logging iot
play

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter - PowerPoint PPT Presentation

Mar 20, 2023 •171 likes •527 views

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an IT

  1. Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit

  2. ABOUT ME Peter Czanik from Hungary  Evangelist at Balabit: syslog-ng upstream  syslog-ng packaging, support, advocacy  ● Balabit is an IT security company with development HQ in Budapest, Hungary ● Over 200 employees: the majority are engineers ● Balabit is now a One Identity company 2

  3. OVERVIEW  What is syslog-ng  The four roles of syslog-ng  Why structured data  IoT devices: consumer, networking, industrial  syslog-ng on the server side  Configuring syslog-ng 3

  4. syslog-ng Logging Recording events, such as: Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2 syslog-ng Enhanced logging daemon with a focus on portability and high- performance central log collection. 4

  5. WHY CENTRAL LOGGING? EASE OF USE AVAILABILITY SECURITY one place to check even if the sender logs are available even machine is down if sender machine instead of many is compromised 5

  6. Why syslog-ng on IoT devices?  Portable (x86, ARM, POWER, MIPS, etc.)  Small footprint (written in C)  Can perform complex processing & filtering  Send / save only relevant logs  In a ready-to-use format  Use the same software on the client and server side 6

  7. MAIN SYSLOG-NG ROLES collector processor filter storage (or forwarder) 7

  8. ROLE: DATA COLLECTOR Collect system and application logs together: contextual data for either side A wide variety of platform-specific sources:  /dev/log & co  Journal, Sun streams Receive syslog messages over the network:  Legacy or RFC5424, UDP/TCP/TLS Logs or any kind of data from applications:  Through files, sockets, pipes, etc.  Application output 8

  9. ROLE: PROCESSING Classify, normalize and structure logs with built-in parsers:  CSV-parser, DB-parser (PatternDB), JSON parser, key=value parser and more to come Rewrite messages:  For example anonymization Reformatting messages using templates:  Destination might need a specific format (ISO date, JSON, etc.) Enrich data:  GeoIP  Additional fields based on message content 9

  10. ROLE: DATA FILTERING Main uses:  Discarding surplus logs (not storing debug level messages)  Message routing (login events to SIEM) Many possibilities:  Based on message content, parameters or macros  Using comparisons, wildcards, regular expressions and functions  Combining all of these with Boolean operators 10

  11. ROLE: DESTINATIONS “TRADITIONAL ” File, network, TLS, SQL, etc. ● “BIG DATA” Distributed file systems: ● ● Hadoop NoSQL databases: ● ● MongoDB ● Elasticsearch Messaging systems: ● ● Kafka 11

  12. FREE-FORM LOG MESSAGES Most log messages are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2 Text = English sentence with some variable parts  Easy to read by a human  Difficult to search and report on  12

  13. SOLUTION: STRUCTURED LOGGING  Events represented as name-value pairs. Example: an SSH login: app=sshd user=root source_ip=192.168.123.45  syslog-ng: name-value pairs inside  Date, facility, priority, program name, program ID, etc.  Parsers in syslog-ng can turn unstructured and some structured data into name-value pairs  CSV-parser, JSON parser, key=value parser  DB-parser (PatternDB),  Python parser 13

  14. WHICH SYSLOG-NG VERSION IS THE MOST USED? Project started in 1998  RHEL EPEL has version 3.5  Latest stable version is 3.13, released two  months ago 14

  15. Kindle e-book reader Version 1.6 15

  16. IoT: consumer devices Where:  Kindle  BMW i3 electric car How:  Embedded, user is not aware Why:  Usage information  Troubleshooting 16

  17. IoT: NAS, network devices Where:  Synology, FreeNAS, etc.  Turris Omnia How:  Usually just CLI  Some provide rich GUI Why:  Troubleshooting, security  Central logging for SOHO network 17

  18. IoT: industrial Where:  National Instruments real-time Linux devices  Control and automation How:  Configuration through CLI  GUI for browsing the logs Why:  Troubleshooting 18

  19. IoT and central logging Where:  Car industry  Smart metering How:  Sending log and data through syslog  Processing and storing to Big Data Why:  Usage data  Troubleshooting  Metering 19

