SlideShare a Scribd company logo

MacSysAdmin Conference 2019 - Logging

Henry Stamerjohann
Henry Stamerjohann

LOGGING - About Needles in the Modern Haystack https://www.macsysadmin.se/program.html Every once in a while you'll read "collect the log files". How will this work with your Cloud Service, Identity provider, and SaaS solution? What's the challenges and what are the options at hand when monitoring macOS effectively for compliance? In this session we talk about practices in storing and retrieving event information for monitoring, and review applications to build and process rich audit trails. This session aims to share our experiences made with commercial and open source backends applied to various client scenarios.

Data & Analytics
1 of 74
Download to read offline
zentral.pro Logging About Needles in the Modern Haystack
• Founded in Q1 2019 • Based in Germany • Small, skilled team • Professional Services
 Research and Development • Business & Enterprises customers • B2B Partners zentral.pro Who are we ?
• Based in Hamburg, Germany • Zentral Pro Services (co-founder) • Started the Zentral open source Event Hub Project with Éric Falconnier 
 (co-founder) • Zentral was first shown in public at MacSysAdmin 2015 Henry Stamerjohann Who am I zentral.pro
zentral.pro Landscape
“A lot more events, from many 
 more sources…” zentral.pro Logs & Events Landscape ‣ Computing / Technology
• Cloud Computing Platforms and SaaS • Linux (incl. ChromeOS) • Microsoft: • Azure, Intune, Windows 10
 (new norm, great integrations) • Apple: • macOS, iOS, iPadOS, tvOS • Client Management & MDM Provider
 (well known challenge w/ integrations) zentral.pro Logs & Events Landscape ‣ Computing / Technology
“Where, when and what ? “ zentral.pro Logs & Events Landscape ‣ Computing / Technology
• Created by apps, systems, network 
 and user activity • Event flow, time stamps, and Frequency • Common use: • Check-based fault detection • Log-based monitoring • Metrics-based monitoring • Collect telemetry data zentral.pro “Where, when 
 and what ? “ Logs & Events Landscape ‣ Computing / Technology
zentral.pro Event sources and types
OS • Installer • MDMclient • LaunchServices Software • Business apps • Other apps • Security Agents • Osquery • Santa • Xnumon zentral.pro On the endpoints Event sources and types ‣ Sources
zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • OS • Multi Platform (Mac, Linux, Windows) • Cloud Native Foundation Project • Powerful Change Detection • SQL like view of the system Osquery Osquery Based on
zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • Kernel extension • (soon) Security Extention • Binary Whitelisting / Blacklisting • TLS Server (Backend) • Dynamic Config • Local Log file Santa Google Santa Based on
zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • Open BSM • Kernel extension • Log Information on • pid • path • ancestory • arguments • code-signing information • Trace activity (good/bad) Xnumon Based onXnumon
zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: System Extensions
zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: System Extensions
zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • (New) Apple Endpoint Security System • (New) Apple Network Extension framework • Clients can Subscribe to Endpoint Security System and Network Extension • Option to make decisions • New version of Security and Firewall applications Based on System Extensions System Extensions
zentral.pro • Written to File • Written to local Database • Written to a Backend • Transferred by an Agent On the endpoints Event sources and types ‣ Outputs
zentral.pro On the endpoints Event sources and types ‣ Outputs /Library/Logs/… /var/log/… File based - the “classic” use case • mostly with not so well integrated apps • Text data in files (rotated) • Sometimes JSON (1 object per line) ‣ File based
zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ File based
zentral.pro On the endpoints Event sources and types ‣ Outputs OS log facilities - for OS and well behaved / integrated apps • Apple Unified Logging • More structure • JSON output possible • Configurable persistence • Syslog (old in macOS) ‣ OS log facility
zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ Unified Logging In-memory or persist 
 into .tracev3 files
zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ Unified Logging In-memory or persist 
 into .tracev3 files
zentral.pro --predicate Filter element (subsystem type) --debug Details depth Formatting (json)--style On the endpoints Event sources and types ‣ Outputs ‣ Unified Logging
zentral.pro On the endpoints Event sources and types ‣ Outputs OS log facilities - for OS and well behaved / integrated apps • Apple Unified Logging • More structure • JSON output possible • Configurable persistence • Syslog (old in macOS) ‣ Unified Logging Howard Oakley @ Electriclight Company https://eclecticlight.co/ 2018/03/19/macos-unified-log-1- why-what-and-how/
• JSON payload posted on a HTTPS endpoint (Osquery, Santa,…) • Publish to Kafka (Osquery) • Other custom variants… zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ Custom
zentral.pro Server / Cloud Event sources and types ‣ Sources Identity Provider • Sign-ins / Sign-in errors (AzureAD, Okta, …) Inventory • Computer check-in (Jamf Pro, WorkspaceOne, …) • Group changes (SimpleMDM, Jamf Pro, …) MDM (SaaS, open source MDM) • Configuration profile pushed • Device Enrollments Security providers • Malware detected/removed 
 (Microsoft Defender ATP, Malwarebytes)
zentral.pro Server / Cloud Event sources and types ‣ Outputs /var/log/… • File based - for most of the logs • Text data in files (rotated) • Log archives • Service logs (systemd / journalctl)
