Suche senden
Hochladen
Elk its big log season
•
0 gefällt mir
•
597 views
Eric Luellen
Folgen
InfoSeCon 2015 presentation by @ericl42 and @brianwilson.
Weniger lesen
Mehr lesen
Technologie
Diashow-Anzeige
Melden
Teilen
Diashow-Anzeige
Melden
Teilen
1 von 24
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
Cassandra Day SV 2014: Infinite Session Clustering with Apache Cassandra
Cassandra Day SV 2014: Infinite Session Clustering with Apache Cassandra
DataStax Academy
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
Managing secrets at scale
Managing secrets at scale
Alex Schoof
Icinga 2 at Icinga Camp San Francisco
Icinga 2 at Icinga Camp San Francisco
Icinga
Empfohlen
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh
clevernetsystemsgeneva
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
Cassandra Day SV 2014: Infinite Session Clustering with Apache Cassandra
Cassandra Day SV 2014: Infinite Session Clustering with Apache Cassandra
DataStax Academy
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
Managing secrets at scale
Managing secrets at scale
Alex Schoof
Icinga 2 at Icinga Camp San Francisco
Icinga 2 at Icinga Camp San Francisco
Icinga
Hashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
Why favor Icinga over Nagios @ DebConf15
Why favor Icinga over Nagios @ DebConf15
Icinga
Icinga lsm 2015 copy
Icinga lsm 2015 copy
NETWAYS
Vault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
ChatOps with Icinga and StackStorm
ChatOps with Icinga and StackStorm
Icinga
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
OlinData
Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015
em_mu
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Steve Loughran
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
HashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
MySQL 8.0.18 - New Features Summary
MySQL 8.0.18 - New Features Summary
Olivier DASINI
Introduction to Shield and kibana
Introduction to Shield and kibana
Knoldus Inc.
Why favour Icinga over Nagios @ FrOSCon 2015
Why favour Icinga over Nagios @ FrOSCon 2015
Icinga
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
AzureEzy1
Azure key vault - Brisbane User Group
Azure key vault - Brisbane User Group
Rahul Nath
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
Introducing Vault
Introducing Vault
Ramit Surana
Vault 101
Vault 101
Hazzim Anaya
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
Rails Security
Rails Security
Wen-Tien Chang
Weitere ähnliche Inhalte
Was ist angesagt?
Hashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
Why favor Icinga over Nagios @ DebConf15
Why favor Icinga over Nagios @ DebConf15
Icinga
Icinga lsm 2015 copy
Icinga lsm 2015 copy
NETWAYS
Vault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda
ChatOps with Icinga and StackStorm
ChatOps with Icinga and StackStorm
Icinga
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
OlinData
Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015
em_mu
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Steve Loughran
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
HashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
Michał Czeraszkiewicz
MySQL 8.0.18 - New Features Summary
MySQL 8.0.18 - New Features Summary
Olivier DASINI
Introduction to Shield and kibana
Introduction to Shield and kibana
Knoldus Inc.
Why favour Icinga over Nagios @ FrOSCon 2015
Why favour Icinga over Nagios @ FrOSCon 2015
Icinga
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
AzureEzy1
Azure key vault - Brisbane User Group
Azure key vault - Brisbane User Group
Rahul Nath
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
Introducing Vault
Introducing Vault
Ramit Surana
Vault 101
Vault 101
Hazzim Anaya
Was ist angesagt?
(20)
Hashicorp Vault ppt
Hashicorp Vault ppt
Why favor Icinga over Nagios @ DebConf15
Why favor Icinga over Nagios @ DebConf15
Icinga lsm 2015 copy
Icinga lsm 2015 copy
Vault - Secret and Key Management
Vault - Secret and Key Management
ChatOps with Icinga and StackStorm
ChatOps with Icinga and StackStorm
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
Shield talk elasticsearch meetup Zurich 27.05.2015
Shield talk elasticsearch meetup Zurich 27.05.2015
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
HashiCorp's Vault - The Examples
HashiCorp's Vault - The Examples
MySQL 8.0.18 - New Features Summary
MySQL 8.0.18 - New Features Summary
Introduction to Shield and kibana
Introduction to Shield and kibana
Why favour Icinga over Nagios @ FrOSCon 2015
Why favour Icinga over Nagios @ FrOSCon 2015
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
Azure key vault - Brisbane User Group
Azure key vault - Brisbane User Group
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Introducing Vault
Introducing Vault
Vault 101
Vault 101
Ähnlich wie Elk its big log season
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
Rails Security
Rails Security
Wen-Tien Chang
The top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek
PROIDEA
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic Stack
Jakub Hajek
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance Schema
Mark Leith
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi
Real time monitoring-alerting: storing 2Tb of logs a day in Elasticsearch
Real time monitoring-alerting: storing 2Tb of logs a day in Elasticsearch
Ali Kheyrollahi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
Aman Kohli
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
Amazon Web Services
From zero to hero - Easy log centralization with Logstash and Elasticsearch
From zero to hero - Easy log centralization with Logstash and Elasticsearch
Rafał Kuć
From Zero to Hero - Centralized Logging with Logstash & Elasticsearch
From Zero to Hero - Centralized Logging with Logstash & Elasticsearch
Sematext Group, Inc.
