scaling your logging infrastructure using syslog ng
play

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 - PowerPoint PPT Presentation

Oct 30, 2023 •100 likes •289 views

SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Community Manager at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an

  1. SCALING YOUR LOGGING INFRASTRUCTURE USING SYSLOG-NG FOSDEM 2017 Peter Czanik / Balabit

  2. ABOUT ME Peter Czanik from Hungary  Community Manager at Balabit: syslog-ng  upstream syslog-ng packaging, support, advocacy  Balabit is an IT security company with development HQ in Budapest, Hungary Over 200 employees: the majority are engineers 2

  3. syslog-ng Logging Recording events, such as: Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2 syslog-ng Enhanced logging daemon with a focus on high-performance central log collection. 3

  4. WHY CENTRAL LOGGING? EASE OF USE AVAILABILITY SECURITY even if the sender logs are available even one place to check machine is down if sender machine instead of many is compromised 4

  5. MAIN SYSLOG-NG ROLES collector processor filter storage (or forwarder) 5

  6. ROLE: DATA COLLECTOR Collect system and application logs together: contextual data for either side A wide variety of platform-specific sources:  /dev/log & co  Journal, Sun streams Receive syslog messages over the network:  Legacy or RFC5424, UDP/TCP/TLS Logs or any kind of data from applications:  Through files, sockets, pipes, etc.  Application output 6

  7. ROLE: PROCESSING Classify, normalize and structure logs with built-in parsers:  CSV-parser, DB-parser (PatternDB), JSON parser, key=value parser and more to come Rewrite messages:  For example anonymization Reformatting messages using templates:  Destination might need a specific format (ISO date, JSON, etc.) Enrich data:  GeoIP  Additional fields based on message content 7

  8. ROLE: DATA FILTERING Main uses:  Discarding surplus logs (not storing debug level messages)  Message routing (login events to SIEM) Many possibilities:  Based on message content, parameters or macros  Using comparisons, wildcards, regular expressions and functions  Combining all of these with Boolean operators 8

  9. ROLE: DESTINATIONS “TRADITIONAL ” File, network, TLS, SQL, etc. ● “BIG DATA” Distributed file systems: ● ● Hadoop NoSQL databases: ● ● MongoDB ● Elasticsearch Messaging systems: ● ● Kafka 9

  10. FREE-FORM LOG MESSAGES Most log messages are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2 Text = English sentence with some variable parts  Easy to read by a human  Difficult to process them with scripts  10

  11. SOLUTION: STRUCTURED LOGGING  Events represented as name-value pairs  Example: an ssh login: app=sshd user=root source_ip=192.168.123.45  syslog-ng: name-value pairs inside  Date, facility, priority, program name, pid, etc.  Parsers in syslog-ng can turn unstructured and some structured data (CSV, JSON) into name-value pairs 11

  12. SCALING SYSLOG-NG Client – Relay – Server instead of Client – Server  Distribute some of the processing to Client/Relay  12

  13. LOG ROUTING  Based on filtering  Send the right logs to the right places  Message parsing can increase accuracy  E-mail on root logins  Can optimize SIEM / log analyzer tools  Only relevant messages: cheaper licensing  Throttling: evening out peaks 13

  14. WHAT IS NEW IN SYSLOG-NG 3.8 Disk-based buffering  Grouping-by(): correlation independent  of patterndb Parsers written in Rust  Elasticsearch 2.x support  Curl (HTTP) destination  Performance improvements  Many more :-)  14

  15. SYSLOG-NG BENEFITS FOR LARGE ENVIRONMENTS High-performance Simplified Easier-to-use data Lower load on reliable log collection architecture destinations Parsed and presented in a ready-to-use format Single application for both Efficient message filtering syslog and application data and routing 15

  16. JOINING THE COMMUNITY syslog-ng: http://syslog-ng.org/  Source on GitHub: https://github.com/balabit/syslog-ng  Mailing list: https://lists.balabit.hu/pipermail/syslog-ng/  IRC: #syslog-ng on freenode  16

  17. QUESTIONS? My blog: https://www.balabit.com/blog/author/peterczanik/ My e-mail: peter.czanik@balabit.com Twitter: https://twitter.com/PCzanik 17

