Why proper logging is important...
                                          ...in all phases of development?


             Péter Czanik
             community manager


Copyright 2013 BalaBit IT Security Ltd.
About me
      • Peter Czanik from Hungary

      • community manager at BalaBit: syslog-ng upstream
      • BalaBit is an IT security company with HQ in Budapest,
        Hungary with 100+ developers
      • part of the openSUSE testing team
      • openSUSE syslog-ng package maintainer




Topics
      • no, it is not about cutting trees :-)

      • what is syslog? and syslog-ng?
      • who uses syslog-ng?
      • what to log?
      • free-form messages versus name-value pairs
      • the new buzzword: journal
      • standardization efforts: CEE/Lumberjack
      • name-value pairs at work: ELSA




What is syslog?
      • logging: recording events
      • syslog:
              - application: collecting events
              - data: the actual log messages
              - protocol: forwarding events

      • history:
              - originally developed as a logging tool for sendmail
              - quickly many other apps started to use it

      • syslog-ng: “next generation” syslog server
              - since 1997
              - focus on central log collection

What is syslog-ng?
      • “Swiss army knife” of logging
      • OSE (Open Source Edition) vs. PE (Premium Edition)

      • high performance
      • more input sources (files, programs, and so on)
      • more destinations (databases, encrypted network, etc.)
      • better filtering (not only by priority and facility)
      • processing (rewrite, parse, correlate, and so on)
      • JSON output and parser
      • AMQP




Who uses syslog-ng?
      • syslog-ng is the default logging solution in SLES since
        SLES 10
              - Uses 2.0, an ancient version

      • syslog-ng is the default logging solution in Gentoo
      • syslog-ng is available in openSUSE (package is
        maintained by me :-) )

      • ...and?




Who uses syslog-ng?




What to log?
      • what: everything :-)
      • in more detail: SANS Top 5 log reports:
              - authentication, change, resource access, etc.

      • during development logging is often an afterthought
              - some or many of the above are missing
              - it only aids coding
              - difficult to debug or audit in production

      • logging should be an integral part of development
              - think also about production :-)
              - consult with operators → DEVOPS!!!
              - use a logging environment similar to the one in production


How to log?
      • short answer: centrally
      • long answer: centrally, because:
              - ease of use: one place to check instead of many
              - availability: logs can be read even if the sender machine is down
              - security: logs are still available even if the sender machine is compromised




Free-form log messages
      • most log messages are: date + hostname + text
              Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2

      • text = English sentence with some variable parts
      • easy to read by a human




Why does it not scale?
      • few logs (workstation) → easy to find information
      • many logs (server) → difficult to find information
      • information is presented differently by each application
      • difficult to process them with scripts

      • answer: structured logging
              - events represented as name-value pairs


Solution from syslog-ng: PatternDB
      • syslog-ng: name-value pairs inside
              - date, facility, priority, program name, pid, etc.

      • PatternDB parser:
              - can extract useful information into name-value pairs
              - add status fields based on message text
              - message classification

      • example: an ssh login failure:
              - user=root, action=login, status=failure
              - classified as “violation”
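The free-form sshd line shown earlier, the "why does it not scale" point and the PatternDB idea on this slide, as an added example that is not part of the original deck and not syslog-ng's own code: a small Python re-implementation of what PatternDB does. It compiles a subset of PatternDB's placeholder syntax (@ESTRING@, @NUMBER@, @IPv4@, @ANYSTRING@) to regular expressions, splits the syslog envelope into name-value pairs, attaches status fields and a class to matched messages, and then answers a question that is awkward on raw text (failed logins per source address). The patterns, field names and sample lines are assumptions constructed for the example.

```python
"""Free-form syslog text -> name-value pairs, in the spirit of syslog-ng PatternDB.

Added example, not code from syslog-ng: it re-implements the idea with a subset
of PatternDB's placeholder syntax (@ESTRING:name:delim@, @NUMBER:name@,
@IPv4:name@, @ANYSTRING:name@), compiles each pattern to a regular expression,
and attaches status fields plus a class (system/violation/unknown) to matches.
Field names, patterns and the sample lines below are assumptions for the demo.
"""
import json
import re

# Classic "date + hostname + text" line (RFC 3164 style), as on the slide.
SYSLOG_LINE = re.compile(
    r"^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# @TYPE:name@ or @TYPE:name:delimiter@ placeholders inside a pattern string.
PLACEHOLDER = re.compile(r"@(ESTRING|NUMBER|IPv4|ANYSTRING):([a-z_]+)(?::([^@]*))?@")


def compile_pattern(pattern):
    """Turn a PatternDB-style pattern into an anchored regex with named groups."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))   # literal text between placeholders
        kind, name, delim = m.group(1), m.group(2), m.group(3)
        if kind == "ESTRING":   # text up to the delimiter; the delimiter itself is consumed
            d = re.escape(delim or " ")
            parts.append(rf"(?P<{name}>[^{d}]*){d}")
        elif kind == "NUMBER":
            parts.append(rf"(?P<{name}>\d+)")
        elif kind == "IPv4":
            parts.append(rf"(?P<{name}>\d{{1,3}}(?:\.\d{{1,3}}){{3}})")
        else:                   # ANYSTRING: the rest of the message
            parts.append(rf"(?P<{name}>.*)")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


# Rules: (message pattern, fields added on match). The placeholders yield the
# "dictionary" values (user, client_ip, ...); the dict supplies the "taxonomy"
# (action, status) and the PatternDB-like class of the event.
RULES = [
    ("Accepted @ESTRING:auth_method: @for @ESTRING:user: @from @IPv4:client_ip@ "
     "port @NUMBER:client_port@ ssh2",
     {"action": "login", "status": "success", "class": "system"}),
    ("Failed password for invalid user @ESTRING:user: @from @IPv4:client_ip@ "
     "port @NUMBER:client_port@ ssh2",
     {"action": "login", "status": "failure", "user_valid": "no", "class": "violation"}),
    ("Failed password for @ESTRING:user: @from @IPv4:client_ip@ "
     "port @NUMBER:client_port@ ssh2",
     {"action": "login", "status": "failure", "class": "violation"}),
]
COMPILED_RULES = [(compile_pattern(p), fields) for p, fields in RULES]


def parse_line(line):
    """Split the syslog envelope, then apply the first matching message pattern."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return {"class": "unknown", "message": line}
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    for rx, fields in COMPILED_RULES:
        pm = rx.match(event["message"])
        if pm:
            event.update(pm.groupdict())
            event.update(fields)
            return event
    event["class"] = "unknown"   # PatternDB also marks messages no rule matched
    return event


def to_json(line):
    """The structured form syslog-ng's JSON output would carry downstream."""
    return json.dumps(parse_line(line), sort_keys=True)


def failed_logins_by_source(lines):
    """A question that is awkward on raw text but trivial on name-value pairs."""
    counts = {}
    for line in lines:
        event = parse_line(line)
        if event["class"] == "violation":
            counts[event["client_ip"]] = counts.get(event["client_ip"], 0) + 1
    return counts


# Constructed sample input, modelled on the sshd line from the slide.
SAMPLE_LINES = [
    "Mar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam "
    "for root from 127.0.0.1 port 46048 ssh2",
    "Mar 11 13:38:01 linux-6965 sshd[4550]: Failed password for root from 192.0.2.10 port 50112 ssh2",
    "Mar 11 13:38:04 linux-6965 sshd[4550]: Failed password for root from 192.0.2.10 port 50112 ssh2",
    "Mar 11 13:38:09 linux-6965 sshd[4553]: Failed password for invalid user admin "
    "from 192.0.2.10 port 50130 ssh2",
    "Mar 11 13:38:15 linux-6965 cron[4560]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_json(line))
    print("failed logins by source:", failed_logins_by_source(SAMPLE_LINES))
```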




Journal
      • the logging component of systemd
      • name-value pairs inside:
              - message
              - trusted properties
              - any additional name-value pairs

      • native support for name-value pair storage

      • persistent log storage can be disabled
      • logs can be forwarded to syslog-ng through a socket
      • syslog-ng can filter and process the logs and forward them to a
        central log server


Journal: the enemy?
      • FAQ: Q: is journal the enemy? A: No!
      • Journal is local only (syslog-ng: client – server)
      • Journal does not filter or process log messages
      • Journal is limited to Linux/systemd (syslog-ng: all
        Linux/BSD/UNIX)




CEE
      • Journal, syslog-ng, Windows eventlog, rsyslog, auditd,
        and so on are based on name-value pairs
      • All use different field names
      • Standardization is a must: CEE → Common Event
        Expression
      • Events: name-value pairs instead of free-form text
              - Taxonomy: name-value pairs to describe events (example: status)
              - Dictionary: name-value pairs for event parameters (example: user)

      • PatternDB can turn free-form messages into CEE




Name-value pairs in action: ELSA
      • ELSA: Enterprise Log Search and Archive
      • based on syslog-ng, PatternDB and MySQL
      • simple and powerful web GUI
      • extreme scalability
      • patterns focused on network security:
              - firewalls: Cisco, iptables
              - IDS: Snort, Suricata, Bro
              - HTTP, Windows logs, etc.




Search




Graph




Map




So, why syslog-ng?
      • 15 years of open source development
      • high performance log management
      • flexible configuration
      • excellent documentation
      • PatternDB message parsing




Questions? (and some answers)
      • Questions?

      • Some useful syslog-ng resources:
              - Syslog-ng: http://www.balabit.com/network-security/syslog-ng
              - SANS Top 5 essential log reports extended:
                http://chuvakin.blogspot.hu/2010/08/updated-with-community-feedback-sans_06.html
              - Many books at http://oreilly.com/
              - ELSA: http://code.google.com/p/enterprise-log-search-and-archive/
              - My blog: http://czanik.blogs.balabit.com/




Thank You!
                                             Péter Czanik
                                            community manager
                                          peter.czanik@balabit.com