zentral.pro Server / Cloud Event sources and types ‣ Outputs /var/log/… • File based - for most of the logs • Text data in files (rotated) • Log archives • Service logs (systemd / journalctl)
• API (Jamf Pro, Microsoft Graph SecurityAPI) • Webhooks (Jamf Pro, Okta, …) • Files on a server 
 (i.e.Jamf Pro in custom deployment) • Blobs on a storage service • GUI + manual download • Events in a Message Broker 
 (Azure Event Hubs) zentral.pro Server / Cloud Event sources and types ‣ Outputs
zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Jamf Pro Search in browser or download
zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Jamf Pro Search and grep (keywords, errors, …)
zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Jamf Pro Search and grep (keywords, errors, …)
zentral.pro Event audit trail (sign-ins, edits or changes) Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Okta
zentral.pro Authentications (export json, csv) Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Duo
zentral.pro Sign-in Logs (export json, csv) Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Azure AD
zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Azure AD Sign-in Logs (export json, csv)
AV Activity / Remediation (export csv) Server / Cloud Event sources and types ‣ Outputs ‣ ATP Defender zentral.pro
• Build reports from CSV • Analyze/process JSON • Upload and repurpose event data • Share with other Teams • Store for Compliance (Backups) • Use to get support from a Vendor zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Post processing
zentral.pro Ship and collect the events
zentral.pro Problems / Issues Ship and collect the events ‣ Reality • Many different sources • Many different formats • No single place where to look at events / search for events • Too many events
• Elastic Stack (formerly ELK Stack) • Splunk • Sumo Logic • Stackdriver • Zentral • et.al zentral.pro Existing Solutions Ship and collect the events
zentral.pro Existing Solutions Ship and collect the events ‣ Log Facilities ‣ Stackdriver Logging
zentral.pro Existing Solutions Ship and collect the events ‣ Log Facilities ‣ Stackdriver Logging
zentral.pro Existing Solutions Ship and collect the events ‣ Log Facilities ‣ Stackdriver Logging
• Collect file based logs (by agents) • Run agents directly • RPC / HTTPS Osquery events to 
 Kolide or similar services • Unified logging to Elastic Stack on 
 Mac endpoints (i.e. Filebeat) zentral.pro How to connect the sources Ship and collect the events ‣ Endpoints
zentral.pro How to connect the sources Ship and collect the events ‣ Endpoints ‣ Agents • Read local file based logs • Build-in Modules • Pre-filter, Normalize events • Ship to Elastic Stack (Kibana, Logstash) Based on • Open source code - Beats family • Elastic core component • filebeat.yml config file FileBeat (by Elastic) FileBeat
Ship and collect the events zentral.pro How to connect the sources ‣ Endpoints ‣ Agents Endpoint logs to ElasticStack Subsystem shipped to Elastic Stack
zentral.pro How to connect the sources Ship and collect the events ‣ Server / Cloud • Internal routing 
 (Azure AD monitoring to Azure Sentinel) • Interconnect Services with Message 
 Brokers (Azure Event Hubs connect to Sumo Logic) • Webhooks to push event data 
 (Jamf, SimpleMDM) • API pulling data
 (Custom Apps for Reporting, Dashboards)
• Productive and Research Platform • Collect Events in parallel • Inventory (Jamf, Intune, Munki, et.all…) • Identity Providers (Okta, AzureAD) • Endpoint Agents (Santa, Osquery, Filebeat) • Normalize and attribute Event Data • Historic Data stored in Elastic Search • Connect with other Event Hubs 
 (Azure Event Hub, SIEM Systems) zentral.pro How to connect the sources Ship and collect the events ‣ Dedicated Event Hub Zentral (Open Source)
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing • Binary Auditing with Xnumon • Inspect a Software install and launch • Look into the local log file (JSON) • See process logs, with SHA-256 
 and code sigining informtation • Ship the logs to Elastic Stack (w/ FileBeat) • Run a quick filtering in Zentral • See filtered Events in Kibana UI DEMO #1
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing • Ship same log to a commercial SaaS • Look into events in the SaaS • Next level - interconnecting 
 Event Hubs and normalized event stream • See Events filtered in a SIEM 
 (Security Incident Event Management) DEMO #2
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
zentral.pro How to connect the sources Ship and collect the events ‣ Server / Cloud ‣ Log analytics • Managed Platform • High volume capability • Cost based on volume • SumoLogic • Splunk • DataDog • Elastic Cloud 
 et.al Commercial Log Analytics Benefits
zentral.pro How to connect the sources Ship and collect the events ‣ Server / Cloud ‣ EDR / SIEM Solutions • Managed Platform • High volume capability • ArcSite • Azure Sentinel • Chronicle Security • PaloAlto Cortex XDR • Q-Radar (IBM) 
 et.al Commercial SIEM Benefits
zentral.pro Conclusion
• Better organize event aggregation • Consolidate data in Event Hubs • SIEM alerting, Machine Learning 
 (too many sign-in errors, …) • Bring together the admins and the 
 security engineers zentral.pro What can be improved ‣ Benefits / Next Level Conclusion
zentral.pro What can be improved Conclusion “Bring together the admins and 
 the security engineers“ ‣ Benefits / Next Level
zentral.pro hi@zentral.pro zentral_io Support our open source development Q & A Thank you ! zentral.pro https://github.com/ zentralopensource/ MacSysAdmin-Conference-2019 https://int.zentral.pro https://www.patreon.com/zentral https://int.zentral.pro
zentral.pro MacSysAdmin 2019 zentral.pro