  20. CONFIGURATION  “Don't Panic”  Simple and logical, even if it looks difficult at first  Pipeline model:  Many different building blocks (sources, destinations, filters, parsers, etc.)  Connected into a pipeline using “log” statements 20

  21. syslog-ng.conf: global options @version:3.13 @include "scl.conf" # this is a comment :) options { flush_lines (0); # [...] keep_hostname (yes); }; 21

  22. syslog-ng.conf: sources source s_sys { system(); internal(); }; source s_net { udp(ip(0.0.0.0) port(514)); }; 22

  23. syslog-ng.conf: destinations destination d_mesg { file("/var/log/messages"); }; destination d_es { elasticsearch( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") cluster("syslog-ng") template("$(format-json --scope rfc3164 --scope nv-pairs --exclude R_DATE --key ISODATE)\n"); ); }; 23

  24. syslog-ng.conf: flters, parsers filter f_nodebug { level(info..emerg); }; filter f_messages { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; parser pattern_db { db-parser(file("/opt/syslog-ng/etc/patterndb.xml") ); }; 24

  25. syslog-ng.conf: logpath log { source(s_sys); filter(f_messages); destination(d_mesg); }; log { source(s_net); source(s_sys); filter(f_nodebug); parser(pattern_db); destination(d_es); flags(flow-control); }; 25

  26. PatternDB & Elasticsearch & Kibana 26

  27. ANONYMIZING MESSAGES Many regulations about what can be logged  PCI-DSS: credit card numbers  Europe: IP addresses, user names Locating sensitive information:  Regular expression: slow, works also in unknown logs  PatternDB, CSV parser: fast, works only in known log messages Anonymizing:  Overwrite it with a constant  Overwrite it with a hash of the original 27

  28. 28

  29. GeoIP parser p_kv{ kv-parser(prefix("kv.")); }; ● ● parser p_geoip { geoip( "${kv.SRC}", prefix( "geoip." ) database( "/usr/share/GeoIP/GeoLiteCity.dat" ) ); }; ● ● rewrite r_geoip { ● set( ● "${geoip.latitude},${geoip.longitude}", ● value( "geoip.location" ), ● condition(not "${geoip.latitude}" == "") ● ); ● }; ● ● log { ● source(s_tcp); ● parser(p_kv); ● parser(p_geoip); ● rewrite(r_geoip); ● destination(d_elastic); ● }; ● ● 29

  30. WHAT IS NEW IN SYSLOG-NG Disk-based buffering  Grouping-by(): generic correlation  Parsers written in Python  Elasticsearch REST API support  HTTP(s) destination  Wildcard file source  Performance and memory usage  improvements Many more :-)  30

  31. SYSLOG-NG BENEFITS FOR IoT AND BIG DATA High-performance Simplified Easier-to-use data Lower load on reliable log collection architecture destinations Parsed and presented in a ready-to-use format Single application for both Efficient message filtering syslog and application data and routing 31

  32. JOINING THE COMMUNITY syslog-ng: http://syslog-ng.org/  Source on GitHub: https://github.com/balabit/syslog-ng  Mailing list: https://lists.balabit.hu/pipermail/syslog-ng/  Gitter: https://gitter.im/balabit/syslog-ng  32

  33. QUESTIONS? My blog: https://syslog-ng.com/blog/author/peterczanik/ My e-mail: peter.czanik@balabit.com Twitter: https://twitter.com/PCzanik 33

  34. SAMPLE XML <?xml version='1.0' encoding='UTF-8'?> ● <patterndb version='3' pub_date='2010-07-13'> ● <ruleset name='opensshd' id='2448293e-6d1c-412c-a418-a80025639511'> ● <pattern>sshd</pattern> ● <rules> ● <rule provider="patterndb" id="4dd5a329-da83-4876-a431-ddcb59c2858c" class="system"> ● <patterns> ● <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: ● @@ANYSTRING:usracct.service@</pattern> </patterns> ● <examples> ● <example> ● <test_message program="sshd">Accepted password for bazsi from 127.0.0.1 port 48650 ssh2</test_message> ● <test_values> ● <test_value name="usracct.username">bazsi</test_value> ● <test_value name="usracct.authmethod">password</test_value> ● <test_value name="usracct.device">127.0.0.1</test_value> ● <test_value name="usracct.service">ssh2</test_value> ● </test_values> ● </example> ● </examples> ● <values> ● <value name="usracct.type">login</value> ● <value name="usracct.sessionid">$PID</value> ● <value name="usracct.application">$PROGRAM</value> ● <value name="secevt.verdict">ACCEPT</value> ● </values> ● </rule> ● 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides
Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain

Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain

Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain messages that provide information to Software developers (e.g., debugging) System administrators Customer support agents Programs send

254 views • 10 slides
TomskGAZPROMgeofjzika Company Profjle { Logging while drilling { Production logging for reservoir

TomskGAZPROMgeofjzika Company Profjle { Logging while drilling { Production logging for reservoir

TomskGAZPROMgeofjzika Geophysical Services We provide full range of well logging and mud logging op- erations, cement quality control, MWD and well engineering services throughout Western and Eastern Siberia. Over 15 years of top quality

554 views • 31 slides
LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

Outline Launching of t he LHC Logging proj ect Mandat e, scope and obj ect ives LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic f unct ionalit ies Filt ering of dat a I nt erf acing t o ot

667 views • 3 slides
DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING AND RECOVERY PROTOCOLS 2 TODAYS AGENDA Logging Schemes Crash Course on ARIES protocol Physical Logging Logical Logging 3 LOGGING &amp;

1.64k views • 125 slides
ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview

ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview

ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview Logging system The logging system provide status and diagnostic information historical archive filtering capabilities by

305 views • 11 slides
THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine Canadas Climate Goals environmental defence Dale Marshall Jennifer Skene Graham Saul Photo Credit: River Jordan for NRDC The Boreal Forest CARBON:

508 views • 23 slides
Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why

Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why

Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why Logging? explain logging in ASP.NET Core &amp; .NET Core how to add third party loggers What Microsoft provides Abstraction layer for logging in

573 views • 17 slides
RPC / failure 1 last time redo logging (fjnish) (weird?) choice not to use redo logging for

RPC / failure 1 last time redo logging (fjnish) (weird?) choice not to use redo logging for

RPC / failure 1 last time redo logging (fjnish) (weird?) choice not to use redo logging for everything reasons to use distributed systems mailbox and connnection models names versus addresses domain name system distributed, hierarchical

873 views • 75 slides
IT350: Web &amp; Internet Programming Set 16: Sessions Logging In Correctly 1 Logging In

IT350: Web &amp; Internet Programming Set 16: Sessions Logging In Correctly 1 Logging In

IT350: Web &amp; Internet Programming Set 16: Sessions Logging In Correctly 1 Logging In Correctly Unique session IDs identify your client No other client who has connected to the website should have the same ID With proper

627 views • 4 slides
Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches -

Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches -

Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches - = bias carcass construction 32 = rim diameter in inches 16 = load range Samson Logging Tire TUBE TYPE SERVICE TUBE MAX SPEED 20 TYPE TIRE

241 views • 8 slides
J2E Logging in General Early years Key Stage 1 Key Stage 2 Home learning

J2E Logging in General Early years Key Stage 1 Key Stage 2 Home learning

J2E Logging in General Early years Key Stage 1 Key Stage 2 Home learning ideas Have a go Questions https://www.just2easy.com/ LOGGING IN LOGGING IN EYFS SCREEN KS1 AND KS2 SCREEN CHANGING DISPLAY NAME KS1 AND

457 views • 19 slides
Land Use Perm it Regulations Tem porary Logging Entrances Tem porary Logging Entrances Mutaz

Land Use Perm it Regulations Tem porary Logging Entrances Tem porary Logging Entrances Mutaz

Land Use Perm it Regulations Tem porary Logging Entrances Tem porary Logging Entrances Mutaz Alkhadra C Central Office Permit Manager t l Offi P it M (804) 786-0622 Keith Goodrich Land Development Program Specialist Land Development

327 views • 16 slides
MODULE 1: LOGGING IN &amp; NAVIGATION IDIS Online for CDBG Entitlement Communities 1 Logging In

MODULE 1: LOGGING IN &amp; NAVIGATION IDIS Online for CDBG Entitlement Communities 1 Logging In

MODULE 1: LOGGING IN &amp; NAVIGATION IDIS Online for CDBG Entitlement Communities 1 Logging In to IDIS Online Same website Today we will use the UAT region Todays ID and Password ID = Your normal C number Password = ????