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
Tobias Koprowski
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
Tobias Koprowski
Figaro
Figaro
Endpoint Systems
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Amazon Web Services
Introduction to Apache NiFi 1.11.4
Introduction to Apache NiFi 1.11.4
Timothy Spann
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
Andrey Devyatkin
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
Ähnlich wie Elk its big log season
(20)
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Rails Security
Rails Security
The top 10 security issues in web applications
The top 10 security issues in web applications
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack - Jakub Hajek
Docker Logging and analysing with Elastic Stack
Docker Logging and analysing with Elastic Stack
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance Schema
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Real time monitoring-alerting: storing 2Tb of logs a day in Elasticsearch
Real time monitoring-alerting: storing 2Tb of logs a day in Elasticsearch
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Being HAPI! Reverse Proxying on Purpose
Being HAPI! Reverse Proxying on Purpose
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
From zero to hero - Easy log centralization with Logstash and Elasticsearch
From zero to hero - Easy log centralization with Logstash and Elasticsearch
From Zero to Hero - Centralized Logging with Logstash & Elasticsearch
From Zero to Hero - Centralized Logging with Logstash & Elasticsearch
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
Figaro
Figaro
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Introduction to Apache NiFi 1.11.4
Introduction to Apache NiFi 1.11.4
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Kürzlich hochgeladen
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Maria Levchenko
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Results
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Radu Cotescu
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Pixlogix Infotech
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Kürzlich hochgeladen
(20)
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Elk its big log season
1.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. ELK: IT'S BIG LOG SEASON LOGGING FROM A TO Z
2.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. WHO WE ARE • Brian Wilson • Information Security Manager at SAS • UNIX Sys Admin, Network Engineer, Infosec Engineer • Family, Mac/Linux, Coding, Automation, Long walks on the beach • @brianwilson / https://github.com/bdwilson • Eric Luellen • Sr. Information Security Engineer at SAS • Open source technologies, network security monitoring, active defenses • Snowboarding, volleyball, basketball, anything away from a computer • @ericl42 / https://github.com/ericl42
3.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. WHY DO WE CARE ABOUT LOGS? • Regulatory & compliance requirements • HIPAA, SOX, PCI • Troubleshooting • Incident Response • Proactive resource planning • Logs are the building blocks of other projects • Prove value of log data for future technology investment!
4.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. SO WHY HAVEN’T WE DONE ANYTHING • Resources – Time, Money, & People • Volume of data • Disparate sources, formatting issues • Application logs don’t follow same standard as OS logs • Cooperation from other groups • Unsure how to obtain and locate sources
5.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. WHAT ARE THE REQUIREMENTS? • Simple to use • The goal is to reduce the reaction time and make it easier to track down a problem, resolve an incident, or search for some data point. • Scalable • As log sources and events/second grow, your solution has to scale as well. • Expandable • Easy to incorporate or feed into other systems. • Notifications/Alerting • Know when your log sources are deviating from defined criteria.
6.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. LOGISTICAL PREPARATION • Identify the data sources • Authentication Failures/Success • UNIX, Windows, DLP, Anti-Virus, Web, Applications… • Configure sources for proper logging • Determine location of syslog collector(s) • DMZ, Cloud... • Open firewall port(s)
7.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. ARCHITECTURE
8.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. HOW DO WE GET THE LOGS THERE? • UNIX • Local syslog settings • auth.*;authpriv.* @syslog.domain.net • Agent based (Nxlog) • Windows • Agent based (Nxlog)
9.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. NXLOG EXAMPLE <Input in> Module im_msvistalog ReadFromLastTrue Query <QueryList> <Query Id="0"> <Select Path="Security">*[System[(EventID='4624')]]</Select> <Select Path="Security">*[System[(EventID='4625')]]</Select> </Query> </QueryList> Exec to_syslog_bsd(); Exec if $raw_event =~ /Account Name:s+S+$s+Account Domain:/ drop(); else if $raw_event =~ /^(.+)Detailed Authentication Information:/ $raw_event = $1; if $raw_event =~ s/t/ /g {} </Input> <Output out> Module om_udp Host X.X.X.X Port 2514 </Output> <Route 1> Path in => out </Route>
10.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. • Basic aggregation of logs • Filters and funnels logs as needed • Ability to send to various locations • Configured using syslog-ng.conf file
