get the most out of your security logs using syslog ng
play

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre - PowerPoint PPT Presentation

Jul 06, 2023 •181 likes •548 views

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy

  1. GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik / Balabit

  2. ABOUT ME Peter Czanik from Hungary  Evangelist at Balabit: syslog-ng upstream  syslog-ng packaging, support, advocacy  Balabit is an IT security company with development HQ in Budapest, Hungary Over 200 employees: the majority are engineers 2

  3. OVERVIEW  What is syslog-ng  The four roles of syslog-ng  Message parsing  Enriching messages  Blacklist filtering  Configuring syslog-ng  Analyzing logs: heat map, anonymization 3

  4. syslog-ng Logging Recording events, such as: Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2 syslog-ng Enhanced logging daemon with a focus on high-performance central log collection. 4

  5. WHY CENTRAL LOGGING? EASE OF USE AVAILABILITY SECURITY one place to check even if the sender logs are available even machine is down if sender machine instead of many is compromised 5

  6. MAIN SYSLOG-NG ROLES collector processor filter storage (or forwarder) 6

  7. ROLE: DATA COLLECTOR Collect system and application logs together: contextual data for either side A wide variety of platform-specific sources:  /dev/log & co  Journal, Sun streams Receive syslog messages over the network:  Legacy or RFC5424, UDP/TCP/TLS Logs or any kind of data from applications:  Through files, sockets, pipes, etc.  Application output 7

  8. ROLE: PROCESSING Classify, normalize and structure logs with built-in parsers:  CSV-parser, DB-parser (PatternDB), JSON parser, key=value parser and more to come Rewrite messages:  For example anonymization Reformatting messages using templates:  Destination might need a specific format (ISO date, JSON, etc.) Enrich data:  GeoIP  Additional fields based on message content 8

  9. ROLE: DATA FILTERING Main uses:  Discarding surplus logs (not storing debug level messages)  Message routing (login events to SIEM) Many possibilities:  Based on message content, parameters or macros  Using comparisons, wildcards, regular expressions and functions  Combining all of these with Boolean operators 9

  10. ROLE: DESTINATIONS “TRADITIONAL ” File, network, TLS, SQL, etc. ● “BIG DATA” Distributed file systems: ● ● Hadoop NoSQL databases: ● ● MongoDB ● Elasticsearch Messaging systems: ● ● Kafka 10

  11. WHICH SYSLOG-NG VERSION IS THE MOST USED? Project started in 1998  RHEL EPEL has version 3.5  Latest stable version is 3.10, released two  weeks ago 11

  12. Kindle e-book reader Version 1.6 12

  13. FREE-FORM LOG MESSAGES Most log messages are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2 Text = English sentence with some variable parts  Easy to read by a human  Difficult to create alerts or reports  13

  14. SOLUTION: STRUCTURED LOGGING  Events represented as name-value pairs  Example: an ssh login: app=sshd user=root source_ip=192.168.123.45  syslog-ng: name-value pairs inside  Date, facility, priority, program name, pid, etc.  Parsers in syslog-ng can turn unstructured and some structured data (CSV, JSON) into name-value pairs 14

  15. JSON PARSER T urns JSON-based log messages into name-value pairs {"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"seq: 0000000000, thread: 0000, runid: 1374490607, stamp: 2013-07-22T12:56:47 MESSAGE... ","HOST":"localhost","FACILITY":"auth","DATE":"Jul 22 12:56:47"} 15

  16. CSV PARSER Parses columnar data into fjelds parser p_apache { csv-parser(columns("APACHE.CLIENT_IP", "APACHE.IDENT_NAME", "APACHE.USER_NAME", "APACHE.TIMESTAMP", "APACHE.REQUEST_URL", "APACHE.REQUEST_STATUS", "APACHE.CONTENT_LENGTH", "APACHE.REFERER", "APACHE.USER_AGENT", "APACHE.PROCESS_TIME", "APACHE.SERVER_NAME") flags(escape-double-char,strip-whitespace) delimiters(" ") quote-pairs('""[]') ); }; destination d_file { file("/var/log/messages-${APACHE.USER_NAME:-nouser}"); }; log { source(s_local); parser(p_apache); destination(d_file);}; 16