Recommended

Building Serverless Data Infrastructure in the AWS Cloud
Building Serverless Data Infrastructure in the AWS CloudBuilding Serverless Data Infrastructure in the AWS Cloud
Building Serverless Data Infrastructure in the AWS CloudRyan Plant
 
Scala eXchange: Building robust data pipelines in Scala
Scala eXchange: Building robust data pipelines in ScalaScala eXchange: Building robust data pipelines in Scala
Scala eXchange: Building robust data pipelines in ScalaAlexander Dean
 
Scaling horizontally on AWS
Scaling horizontally on AWSScaling horizontally on AWS
Scaling horizontally on AWSBozhidar Bozhanov
 
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsServerless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsAmazon Web Services
 
To Have Own Data Analytics Platform, Or NOT To
To Have Own Data Analytics Platform, Or NOT ToTo Have Own Data Analytics Platform, Or NOT To
To Have Own Data Analytics Platform, Or NOT ToSATOSHI TAGOMORI
 
IoT & Azure (EventHub)
IoT & Azure (EventHub)IoT & Azure (EventHub)
IoT & Azure (EventHub)Mirco Vanini
 
Techniques for scaling application with security and visibility in cloud
Techniques for scaling application with security and visibility in cloudTechniques for scaling application with security and visibility in cloud
Techniques for scaling application with security and visibility in cloudAkshay Mathur
 
Data Warehouses and Data Lakes
Data Warehouses and Data LakesData Warehouses and Data Lakes
Data Warehouses and Data LakesAmazon Web Services
 

Recommended

Building Serverless Data Infrastructure in the AWS Cloud
Building Serverless Data Infrastructure in the AWS CloudBuilding Serverless Data Infrastructure in the AWS Cloud
Building Serverless Data Infrastructure in the AWS CloudRyan Plant
 
Scala eXchange: Building robust data pipelines in Scala
Scala eXchange: Building robust data pipelines in ScalaScala eXchange: Building robust data pipelines in Scala
Scala eXchange: Building robust data pipelines in ScalaAlexander Dean
 
Scaling horizontally on AWS
Scaling horizontally on AWSScaling horizontally on AWS
Scaling horizontally on AWSBozhidar Bozhanov
 
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsServerless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsAmazon Web Services
 
To Have Own Data Analytics Platform, Or NOT To
To Have Own Data Analytics Platform, Or NOT ToTo Have Own Data Analytics Platform, Or NOT To
To Have Own Data Analytics Platform, Or NOT ToSATOSHI TAGOMORI
 
IoT & Azure (EventHub)
IoT & Azure (EventHub)IoT & Azure (EventHub)
IoT & Azure (EventHub)Mirco Vanini
 
Techniques for scaling application with security and visibility in cloud
Techniques for scaling application with security and visibility in cloudTechniques for scaling application with security and visibility in cloud
Techniques for scaling application with security and visibility in cloudAkshay Mathur
 
Data Warehouses and Data Lakes
Data Warehouses and Data LakesData Warehouses and Data Lakes
Data Warehouses and Data LakesAmazon Web Services
 
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADRTweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADRLucidworks
 
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"Fwdays
 
AWS Glue - let's get stuck in!
AWS Glue - let's get stuck in!AWS Glue - let's get stuck in!
AWS Glue - let's get stuck in!Chris Taylor
 
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...confluent
 
Better, faster, cheaper infrastructure with apache cloud stack and riak cs redux
Better, faster, cheaper infrastructure with apache cloud stack and riak cs reduxBetter, faster, cheaper infrastructure with apache cloud stack and riak cs redux
Better, faster, cheaper infrastructure with apache cloud stack and riak cs reduxJohn Burwell
 
Log Analysis At Scale
Log Analysis At ScaleLog Analysis At Scale
Log Analysis At ScaleAmazon Web Services
 
Kafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
Kafka and Stream Processing, Taking Analytics Real-time, Mike SpicerKafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
Kafka and Stream Processing, Taking Analytics Real-time, Mike Spicerconfluent
 
Perfect Norikra 2nd Season
Perfect Norikra 2nd SeasonPerfect Norikra 2nd Season
Perfect Norikra 2nd SeasonSATOSHI TAGOMORI
 
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...Amazon Web Services
 
Centralised logging with ELK stack
Centralised logging with ELK stackCentralised logging with ELK stack
Centralised logging with ELK stackSimon Hanmer
 
Cloud native data platform
Cloud native data platformCloud native data platform
Cloud native data platformLi Gao
 
Getting started with Azure Event Hubs and Stream Analytics services
Getting started with Azure Event Hubs and Stream Analytics servicesGetting started with Azure Event Hubs and Stream Analytics services
Getting started with Azure Event Hubs and Stream Analytics servicesVladimir Bychkov
 
Logisland "Event Mining at scale"
Logisland "Event Mining at scale"Logisland "Event Mining at scale"
Logisland "Event Mining at scale"Thomas Bailet
 
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin Databricks
 
Introduction to Amazon Athena
Introduction to Amazon AthenaIntroduction to Amazon Athena
Introduction to Amazon AthenaAmazon Web Services
 
Introduction to AWS Glue
Introduction to AWS Glue Introduction to AWS Glue
Introduction to AWS Glue Amazon Web Services
 
