SlideShare a Scribd company logo

State of the art logging

Download as PPTX, PDF
BalaBit
BalaBit
Technology
1 of 18
State of the art logging Syslog-ng, journal, CEE/Lumberjack and ELSA Péter Czanik community manager Copyright 2013 BalaBit IT Security Ltd.
Topics • No, it is not about cutting trees :-) • What is syslog? And syslog-ng? • Free-form messages against name-value pairs • The new buzzword: journal • Standardization efforts: CEE/Lumberjack • Name-value pairs at work: ELSA Copyright 2013 BalaBit IT Security Ltd.
What is syslog? • Logging: recording events • Syslog: - Application: collecting events - Protocol: forwarding events Copyright 2013 BalaBit IT Security Ltd.
What is syslog-ng? • “Next Generation” syslog server • “Swiss army knife” of logging • More input sources (files, sockets, and so on) • Better filtering (not only priority, facility) • Processing (rewrite, normalize, correlate, and so on) • More destinations (databases, encrypted network, and so on) Copyright 2013 BalaBit IT Security Ltd.
What is new since 2.0 • 2.0 is best known, but EOL • Most important new features since 2.0: - PatternDB and CSV message parsing - Correlation - SQL and MongoDB destinations - JSON formatting - Modularization - Multi-threading • Next: 3.4 - JSON parsing - More flexible configuration Copyright 2013 BalaBit IT Security Ltd.
Free form log messages • Most logs are in /var/log • Most are from syslog (but also wtmp, apache, and so on) • Most are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2 • Text = English sentence with some variable parts • Easy to read Copyright 2013 BalaBit IT Security Ltd.
Why it does not scale? • Few logs (workstation) → easy to find information • Many logs (server) → difficult to find information • Relevant information is presented differently by each application • Difficult to process them with scripts • Answer: structured logging - Events represented as name value pairs Copyright 2013 BalaBit IT Security Ltd.
Solution from syslog-ng: PatternDB • Most messages are static texts with some variable parts embedded • PatternDB parser: - Can extract useful information into name-value pairs - Add status fields based on message text • Example: - user=root - action=login - status=failure • It requires patterns • syslog-ng: name-value pairs inside Copyright 2013 BalaBit IT Security Ltd.
Journal • The logging component of systemd • Name-value pairs inside: - Message - Trusted properties - Any additional name-value pairs • Native support for name-value pair storage Copyright 2013 BalaBit IT Security Ltd.
Journal: the enemy? • FAQ: Q: is journal the enemy? A: No! • Journal is limited to Linux/systemd (syslog-ng: all Linux/BSD/UNIX) • Journal is local only (syslog-ng: client – server) • Journal does not filter or process log messages • Journal + syslog-ng complement each other • Logs forwarded to syslog-ng through: /run/systemd/journal/syslog • syslog-ng can filter, process and forward logs to many different destinations (one day also to journal) Copyright 2013 BalaBit IT Security Ltd.
CEE • Journal, syslog-ng, Windows eventlog, rsyslog, auditd, and so on are based on name- value pairs • All use different field names • Standardization is a must: CEE → Common Event Expression • Events: name-value pairs instead of free-form text - Taxonomy: name-value pairs to describe events (example: status) - Dictionary: name-value pairs for event parameters (example: user) • PatternDB can turn free-form messages into CEE Copyright 2013 BalaBit IT Security Ltd.
Lumberjack • Make CEE happen → implementation • Coordinated by RedHat - CEE (Mitre), syslog-ng, rsyslog, and so on - Open, with high traffic mailing list - https://fedorahosted.org/lumberjack/ • API(s) to make structured logging easier • Work on dictionary, taxonomy, transport issues Copyright 2013 BalaBit IT Security Ltd.
Name-value pairs in action: ELSA • ELSA: Enterprise Log Search and Archive • Based on syslog-ng, PatternDB and MySQL • Simple and powerful web GUI • Extreme scalability • Patterns focused on network security (Cisco, Snort, HTTP, Bro, and so on) Copyright 2013 BalaBit IT Security Ltd.
Some logs Copyright 2013 BalaBit IT Security Ltd.
Diagram Copyright 2013 BalaBit IT Security Ltd.
A few extras Copyright 2013 BalaBit IT Security Ltd.
Questions? • Questions? Copyright 2013 BalaBit IT Security Ltd.
Thank You! Péter Czanik community manager peter.czanik@balabit.com Copyright 2013 BalaBit IT Security Ltd.