11.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. SYSLOG-NG CONFIGURATION source s_remote_logs_unix { udp(port(514) so_rcvbuf(67108864)); }; destination d_hosts_unix { file("/mnt/logs/UNIX/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); }; destination d_remote_server { udp("192.168.1.20" port(1234) spoof_source(yes) ); }; filter f_trash { (match("some specific expression") or match("asdfjkl;") or host("server1.domain.net") and match("xxx") ); }; log { source(s_remote_logs_unix); filter(f_trash); destination(d_junk); flags(final); }; log { source(s_remote_logs_unix); destination(d_remote_server); }; log { source(s_remote_logs_unix); destination(d_hosts_unix); };
12.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. • Inputs Processes logs of all shapes and sizes • Filters • Allows you to parse and transform the logs • Can easily support custom log formats • Outputs • Send the new “pretty” logs wherever you want
13.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. CUSTOM LOGSTASH CONFIG input { file { type => "video-syslog" exclude => ["*.gz"] start_position => "end" path => [ "/mnt/logs/video/*.log"] } } filter { grok { overwrite => [ "message", "host" ] match => [ "message", "%{DATESTAMP:timestamp} %{PROG:program} %{WORD:status} %{NUMBER:priority:float} %{GREEDYDATA:creation} %{INT:bytes} %{INT:hitcount} %{GREEDYDATA:url} /disk%{GREEDYDATA:location}", "message", "%{HOST:host} %{GREEDYDATA:url} %{INT:bytes_sent} %{INT:obj_size} %{INT:bytes_recvd} %{WORD:method} %{INT:status} [%{DATA:time_recvd}+0000] %{INT:time_to_serve}“ ] add_tag => [ "bytes", "hitcount", "url", "location" ] tag_on_failure => [] } } output { elasticsearch { protocol => "node" host => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net" cluster => "my-elasticsearch-cluster" index => "video-%{+YYYY.MM.dd}“ } }
14.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. NETFLOW LOGSTASH CONFIG input { udp { port => 9996 codec => netflow { definitions => "/etc/logstash/logstash-1.4.2/lib/logstash/codecs/netflow/netflow.yaml" } } } output { stdout { codec => rubydebug } if ( [host] =~ "10..*" or [host] =~ "1.1.1.1") { elasticsearch { embedded => "false" protocol => "node" host => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net" cluster => "my-elasticsearch-cluster" index => "netflow-hq-%{+YYYY.MM.dd}" } } else { elasticsearch { embedded => "false" protocol => "node" host => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net" cluster => "my-elasticsearch-cluster" index => "netflow-remote-%{+YYYY.MM.dd}" } } }
15.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. • Architecture • Easily scalable • High availability • Multi-tenancy • Searching • Based off of Lucene • Real time search and analytics engine • RESTful API
16.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. • Graphical representation of the logs • Provides the user’s “pretty” interface • Customizable dashboards • Connects directly to Elasticsearch
17.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. HTTPD CONFIG <Directory /var/www/html/kibana> SSLRequireSSL </Directory> ProxyRequests off ProxyPass /elasticsearch/ http://192.168.1.10:9200/ <Location /elasticsearch/> ProxyPassReverse / SSLRequireSSL </Location> <AuthnProviderAlias ldap ldap-domain> AuthLDAPURL "ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName??(!(user AccountControl:1.2.840.113556.1.4.803:=2))" AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com" AuthLDAPBindPassword ThisIsthePassword </AuthnProviderAlias> <Location /kibana-helpdesk> AuthType Basic AuthName "USE WINDOWS PASSWORD" AuthBasicProvider ldap-domain AuthLDAPRemoteUserAttribute sAMAccountName AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com" AuthLDAPBindPassword ThisIsthePassword AuthLDAPURL "ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName" Require ldap-group CN=Help Desk,OU=Groups,DC=XX,DC=YYY,DC=com Require ldap-group CN=Security Team,OU=Groups,DC=XX,DC=YYY,DC=com order allow,deny allow from all
18.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. http://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics
19.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed.
20.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. • Meant to be a HIDS solution • Log analysis • File integrity checking • Policy monitoring • Rootkit detection • Real-time alerting & active response • Has it’s own web UI • Uses basic logic to correlate and alert on specific events
21.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. OSSEC RULE EXAMPLE <rule id="100100" level="0"> <decoded_as>aaa-logins</decoded_as> <description>Group of AAA rules.</description> </rule> <rule id="100101" level="5"> <if_sid>100100</if_sid> <match>Failed-Attempt|Authen failed</match> <description>AAA authentication failures.</description> </rule> <rule id="100102" level="10" frequency="10" timeframe="120"> <if_matched_sid>100101</if_matched_sid> <same_user /> <description>Multiple AAA authentication failures.</description> </rule>
22.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. MAINTENANCE & UPKEEP • Syslog-ng • Bash scripts for combining and aging out files • Elasticsearch • Curator, Elastic HQ, curl scripts • Logstash • Logrotate, init.d scripts to launch instances • OSSEC • Stay up-to-date on rules and create custom rules as needed
23.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed. WHERE DO WE GO FROM HERE? • Everyone has logs and a need to deal with them • Share your solution with the groups that provided logs and support orgs – may require custom pages to limit info • Develop your work plan to review visual and OSSEC alerts • Build response & monitoring capabilities • Show value of logs to the org for future tools
24.
Copyright © 2015,
SAS Institute Inc. All rights reserv ed.
Jetzt herunterladen