Aws meetup 20190427
Aws meetup 20190427Aws meetup 20190427
Aws meetup 20190427Sridevi Murugayen
 
Using Data Lakes
Using Data LakesUsing Data Lakes
Using Data LakesAmazon Web Services
 
AWS Cyber Security Best Practices
AWS Cyber Security Best PracticesAWS Cyber Security Best Practices
AWS Cyber Security Best PracticesDoiT International
 
How to win skeptics to aggregated logging using Vagrant and ELK
How to win skeptics to aggregated logging using Vagrant and ELKHow to win skeptics to aggregated logging using Vagrant and ELK
How to win skeptics to aggregated logging using Vagrant and ELKSkelton Thatcher Consulting Ltd
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 

More Related Content

What's hot

TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADRTweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADRLucidworks
 
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"Fwdays
 
AWS Glue - let's get stuck in!
AWS Glue - let's get stuck in!AWS Glue - let's get stuck in!
AWS Glue - let's get stuck in!Chris Taylor
 
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...confluent
 
Better, faster, cheaper infrastructure with apache cloud stack and riak cs redux
Better, faster, cheaper infrastructure with apache cloud stack and riak cs reduxBetter, faster, cheaper infrastructure with apache cloud stack and riak cs redux
Better, faster, cheaper infrastructure with apache cloud stack and riak cs reduxJohn Burwell
 
Kafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
Kafka and Stream Processing, Taking Analytics Real-time, Mike SpicerKafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
Kafka and Stream Processing, Taking Analytics Real-time, Mike Spicerconfluent
 
Perfect Norikra 2nd Season
Perfect Norikra 2nd SeasonPerfect Norikra 2nd Season
Perfect Norikra 2nd SeasonSATOSHI TAGOMORI
 
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...Amazon Web Services
 
Centralised logging with ELK stack
Centralised logging with ELK stackCentralised logging with ELK stack
Centralised logging with ELK stackSimon Hanmer
 
Cloud native data platform
Cloud native data platformCloud native data platform
Cloud native data platformLi Gao
 
Getting started with Azure Event Hubs and Stream Analytics services
Getting started with Azure Event Hubs and Stream Analytics servicesGetting started with Azure Event Hubs and Stream Analytics services
Getting started with Azure Event Hubs and Stream Analytics servicesVladimir Bychkov
 
Logisland "Event Mining at scale"
Logisland "Event Mining at scale"Logisland "Event Mining at scale"
Logisland "Event Mining at scale"Thomas Bailet
 
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin Databricks
 
AWS Cyber Security Best Practices
AWS Cyber Security Best PracticesAWS Cyber Security Best Practices
AWS Cyber Security Best PracticesDoiT International
 
How to win skeptics to aggregated logging using Vagrant and ELK
How to win skeptics to aggregated logging using Vagrant and ELKHow to win skeptics to aggregated logging using Vagrant and ELK
How to win skeptics to aggregated logging using Vagrant and ELKSkelton Thatcher Consulting Ltd
 

What's hot (20)

TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADRTweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
TweetMogaz - The Arabic Tweets Platform: Presented by Ahmed Adel, BADR
 
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
Дмитрий Лавриненко "Blockchain for Identity Management, based on Fast Big Data"
 
AWS Glue - let's get stuck in!
AWS Glue - let's get stuck in!AWS Glue - let's get stuck in!
AWS Glue - let's get stuck in!
 
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
Simplifying Event Streaming: Tools for Location Transparency and Data Evoluti...
 
Better, faster, cheaper infrastructure with apache cloud stack and riak cs redux
Better, faster, cheaper infrastructure with apache cloud stack and riak cs reduxBetter, faster, cheaper infrastructure with apache cloud stack and riak cs redux
Better, faster, cheaper infrastructure with apache cloud stack and riak cs redux
 
Log Analysis At Scale
Log Analysis At ScaleLog Analysis At Scale
Log Analysis At Scale
 
Kafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
Kafka and Stream Processing, Taking Analytics Real-time, Mike SpicerKafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
Kafka and Stream Processing, Taking Analytics Real-time, Mike Spicer
 
Perfect Norikra 2nd Season
Perfect Norikra 2nd SeasonPerfect Norikra 2nd Season
Perfect Norikra 2nd Season
 
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
AWS re:Invent 2016: Analyzing Streaming Data in Real-time with Amazon Kinesis...
 
Centralised logging with ELK stack
Centralised logging with ELK stackCentralised logging with ELK stack
Centralised logging with ELK stack
 
Cloud native data platform
Cloud native data platformCloud native data platform
Cloud native data platform
 
Getting started with Azure Event Hubs and Stream Analytics services
Getting started with Azure Event Hubs and Stream Analytics servicesGetting started with Azure Event Hubs and Stream Analytics services
Getting started with Azure Event Hubs and Stream Analytics services
 
Logisland "Event Mining at scale"
Logisland "Event Mining at scale"Logisland "Event Mining at scale"
Logisland "Event Mining at scale"
 
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
The Key to Machine Learning is Prepping the Right Data with Jean Georges Perrin
 
Introduction to Amazon Athena
Introduction to Amazon AthenaIntroduction to Amazon Athena
Introduction to Amazon Athena
 
Introduction to AWS Glue
Introduction to AWS Glue Introduction to AWS Glue
Introduction to AWS Glue
 