Recommended

syslog-ng: from log collection to processing and information extraction
syslog-ng: from log collection to processing and information extractionsyslog-ng: from log collection to processing and information extraction
syslog-ng: from log collection to processing and information extractionBalaBit
 
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...BalaBit
 
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...2015. Libre Software Meeting - syslog-ng: from log collection to processing a...
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...BalaBit
 
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataBalaBit
 
Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngPeter Czanik
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslogamiable_indian
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngPeter Czanik
 
gRPC on .NET Core - NDC Sydney 2019
gRPC on .NET Core - NDC Sydney 2019gRPC on .NET Core - NDC Sydney 2019
gRPC on .NET Core - NDC Sydney 2019James Newton-King
 

Recommended

syslog-ng: from log collection to processing and information extraction
syslog-ng: from log collection to processing and information extractionsyslog-ng: from log collection to processing and information extraction
syslog-ng: from log collection to processing and information extractionBalaBit
 
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...BalaBit
 
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...2015. Libre Software Meeting - syslog-ng: from log collection to processing a...
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...BalaBit
 
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataBalaBit
 
Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngPeter Czanik
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslogamiable_indian
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngPeter Czanik
 
gRPC on .NET Core - NDC Sydney 2019
gRPC on .NET Core - NDC Sydney 2019gRPC on .NET Core - NDC Sydney 2019
gRPC on .NET Core - NDC Sydney 2019James Newton-King
 
Centralized + Unified Logging
Centralized + Unified LoggingCentralized + Unified Logging
Centralized + Unified LoggingGabor Kozma
 
Fluentd meetup
Fluentd meetupFluentd meetup
Fluentd meetupSadayuki Furuhashi
 
Fluentd vs. Logstash for OpenStack Log Management
Fluentd vs. Logstash for OpenStack Log ManagementFluentd vs. Logstash for OpenStack Log Management
Fluentd vs. Logstash for OpenStack Log ManagementNTT Communications Technology Development
 
InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)Gene Leybzon
 
Fluentd unified logging layer
Fluentd unified logging layerFluentd unified logging layer
Fluentd unified logging layerKiyoto Tamura
 
Like loggly using open source
Like loggly using open sourceLike loggly using open source
Like loggly using open sourceThomas Alrin
 
Volker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesVolker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesZabbix
 
The basics of fluentd
The basics of fluentdThe basics of fluentd
The basics of fluentdTreasure Data, Inc.
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com琛琳 饶
 
wget, curl and scp
wget, curl and scpwget, curl and scp
wget, curl and scpGaurav Mishra
 
The basics of fluentd
The basics of fluentdThe basics of fluentd
The basics of fluentdTreasure Data, Inc.
 
Life of an Fluentd event
Life of an Fluentd eventLife of an Fluentd event
Life of an Fluentd eventKiyoto Tamura
 
IPFS introduction
IPFS introductionIPFS introduction
IPFS introductionGenta M
 
Hydra - Getting Started
Hydra - Getting StartedHydra - Getting Started
Hydra - Getting Startedabramsm
 
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Zabbix
 
How to admin
How to adminHow to admin
How to adminyalegko
 
IPFS: A Whole New World
IPFS: A Whole New WorldIPFS: A Whole New World
IPFS: A Whole New WorldArcBlock
 
Fluentd meetup #2
Fluentd meetup #2Fluentd meetup #2
Fluentd meetup #2Treasure Data, Inc.
 
Logstash: Get to know your logs
Logstash: Get to know your logsLogstash: Get to know your logs
Logstash: Get to know your logsSmartLogic
 
Why proper logging is important
Why proper logging is importantWhy proper logging is important
Why proper logging is importantBalaBit
 
The Wix Microservice Stack
The Wix Microservice StackThe Wix Microservice Stack
The Wix Microservice StackTomer Gabel
 

More Related Content

What's hot

Centralized + Unified Logging
Centralized + Unified LoggingCentralized + Unified Logging
Centralized + Unified LoggingGabor Kozma
 
InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)Gene Leybzon
 
Fluentd unified logging layer
Fluentd unified logging layerFluentd unified logging layer
Fluentd unified logging layerKiyoto Tamura
 
