bounded self-control. iii.Excessive (unbounded?)

1.3k views • 31 slides
THIRD QUARTER 2020 November 9, 2020 Q3 2020 Highlights Strong performance across Retail &

THIRD QUARTER 2020 November 9, 2020 Q3 2020 Highlights Strong performance across Retail &

THIRD QUARTER 2020 November 9, 2020 Q3 2020 Highlights Strong performance across Retail & Wholesale business Retail brand comparable sales growth of +8.3%, the highest in 9 years Stabilization of Wholesale business with total

231 views • 20 slides
Matteo Cesari, MD, PhD EUGMS Congress Nice (France) September 22, 2017 Disclosure of

Matteo Cesari, MD, PhD EUGMS Congress Nice (France) September 22, 2017 Disclosure of

Self-reported screening tools for detecting community-dwelling older persons with frailty Matteo Cesari, MD, PhD EUGMS Congress Nice (France) September 22, 2017 Disclosure of speakers interests Presentations at scientific meetings for

768 views • 41 slides
Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng

520 views • 30 slides
2019-20 1st Interim Budget December 10, 2019 So... why do a 1st Interim budget report? The

2019-20 1st Interim Budget December 10, 2019 So... why do a 1st Interim budget report? The

Tamalpais Union High School District 2019-20 1st Interim Budget December 10, 2019 So... why do a 1st Interim budget report? The 1st Interim reports: Actual financial activity from July 1st through October 31st Projects financial

558 views • 43 slides
4Q17 and Full Year Results February 22, 2018 Full year pro forma financial results Pro-forma

4Q17 and Full Year Results February 22, 2018 Full year pro forma financial results Pro-forma

4Q17 and Full Year Results February 22, 2018 Full year pro forma financial results Pro-forma Revenue* Adj. EBITDA* and Adj. EBITDA Margin $800 $738 $739 $2,408 $2,500 $700 $2,308 Flat $600 -4% $500 $2,000 32.0% $400 30.7% $300

589 views • 21 slides
Outline 1. Life before the 1970s 2. Paradigm Shift: The Architectural Barriers Act and the

Outline 1. Life before the 1970s 2. Paradigm Shift: The Architectural Barriers Act and the

9/17/2015 Including Persons with Disabilities in We the People A Short History of Disability Rights In the United States Mid-Atlantic ADA Update Conference September 18, 2015 John L. Wodatch Outline 1. Life before the 1970s 2.

381 views • 7 slides

More recommend