Aws meetup 20190427
Aws meetup 20190427Aws meetup 20190427
Aws meetup 20190427
 
Using Data Lakes
Using Data LakesUsing Data Lakes
Using Data Lakes
 
AWS Cyber Security Best Practices
AWS Cyber Security Best PracticesAWS Cyber Security Best Practices
AWS Cyber Security Best Practices
 
How to win skeptics to aggregated logging using Vagrant and ELK
How to win skeptics to aggregated logging using Vagrant and ELKHow to win skeptics to aggregated logging using Vagrant and ELK
How to win skeptics to aggregated logging using Vagrant and ELK
 

Similar to MacSysAdmin Conference 2019 - Logging

Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding Splunk
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
SANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceSANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceToni de la Fuente
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceToni de la Fuente
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout SessionSplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunk
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunk
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessToni de la Fuente
 
SplunkLive! Munich 2018: Data Onboarding Overview
SplunkLive! Munich 2018: Data Onboarding OverviewSplunkLive! Munich 2018: Data Onboarding Overview
SplunkLive! Munich 2018: Data Onboarding OverviewSplunk
 
SEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOpsSEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Toni de la Fuente
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...RootedCON
 
Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018Sumo Logic
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureDevSecCon
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic
 
Public private hybrid - cmdb challenge
Public private hybrid - cmdb challengePublic private hybrid - cmdb challenge
Public private hybrid - cmdb challengeryszardsshare
 

Similar to MacSysAdmin Conference 2019 - Logging (20)

Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
Data Onboarding
Data Onboarding Data Onboarding
Data Onboarding
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
SANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceSANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a Service
 
OWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a ServiceOWASP Atlanta 2018: Forensics as a Service
OWASP Atlanta 2018: Forensics as a Service
 
Data Onboarding Breakout Session
Data Onboarding Breakout SessionData Onboarding Breakout Session
Data Onboarding Breakout Session
 
SplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with SplunkSplunkLive! Presentation - Data Onboarding with Splunk
SplunkLive! Presentation - Data Onboarding with Splunk
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding OverviewSplunkLive! Frankfurt 2018 - Data Onboarding Overview
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
SplunkLive! Munich 2018: Data Onboarding Overview
SplunkLive! Munich 2018: Data Onboarding OverviewSplunkLive! Munich 2018: Data Onboarding Overview
SplunkLive! Munich 2018: Data Onboarding Overview
 
SEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOpsSEC303 Automating Security in Cloud Workloads with DevSecOps
SEC303 Automating Security in Cloud Workloads with DevSecOps
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Zentral london mac_ad_uk_2017
Zentral london mac_ad_uk_2017Zentral london mac_ad_uk_2017
Zentral london mac_ad_uk_2017
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security Analytics
 
Public private hybrid - cmdb challenge
Public private hybrid - cmdb challengePublic private hybrid - cmdb challenge
Public private hybrid - cmdb challenge
 

More from Henry Stamerjohann

JamfNation Roadshow Frankfurt-2019 - Security & Business Intelligence
JamfNation Roadshow Frankfurt-2019 - Security & Business IntelligenceJamfNation Roadshow Frankfurt-2019 - Security & Business Intelligence
JamfNation Roadshow Frankfurt-2019 - Security & Business IntelligenceHenry Stamerjohann
 
Google Santa In-Depth - a macOS security & logging tool
Google Santa In-Depth - a macOS security & logging toolGoogle Santa In-Depth - a macOS security & logging tool
Google Santa In-Depth - a macOS security & logging toolHenry Stamerjohann
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Henry Stamerjohann
 
Zentral - what's new? - MacDevOps:YVR 2017
Zentral - what's new? - MacDevOps:YVR 2017Zentral - what's new? - MacDevOps:YVR 2017
Zentral - what's new? - MacDevOps:YVR 2017Henry Stamerjohann
 
Zentral presentation MacAdmins meetup Univ. Utah
Zentral presentation MacAdmins meetup Univ. Utah Zentral presentation MacAdmins meetup Univ. Utah
Zentral presentation MacAdmins meetup Univ. Utah Henry Stamerjohann
 
Zentral combine power of osquery_santa
Zentral combine power of osquery_santaZentral combine power of osquery_santa
Zentral combine power of osquery_santaHenry Stamerjohann
 
Ansible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartAnsible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartHenry Stamerjohann
 

More from Henry Stamerjohann (9)

JamfNation Roadshow Frankfurt-2019 - Security & Business Intelligence
JamfNation Roadshow Frankfurt-2019 - Security & Business IntelligenceJamfNation Roadshow Frankfurt-2019 - Security & Business Intelligence
JamfNation Roadshow Frankfurt-2019 - Security & Business Intelligence
 
Google Santa In-Depth - a macOS security & logging tool
Google Santa In-Depth - a macOS security & logging toolGoogle Santa In-Depth - a macOS security & logging tool
Google Santa In-Depth - a macOS security & logging tool
 
Zentral QueryCon 2018
Zentral QueryCon 2018Zentral QueryCon 2018
Zentral QueryCon 2018
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
 
Zentral - what's new? - MacDevOps:YVR 2017
Zentral - what's new? - MacDevOps:YVR 2017Zentral - what's new? - MacDevOps:YVR 2017
Zentral - what's new? - MacDevOps:YVR 2017
 
