scaling your logging infrastructure using syslog ng
play

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 - PowerPoint PPT Presentation

Oct 30, 2023 •100 likes •289 views

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Community Manager at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an

  1. SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit

  2. ABOUT ME Peter Czanik from Hungary  Community Manager at Balabit: syslog-ng  upstream syslog-ng packaging, support, advocacy  Balabit is an IT security company with development HQ in Budapest, Hungary Over 200 employees: the majority are engineers 2

  3. syslog-ng Logging Recording events, such as: Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2 syslog-ng Enhanced logging daemon with a focus on high-performance central log collection. 3

  4. WHY CENTRAL LOGGING? EASE OF USE AVAILABILITY SECURITY even if the sender logs are available even one place to check machine is down if sender machine instead of many is compromised 4

  5. MAIN SYSLOG-NG ROLES collector processor filter storage (or forwarder) 5

  6. ROLE: DATA COLLECTOR Collect system and application logs together: contextual data for either side A wide variety of platform-specific sources:  /dev/log & co  Journal, Sun streams Receive syslog messages over the network:  Legacy or RFC5424, UDP/TCP/TLS Logs or any kind of data from applications:  Through files, sockets, pipes, etc.  Application output 6

  7. ROLE: PROCESSING Classify, normalize and structure logs with built-in parsers:  CSV-parser, DB-parser (PatternDB), JSON parser, key=value parser and more to come Rewrite messages:  For example anonymization Reformatting messages using templates:  Destination might need a specific format (ISO date, JSON, etc.) Enrich data:  GeoIP  Additional fields based on message content 7

  8. ROLE: DATA FILTERING Main uses:  Discarding surplus logs (not storing debug level messages)  Message routing (login events to SIEM) Many possibilities:  Based on message content, parameters or macros  Using comparisons, wildcards, regular expressions and functions  Combining all of these with Boolean operators 8

  9. ROLE: DESTINATIONS “TRADITIONAL ” File, network, TLS, SQL, etc. ● “BIG DATA” Distributed file systems: ● ● Hadoop NoSQL databases: ● ● MongoDB ● Elasticsearch Messaging systems: ● ● Kafka 9

  10. FREE-FORM LOG MESSAGES Most log messages are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2 Text = English sentence with some variable parts  Easy to read by a human  Difficult to process them with scripts  10

  11. SOLUTION: STRUCTURED LOGGING  Events represented as name-value pairs  Example: an ssh login: app=sshd user=root source_ip=192.168.123.45  syslog-ng: name-value pairs inside  Date, facility, priority, program name, pid, etc.  Parsers in syslog-ng can turn unstructured and some structured data (CSV, JSON) into name-value pairs 11

  12. SCALING SYSLOG-NG Client – Relay – Server instead of Client – Server  Distribute some of the processing to Client/Relay  12

  13. LOG ROUTING  Based on filtering  Send the right logs to the right places  Message parsing can increase accuracy  E-mail on root logins  Can optimize SIEM / log analyzer tools  Only relevant messages: cheaper licensing  Throttling: evening out peaks 13

  14. WHAT IS NEW IN SYSLOG-NG 3.8 Disk-based buffering  Grouping-by(): correlation independent  of patterndb Parsers written in Rust  Elasticsearch 2.x support  Curl (HTTP) destination  Performance improvements  Many more :-)  14

  15. SYSLOG-NG BENEFITS FOR LARGE ENVIRONMENTS High-performance Simplified Easier-to-use data Lower load on reliable log collection architecture destinations Parsed and presented in a ready-to-use format Single application for both Efficient message filtering syslog and application data and routing 15

  16. JOINING THE COMMUNITY syslog-ng: http://syslog-ng.org/  Source on GitHub: https://github.com/balabit/syslog-ng  Mailing list: https://lists.balabit.hu/pipermail/syslog-ng/  IRC: #syslog-ng on freenode  16