Like loggly using open source
Like loggly using open sourceLike loggly using open source
Like loggly using open sourceThomas Alrin
 
Volker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesVolker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesZabbix
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com琛琳 饶
 
Life of an Fluentd event
Life of an Fluentd eventLife of an Fluentd event
Life of an Fluentd eventKiyoto Tamura
 
IPFS introduction
IPFS introductionIPFS introduction
IPFS introductionGenta M
 
Hydra - Getting Started
Hydra - Getting StartedHydra - Getting Started
Hydra - Getting Startedabramsm
 
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Zabbix
 
How to admin
How to adminHow to admin
How to adminyalegko
 
IPFS: A Whole New World
IPFS: A Whole New WorldIPFS: A Whole New World
IPFS: A Whole New WorldArcBlock
 
Logstash: Get to know your logs
Logstash: Get to know your logsLogstash: Get to know your logs
Logstash: Get to know your logsSmartLogic
 

What's hot (20)

Centralized + Unified Logging
Centralized + Unified LoggingCentralized + Unified Logging
Centralized + Unified Logging
 
Fluentd meetup
Fluentd meetupFluentd meetup
Fluentd meetup
 
Fluentd vs. Logstash for OpenStack Log Management
Fluentd vs. Logstash for OpenStack Log ManagementFluentd vs. Logstash for OpenStack Log Management
Fluentd vs. Logstash for OpenStack Log Management
 
InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)InterPlanetary File System (IPFS)
InterPlanetary File System (IPFS)
 
Fluentd unified logging layer
Fluentd unified logging layerFluentd unified logging layer
Fluentd unified logging layer
 
Like loggly using open source
Like loggly using open sourceLike loggly using open source
Like loggly using open source
 
Volker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent IssuesVolker Fröhlich - How to Debug Common Agent Issues
Volker Fröhlich - How to Debug Common Agent Issues
 
The basics of fluentd
The basics of fluentdThe basics of fluentd
The basics of fluentd
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
ELK stack at weibo.com
ELK stack at weibo.comELK stack at weibo.com
ELK stack at weibo.com
 
wget, curl and scp
wget, curl and scpwget, curl and scp
wget, curl and scp
 
The basics of fluentd
The basics of fluentdThe basics of fluentd
The basics of fluentd
 
Life of an Fluentd event
Life of an Fluentd eventLife of an Fluentd event
Life of an Fluentd event
 
IPFS introduction
IPFS introductionIPFS introduction
IPFS introduction
 
Hydra - Getting Started
Hydra - Getting StartedHydra - Getting Started
Hydra - Getting Started
 
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
Rihards Olups - Encrypting Daemon Traffic With Zabbix 3.0
 
How to admin
How to adminHow to admin
How to admin
 
IPFS: A Whole New World
IPFS: A Whole New WorldIPFS: A Whole New World
IPFS: A Whole New World
 
Fluentd meetup #2
Fluentd meetup #2Fluentd meetup #2
Fluentd meetup #2
 
Logstash: Get to know your logs
Logstash: Get to know your logsLogstash: Get to know your logs
Logstash: Get to know your logs
 

Similar to State of the art logging

Why proper logging is important
Why proper logging is importantWhy proper logging is important
Why proper logging is importantBalaBit
 
The Wix Microservice Stack
The Wix Microservice StackThe Wix Microservice Stack
The Wix Microservice StackTomer Gabel
 
Scality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality
 
Transparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQLTransparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQLMasahiko Sawada
 
MongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB
 
Why databases cry at night
Why databases cry at nightWhy databases cry at night
Why databases cry at nightMichael Yarichuk
 
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Masahiko Sawada
 
MySQL And Search At Craigslist
MySQL And Search At CraigslistMySQL And Search At Craigslist
MySQL And Search At CraigslistJeremy Zawodny
 
Cassandra Community Webinar: From Mongo to Cassandra, Architectural Lessons
Cassandra Community Webinar: From Mongo to Cassandra, Architectural LessonsCassandra Community Webinar: From Mongo to Cassandra, Architectural Lessons
Cassandra Community Webinar: From Mongo to Cassandra, Architectural LessonsDataStax
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_TutorialVibhor Kumar
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityPaul Morse
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
Boltdb - an embedded key value database
Boltdb - an embedded key value databaseBoltdb - an embedded key value database
Boltdb - an embedded key value databaseManoj Awasthi
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB
 