Zentral presentation MacAdmins meetup Univ. Utah
Zentral presentation MacAdmins meetup Univ. Utah Zentral presentation MacAdmins meetup Univ. Utah
Zentral presentation MacAdmins meetup Univ. Utah
 
Zentral combine power of osquery_santa
Zentral combine power of osquery_santaZentral combine power of osquery_santa
Zentral combine power of osquery_santa
 
Zentral macaduk conf 2016
Zentral macaduk conf 2016Zentral macaduk conf 2016
Zentral macaduk conf 2016
 
Ansible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / QuickstartAnsible Meetup Hamburg / Quickstart
Ansible Meetup Hamburg / Quickstart
 

Recently uploaded

Digital Marketing Plan, how digital marketing works
Digital Marketing Plan, how digital marketing worksDigital Marketing Plan, how digital marketing works
Digital Marketing Plan, how digital marketing worksdeepakthakur548787
 
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...Jack Cole
 
Principles and Practices of Data Visualization
Principles and Practices of Data VisualizationPrinciples and Practices of Data Visualization
Principles and Practices of Data VisualizationKianJazayeri1
 
World Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdf
World Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdfWorld Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdf
World Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdfsimulationsindia
 
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxmodul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxaleedritatuxx
 
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdfEnglish-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdfblazblazml
 
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...Dr Arash Najmaei ( Phd., MBA, BSc)
 
Bank Loan Approval Analysis: A Comprehensive Data Analysis Project
Bank Loan Approval Analysis: A Comprehensive Data Analysis ProjectBank Loan Approval Analysis: A Comprehensive Data Analysis Project
Bank Loan Approval Analysis: A Comprehensive Data Analysis ProjectBoston Institute of Analytics
 
Cyber awareness ppt on the recorded data
Cyber awareness ppt on the recorded dataCyber awareness ppt on the recorded data
Cyber awareness ppt on the recorded dataTecnoIncentive
 
Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...
Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...
Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...Boston Institute of Analytics
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxMike Bennett
 
Decoding Patterns: Customer Churn Prediction Data Analysis Project
Decoding Patterns: Customer Churn Prediction Data Analysis ProjectDecoding Patterns: Customer Churn Prediction Data Analysis Project
Decoding Patterns: Customer Churn Prediction Data Analysis ProjectBoston Institute of Analytics
 
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis modelDecoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis modelBoston Institute of Analytics
 
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Boston Institute of Analytics
 
Real-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonReal-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonTimothy Spann
 
IBEF report on the Insurance market in India
IBEF report on the Insurance market in IndiaIBEF report on the Insurance market in India
IBEF report on the Insurance market in IndiaManalVerma4
 
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptxThe Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptxTasha Penwell
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Seán Kennedy
 

Recently uploaded (20)

Digital Marketing Plan, how digital marketing works
Digital Marketing Plan, how digital marketing worksDigital Marketing Plan, how digital marketing works
Digital Marketing Plan, how digital marketing works
 
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
 
Principles and Practices of Data Visualization
Principles and Practices of Data VisualizationPrinciples and Practices of Data Visualization
Principles and Practices of Data Visualization
 
World Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdf
World Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdfWorld Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdf
World Economic Forum Metaverse Ecosystem By Utpal Chakraborty.pdf
 
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxmodul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
 
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdfEnglish-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
 
Data Analysis Project: Stroke Prediction
Data Analysis Project: Stroke PredictionData Analysis Project: Stroke Prediction
Data Analysis Project: Stroke Prediction
 
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
 
Bank Loan Approval Analysis: A Comprehensive Data Analysis Project
Bank Loan Approval Analysis: A Comprehensive Data Analysis ProjectBank Loan Approval Analysis: A Comprehensive Data Analysis Project
Bank Loan Approval Analysis: A Comprehensive Data Analysis Project
 
Cyber awareness ppt on the recorded data
Cyber awareness ppt on the recorded dataCyber awareness ppt on the recorded data
Cyber awareness ppt on the recorded data
 
Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...
Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...
Data Analysis Project Presentation: Unveiling Your Ideal Customer, Bank Custo...
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptx
 
Insurance Churn Prediction Data Analysis Project
Insurance Churn Prediction Data Analysis ProjectInsurance Churn Prediction Data Analysis Project
Insurance Churn Prediction Data Analysis Project
 
Decoding Patterns: Customer Churn Prediction Data Analysis Project
Decoding Patterns: Customer Churn Prediction Data Analysis ProjectDecoding Patterns: Customer Churn Prediction Data Analysis Project
Decoding Patterns: Customer Churn Prediction Data Analysis Project
 
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis modelDecoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis model
 
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
 
Real-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonReal-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max Princeton
 
IBEF report on the Insurance market in India
IBEF report on the Insurance market in IndiaIBEF report on the Insurance market in India
IBEF report on the Insurance market in India
 
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptxThe Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...
 