  17. QUESTIONS? My blog: https://www.balabit.com/blog/author/peterczanik/ My e-mail: peter.czanik@balabit.com Twitter: https://twitter.com/PCzanik 17

  18. SAMPLE XML <?xml version='1.0' encoding='UTF-8'?> ● <patterndb version='3' pub_date='2010-07-13'> ● <ruleset name='opensshd' id='2448293e-6d1c-412c-a418-a80025639511'> ● <pattern>sshd</pattern> ● <rules> ● <rule provider="patterndb" id="4dd5a329-da83-4876-a431-ddcb59c2858c" class="system"> ● <patterns> ● <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: ● @@ANYSTRING:usracct.service@</pattern> </patterns> ● <examples> ● <example> ● <test_message program="sshd">Accepted password for bazsi from 127.0.0.1 port 48650 ssh2</test_message> ● <test_values> ● <test_value name="usracct.username">bazsi</test_value> ● <test_value name="usracct.authmethod">password</test_value> ● <test_value name="usracct.device">127.0.0.1</test_value> ● <test_value name="usracct.service">ssh2</test_value> ● </test_values> ● </example> ● </examples> ● <values> ● <value name="usracct.type">login</value> ● <value name="usracct.sessionid">$PID</value> ● <value name="usracct.application">$PROGRAM</value> ● <value name="secevt.verdict">ACCEPT</value> ● </values> ● </rule> ● 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an IT

527 views • 34 slides
Secure logging syslog-ng w i t h F o r w a r d i n t e g r i t y a n d c

Secure logging syslog-ng w i t h F o r w a r d i n t e g r i t y a n d c

Secure logging syslog-ng w i t h F o r w a r d i n t e g r i t y a n d c o n f i d e n t i a l i t y o f s y s t e m l o g s S t e p h a n M a r w e d e l F O S D E M 2 0 2

412 views • 16 slides
Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng

520 views • 30 slides
Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that

900 views • 15 slides
Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that stores the

211 views • 19 slides
Using HPC Wales Agenda Infrastructure : An Overview of our Infrastructure Logging in :

Using HPC Wales Agenda Infrastructure : An Overview of our Infrastructure Logging in :

Using HPC Wales Agenda Infrastructure : An Overview of our Infrastructure Logging in : Command Line Interface and File Transfer Linux Basics : Commands and Text Editors Using Modules : Managing Software and the Environment

960 views • 75 slides
Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon rgerhards@hq.adiscon.com 2004-02-24 Status around November 2003 RFC 3164, 3195, syslog-sign and -international each specify message format, transport specifics

511 views • 23 slides
Transaction Logging Unleashed with NVRAM Tianzheng Wang Ryan Johnson No, Im not talking

Transaction Logging Unleashed with NVRAM Tianzheng Wang Ryan Johnson No, Im not talking

Transaction Logging Unleashed with NVRAM Tianzheng Wang Ryan Johnson No, Im not talking about the syslog 1 Write-ahead logging Used by most transactional systems Databases , file systems Reliability Everything goes to

452 views • 23 slides
Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

CSE/ISE 311: Systems Administra5on Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems Administra5on Outline Introduc$on Finding log files Syslog:

547 views • 21 slides
Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support,

1.22k views • 100 slides
Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation

Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation

Motivation Starting Position Local Improvements Remote Logging Conclusion Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation Starting Position Local Improvements Remote Logging Conclusion Agenda

741 views • 34 slides
Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng originally

906 views • 35 slides
GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy

548 views • 36 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides
Laying the Foundations for Successful Scaling | In Infrastructure Scale Up Conference | Purdue,

Laying the Foundations for Successful Scaling | In Infrastructure Scale Up Conference | Purdue,

Laying the Foundations for Successful Scaling | In Infrastructure Scale Up Conference | Purdue, IN| Sept 27 , 2018 Holger A. Kray | Head, Africa Agriculture Policy Unit | hkray@worldbank.org | @krayberry 1 Benefits of Infrastructure: Complex