  17. KEY=VALUE PARSER Finds key=value pairs in messages Introduced in version 3.7. Typical in firewalls, like: Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2 Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 17

  18. PATTERNDB PARSER Extracts information from unstructured messages into name- value pairs Add status fields based on message text  Message classification (like LogCheck)  Needs XML describing log messages Example: an ssh login failure: Parsed: app=sshd, user=root, source_ip=192.168.123.45  Added: action=login, status=failure  Classified as “violation”  18

  19. PARSERS WRITTEN IN PYTHON Python parser Released in syslog-ng 3.10  Parse complex data formats  Enrich logs from external data sources, like SQL, whois, etc.  Slower than C  Does not need compilation or a development environment  Jolly Joker :-)  19

  20. ENRICHING LOG MESSAGES Additional name-value pairs based on message content PatternDB GeoIP: find the geo-location of an IP address Country name or longitude/latitude  Detect anomalies  Display locations on a map  Add metadata from CSV files For example: host role, contact person  Less time spent on locating extra information  More accurate alerts or dashboards  20

  21. THE INLIST() FILTER Filtering based on white or blacklisting Compares a single field with a list of values  One value per line text file  Case sensitive  Use cases Poor mans SIEM: alerting based on spammer / C&C / etc IP address lists  Filtering based on a list of application names  21

  22. CONFIGURATION  “Don't Panic”  Simple and logical, even if it looks difficult at first  Pipeline model:  Many different building blocks (sources, destinations, filters, parsers, etc.)  Connected into a pipeline using “log” statements 22

  23. syslog-ng.conf: global options @version:3.10 @include "scl.conf" # this is a comment :) options { flush_lines (0); # [...] keep_hostname (yes); }; 23

  24. syslog-ng.conf: sources source s_sys { system(); internal(); }; source s_net { udp(ip(0.0.0.0) port(514)); }; 24

  25. syslog-ng.conf: destinations destination d_mesg { file("/var/log/messages"); }; destination d_es { elasticsearch( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") cluster("syslog-ng") template("$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n"); ); }; 25

  26. syslog-ng.conf: fjlters, parsers filter f_nodebug { level(info..emerg); }; filter f_messages { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; parser pattern_db { db-parser(file("/opt/syslog-ng/etc/patterndb.xml") ); }; 26

  27. syslog-ng.conf: logpath log { source(s_sys); filter(f_messages); destination(d_mesg); }; log { source(s_net); source(s_sys); filter(f_nodebug); parser(pattern_db); destination(d_es); flags(flow-control); }; 27

  28. Patterndb & ElasticSearch & Kibana 28

  29. ANONYMIZING MESSAGES Many regulations about what can be logged  PCI-DSS: credit card numbers  Europe: IP addresses, user names Locating sensitive information:  Regular expression: slow, works also in unknown logs  Patterndb, CSV parser: fast, works only in known log messages Anonymizing:  Overwrite it with a constant  Overwrite it with a hash of the original 29

  30. 30

  31. GeoIP parser p_kv{ kv-parser(prefix("kv.")); }; ● ● parser p_geoip { geoip( "${kv.SRC}", prefix( "geoip." ) database( "/usr/share/GeoIP/GeoLiteCity.dat" ) ); }; ● ● rewrite r_geoip { ● set( ● "${geoip.latitude},${geoip.longitude}", ● value( "geoip.location" ), ● condition(not "${geoip.latitude}" == "") ● ); ● }; ● ● log { ● source(s_tcp); ● parser(p_kv); ● parser(p_geoip); ● rewrite(r_geoip); ● destination(d_elastic); ● }; ● ● 31

  32. WHAT IS NEW IN SYSLOG-NG Disk-based buffering  Grouping-by(): correlation independent  of patterndb Parsers written in Python  Elasticsearch REST API support  HTTP(s) destination  Wildcard file source  Performance improvements  Many more :-)  32

  33. SYSLOG-NG BENEFITS High-performance Simplified Easier-to-use data Lower load on reliable log collection architecture destinations Parsed and presented in a ready-to-use format Single application for both Efficient message filtering syslog and application data and routing 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng

520 views • 30 slides
Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that

900 views • 15 slides
Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that stores the

211 views • 19 slides
Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon rgerhards@hq.adiscon.com 2004-02-24 Status around November 2003 RFC 3164, 3195, syslog-sign and -international each specify message format, transport specifics

511 views • 23 slides
Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support,

1.22k views • 100 slides
Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng originally

906 views • 35 slides
Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics

Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics

Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics of Block Device Interfaces I/O is done in granularity of blocks 512 bytes is pretty standard Writing is slooooooow Data is

898 views • 15 slides
SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Community Manager at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an

289 views • 18 slides
In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet

In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet

Chair of Network Architectures and Services Department of Informatics Technical University of Munich In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements Oliver Gasser, Benjamin Hof, Max

531 views • 39 slides
Cloud-based Log Analysis and Visualization RMLL 2010, Bordeaux, France My syslog mobile-166 Ra

Cloud-based Log Analysis and Visualization RMLL 2010, Bordeaux, France My syslog mobile-166 Ra

Cloud-based Log Analysis and Visualization RMLL 2010, Bordeaux, France My syslog mobile-166 Ra fg ael Marty - @zrlram Tuesday, July 6, 2010 Ra fg ael (Ra fg y) Marty Founder @ Chief Security Strategist and Product Manager @ Splunk

439 views • 43 slides
Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be

Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be

2/17/2015 Unusual Incident Log Reviews January 23, 2015 Why are UI Logs Important? UI logs will help you identify Trends and Patterns that need to be addressed to ensure the Health and Welfare of those you serve. To ensure that sound

589 views • 24 slides
USING SCL TO SIMPLIFY SYSLOG-NG CONFIGURATION Libre Software Meeting 2017 Peter Czanik / Balabit

USING SCL TO SIMPLIFY SYSLOG-NG CONFIGURATION Libre Software Meeting 2017 Peter Czanik / Balabit

USING SCL TO SIMPLIFY SYSLOG-NG CONFIGURATION Libre Software Meeting 2017 Peter Czanik / Balabit SCL syslog-ng configuration library Reusable configuration blocks Hide away complexity of configuration 2 apache-accesslog-parser()

341 views • 7 slides
Using Syslog Message Sequences for Predicting Disk Failures Wes Featherstun and Errin Fulp Wake

Using Syslog Message Sequences for Predicting Disk Failures Wes Featherstun and Errin Fulp Wake

Using Syslog Message Sequences for Predicting Disk Failures Wes Featherstun and Errin Fulp Wake Forest University Department of Computer Science Winston-Salem, NC USA November 11, 2010 Wes Featherstun and Errin Fulp Using Syslog Message

489 views • 20 slides
Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE Security Researcher

Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE Security Researcher

Behavioral Analysis Using Network traffic, DNS and logs JOSH PYORRE Security Researcher Previously: Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre rootaccesspodcast.com Behavioral Analysis VIDEO analyzing website visitors

1.45k views • 127 slides
Know more about your Ceph Cluster with ELK Stack Cameron Seader Technology Strategist

Know more about your Ceph Cluster with ELK Stack Cameron Seader Technology Strategist

Know more about your Ceph Cluster with ELK Stack Cameron Seader Technology Strategist cs@suse.com 2 Ceph and Logging rsyslog, syslog-ng to forward logs to (Logstash / Fluentbit) Filebeat Ceph has Graylog (GELF) support store

758 views • 32 slides
Harvesting Logs and Events Using MetaCentrum Virtualization Services Radoslav Bod, Daniel

Harvesting Logs and Events Using MetaCentrum Virtualization Services Radoslav Bod, Daniel

Harvesting Logs and Events Using MetaCentrum Virtualization Services Radoslav Bod, Daniel Kouil CESNET EGI Community Forum, April 2013 Agenda Introduction Collecting logs Log Processing Advanced analysis Resume

601 views • 44 slides
Cloud service Virtual Computing Lab (VCL) Emir Imamagi Srce Virtual Computing Lab (VCL)

Cloud service Virtual Computing Lab (VCL) Emir Imamagi Srce Virtual Computing Lab (VCL)