MacSysAdmin Conference 2019 - Logging

  • 1. zentral.pro Logging About Needles in the Modern Haystack
  • 2. • Founded in Q1 2019 • Based in Germany • Small, skilled team • Professional Services
 Research and Development • Business & Enterprises customers • B2B Partners zentral.pro Who are we ?
  • 3. • Based in Hamburg, Germany • Zentral Pro Services (co-founder) • Started the Zentral open source Event Hub Project with Éric Falconnier 
 (co-founder) • Zentral was first shown in public at MacSysAdmin 2015 Henry Stamerjohann Who am I zentral.pro
  • 5. “A lot more events, from many 
 more sources…” zentral.pro Logs & Events Landscape ‣ Computing / Technology
  • 6. • Cloud Computing Platforms and SaaS • Linux (incl. ChromeOS) • Microsoft: • Azure, Intune, Windows 10
 (new norm, great integrations) • Apple: • macOS, iOS, iPadOS, tvOS • Client Management & MDM Provider
 (well known challenge w/ integrations) zentral.pro Logs & Events Landscape ‣ Computing / Technology
  • 7. “Where, when and what ? “ zentral.pro Logs & Events Landscape ‣ Computing / Technology
  • 8. • Created by apps, systems, network 
 and user activity • Event flow, time stamps, and Frequency • Common use: • Check-based fault detection • Log-based monitoring • Metrics-based monitoring • Collect telemetry data zentral.pro “Where, when 
 and what ? “ Logs & Events Landscape ‣ Computing / Technology
  • 10. OS • Installer • MDMclient • LaunchServices Software • Business apps • Other apps • Security Agents • Osquery • Santa • Xnumon zentral.pro On the endpoints Event sources and types ‣ Sources
  • 11. zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • OS • Multi Platform (Mac, Linux, Windows) • Cloud Native Foundation Project • Powerful Change Detection • SQL like view of the system Osquery Osquery Based on
  • 12. zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • Kernel extension • (soon) Security Extention • Binary Whitelisting / Blacklisting • TLS Server (Backend) • Dynamic Config • Local Log file Santa Google Santa Based on
  • 13. zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • Open BSM • Kernel extension • Log Information on • pid • path • ancestory • arguments • code-signing information • Trace activity (good/bad) Xnumon Based onXnumon
  • 14. zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: System Extensions
  • 15. zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: System Extensions
  • 16. zentral.pro On the endpoints Event sources and types ‣ Sources ‣ Security Agents: • (New) Apple Endpoint Security System • (New) Apple Network Extension framework • Clients can Subscribe to Endpoint Security System and Network Extension • Option to make decisions • New version of Security and Firewall applications Based on System Extensions System Extensions
  • 17. zentral.pro • Written to File • Written to local Database • Written to a Backend • Transferred by an Agent On the endpoints Event sources and types ‣ Outputs
  • 18. zentral.pro On the endpoints Event sources and types ‣ Outputs /Library/Logs/… /var/log/… File based - the “classic” use case • mostly with not so well integrated apps • Text data in files (rotated) • Sometimes JSON (1 object per line) ‣ File based
  • 19. zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ File based
  • 20. zentral.pro On the endpoints Event sources and types ‣ Outputs OS log facilities - for OS and well behaved / integrated apps • Apple Unified Logging • More structure • JSON output possible • Configurable persistence • Syslog (old in macOS) ‣ OS log facility
  • 21. zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ Unified Logging In-memory or persist 
 into .tracev3 files
  • 22. zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ Unified Logging In-memory or persist 
 into .tracev3 files
  • 23. zentral.pro --predicate Filter element (subsystem type) --debug Details depth Formatting (json)--style On the endpoints Event sources and types ‣ Outputs ‣ Unified Logging
  • 24. zentral.pro On the endpoints Event sources and types ‣ Outputs OS log facilities - for OS and well behaved / integrated apps • Apple Unified Logging • More structure • JSON output possible • Configurable persistence • Syslog (old in macOS) ‣ Unified Logging Howard Oakley @ Electriclight Company https://eclecticlight.co/ 2018/03/19/macos-unified-log-1- why-what-and-how/
  • 25. • JSON payload posted on a HTTPS endpoint (Osquery, Santa,…) • Publish to Kafka (Osquery) • Other custom variants… zentral.pro On the endpoints Event sources and types ‣ Outputs ‣ Custom
  • 26. zentral.pro Server / Cloud Event sources and types ‣ Sources Identity Provider • Sign-ins / Sign-in errors (AzureAD, Okta, …) Inventory • Computer check-in (Jamf Pro, WorkspaceOne, …) • Group changes (SimpleMDM, Jamf Pro, …) MDM (SaaS, open source MDM) • Configuration profile pushed • Device Enrollments Security providers • Malware detected/removed 
 (Microsoft Defender ATP, Malwarebytes)
  • 27. zentral.pro Server / Cloud Event sources and types ‣ Outputs /var/log/… • File based - for most of the logs • Text data in files (rotated) • Log archives • Service logs (systemd / journalctl)
  • 28. zentral.pro Server / Cloud Event sources and types ‣ Outputs /var/log/… • File based - for most of the logs • Text data in files (rotated) • Log archives • Service logs (systemd / journalctl)
  • 29. • API (Jamf Pro, Microsoft Graph SecurityAPI) • Webhooks (Jamf Pro, Okta, …) • Files on a server 
 (i.e.Jamf Pro in custom deployment) • Blobs on a storage service • GUI + manual download • Events in a Message Broker 
 (Azure Event Hubs) zentral.pro Server / Cloud Event sources and types ‣ Outputs
  • 30. zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Jamf Pro Search in browser or download
  • 31. zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Jamf Pro Search and grep (keywords, errors, …)
  • 32. zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Jamf Pro Search and grep (keywords, errors, …)