  18. SAMPLE XML <?xml version='1.0' encoding='UTF-8'?> ● <patterndb version='3' pub_date='2010-07-13'> ● <ruleset name='opensshd' id='2448293e-6d1c-412c-a418-a80025639511'> ● <pattern>sshd</pattern> ● <rules> ● <rule provider="patterndb" id="4dd5a329-da83-4876-a431-ddcb59c2858c" class="system"> ● <patterns> ● <pattern>Accepted @ESTRING:usracct.authmethod: @for @ESTRING:usracct.username: @from @ESTRING:usracct.device: @port @ESTRING:: ● @@ANYSTRING:usracct.service@</pattern> </patterns> ● <examples> ● <example> ● <test_message program="sshd">Accepted password for bazsi from 127.0.0.1 port 48650 ssh2</test_message> ● <test_values> ● <test_value name="usracct.username">bazsi</test_value> ● <test_value name="usracct.authmethod">password</test_value> ● <test_value name="usracct.device">127.0.0.1</test_value> ● <test_value name="usracct.service">ssh2</test_value> ● </test_values> ● </example> ● </examples> ● <values> ● <value name="usracct.type">login</value> ● <value name="usracct.sessionid">$PID</value> ● <value name="usracct.application">$PROGRAM</value> ● <value name="secevt.verdict">ACCEPT</value> ● </values> ● </rule> ● 18

Recommend

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME

Logging IoT Know what your IoT devices are doing FOSDEM 2018 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy Balabit is an IT

527 views • 34 slides
Secure logging syslog-ng w i t h F o r w a r d i n t e g r i t y a n d c

Secure logging syslog-ng w i t h F o r w a r d i n t e g r i t y a n d c

Secure logging syslog-ng w i t h F o r w a r d i n t e g r i t y a n d c o n f i d e n t i a l i t y o f s y s t e m l o g s S t e p h a n M a r w e d e l F O S D E M 2 0 2

412 views • 16 slides
Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity

Extending syslog-ng in Python: Best of both worlds Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng

520 views • 30 slides
Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for

Configuring Syslog Server on Cisco Routers with Cisco SDM Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that

900 views • 15 slides
Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages

Configuring Syslog Server On Cisco Routers Syslog Syslog is a standard for forwarding log messages in an Internet Protocol (IP) computer network. It allows separation of the software that generates log messages from the system that stores the

211 views • 19 slides
Using HPC Wales Agenda Infrastructure : An Overview of our Infrastructure Logging in :

Using HPC Wales Agenda Infrastructure : An Overview of our Infrastructure Logging in :

Using HPC Wales Agenda Infrastructure : An Overview of our Infrastructure Logging in : Command Line Interface and File Transfer Linux Basics : Commands and Text Editors Using Modules : Managing Software and the Environment

961 views • 75 slides
Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon

Layered Syslog Architecture (syslog-protocol draft) Rainer Gerhards Adiscon rgerhards@hq.adiscon.com 2004-02-24 Status around November 2003 RFC 3164, 3195, syslog-sign and -international each specify message format, transport specifics

511 views • 23 slides
Transaction Logging Unleashed with NVRAM Tianzheng Wang Ryan Johnson No, Im not talking

Transaction Logging Unleashed with NVRAM Tianzheng Wang Ryan Johnson No, Im not talking

Transaction Logging Unleashed with NVRAM Tianzheng Wang Ryan Johnson No, Im not talking about the syslog 1 Write-ahead logging Used by most transactional systems Databases , file systems Reliability Everything goes to

452 views • 23 slides
Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems

CSE/ISE 311: Systems Administra5on Logging Por$ons courtesy Ellen Liu CSE/ISE 311: Systems Administra5on Outline Introduc$on Finding log files Syslog:

547 views • 21 slides
Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik /

Syslog-ng, getting started, parsing messages, storing in Elasticsearch Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support,

1.22k views • 100 slides
Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation

Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation

Motivation Starting Position Local Improvements Remote Logging Conclusion Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation Starting Position Local Improvements Remote Logging Conclusion Agenda

741 views • 34 slides
Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business

Creating a dedicated log management layer Peter Czanik / syslog-ng, a One Identity business About me Peter Czanik from Hungary Evangelist at One Identity: syslog-ng upstream syslog-ng packaging, support, advocacy syslog-ng originally

906 views • 35 slides
GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik

GET THE MOST OUT OF YOUR SECURITY LOGS USING SYSLOG-NG Libre Software Meeting 2017 Peter Czanik / Balabit ABOUT ME Peter Czanik from Hungary Evangelist at Balabit: syslog-ng upstream syslog-ng packaging, support, advocacy

