Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton Chuvakin

Anton Chuvakin, Security Strategy
Logs: Can’t Hate Them, Won’t Love Them!
Dr. Anton Chuvakin
Security Warrior Consulting
www.securitywarriorconsulting.com
April 2010

What Is It?
This is a short log analysis and log management class given by Dr. Anton Chuvakin of Security Warrior Consulting at the Project Honeynet Annual Event 2010 in Mexico City, Mexico.
www.chuvakin.org
www.SecurityWarriorConsulting.com

Outline
- Logs, WTH?
- Logs and Log Analysis
- Log Analysis Methods
- Log Analysis -> Log Management
- Log Management Mistakes
- Future Ideas
- Conclusions

Hilarity!!!
“Logs Are Data??! Bua-ha-ha-ha-ha-haaa!”
Aug 11 09:11:19 xx null pif ? exit! 0

Log Data Overview
From where?
- Routers/switches
- Intrusion detection
- Servers, desktops, mainframes
- Business applications
- Databases
- Anti-virus
- VPNs
What logs?
- Audit logs
- Transaction logs
- Intrusion logs
- Connection logs
- System performance records
- User activity logs
- Various alerts and other messages
Log Chaos II - Accept?
messages:Dec 16 17:28:49 10.14.93.7 ns5xp: NetScreen device_id=ns5xp  system-notification-00257(traffic): start_time="2002-12-16 17:33:36" duration=5 policy_id=0 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1170 rcvd=1500 src=10.14.94.221 dst=10.14.98.107 src_port=1384 dst_port=23 translated ip=10.14.93.7 port=1206
Apr  6 06:06:02 Checkpoint NGX SRC=Any,DEST=ANY,Accept=nosubstitute,Do Not Log,Installspyware,lieonyourtaxes,orbetteryet,dontpaythem
Mar  6 06:06:02 winonasu-pix %PIX-6-302013: Built outbound TCP connection 315210 596 for outside:172.196.9.206/1214 (172.196.9.206/1214) to inside:199.17.151.103/1438 (199.17.151.103/1438)

SHOCK!!!
… and that is BEFORE we even mention application logs!

Log Chaos Everywhere!
- No standard format
- No standard schema, no standard level of detail
- No standard meaning
- No taxonomy
- No standard transport
- No shared knowledge on what to log and how
- No logging guidance for developers
- No standard API / libraries for log production

Result?
%PIX|ASA-3-713185 Error: Username too long - connection aborted
%PIX|ASA-5-501101 User transitioning priv level
ERROR: transport error 202: send failed: Success
sles10sp1oes oesaudit: type=CWD msg=audit(09/27/07 22:09:45.683:318) :  cwd=/home/user1

More results?
userenv[error] 1030 RCI-CORPsupx No description available
Aug 11 09:11:19 xx null pif ? exit! 0
Apr 23 23:03:08 support last message repeated 3 times
Apr 23 23:04:23 support last message repeated 5 times
Apr 23 23:05:38 support last message repeated 5 times

It DOES Suck!
Well, it does…
… but we need to analyze logs every time an incident occurs, and in many other cases!

LOG ANALYSIS
We will discuss:
- Some log analysis tools

Log Analysis Basics: Summary
- Manual
- Filtering
- Summarization and reports
- Simple visualization
- Log searching
- Correlation
- Log data mining

Log Analysis Basics: Manual
Manual log review: just fire up your trusty tail, more, notepad, vi, Event Viewer, etc. and hop to it!
Pros:
- Easy, no tools required (neither build nor buy)
Cons:
- Try it with a 10GB log file one day
- Boring as Hell!

See!?
Log for VMware Server, pid=2364, version=e.x.p, build=build-63231, option=BETA, section=2
[2007-12-03 14:57:00.931 'App' 4516 info] Current working directory: C:\Documents and Settings\All Users\Application Data\VMware\VMware Server
[2007-12-03 14:57:00.946 'BaseLibs' 4516 info] HOSTINFO: Seeing Intel CPU, numCoresPerCPU 2 numThreadsPerCore 1.
[2007-12-03 14:57:00.946 'BaseLibs' 4516 info] HOSTINFO: This machine has 1 physical CPUS, 2 total cores, and 2 logical CPUs.
[2007-12-03 14:57:00.946 'App' 4516 info] Trying blklistsvc
[2007-12-03 14:57:00.946 'App' 4516 info] Trying cimsvc
[2007-12-03 14:57:00.946 'App' 4516 info] Trying directorysvc
[2007-12-03 14:57:00.946 'App' 4516 info] Trying hostsvc
[2007-12-03 14:57:01.571 'NetworkProvider' 4516 info] Using netmap configuration file C:\Documents and Settings\All Users\Application Data\VMware\VMware Server\netmap.conf
[2007-12-03 14:57:01.587 'NetworkProvider' 4516 error] VNL_GetBriggeState call failed with status 1.Refreshing network information failed
[2007-12-03 14:57:03.165 'NetworkProvider' 4516 info] Active ftp is 1
[2007-12-03 14:57:03.165 'NetworkProvider' 4516 info] Allowanyoui is 0
[2007-12-03 14:57:03.165 'NetworkProvider' 4516 info] udptimeout is 30
[2007-12-03 14:57:03.337 'HostsvcPlugin' 4516 warning] No advanced options found
[2007-12-03 14:57:03.368 'Hostsvc::AutoStartManager' 4516 info] VM autostart configuration: C:\Documents and Settings\All Users\Application Data\VMware\VMware Server\hostd\vmAutoStart.xml
[2007-12-03 14:57:04.212 'Locale' 4516 info] Locale subsystem initialized from C:\Program Files\VMware\VMware Server\locale/ with default locale en.
[2007-12-03 14:57:04.212 'ResourcePool ha-root-pool' 4516 info] Resource pool instantiated
[2007-12-03 14:57:04.212 'ResourcePool ha-root-pool' 4516 info] Refresh interval: 60 seconds
[2007-12-03 14:57:04.212 'HostsvcPlugin' 4516 info] Plugin initialized
[2007-12-03 14:57:04.212 'App' 4516 info] Trying internalsvc
[2007-12-03 14:57:04.259 'App' 4516 info] Trying nfcsvc
[2007-12-03 14:57:04.305 'Nfc' 4516 info] Breakpoints disabled
[2007-12-03 14:57:04.321 'BaseLibs' 4516 info] Using system libcrypto, version 9070AF
[2007-12-03 14:57:06.399 'BaseLibs' 4516 info] [NFC DEBUG] Successfully loaded the diskLib library
[2007-12-03 14:57:06.415 'Nfc' 4516 info] Plugin initialized
[2007-12-03 14:57:06.415 'App' 4516 info] Trying partitionsvc
[2007-12-03 14:57:06.415 'App' 4516 info] Trying proxysvc
Log Analysis Basics: Filtering
Log filtering:
- Just show me the bad stuff; here is the list (positive)
- Just ignore the good stuff; here is the list (negative, or Artificial Ignorance)
Pros:
- Easy result interpretation: see -> act
- Many tools, or write your own
Cons:
- Patterns beyond single messages?
- Neither good nor bad, but interesting?

Example: How to grep Logs?
The easiest log analysis method (Linux/Unix):
# grep failure /var/log/messages
Filter the interesting failure messages out of the messages log
# grep -v success /var/log/messages
Filter messages other than success out of the messages log
# grep -vf LIST /var/log/messages
Filter messages other than those matching the patterns listed in the file LIST

Log Analysis Basics: Summary
Summarization and reports: Top X users, connections by IP, etc.
Pros:
- Dramatically reduces the size of the data
- Suitable for high-level reporting
Cons:
- Loss of information by summarizing
- Which report to pick for a task?

Make A Summary
SELECT source, destination, proto, user, COUNT(*)
FROM log_table
WHERE user LIKE 'an%'
GROUP BY source, destination, proto, user
ORDER BY source DESC
P.S. Pray tell me, how did those nasty logs end up in a nice database like that?

Log Analysis Basics: Search
Googling logs: the user specifies a time period, a log source (or all of them) and an expression, and gets back the logs that match (regex vs. Boolean).
Pros:
- Easy to understand
- Quick to do
Cons:
- What do you search for?
- A LOT of data back, sometimes

How to Do It: Splunk Search

Log Analysis Basics: Correlation
Correlation: rule-based and other 'correlation' and 'Correlation' algorithms
Pros:
- Highly automated
Cons:
- Needs rules written by experts
- Needs tuning for each site

Example Rule
<rule id="40112" level="12" timeframe="240">
  <if_group>authentication_success</if_group>
  <if_matched_group>authentication_failures</if_matched_group>
  <same_source_ip />
  <description>Multiple authentication failures followed a success.</description>
</rule>
OSSEC rule shown; see OSSEC.net for details
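The rule above fires when a run of authentication failures from one source IP is followed, within the 240-second timeframe, by a success from the same IP. The Python below is an added illustration of that logic (it is not OSSEC code) run over constructed sshd-style syslog lines; the failure threshold `min_failures` and the year supplied to the timestamps are assumptions, since the rule on the slide shows only the timeframe.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd-style syslog lines (not from the slides).
SAMPLE_LOG = """\
Apr 23 23:01:01 support sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Apr 23 23:01:07 support sshd[1202]: Failed password for root from 10.0.0.5 port 40002 ssh2
Apr 23 23:01:15 support sshd[1203]: Failed password for root from 10.0.0.5 port 40003 ssh2
Apr 23 23:01:30 support sshd[1204]: Failed password for root from 192.168.1.9 port 50001 ssh2
Apr 23 23:02:40 support sshd[1205]: Accepted password for root from 10.0.0.5 port 40004 ssh2
Apr 23 23:03:00 support sshd[1206]: Accepted publickey for alice from 192.168.1.9 port 50002 ssh2
Apr 23 23:30:00 support sshd[1207]: Accepted password for bob from 172.16.0.2 port 60001 ssh2
"""

# Decoder for the two sshd message shapes we care about.  The "group" each
# line is assigned to mirrors the OSSEC groups named in the rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2010):
    """Return an event dict for an sshd auth line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    group = ("authentication_success" if m["outcome"] == "Accepted"
             else "authentication_failures")
    return {"ts": ts, "host": m["host"], "group": group,
            "user": m["user"], "src": m["src"]}


def correlate(lines, min_failures=3, timeframe=240):
    """Emulate rule 40112: alert when a line in authentication_success is
    preceded, within `timeframe` seconds and from the same source IP, by at
    least `min_failures` lines in authentication_failures.  `min_failures`
    is an assumed threshold; the rule on the slide shows only the timeframe."""
    failures = defaultdict(deque)   # src ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # not an auth event; nothing to correlate
        window = failures[ev["src"]]
        # Expire failures that fall outside the rule's timeframe.
        while window and (ev["ts"] - window[0]).total_seconds() > timeframe:
            window.popleft()
        if ev["group"] == "authentication_failures":
            window.append(ev["ts"])
        elif len(window) >= min_failures:
            alerts.append({"rule": 40112, "level": 12, "ts": ev["ts"],
                           "src": ev["src"], "user": ev["user"],
                           "failures": len(window)})
            window.clear()          # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} rule {a['rule']} level {a['level']}: "
              f"{a['failures']} failures then success for {a['user']} from {a['src']}")
```

Only the 10.0.0.5 burst produces an alert: 192.168.1.9 has a single failure before its success, and 172.16.0.2 none.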
Log Analysis Basics: Data Mining
Log mining: algorithms that extract meaning from raw data
Pros:
- Promises fully-automated analysis
Cons:
- Still research-grade technology

Example Ranum NBS
Ranum’s “nbs” (never before seen): the simplest log mining tool.
- No knowledge about “bad” goes in -> insight comes out!
- Look Ma, NO RULES!
- Use the tool to pick up anomalous messages from your log pool
See for more: http://www.slideshare.net/anton_chuvakin/log-mining-beyond-log-analysis
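The negative-filtering (Artificial Ignorance) slide and the NBS slide rest on the same idea: reduce each message to a template and decide by template rather than by the raw line. The Python below is an added illustration of both (it is neither Ranum's nbs nor any tool from the slides), run over constructed syslog lines; the templating rules and the ignore patterns are assumptions for this example.

```python
import re

# Constructed sample syslog lines (not from the slides): a quiet "baseline"
# day used to train the seen-set, then a later day to analyze.
BASELINE_LOG = """\
Apr 22 09:00:00 support sshd[1100]: Accepted publickey for alice from 192.168.1.9 port 49000 ssh2
Apr 22 10:00:01 support cron[1150]: (root) CMD (run-parts /etc/cron.hourly)
"""

TODAY_LOG = """\
Apr 23 23:03:08 support sshd[1200]: Accepted publickey for alice from 192.168.1.9 port 50002 ssh2
Apr 23 23:03:10 support cron[1311]: (root) CMD (run-parts /etc/cron.hourly)
Apr 23 23:03:12 support sshd[1210]: Accepted publickey for alice from 192.168.1.9 port 50010 ssh2
Apr 23 23:04:08 support cron[1320]: (root) CMD (run-parts /etc/cron.hourly)
Apr 23 23:04:23 support last message repeated 5 times
Apr 23 23:05:01 support sshd[1230]: Failed password for root from 10.0.0.5 port 40002 ssh2
Apr 23 23:05:30 support kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
Apr 23 23:06:00 support sshd[1240]: Failed password for root from 10.0.0.5 port 40003 ssh2
"""

SYSLOG_HEADER = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")


def template(line):
    """Reduce a line to its message template: drop the syslog header and
    replace the parts that vary per event (pids, IPs, numbers) with tokens,
    so two messages that differ only in those details compare equal.
    The token rules are an assumption; real tools use richer normalizers."""
    msg = SYSLOG_HEADER.sub("", line)
    msg = re.sub(r"\[\d+\]", "[PID]", msg)
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "IP", msg)
    msg = re.sub(r"\b\d+\b", "N", msg)
    return msg


# Artificial-ignorance list (assumed for this host): templates of messages
# that are known to be routine and should be dropped from review.
IGNORE_PATTERNS = [
    r"^cron\[PID\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$",
    r"^sshd\[PID\]: Accepted publickey for alice from IP port N ssh2$",
]


def artificial_ignorance(lines, ignore_patterns=IGNORE_PATTERNS):
    """Negative filtering: keep every line whose template matches none of
    the known-boring patterns (the `grep -vf LIST` idea, applied to templates)."""
    compiled = [re.compile(p) for p in ignore_patterns]
    return [ln for ln in lines
            if not any(rx.search(template(ln)) for rx in compiled)]


def never_before_seen(lines, seen):
    """Ranum-style NBS: return the lines whose template is not in `seen`,
    adding each new template so that it is reported only once.  `seen` is
    the persistent set of templates; in a real deployment it lives on disk."""
    new = []
    for ln in lines:
        t = template(ln)
        if t not in seen:
            seen.add(t)
            new.append(ln)
    return new


if __name__ == "__main__":
    seen = set()
    never_before_seen(BASELINE_LOG.splitlines(), seen)   # train on a quiet day
    for ln in never_before_seen(TODAY_LOG.splitlines(), seen):
        print("NBS:", ln)
    for ln in artificial_ignorance(TODAY_LOG.splitlines()):
        print("KEEP:", ln)
```

NBS needs no list of bad or boring patterns at all, only the memory of what it has already seen; artificial ignorance needs the list but reports repeats of an unusual message every time.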
Log Analysis Basics: Visualization
Visualization, from simple to 4D: a pie chart worth a thousand words?
Pros:
- You just look at it and know what it means and what to do
Cons:
- You just look at it, and hmmm…

How to Do It: afterglow Tool

Log Analysis Basics: When
Real-time vs. historical analysis:
- Do you always need real-time?
- What data cannot be analyzed in real-time?
- The "a day later vs. never" question
- Historical analysis for deep insight

How To Start Using The Tools?
1. Collect logs. Tools: syslog-ng, standard syslog, etc.
2. Store logs. Tools: MySQL, etc.
3. Search logs. Tools: grep, Splunk, etc.
4. Correlate and alert. Tools: OSSEC, OSSIM, SEC, nbs, logwatch, etc.

Key Points to Remember
- Techniques review
- Tools review
- Any other tool suggestions?
- Start thinking buy vs. build

From Log Analysis to Log Management
We will discuss:
- Log management motivations

Log Analysis to Log Management
(Diagram in the original slide: Collect (files, syslog, other) -> Secure and Store (immutable logs) -> Search, Report and Analytics -> Alert (SNMP, e-mail, etc.) -> Act (make conclusions; humans still needed!))

Log Management Challenges
- Not enough data
- Too much data
- Diverse records
- Time out of sync
- False records
- Duplicate data
- Hard to get data

LOG RETENTION – A TRIVIAL MATTER?
We will discuss:
- Issues with various log retention technologies

What is NOT Retention?
- A database that stores a few fields from each log
- A tape closet with log data: tapes that were never verified – and lurking rats
- A syslog server that just spools logs into files

Retention Time Question
I have the answer! No, not really.
- Regulations? Unambiguous: PCI – keep ’em for 1 year
- Tiered retention strategy: online, near line, offline/tape

Example: Retention Strategy
Type + network + storage tier:
- IDS + DMZ + online = 90 days
- Firewall + DMZ + online = 30 days
- Servers + internal + online = 90 days
- ALL + DMZ + archive = 3 years
- Critical + internal + archive = 5 years
- OTHER + internal + archive = 1 year

How to Create A Log Retention Strategy
1. Assess applicable compliance requirements
2. Look at risk posture and other needs
3. Look at the various log sources and their log volumes
4. Review available storage options
5. Decide on tiers

Log Storage Tiers: Options
- RDBMS
- Flat files
- Hybrid
- Proprietary datastore
- Tape

Example: How to Deal with A Trillion Log Messages
How to manage a trillion (~1000 billion) log messages? Hundreds of terabytes (1/2 of a petabyte …) of data.
Which tool to pick? "Sorry, buddy, you are writing your own code here!”

Key Points to Remember
- What is really log retention?
- Review the log storage options to use (or to buy in a vendor tool)
- Learn about storage challenges

LOGGING MISTAKES
We will discuss

Mistake 1: Not Logging AT ALL …
… and its aggravated version: “… and not knowing that you don’t”
No logging? -> well, no logs for incident investigation and response, audits, C&A, control validation, compliance
Got logs? If your answer is ‘NO’, don’t listen further: run and enable logging right now!

Example: Oracle
Defaults:
- minimum system logging
- minimum database server access
- no data access logging
So, where is …
- data access audit
- schema and data change audit
- configuration change audit

Mistake 2: Not looking at logs
Collection of logs has value! But review boosts the value 10-fold (numbers are estimates), and more in-depth analysis boosts it a lot more!
Two choices here …
- Review after an incident
- Ongoing review

Example Log Review Priorities
1. DMZ NIDS
2. DMZ firewall
3. DMZ servers with applications
4. Critical internal servers
5. Other servers
6. Select critical applications
7. Other applications

Mistake 3: Storing logs for too short a time
You are saying you HAD logs? And how is that useful?
The retention question is a hard one. Truly, nobody has the answer!
Seven years? A year? 90 days? A week? Until the disk runs out?
Common: 90 days online and up to 1-3 years near line or offline

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En... by Anton Chuvakin
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
Anton Chuvakin33 views
SOC Lessons from DevOps and SRE by Anton Chuvakin by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
Anton Chuvakin271 views
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth by Anton Chuvakin
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Anton Chuvakin139 views
20 Years of SIEM - SANS Webinar 2022 by Anton Chuvakin
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
Anton Chuvakin283 views
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin by Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
Anton Chuvakin403 views
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends by Anton Chuvakin
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin286 views
SOCstock 2021 The Cloud-native SOC by Anton Chuvakin
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
Anton Chuvakin430 views
Anton's 2020 SIEM Best and Worst Practices - in Brief by Anton Chuvakin
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin340 views
RSA 2016 Security Analytics Presentation by Anton Chuvakin
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
Anton Chuvakin497 views
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin by Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Anton Chuvakin3.4K views
Log management and compliance: What's the real story? by Dr. Anton Chuvakin by Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Anton Chuvakin1.5K views
On Content-Aware SIEM by Dr. Anton Chuvakin by Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
Anton Chuvakin1.7K views
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin by Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Anton Chuvakin2.6K views
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin by Anton Chuvakin
PCI 2.0 What's Next for PCI DSS  by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS  by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin1.2K views
How to Gain Visibility and Control: Compliance Mandates, Security Threats and... by Anton Chuvakin
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
Anton Chuvakin934 views
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec... by Anton Chuvakin
Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean::  Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Anton Chuvakin995 views
Zero Day Response: Strategies for the Security Innovation in Corporate Defens... by Anton Chuvakin
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Anton Chuvakin1.1K views
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin by Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
Anton Chuvakin1.8K views

Recently uploaded

Initiating and Advancing Your Strategic GIS Governance Strategy by
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance StrategySafe Software
184 views68 slides
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueShapeBlue
207 views54 slides
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... by
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...ShapeBlue
162 views25 slides
Evaluation of Quality of Experience of ABR Schemes in Gaming Stream by
Evaluation of Quality of Experience of ABR Schemes in Gaming StreamEvaluation of Quality of Experience of ABR Schemes in Gaming Stream
Evaluation of Quality of Experience of ABR Schemes in Gaming StreamAlpen-Adria-Universität
38 views34 slides
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...ShapeBlue
129 views10 slides
Business Analyst Series 2023 - Week 4 Session 8 by
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8DianaGray10
145 views13 slides

Recently uploaded(20)

Initiating and Advancing Your Strategic GIS Governance Strategy by Safe Software
Initiating and Advancing Your Strategic GIS Governance StrategyInitiating and Advancing Your Strategic GIS Governance Strategy
Initiating and Advancing Your Strategic GIS Governance Strategy
Safe Software184 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue207 views
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... by ShapeBlue
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
ShapeBlue162 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue129 views
Business Analyst Series 2023 - Week 4 Session 8 by DianaGray10
Business Analyst Series 2023 -  Week 4 Session 8Business Analyst Series 2023 -  Week 4 Session 8
Business Analyst Series 2023 - Week 4 Session 8
DianaGray10145 views
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue137 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash162 views
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ... by ShapeBlue
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
ShapeBlue120 views
Why and How CloudStack at weSystems - Stephan Bienek - weSystems by ShapeBlue
Why and How CloudStack at weSystems - Stephan Bienek - weSystemsWhy and How CloudStack at weSystems - Stephan Bienek - weSystems
Why and How CloudStack at weSystems - Stephan Bienek - weSystems
ShapeBlue247 views
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P... by ShapeBlue
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
ShapeBlue196 views
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue by ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlueElevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
Elevating Privacy and Security in CloudStack - Boris Stoyanov - ShapeBlue
ShapeBlue224 views
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And... by ShapeBlue
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
Enabling DPU Hardware Accelerators in XCP-ng Cloud Platform Environment - And...
ShapeBlue108 views
The Power of Generative AI in Accelerating No Code Adoption.pdf by Saeed Al Dhaheri
The Power of Generative AI in Accelerating No Code Adoption.pdfThe Power of Generative AI in Accelerating No Code Adoption.pdf
The Power of Generative AI in Accelerating No Code Adoption.pdf
Saeed Al Dhaheri39 views
LLMs in Production: Tooling, Process, and Team Structure by Aggregage
LLMs in Production: Tooling, Process, and Team StructureLLMs in Production: Tooling, Process, and Team Structure
LLMs in Production: Tooling, Process, and Team Structure
Aggregage57 views
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De... by Moses Kemibaro
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Don’t Make A Human Do A Robot’s Job! : 6 Reasons Why AI Will Save Us & Not De...
Moses Kemibaro35 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue178 views

Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton Chuvakin

Editor's Notes

  1. The easiest log analysis method (Linux/Unix):
     # grep ailure /var/log/messages
     Look for interesting failure messages in the messages log. It makes sense to also look for “ailed”. We drop the first letter so that we do not have to worry about case sensitivity. You can also switch grep to a case-insensitive mode by typing “grep -i” (for ignore case) instead.
     # grep anton /var/log/messages
     Look for a particular user’s actions; this will definitely miss more than a few user actions, so manual review of logs is still needed. For example, some messages will not be marked with that user, such as when a user becomes “root” via the “sudo” command.
     More examples:
     grep "sshd" *.log (looks for all logs with the “sshd” string in them)
     grep -i user messages (looks for “user”, “USER”, “User”, etc. in the “messages” file)
     grep -v sendmail syslog (looks for all log lines without “sendmail” in them)
     ===
     This slide reminds Unix people and teaches Windows people about the “grep” command, which can be used to manually filter logs.
     grep "sshd" *.log | process_ssh.sh
     Filters all logs with the “sshd” string in them and sends them to another program.
     grep -i user messages | grep -v ailure
     Filters for “user”, “USER”, “User”, etc. messages which are not failures.
     grep -v sendmail syslog (looks for all log lines without “sendmail” in them)
     Using “grep” is an example of the positive filtering mentioned on the previous slide: trying to focus on the bad things that one needs to see, investigate, and then act on: attacks, failures, etc. The “-v” option showcases negative filtering.
  2. So how easy is it to data mine with Splunk? In the above example I told Splunk I was interested in all log entries that contained the word “failed”. This refreshed the screen and showed me 25 entries that matched this keyword. Looking through the list I noticed that one of the entries was for a failed logon attempt. At that point I clicked the “similar” hyperlink for the log entry, which produced the screen shown above. Note: it is showing us that we have ten failed logon attempts in the log file (four are not shown as they are off the bottom of the screen). So in less than 60 seconds I was able to identify all of the failed logon attempts for my network.
  3. OSSEC rule shown
  4. Marcus Ranum’s “nbs” tool can be obtained at http://www.ranum.com/security/computer_security/code/index.html
     The description says: “Never Before Seen Anomaly detection driver. This utility creates a fast database of things that have been seen, and includes tools to print and update the database. Includes PDF documentation and walkthroughs.”
     Use the tool to pick up anomalous messages from your log pool. One can also build the same thing using grep, awk and other shell tools: “grep -v -f” can be used to look for log entries excluding the ones stored in a file.
  5. This slide shows one of the open source visualization tools, afterglow (which can be found at http://afterglow.sourceforge.net/ or at http://www.secviz.org/). The tool has been successfully used to visualize many types of log data.
  6. Here we learn how to start using the tools we just discussed for taking control of your logs. Start by collecting logs; use syslog-ng or whatever syslog variant is available on your systems. To combine these with Windows logs, use Snare or LASSO, which convert Windows logs to syslog. Store logs in files (compressed or not) or in a database such as the open source MySQL. To start peeking at logs, use search tools such as the free “grep” or “splunk” that we mentioned above. When ready to move to correlation and alerting, get OSSEC or other tools. At this point, you gain a degree of awareness of what is going on in your environment.
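The “never before seen” idea from note 4, built from the shell tools note 1 and note 4 mention (grep, sed, sort, with “grep -v -f” as the negative filter), as an added example that is not code from the deck or from Ranum’s nbs tool. The message-shaping rule, the database file layout and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original deck: "never before seen" (NBS) filtering
# built from grep/sed/sort, as note 4 suggests. A database file holds the message
# shapes already seen; only lines with a new shape are reported.

# Reduce a syslog line to its shape: strip "Mon DD HH:MM:SS host " and replace
# every run of digits by N so PIDs, ports and addresses do not make each line unique.
nbs_shape() {
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/[0-9]+/N/g'
}

# List the shapes in log file $2 that are absent from database $1 (read-only).
# 'grep -v -f' is the negative filter from note 1, applied to the seen-list.
# Edge case: grep -f with an EMPTY pattern file differs between grep versions,
# so an empty database is handled without calling grep at all.
nbs_new_shapes() {
    db="$1"; log="$2"
    if [ -s "$db" ]; then
        nbs_shape < "$log" | sort -u | { grep -v -F -x -f "$db" || true; }
    else
        nbs_shape < "$log" | sort -u
    fi
}

# Print the original lines whose shape is new and record those shapes in $1,
# so each kind of message is reported only the first time it shows up.
nbs_report() {
    db="$1"; log="$2"
    [ -f "$db" ] || : > "$db"
    while IFS= read -r line; do
        shape=$(printf '%s\n' "$line" | nbs_shape)
        if ! grep -q -F -x -- "$shape" "$db"; then
            printf '%s\n' "$line"
            printf '%s\n' "$shape" >> "$db"
        fi
    done < "$log"
}

# Constructed sample log (not real data), written to the file named in $1.
# The two "Failed password" lines differ only in PID and port, so they share one shape.
nbs_sample_log() {
    cat > "$1" <<'EOF'
Aug 11 09:11:19 host1 sshd[4312]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2
Aug 11 09:11:21 host1 sshd[4315]: Failed password for invalid user admin from 10.0.0.5 port 51030 ssh2
Aug 11 09:12:03 host1 sshd[4320]: Accepted publickey for anton from 10.0.0.7 port 50112 ssh2
Aug 11 09:15:44 host1 sudo:    anton : TTY=pts/0 ; PWD=/home/anton ; USER=root ; COMMAND=/bin/systemctl restart sshd
Aug 11 09:16:02 host1 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
EOF
}

# Demo: the first pass reports four lines (one per new shape); the second pass,
# over the same file, reports nothing because every shape is now in the database.
demo_db=$(mktemp); demo_log=$(mktemp)
nbs_sample_log "$demo_log"
echo "== first pass ==";  nbs_report "$demo_db" "$demo_log"
echo "== second pass =="; nbs_report "$demo_db" "$demo_log"
rm -f "$demo_db" "$demo_log"
```

Keep the database file across runs (for example under the log directory) so that only messages never seen in this environment surface each day; the sudo-to-root line above is exactly the kind of entry a plain user-name grep from note 1 would miss.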