  • 33. zentral.pro Event audit trail (sign-ins, edits or changes) Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Okta
  • 34. zentral.pro Authentications (export json, csv) Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Duo
  • 35. zentral.pro Sign-in Logs (export json, csv) Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Azure AD
  • 36. zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ IDP - Azure AD Sign-in Logs (export json, csv)
  • 37. AV Activity / Remediation (export csv) Server / Cloud Event sources and types ‣ Outputs ‣ ATP Defender zentral.pro
  • 38. • Build reports from CSV • Analyze/process JSON • Upload and repurpose event data • Share with other Teams • Store for Compliance (Backups) • Use to get support from a Vendor zentral.pro Server / Cloud Event sources and types ‣ Outputs ‣ Post processing
  • 40. zentral.pro Problems / Issues Ship and collect the events ‣ Reality • Many different sources • Many different formats • No single place where to look at events / search for events • Too many events
  • 41. • Elastic Stack (formerly ELK Stack) • Splunk • Sumo Logic • Stackdriver • Zentral • et.al zentral.pro Existing Solutions Ship and collect the events
  • 42. zentral.pro Existing Solutions Ship and collect the events ‣ Log Facilities ‣ Stackdriver Logging
  • 43. zentral.pro Existing Solutions Ship and collect the events ‣ Log Facilities ‣ Stackdriver Logging
  • 44. zentral.pro Existing Solutions Ship and collect the events ‣ Log Facilities ‣ Stackdriver Logging
  • 45. • Collect file based logs (by agents) • Run agents directly • RPC / HTTPS Osquery events to 
 Kolide or similar services • Unified logging to Elastic Stack on 
 Mac endpoints (i.e. Filebeat) zentral.pro How to connect the sources Ship and collect the events ‣ Endpoints
  • 46. zentral.pro How to connect the sources Ship and collect the events ‣ Endpoints ‣ Agents • Read local file based logs • Build-in Modules • Pre-filter, Normalize events • Ship to Elastic Stack (Kibana, Logstash) Based on • Open source code - Beats family • Elastic core component • filebeat.yml config file FileBeat (by Elastic) FileBeat
  • 47. Ship and collect the events zentral.pro How to connect the sources ‣ Endpoints ‣ Agents Endpoint logs to ElasticStack Subsystem shipped to Elastic Stack
  • 48. zentral.pro How to connect the sources Ship and collect the events ‣ Server / Cloud • Internal routing 
 (Azure AD monitoring to Azure Sentinel) • Interconnect Services with Message 
 Brokers (Azure Event Hubs connect to Sumo Logic) • Webhooks to push event data 
 (Jamf, SimpleMDM) • API pulling data
 (Custom Apps for Reporting, Dashboards)
  • 49. • Productive and Research Platform • Collect Events in parallel • Inventory (Jamf, Intune, Munki, et.all…) • Identity Providers (Okta, AzureAD) • Endpoint Agents (Santa, Osquery, Filebeat) • Normalize and attribute Event Data • Historic Data stored in Elastic Search • Connect with other Event Hubs 
 (Azure Event Hub, SIEM Systems) zentral.pro How to connect the sources Ship and collect the events ‣ Dedicated Event Hub Zentral (Open Source)
  • 50. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing • Binary Auditing with Xnumon • Inspect a Software install and launch • Look into the local log file (JSON) • See process logs, with SHA-256 
 and code sigining informtation • Ship the logs to Elastic Stack (w/ FileBeat) • Run a quick filtering in Zentral • See filtered Events in Kibana UI DEMO #1
  • 51. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
  • 52. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
  • 53. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
  • 54. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
  • 55. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
  • 56. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 1 Binary Auditing
  • 57. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing • Ship same log to a commercial SaaS • Look into events in the SaaS • Next level - interconnecting 
 Event Hubs and normalized event stream • See Events filtered in a SIEM 
 (Security Incident Event Management) DEMO #2
  • 58. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 59. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 60. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 61. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 62. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 63. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 64. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 65. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 66. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 67. zentral.pro How to connect the sources Ship and collect the events ‣ Demo 2 Binary Auditing
  • 68. zentral.pro How to connect the sources Ship and collect the events ‣ Server / Cloud ‣ Log analytics • Managed Platform • High volume capability • Cost based on volume • SumoLogic • Splunk • DataDog • Elastic Cloud 
 et.al Commercial Log Analytics Benefits
  • 69. zentral.pro How to connect the sources Ship and collect the events ‣ Server / Cloud ‣ EDR / SIEM Solutions • Managed Platform • High volume capability • ArcSite • Azure Sentinel • Chronicle Security • PaloAlto Cortex XDR • Q-Radar (IBM) 
 et.al Commercial SIEM Benefits
  • 71. • Better organize event aggregation • Consolidate data in Event Hubs • SIEM alerting, Machine Learning 
 (too many sign-in errors, …) • Bring together the admins and the 
 security engineers zentral.pro What can be improved ‣ Benefits / Next Level Conclusion
  • 72. zentral.pro What can be improved Conclusion “Bring together the admins and 
 the security engineers“ ‣ Benefits / Next Level
  • 73. zentral.pro hi@zentral.pro zentral_io Support our open source development Q & A Thank you ! zentral.pro https://github.com/ zentralopensource/ MacSysAdmin-Conference-2019 https://int.zentral.pro https://www.patreon.com/zentral https://int.zentral.pro