How to Get IBM i Security and Operational Insights with Splunk
How to Get IBM i Security and Operational Insights with SplunkHow to Get IBM i Security and Operational Insights with Splunk
How to Get IBM i Security and Operational Insights with SplunkPrecisely
 
"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo LogicSumo Logic
 
Gib 2021 - Intro to BizTalk Migrator
Gib 2021 - Intro to BizTalk MigratorGib 2021 - Intro to BizTalk Migrator
Gib 2021 - Intro to BizTalk MigratorDaniel Toomey
 
Zenko @Cloud Native Foundation London Meetup March 6th 2018
Zenko @Cloud Native Foundation London Meetup March 6th 2018Zenko @Cloud Native Foundation London Meetup March 6th 2018
Zenko @Cloud Native Foundation London Meetup March 6th 2018Laure Vergeron
 

Similar to State of the art logging (20)

Why proper logging is important
Why proper logging is importantWhy proper logging is important
Why proper logging is important
 
The Wix Microservice Stack
The Wix Microservice StackThe Wix Microservice Stack
The Wix Microservice Stack
 
Scality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup PresentationScality S3 Server: Node js Meetup Presentation
Scality S3 Server: Node js Meetup Presentation
 
In-memory Databases
In-memory DatabasesIn-memory Databases
In-memory Databases
 
Transparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQLTransparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQL
 
Syslog Protocols
Syslog ProtocolsSyslog Protocols
Syslog Protocols
 
MongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep DiveMongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep Dive
MongoDB .local London 2019: MongoDB Atlas Data Lake Technical Deep Dive
 
Why databases cry at night
Why databases cry at nightWhy databases cry at night
Why databases cry at night
 
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...Transparent Data Encryption in PostgreSQL and Integration with Key Management...
Transparent Data Encryption in PostgreSQL and Integration with Key Management...
 
MySQL And Search At Craigslist
MySQL And Search At CraigslistMySQL And Search At Craigslist
MySQL And Search At Craigslist
 
Cassandra Community Webinar: From Mongo to Cassandra, Architectural Lessons
Cassandra Community Webinar: From Mongo to Cassandra, Architectural LessonsCassandra Community Webinar: From Mongo to Cassandra, Architectural Lessons
Cassandra Community Webinar: From Mongo to Cassandra, Architectural Lessons
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
Boltdb - an embedded key value database
Boltdb - an embedded key value databaseBoltdb - an embedded key value database
Boltdb - an embedded key value database
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
 
How to Get IBM i Security and Operational Insights with Splunk
How to Get IBM i Security and Operational Insights with SplunkHow to Get IBM i Security and Operational Insights with Splunk
How to Get IBM i Security and Operational Insights with Splunk
 
"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic"How to" Webinar: Sending Data to Sumo Logic
"How to" Webinar: Sending Data to Sumo Logic
 
Gib 2021 - Intro to BizTalk Migrator
Gib 2021 - Intro to BizTalk MigratorGib 2021 - Intro to BizTalk Migrator
Gib 2021 - Intro to BizTalk Migrator
 
Zenko @Cloud Native Foundation London Meetup March 6th 2018
Zenko @Cloud Native Foundation London Meetup March 6th 2018Zenko @Cloud Native Foundation London Meetup March 6th 2018
Zenko @Cloud Native Foundation London Meetup March 6th 2018
 

More from BalaBit

NIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovationNIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovationBalaBit
 
Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?BalaBit
 
Big Data Science - hype?
Big Data Science - hype?Big Data Science - hype?
Big Data Science - hype?BalaBit
 
DevAssistant, Docker and You
DevAssistant, Docker and YouDevAssistant, Docker and You
DevAssistant, Docker and YouBalaBit
 
Linux Kernel – Hogyan csapjunk bele?
Linux Kernel – Hogyan csapjunk bele?Linux Kernel – Hogyan csapjunk bele?
Linux Kernel – Hogyan csapjunk bele?BalaBit
 
Swift -Helyzetjelentés az iOS programozás új nyelvéről
Swift -Helyzetjelentés az iOS programozás új nyelvérőlSwift -Helyzetjelentés az iOS programozás új nyelvéről
Swift -Helyzetjelentés az iOS programozás új nyelvérőlBalaBit
 
