State of the art logging
Syslog-ng, journal, CEE/Lumberjack and ELSA

Péter Czanik
community manager

Copyright 2013 BalaBit IT Security Ltd.
Topics
      • No, it is not about cutting trees :-)
      • What is syslog? And syslog-ng?
      • Free-form messages against name-value pairs
      • The new buzzword: journal
      • Standardization efforts: CEE/Lumberjack
      • Name-value pairs at work: ELSA

What is syslog?
      • Logging: recording events

      • Syslog:
              - Application: collecting events
              - Protocol: forwarding events

What is syslog-ng?
      • “Next Generation” syslog server
      • “Swiss army knife” of logging

      • More input sources (files, sockets, and so on)
      • Better filtering (not only priority, facility)
      • Processing (rewrite, normalize, correlate, and so on)
      • More destinations (databases, encrypted network, and so on)

What is new since 2.0
      • 2.0 is best known, but EOL
      • Most important new features since 2.0:
              - PatternDB and CSV message parsing
              - Correlation
              - SQL and MongoDB destinations
              - JSON formatting
              - Modularization
              - Multi-threading

      • Next: 3.4
              - JSON parsing
              - More flexible configuration

Free form log messages
      • Most logs are in /var/log
      • Most are from syslog (but also wtmp, apache, and so on)
      • Most are: date + hostname + text
              Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2

      • Text = English sentence with some variable parts
      • Easy to read

Why does it not scale?
      • Few logs (workstation) → easy to find information
      • Many logs (server) → difficult to find information
      • Relevant information is presented differently by each application
      • Difficult to process them with scripts

      • Answer: structured logging
              - Events represented as name-value pairs

Solution from syslog-ng: PatternDB
      • Most messages are static texts with some variable parts
        embedded
      • PatternDB parser:
              - Can extract useful information into name-value pairs
              - Add status fields based on message text

      • Example:
              - user=root
              - action=login
              - status=failure

      • It requires patterns
      • syslog-ng: name-value pairs inside

Journal
      • The logging component of systemd
      • Name-value pairs inside:
              - Message
              - Trusted properties
              - Any additional name-value pairs

      • Native support for name-value pair storage

Journal: the enemy?
      • FAQ: Q: is journal the enemy? A: No!
      • Journal is limited to Linux/systemd (syslog-ng: all
        Linux/BSD/UNIX)
      • Journal is local only (syslog-ng: client – server)
      • Journal does not filter or process log messages

      • Journal + syslog-ng complement each other
      • Logs forwarded to syslog-ng through: /run/systemd/journal/syslog

      • syslog-ng can filter, process and forward logs to many
        different destinations (one day also to journal)

CEE
      • Journal, syslog-ng, Windows eventlog, rsyslog, auditd, and so on are based on name-value pairs
      • All use different field names
      • Standardization is a must: CEE → Common Event Expression
      • Events: name-value pairs instead of free-form text
              - Taxonomy: name-value pairs to describe events (example: status)
              - Dictionary: name-value pairs for event parameters (example: user)

      • PatternDB can turn free-form messages into CEE
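The PatternDB slide above and this CEE slide describe one pipeline: static message text with variable parts is matched against a pattern, the variable parts become name-value pairs, the rule adds status fields, and the result is emitted in a common shape. Below is an added Python example (not from the slides, and not syslog-ng's own code) of a miniature PatternDB-style matcher run over the sshd line from the "Free form log messages" slide plus two constructed lines, emitting a CEE/Lumberjack-style "@cee:" JSON payload. The rule set and the field names such as src_ip and src_port are this example's own assumptions.

```python
import json
import re

# Placeholder type -> regex fragment; ESTRING (needs a stop string) is built below.
_TYPES = {"STRING": r"\S+", "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}", "NUMBER": r"\d+"}
_PLACEHOLDER = re.compile(r"@(\w+):(\w+)(?::([^@]*))?@")
# BSD syslog header, e.g. "Mar 11 13:37:56 linux-6965 sshd[4547]: <text>"
_HEADER = re.compile(
    r"^(?P<date>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

def compile_pattern(pattern: str):
    """Turn a PatternDB-like pattern into an anchored regex with named groups."""
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        ptype, name, arg = m.group(1), m.group(2), m.group(3)
        if ptype == "ESTRING":
            # Like syslog-ng: up to the FIRST stop string (consumed); no stop = rest of line
            stop = re.escape(arg) if arg else ""
            parts.append(f"(?P<{name}>(?:(?!{stop}).)*){stop}" if arg else f"(?P<{name}>.*)")
        else:
            parts.append(f"(?P<{name}>{_TYPES[ptype]})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")

# Constructed rules (program, pattern, static fields) modelled on the sshd line
# from the "Free form log messages" slide; a real PatternDB is an XML file.
RULES = [
    ("sshd", "Accepted @ESTRING:auth_method: @for @ESTRING:user: @from "
             "@IPv4:src_ip@ port @NUMBER:src_port@ ssh2",
     {"action": "login", "status": "success"}),
    ("sshd", "Failed @ESTRING:auth_method: @for @ESTRING:user: @from "
             "@IPv4:src_ip@ port @NUMBER:src_port@ ssh2",
     {"action": "login", "status": "failure"}),
    ("sshd", "Failed @ESTRING:auth_method: @for invalid user @ESTRING:user: @from "
             "@IPv4:src_ip@ port @NUMBER:src_port@ ssh2",
     {"action": "login", "status": "failure", "reason": "invalid_user"}),
]
_COMPILED = [(prog, compile_pattern(pat), static) for prog, pat, static in RULES]

def parse_line(line: str) -> dict:
    """Split a syslog line into header fields; when a rule for that program
    matches the message, add the extracted and the static name-value pairs."""
    h = _HEADER.match(line)
    if not h:
        return {"message": line, "parsed": False}
    fields = {k: v for k, v in h.groupdict().items() if v is not None}
    fields["parsed"] = False
    for program, regex, static in _COMPILED:  # first matching rule wins
        m = regex.match(fields["message"]) if program == fields["program"] else None
        if m:
            fields.update(m.groupdict())  # variable parts of the message text
            fields.update(static)         # status fields added by the rule
            fields["parsed"] = True
            break
    return fields

def to_cee(fields: dict) -> str:
    """CEE/Lumberjack-style structured payload: the '@cee:' cookie plus JSON."""
    return "@cee: " + json.dumps(fields, sort_keys=True)

# Sample input: line 1 is the sshd message from the slides; the other two are
# constructed in the same format (a failed login and a line no rule covers).
SAMPLE_LINES = [
    "Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam "
    "for root from 127.0.0.1 port 46048 ssh2",
    "Mar 11 13:38:02 linux-6965 sshd[4551]: Failed password for invalid user "
    "admin from 10.0.0.5 port 51234 ssh2",
    "Mar 11 13:38:10 linux-6965 cron[4560]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    print("\n".join(to_cee(parse_line(line)) for line in SAMPLE_LINES))
```

A line that no rule covers keeps only its header fields, which is the "it requires patterns" point of the PatternDB slide.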

Lumberjack
      • Make CEE happen → implementation
      • Coordinated by Red Hat
              - CEE (Mitre), syslog-ng, rsyslog, and so on
              - Open, with high traffic mailing list
              - https://fedorahosted.org/lumberjack/

      • API(s) to make structured logging easier
      • Work on dictionary, taxonomy, transport issues

Name-value pairs in action: ELSA
      • ELSA: Enterprise Log Search and Archive
      • Based on syslog-ng, PatternDB and MySQL
      • Simple and powerful web GUI
      • Extreme scalability
      • Patterns focused on network security (Cisco, Snort, HTTP, Bro, and so on)

Some logs

Diagram

A few extras

Questions?
      • Questions?

Thank You!
Péter Czanik
community manager
peter.czanik@balabit.com