Cloud service Virtual Computing Lab (VCL) Emir Imamagi Srce Virtual Computing Lab (VCL) Overview Project Cloud Servers Virtual Computing Lab Architecture Resources Limits Support Virtual Computing Lab (VCL) Project

472 views • 10 slides
The CentOS Ecosystem Karanbir Singh The Red Hat relationship Everything is a SIG Abstract the

The CentOS Ecosystem Karanbir Singh The Red Hat relationship Everything is a SIG Abstract the

The CentOS Ecosystem Karanbir Singh The Red Hat relationship Everything is a SIG Abstract the CentOS Project away from the CentOS Linux distro :: So we can do more and we can be wider inclusive. The Goals Be a great environment for people to

1.09k views • 20 slides
robust NETCONF <draft-cole-netconf-robust-config-02.txt> Robert G. Cole 1 Dan Romascanu 2

robust NETCONF <draft-cole-netconf-robust-config-02.txt> Robert G. Cole 1 Dan Romascanu 2

robust NETCONF <draft-cole-netconf-robust-config-02.txt> Robert G. Cole 1 Dan Romascanu 2 Andy Bierman 3 1 US Army CERDEC robert.g.cole@us.army.mil 2 Avaya dromasca@avaya.com 3 Interworking Labs andy@iwl.com 22 Mar 2010 / IETF-Anaheim

314 views • 9 slides
Color DS 4200 F ALL 2020 Prof. Cody Dunne N ORTHEASTERN U NIVERSITY Slides and inspiration from

Color DS 4200 F ALL 2020 Prof. Cody Dunne N ORTHEASTERN U NIVERSITY Slides and inspiration from

Color DS 4200 F ALL 2020 Prof. Cody Dunne N ORTHEASTERN U NIVERSITY Slides and inspiration from Michelle Borkin, Krzysztof Gajos, Hanspeter Pfister, 1 Miriah Meyer, Jonathan Schwabish, and David Sprague C HECK - IN 2 B RUSHING & L INKING S

748 views • 54 slides
Chicago Fusion Team Members Students: Alex Ballmer (1 st year UG) Ben Walters (2 nd year

Chicago Fusion Team Members Students: Alex Ballmer (1 st year UG) Ben Walters (2 nd year

Chicago Fusion Team Members Students: Alex Ballmer (1 st year UG) Ben Walters (2 nd year UG) Dan Gordon (4 th year UG) Jason DiBabbo (4 th year UG) Kevin Brandstatter (4 th year UG) Lauren Ribordy (Highschool)

334 views • 5 slides
The road four node Evan Lucas https://github.com/evanlucas https://twitter.com/evanhlucas 1

The road four node Evan Lucas https://github.com/evanlucas https://twitter.com/evanhlucas 1

The road four node Evan Lucas https://github.com/evanlucas https://twitter.com/evanhlucas 1 About Node.js Engineer at Help.com Node.js Core Collaborator Node.js Website Collaborator 2 Overview Versioning Official Builds

416 views • 29 slides
ENERGY DISSIPATION STRUCTURES: INFLUENCE OF AERATION IN SUPERCRITICAL FLOWS Juan Jos Rebollo 1

ENERGY DISSIPATION STRUCTURES: INFLUENCE OF AERATION IN SUPERCRITICAL FLOWS Juan Jos Rebollo 1

ENERGY DISSIPATION STRUCTURES: INFLUENCE OF AERATION IN SUPERCRITICAL FLOWS Juan Jos Rebollo 1 (juan.j.rebollo@cedex.es) David Lpez 1 (david.lopez@cedex.es) Tamara Ramos 1 (tamara.ramos@cedex.es) Luis Garrote 2 (l.garrote@upm.es) 1 Centro de

263 views • 25 slides
The Twenty-Sixth Sunday in Ordinary Time Welcome Home Gathering Song: All Hail the Power of

The Twenty-Sixth Sunday in Ordinary Time Welcome Home Gathering Song: All Hail the Power of

Empowered by the Eucharist Today we celebrate The Twenty-Sixth Sunday in Ordinary Time Welcome Home Gathering Song: All Hail the Power of Jesus Name All hail the power of Jesus name! Let angelsprostrate fall; Bring forth the royal

507 views • 24 slides

More recommend