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkelDATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkelBalaBit
 
eCSI - The Agile IT security
eCSI - The Agile IT securityeCSI - The Agile IT security
eCSI - The Agile IT securityBalaBit
 
Top 10 reasons to monitor privileged users
Top 10 reasons to monitor privileged usersTop 10 reasons to monitor privileged users
Top 10 reasons to monitor privileged usersBalaBit
 
Hogyan maradj egészséges irodai munka mellett?
Hogyan maradj egészséges irodai munka mellett?Hogyan maradj egészséges irodai munka mellett?
Hogyan maradj egészséges irodai munka mellett?BalaBit
 
Regulatory compliance and system logging
Regulatory compliance and system loggingRegulatory compliance and system logging
Regulatory compliance and system loggingBalaBit
 
Kontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
Kontrolle und revisionssichere Auditierung privilegierter IT-ZugriffeKontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
Kontrolle und revisionssichere Auditierung privilegierter IT-ZugriffeBalaBit
 
Techreggeli - Logmenedzsment
Techreggeli - LogmenedzsmentTechreggeli - Logmenedzsment
Techreggeli - LogmenedzsmentBalaBit
 
Balabit Company Overview
Balabit Company OverviewBalabit Company Overview
Balabit Company OverviewBalaBit
 
BalaBit IT Security cégismertető prezentációja
BalaBit IT Security cégismertető prezentációjaBalaBit IT Security cégismertető prezentációja
BalaBit IT Security cégismertető prezentációjaBalaBit
 
The Future of Electro Car
The Future of Electro CarThe Future of Electro Car
The Future of Electro CarBalaBit
 
Compliance needs transparency
Compliance needs transparencyCompliance needs transparency
Compliance needs transparencyBalaBit
 

More from BalaBit (17)

NIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovationNIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovation
 
Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?
 
Big Data Science - hype?
Big Data Science - hype?Big Data Science - hype?
Big Data Science - hype?
 
DevAssistant, Docker and You
DevAssistant, Docker and YouDevAssistant, Docker and You
DevAssistant, Docker and You
 
Linux Kernel – Hogyan csapjunk bele?
Linux Kernel – Hogyan csapjunk bele?Linux Kernel – Hogyan csapjunk bele?
Linux Kernel – Hogyan csapjunk bele?
 
Swift -Helyzetjelentés az iOS programozás új nyelvéről
Swift -Helyzetjelentés az iOS programozás új nyelvérőlSwift -Helyzetjelentés az iOS programozás új nyelvéről
Swift -Helyzetjelentés az iOS programozás új nyelvéről
 
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkelDATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
 
eCSI - The Agile IT security
eCSI - The Agile IT securityeCSI - The Agile IT security
eCSI - The Agile IT security
 
Top 10 reasons to monitor privileged users
Top 10 reasons to monitor privileged usersTop 10 reasons to monitor privileged users
Top 10 reasons to monitor privileged users
 
Hogyan maradj egészséges irodai munka mellett?
Hogyan maradj egészséges irodai munka mellett?Hogyan maradj egészséges irodai munka mellett?
Hogyan maradj egészséges irodai munka mellett?
 
Regulatory compliance and system logging
Regulatory compliance and system loggingRegulatory compliance and system logging
Regulatory compliance and system logging
 
Kontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
Kontrolle und revisionssichere Auditierung privilegierter IT-ZugriffeKontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
Kontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
 
Techreggeli - Logmenedzsment
Techreggeli - LogmenedzsmentTechreggeli - Logmenedzsment
Techreggeli - Logmenedzsment
 
Balabit Company Overview
Balabit Company OverviewBalabit Company Overview
Balabit Company Overview
 
BalaBit IT Security cégismertető prezentációja
BalaBit IT Security cégismertető prezentációjaBalaBit IT Security cégismertető prezentációja
BalaBit IT Security cégismertető prezentációja
 
The Future of Electro Car
The Future of Electro CarThe Future of Electro Car
The Future of Electro Car
 
Compliance needs transparency
Compliance needs transparencyCompliance needs transparency
Compliance needs transparency
 