259 views • 3 slides
Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant

Security Audit Principles and Practices Logging and auditing are two of the most unpleasant chores facing information security professionals. Chapter 11 tedious, time-consuming, boring Lecturer: Pei-yih Ting 1 Overview Configuring Logging

401 views • 7 slides
CS411 Concurrency control Database Systems Recovery Logging Redo 13: Logging

CS411 Concurrency control Database Systems Recovery Logging Redo 13: Logging

Outline Transaction Atomicity CS411 Concurrency control Database Systems Recovery Logging Redo 13: Logging and Recovery Undo Redo/undo Kazuhiro Minami Users and DB Programs Transaction DB

424 views • 13 slides
Selective Logs Log all the certs! A log server indicates which CAs it supports

Selective Logs Log all the certs! A log server indicates which CAs it supports

Selective Logs Log all the certs! A log server indicates which CAs it supports Implied that (almost) all certs from those CAs are logged not all Its not required What should we do, if anything?

328 views • 3 slides
Surgical and Non-Surgical Adenomas Approaches for Large Pituitary 1. Definitions, Epidemiology,

Surgical and Non-Surgical Adenomas Approaches for Large Pituitary 1. Definitions, Epidemiology,

Overview Large Pituitary Surgical and Non-Surgical Adenomas Approaches for Large Pituitary 1. Definitions, Epidemiology, and Clinical Masses Presentations 2. Surgical Management Manish K. Aghi , M.D., Ph.D. Professor 3. Postoperative

258 views • 6 slides
3D imaging of heterogeneous surfaces on laterite drill core materials Henry Pilliere 1 , Thomas

3D imaging of heterogeneous surfaces on laterite drill core materials Henry Pilliere 1 , Thomas

RTM Amsterdam October 10th -11th, 2017 3D imaging of heterogeneous surfaces on laterite drill core materials Henry Pilliere 1 , Thomas Lefevre 1 , Dominique Harang 1 , Beate Orberger 2* , Thanh Bui 2 , Anne Salaun 2 , Celine Rodriguez 2 , Cdric

465 views • 33 slides
Mantis a framework and toolkit for Geant4 simulation in CMS M. Stavrianakou CERN Geant4

Mantis a framework and toolkit for Geant4 simulation in CMS M. Stavrianakou CERN Geant4

Mantis a framework and toolkit for Geant4 simulation in CMS M. Stavrianakou CERN Geant4 Workshop 02.10.2002 COBRA Mantis OSCAR COBRA is the CMS framework; it implements the CMS OO architecture Mantis is the

344 views • 12 slides
Delivering Intelligence from space Crop Forecasting Pipeline Monitoring Market Intelligence

Delivering Intelligence from space Crop Forecasting Pipeline Monitoring Market Intelligence

Delivering Intelligence from space Crop Forecasting Pipeline Monitoring Market Intelligence Gathering Plane &amp; Ship Tracking 3 Distributed Data Engineering - Lessons 4 Distributed Data Engineering - Lessons 1. Metrics 5 Distributed

553 views • 53 slides
Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that

900 views • 15 slides
Cyber(space) Incidents 1 IS TV4 attack TV5Monde went black (2015)

Cyber(space) Incidents 1 IS TV4 attack TV5Monde went black (2015)

Cyber(space) Incidents 1 IS TV4 attack TV5Monde went black (2015) Heartbleed: Wikileaks Revelations worst vulnerability ever secret hacking tools: IoT (2014; in open SSL) (democratic control?, 2017)

715 views • 42 slides
PSHEE - PFG PSHEE gives someone autonomy . Giving someone the ability to make choices

PSHEE - PFG PSHEE gives someone autonomy . Giving someone the ability to make choices

PSHEE - PFG PSHEE gives someone autonomy . Giving someone the ability to make choices (informed by knowledge); not just legal but right . Statutory RSE from September 2020 Physical Health &amp; Wellbeing Relationship &amp;

261 views • 12 slides

More recommend