Creating a dedicated log management layer - Peter Czanik / syslog-ng - PowerPoint PPT Presentation

  1. Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

  2. About me
  ■ Peter Czanik from Hungary
  ■ Evangelist at One Identity: syslog-ng upstream
  ■ syslog-ng packaging, support, advocacy
  syslog-ng originally developed by Balabit, now part of One Identity
  2 One Identity - Restricted

  3. Overview
  ■ Basics: central log collection
  ■ Growing complexity: analytics for security & operations
  ■ Reducing complexity: dedicated log management
  ■ Implementation using syslog-ng

  4. Back to basics
  ■ Central log collection
  4 #GetIAMRight | One Identity - Restricted - Confidential

  5. Why central logging?
  ■ Ease of use: one place to check instead of many
  ■ Availability: logs are available even if the sender machine is down
  ■ Security: logs are available even if the sender machine is compromised

  6. Growing and reducing complexity
  ■ Multiple analytics systems
  ■ Wasting of resources
  ■ Consolidating using a unified log management layer

  7. Multiple analytics systems
  ■ Security, developers, operators use different analytics
  ■ All come with log aggregation tools
  ■ Some examples:
    - Elastic: Beats and Logstash
    - Splunk: forwarders
    - LaaS: collectors

  8. Log aggregation
  ■ Elastic stack on top of a local syslog:
  ■ Also most LaaS adds an additional layer on top of existing log management

  9. Why is it a problem?
  ■ More computing resources
  ■ More network bandwidth (cloud!)
  ■ More human resources
  ■ More security problems

  10. Using a unified log management layer
  ■ Saves on computing, network & human resources
  ■ Easier to push through security & operation teams
  ■ Log management is separate from analytics
  ■ Bonus: might save on analytics licensing and hardware costs

  11. Implementing log management on syslog-ng
  ■ What is syslog-ng
  ■ Four roles: collecting, processing, filtering, store/forward
  ■ Modes of operation
  ■ Configuration

  12. syslog-ng
  Logging: recording events, such as:
      Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2
  syslog-ng: enhanced logging daemon with a focus on portability and high-performance central log collection. Originally developed in C.

  13. Role: data collector
  Collect system and application logs together: contextual data for either side
  A wide variety of platform-specific sources:
  ■ /dev/log & co
  ■ Journal, Sun streams
  Receive syslog messages over the network:
  ■ Legacy or RFC5424, UDP/TCP/TLS
  Logs or any kind of text data from applications:
  ■ Through files, sockets, pipes, application output, etc.
  Python source: Jolly Joker
  ■ HTTP server, Kafka source, etc.

  14. Role: processing
  Classify, normalize, and structure logs with built-in parsers:
  ■ CSV-parser, PatternDB, JSON parser, key=value parser
  Rewrite messages:
  ■ For example: anonymization
  Reformatting messages using templates:
  ■ Destination might need a specific format (ISO date, JSON, etc.)
  Enrich data:
  ■ GeoIP
  ■ Additional fields based on message content
  Python parser:
  ■ All of the above, enrich logs from databases, and also filtering

  15. Role: data filtering
  Main uses:
  ■ Discarding surplus logs (not storing debug-level messages)
  ■ Message routing (login events to SIEM)
  Many possibilities:
  ■ Based on message content, parameters, or macros
  ■ Using comparisons, wildcards, regular expressions, and functions
  ■ Combining all of these with Boolean operators

  16. Role: destinations

  17. Modes of operation
  • Client mode: collecting logs from the client and sending them to the remote server (directly or through a relay)
  • Relay mode: collecting logs from the clients (through the network) and sending them to the remote server (directly or through another relay)
  • Server mode: collecting logs from the clients and storing them locally or in a database

  18. Why relays?
  ■ UDP source: collect as close to the sender as possible
  ■ Scalability: distributing processing
  ■ Structure: a relay for each site or department

  19. Freeform log messages
  Most log messages are: date + hostname + text
      Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2
  ■ Text = English sentence with some variable parts
  ■ Easy to read by a human
  ■ Difficult to create alerts or reports

  20. Solution: structured logging
  ■ Events represented as name-value pairs. For example, an ssh login:
      app=sshd user=root source_ip=192.168.123.45
  ■ syslog-ng: name-value pairs inside
  ■ Date, facility, priority, program name, pid, etc.
  ■ Parsers in syslog-ng can turn unstructured and some structured data (CSV, JSON) into name-value pairs
  ■ Name-value pairs make filtering more precise
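As an added illustration of slides 19 and 20 (this code is not from the deck), a small Python parser that turns sshd lines like the ones above into name-value pairs the way a syslog-ng parser would, plus a filter over those pairs; the sample lines are constructed from the slides' examples, and parse_line and filter_events are this example's own names.

```python
import re

# Constructed sample lines in the date + hostname + text shape shown on slides 12 and 19
SAMPLE_LINES = [
    "Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2",
    "Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2",
    "Mar 11 13:40:02 linux-6965 sshd[4590]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
]

# BSD-syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# The variable parts of sshd's "Accepted/Failed ... for ... from ... port ..." sentence
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<source_ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Split one freeform line into name-value pairs; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["app"] = fields.pop("program")
    if fields["app"] == "sshd":
        s = SSHD_RE.match(fields["message"])
        if s:
            fields.update(s.groupdict())
            # sshd marks unknown accounts with "invalid user"; keep that as its own field
            fields["invalid_user"] = "yes" if "invalid user" in fields["message"] else "no"
    return fields


def filter_events(lines, **criteria):
    """Keep events whose name-value pairs equal every given criterion (slide 15 style routing)."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields and all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(fields)
    return hits
```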

  21. Configuration
  ■ "Don't Panic"
  ■ Simple and logical, even if it looks difficult at first
  ■ Pipeline model:
    - Many different building blocks (sources, destinations, filters, parsers, etc.)
    - Connected into a pipeline using "log" statements

  22. syslog-ng.conf: getting started
      @version:3.18
      @include "scl.conf"
      # this is a comment :)
      options { flush_lines(0); keep_hostname(yes); };
      source s_sys { system(); internal(); };
      destination d_mesg { file("/var/log/messages"); };
      filter f_default { level(info..emerg) and not (facility(mail)); };
      log { source(s_sys); filter(f_default); destination(d_mesg); };
      @include "/etc/syslog-ng/conf.d/*.conf"

  23. Suricata.conf: source, JSON parsing
      # receive Suricata logs
      source s_suricata {
          tcp(ip("0.0.0.0") port("514") flags(no-parse));
      };
      # parse JSON into name-value pairs
      parser p_json {
          json-parser(prefix("suricata."));
      };

  24. Suricata.conf: GeoIP
      parser p_geoip2 {
          geoip2(
              "${suricata.dest_ip}",
              prefix("parsed.dest.")
              database("/usr/share/GeoIP/GeoLite2-City.mmdb")
          );
      };
      # combine latitude and longitude into one field, only when GeoIP found a location
      rewrite r_geoip2 {
          set(
              "${parsed.dest.location.latitude},${parsed.dest.location.longitude}",
              value("parsed.dest.ll"),
              condition(not "${parsed.dest.location.latitude}" == "")
          );
      };

  25. Suricata.conf: destinations
      # local file, one JSON document per line
      destination d_suricata {
          file("/var/log/suricata.log"
               template("$(format-json --key suricata.* --key parsed.* --key ISODATE)\n"));
      };
      # Elasticsearch over HTTP
      destination d_elastic {
          elasticsearch2(
              cluster("syslog-ng")
              client_mode("http")
              index("syslog")
              time-zone(UTC)
              type("syslog")
              flush-limit(1)
              server("192.168.1.187")
              template("$(format-json --key suricata.* --key parsed.* --key ISODATE)")
              persist-name(elasticsearch-syslog)
          );
      };

  26. Suricata.conf: more parsers
      # resolve non-local destination IP addresses using Python parser
      parser p_resolver {
          python(class("SngResolver"));
      };
      # add-contextual-data based on local IP address
      parser p_localsrc_info {
          add-contextual-data(
              selector("${suricata.src_ip}"),
              default-selector("unknown"),
              database("/etc/syslog-ng/conf.d/context-info-db.csv"),
              prefix("parsed.src.")
          );
      };

  27. Suricata.conf: inline Python code
      python {
      import socket

      class SngResolver(object):
          def parse(self, log_message):
              # name-value pairs arrive as bytes in syslog-ng 3.x
              ipaddr_b = log_message['suricata.dest_ip']
              ipaddr = ipaddr_b.decode('utf-8')
              try:
                  resolved = socket.gethostbyaddr(ipaddr)
                  hostname = resolved[0]
                  log_message['parsed.dest.hostname'] = hostname
              except (socket.herror, socket.gaierror, OSError):
                  # no PTR record or DNS failure: leave the message without a hostname
                  pass
              return True
      };

  28. Suricata.conf: log statement 1.
      log {
          # receive Suricata logs
          source(s_suricata);
          # parse JSON into name-value pairs
          parser(p_json);
          # resolve non-local destination IP addresses
          # using Python parser
          if (not match("^192.168" value("suricata.dest_ip"))) {
              parser(p_resolver);
          };

  29. Suricata.conf: log statement 2.
          # add-contextual-data based on local IP address
          if (match("^192.168" value("suricata.src_ip"))) {
              parser(p_localsrc_info);
          };
          # send alert if someone is reading slashdot
          if (match("slashdot.org" value("suricata.tls.sni"))) {
              destination { file("/var/log/slashdot"); };
              # ToDo: change to smtp destination
          };

  30. Suricata.conf: log statement 3.
          # talking to a malware C&C
          if {
              filter { in-list("/etc/syslog-ng/conf.d/malwarecc.list", value("suricata.dest_ip")) };
              rewrite { set("Problem", value("parsed.malware")); };
          } else {
              rewrite { set("OK", value("parsed.malware")); };
          };
          # add GeoIP information
          parser(p_geoip2);
          rewrite(r_geoip2);

  31. Suricata.conf: log statement 4.
          # save results locally
          destination(d_suricata);
          # save results to Elasticsearch
          destination(d_elastic);
      };
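Added example, not from the deck: a Python parser class in the shape syslog-ng expects from python(class(...)) (a parse(self, log_message) method returning True or False) that folds the local/non-local check of slides 28 and 29, the reverse lookup of slide 27 and the C&C list check of slide 30 into one class, with a result cache so a busy sensor does not trigger one DNS query per event. SuricataEnricher, LOCAL_NETS, CC_LIST and the injectable resolver are this example's own names, and the C&C addresses are constructed TEST-NET values.

```python
import ipaddress
import socket

# RFC1918 plus loopback; the deck's "^192.168" regex has unescaped dots and misses 10/8 and 172.16/12
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed stand-in for /etc/syslog-ng/conf.d/malwarecc.list
CC_LIST = {"203.0.113.7", "198.51.100.20"}


def _to_str(value):
    # syslog-ng 3.x hands name-value pairs to Python as bytes; newer releases use str
    return value.decode("utf-8") if isinstance(value, bytes) else value


def is_local(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP address at all: never treat as local, never resolve
    return any(addr in net for net in LOCAL_NETS)


class SuricataEnricher(object):
    """parse() is the entry point syslog-ng calls for python(class(...)) parsers."""

    def __init__(self, resolver=None, cc_list=CC_LIST):
        # resolver is injectable so the class can be exercised offline
        self.resolver = resolver or (lambda ip: socket.gethostbyaddr(ip)[0])
        self.cc_list = cc_list
        self.cache = {}  # ip -> hostname or None: one lookup per address, not per event

    def resolve(self, ip_text):
        if ip_text not in self.cache:
            try:
                self.cache[ip_text] = self.resolver(ip_text)
            except OSError:  # covers socket.herror/gaierror; other errors still surface
                self.cache[ip_text] = None
        return self.cache[ip_text]

    def parse(self, log_message):
        try:
            dest = _to_str(log_message["suricata.dest_ip"])
        except KeyError:
            return False  # no destination field: drop the message from this log path
        if not is_local(dest):
            hostname = self.resolve(dest)
            if hostname:
                log_message["parsed.dest.hostname"] = hostname
        log_message["parsed.malware"] = "Problem" if dest in self.cc_list else "OK"
        return True
```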