548 views • 36 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides
Laying the Foundations for Successful Scaling | In Infrastructure Scale Up Conference | Purdue,

Laying the Foundations for Successful Scaling | In Infrastructure Scale Up Conference | Purdue,

Laying the Foundations for Successful Scaling | In Infrastructure Scale Up Conference | Purdue, IN| Sept 27 , 2018 Holger A. Kray | Head, Africa Agriculture Policy Unit | hkray@worldbank.org | @krayberry 1 Benefits of Infrastructure: Complex

318 views • 4 slides
Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain

Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain

Debugging &amp; Logging Java Logging Java has built-in support for logging Logs contain messages that provide information to Software developers (e.g., debugging) System administrators Customer support agents Programs send

254 views • 10 slides
TomskGAZPROMgeofjzika Company Profjle { Logging while drilling { Production logging for reservoir

TomskGAZPROMgeofjzika Company Profjle { Logging while drilling { Production logging for reservoir

TomskGAZPROMgeofjzika Geophysical Services We provide full range of well logging and mud logging op- erations, cement quality control, MWD and well engineering services throughout Western and Eastern Siberia. Over 15 years of top quality

554 views • 31 slides
LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

Outline Launching of t he LHC Logging proj ect Mandat e, scope and obj ect ives LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic f unct ionalit ies Filt ering of dat a I nt erf acing t o ot

667 views • 3 slides
DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING AND RECOVERY PROTOCOLS 2 TODAYS AGENDA Logging Schemes Crash Course on ARIES protocol Physical Logging Logical Logging 3 LOGGING &amp;

1.64k views • 125 slides
A Cloud Infrastructure for Scaling Innovation Across Autonomous Teams henning.jacobs@zalando.de /

A Cloud Infrastructure for Scaling Innovation Across Autonomous Teams henning.jacobs@zalando.de /

A Cloud Infrastructure for Scaling Innovation Across Autonomous Teams henning.jacobs@zalando.de / @try_except_ GOTO Amsterdam 2015 AGENDA ABOUT US HISTORY RADICAL AGILITY ARCHITECTURE INFRASTRUCTURE ABOUT ME Henning Jacobs STUPS

943 views • 58 slides
Logging into the Grid (certificates) NorduGrid Tutorial, LCSC 2002 1 Grid Security

Logging into the Grid (certificates) NorduGrid Tutorial, LCSC 2002 1 Grid Security

NorduGrid Tutorial Logging into the Grid (certificates) NorduGrid Tutorial, LCSC 2002 1 Grid Security Infrastructure The Grid uses public key security infrastructure PKI X.509 infrastructure every user, services, resources must posess a

286 views • 10 slides
USING SCL TO SIMPLIFY SYSLOG-NG CONFIGURATION Libre Software Meeting 2017 Peter Czanik / Balabit

USING SCL TO SIMPLIFY SYSLOG-NG CONFIGURATION Libre Software Meeting 2017 Peter Czanik / Balabit

USING SCL TO SIMPLIFY SYSLOG-NG CONFIGURATION Libre Software Meeting 2017 Peter Czanik / Balabit SCL syslog-ng configuration library Reusable configuration blocks Hide away complexity of configuration 2 apache-accesslog-parser()

341 views • 7 slides
Managing Network Services 181.063 VU 2.0 AKIK3 181.085 SE 2.0 Seminar aus Informatik

Managing Network Services 181.063 VU 2.0 AKIK3 181.085 SE 2.0 Seminar aus Informatik

Gerald Pfeifer Managing Network Services 181.063 VU 2.0 AKIK3 181.085 SE 2.0 Seminar aus Informatik 181.101 SE 2.0 Informations und Komm.sys Keywords: Domainsregistrierung, cfengine, logging (syslog, access_log,...), monitoring

842 views • 61 slides
Using Syslog Message Sequences for Predicting Disk Failures Wes Featherstun and Errin Fulp Wake

Using Syslog Message Sequences for Predicting Disk Failures Wes Featherstun and Errin Fulp Wake

Using Syslog Message Sequences for Predicting Disk Failures Wes Featherstun and Errin Fulp Wake Forest University Department of Computer Science Winston-Salem, NC USA November 11, 2010 Wes Featherstun and Errin Fulp Using Syslog Message

489 views • 20 slides

More recommend