318 views • 4 slides
Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain

Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain

Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain messages that provide information to Software developers (e.g., debugging) System administrators Customer support agents Programs send

254 views • 10 slides
Track fitting, vertex fitting and Track fitting, vertex fitting and Track fitting, vertex fitting

Track fitting, vertex fitting and Track fitting, vertex fitting and Track fitting, vertex fitting

Track fitting, vertex fitting and Track fitting, vertex fitting and Track fitting, vertex fitting and Track fitting, vertex fitting and Detector alignment Detector alignment Detector alignment Detector alignment Salvador Mart-Garca

978 views • 65 slides
CSE 599B: Technology-Enabled Misinformation Franziska (Franzi) Roesner franzi@cs.washington.edu

CSE 599B: Technology-Enabled Misinformation Franziska (Franzi) Roesner franzi@cs.washington.edu

CSE 599B: Technology-Enabled Misinformation Franziska (Franzi) Roesner franzi@cs.washington.edu Fall 2018 Third-Party Tracking Trackers included in other sites use third-party cookies containing unique identifiers to create browsing profiles.

448 views • 21 slides
Smartphone-based User Location Tracking in Indoor Environment Team Members: Viet-Cuong Ta 1,2 ,

Smartphone-based User Location Tracking in Indoor Environment Team Members: Viet-Cuong Ta 1,2 ,

Smartphone-based User Location Tracking in Indoor Environment Team Members: Viet-Cuong Ta 1,2 , Dominique Vaufreydaz 1 , Trung-Kien Dao 1 , Eric Castelli 2 1 1 Pervasive Interaction/LIG, CNRS, University of Grenoble-Alpes, Inria, France 2 MICA

435 views • 15 slides
Resilient Collaborative Privacy for Location-Based Services Hongyu Jin and Panos Papadimitratos

Resilient Collaborative Privacy for Location-Based Services Hongyu Jin and Panos Papadimitratos

Resilient Collaborative Privacy for Location-Based Services Hongyu Jin and Panos Papadimitratos Networked Systems Security Group KTH Royal Institute of Technology Stockholm, Sweden www.ee.kth.se/nss NordSec October 20, 2015 1 / 16

186 views • 16 slides
Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu Percona Enterprise-Grade Support For Any Database Percona Server for MySQL Percona XtraDB Cluster Percona Server for MongoDB

521 views • 16 slides
Gauge: An Interactive Data-Driven Visualization Tool for HPC Application I/O Performance Analysis

Gauge: An Interactive Data-Driven Visualization Tool for HPC Application I/O Performance Analysis

Gauge: An Interactive Data-Driven Visualization Tool for HPC Application I/O Performance Analysis Eliakin del Rosario, Mikaela Currier, Sandeep Madireddy, Prasanna Balaprakash, Mihailo Isakov, Michel A. Kinsy Philip Carns, Robert B. Ross

694 views • 12 slides
Engineering Streaming Algorithms Graham Cormode University of Warwick G.Cormode@Warwick.ac.uk

Engineering Streaming Algorithms Graham Cormode University of Warwick G.Cormode@Warwick.ac.uk

Engineering Streaming Algorithms Graham Cormode University of Warwick G.Cormode@Warwick.ac.uk Computational scalability and big data Most work on massive data tries to scale up the computation Many great technical ideas: Use many

721 views • 24 slides
SplitFS: Reducing Software Overhead in File Systems for Persistent Memory Rohan Kadekodi, Se Kwon

SplitFS: Reducing Software Overhead in File Systems for Persistent Memory Rohan Kadekodi, Se Kwon

SplitFS: Reducing Software Overhead in File Systems for Persistent Memory Rohan Kadekodi, Se Kwon Lee, Sanidhya Kashyap*, Taesoo Kim, Aasheesh Kolli, Vijay Chidambaram * on the job market 1 Persistent Memory (PM) Non-volatile Fast

1.47k views • 109 slides

More recommend