Recently uploaded

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

State of the art logging

  • 1. State of the art logging Syslog-ng, journal, CEE/Lumberjack and ELSA Péter Czanik community manager Copyright 2013 BalaBit IT Security Ltd.
  • 2. Topics • No, it is not about cutting trees :-) • What is syslog? And syslog-ng? • Free-form messages against name-value pairs • The new buzzword: journal • Standardization efforts: CEE/Lumberjack • Name-value pairs at work: ELSA Copyright 2013 BalaBit IT Security Ltd.
  • 3. What is syslog? • Logging: recording events • Syslog: - Application: collecting events - Protocol: forwarding events Copyright 2013 BalaBit IT Security Ltd.
  • 4. What is syslog-ng? • “Next Generation” syslog server • “Swiss army knife” of logging • More input sources (files, sockets, and so on) • Better filtering (not only priority, facility) • Processing (rewrite, normalize, correlate, and so on) • More destinations (databases, encrypted network, and so on) Copyright 2013 BalaBit IT Security Ltd.
  • 5. What is new since 2.0 • 2.0 is best known, but EOL • Most important new features since 2.0: - PatternDB and CSV message parsing - Correlation - SQL and MongoDB destinations - JSON formatting - Modularization - Multi-threading • Next: 3.4 - JSON parsing - More flexible configuration Copyright 2013 BalaBit IT Security Ltd.
  • 6. Free form log messages • Most logs are in /var/log • Most are from syslog (but also wtmp, apache, and so on) • Most are: date + hostname + text Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2 • Text = English sentence with some variable parts • Easy to read Copyright 2013 BalaBit IT Security Ltd.
  • 7. Why it does not scale? • Few logs (workstation) → easy to find information • Many logs (server) → difficult to find information • Relevant information is presented differently by each application • Difficult to process them with scripts • Answer: structured logging - Events represented as name value pairs Copyright 2013 BalaBit IT Security Ltd.
  • 8. Solution from syslog-ng: PatternDB • Most messages are static texts with some variable parts embedded • PatternDB parser: - Can extract useful information into name-value pairs - Add status fields based on message text • Example: - user=root - action=login - status=failure • It requires patterns • syslog-ng: name-value pairs inside Copyright 2013 BalaBit IT Security Ltd.
  • 9. Journal • The logging component of systemd • Name-value pairs inside: - Message - Trusted properties - Any additional name-value pairs • Native support for name-value pair storage Copyright 2013 BalaBit IT Security Ltd.
  • 10. Journal: the enemy? • FAQ: Q: is journal the enemy? A: No! • Journal is limited to Linux/systemd (syslog-ng: all Linux/BSD/UNIX) • Journal is local only (syslog-ng: client – server) • Journal does not filter or process log messages • Journal + syslog-ng complement each other • Logs forwarded to syslog-ng through: /run/systemd/journal/syslog • syslog-ng can filter, process and forward logs to many different destinations (one day also to journal) Copyright 2013 BalaBit IT Security Ltd.
  • 11. CEE • Journal, syslog-ng, Windows eventlog, rsyslog, auditd, and so on are based on name- value pairs • All use different field names • Standardization is a must: CEE → Common Event Expression • Events: name-value pairs instead of free-form text - Taxonomy: name-value pairs to describe events (example: status) - Dictionary: name-value pairs for event parameters (example: user) • PatternDB can turn free-form messages into CEE Copyright 2013 BalaBit IT Security Ltd.
  • 12. Lumberjack • Make CEE happen → implementation • Coordinated by RedHat - CEE (Mitre), syslog-ng, rsyslog, and so on - Open, with high traffic mailing list - https://fedorahosted.org/lumberjack/ • API(s) to make structured logging easier • Work on dictionary, taxonomy, transport issues Copyright 2013 BalaBit IT Security Ltd.
  • 13. Name-value pairs in action: ELSA • ELSA: Enterprise Log Search and Archive • Based on syslog-ng, PatternDB and MySQL • Simple and powerful web GUI • Extreme scalability • Patterns focused on network security (Cisco, Snort, HTTP, Bro, and so on) Copyright 2013 BalaBit IT Security Ltd.
  • 14. Some logs Copyright 2013 BalaBit IT Security Ltd.
  • 15. Diagram Copyright 2013 BalaBit IT Security Ltd.
  • 16. A few extras Copyright 2013 BalaBit IT Security Ltd.
  • 17. Questions? • Questions? Copyright 2013 BalaBit IT Security Ltd.
  • 18. Thank You! Péter Czanik community manager peter.czanik@balabit.com Copyright 2013 BalaBit IT Security Ltd.