Elk its big log season

Copyright © 2015, SAS Institute Inc. All rights reserv ed.
ELK: IT'S BIG LOG SEASON
LOGGING FROM A TO Z

WHO WE ARE
• Brian Wilson
• Information Security Manager at SAS
• UNIX Sys Admin, Network Engineer, Infosec Engineer
• Family, Mac/Linux, Coding, Automation, Long walks on the beach
• @brianwilson / https://github.com/bdwilson
• Eric Luellen
• Sr. Information Security Engineer at SAS
• Open source technologies, network security monitoring, active defenses
• Snowboarding, volleyball, basketball, anything away from a computer
• @ericl42 / https://github.com/ericl42

WHY DO WE CARE ABOUT LOGS?
• Regulatory & compliance requirements
• HIPAA, SOX, PCI
• Troubleshooting
• Incident Response
• Proactive resource planning
• Logs are the building blocks of other projects
• Prove value of log data for future technology investment!

SO WHY HAVEN’T WE DONE ANYTHING
• Resources – Time, Money, & People
• Volume of data
• Disparate sources, formatting issues
• Application logs don’t follow same standard as OS logs
• Cooperation from other groups
• Unsure how to obtain and locate sources

WHAT ARE THE REQUIREMENTS?
• Simple to use
• The goal is to reduce the reaction time and make it easier to track down a
problem, resolve an incident, or search for some data point.
• Scalable
• As log sources and events/second grow, your solution has to scale as well.
• Expandable
• Easy to incorporate or feed into other systems.
• Notifications/Alerting
• Know when your log sources are deviating from defined criteria.

LOGISTICAL PREPARATION
• Identify the data sources
• Authentication Failures/Success
• UNIX, Windows, DLP, Anti-Virus, Web,
Applications…
• Configure sources for proper logging
• Determine location of syslog collector(s)
• DMZ, Cloud...
• Open firewall port(s)

ARCHITECTURE

HOW DO WE GET THE LOGS THERE?
• UNIX
• Local syslog settings
• auth.*;authpriv.* @syslog.domain.net
• Agent based (Nxlog)
• Windows
• Agent based (Nxlog)

NXLOG EXAMPLE
<Input in>
Module im_msvistalog
ReadFromLastTrue
Query <QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID='4624')]]</Select>
<Select Path="Security">*[System[(EventID='4625')]]</Select>
</Query>
</QueryList>
Exec to_syslog_bsd();
Exec if $raw_event =~ /Account Name:s+S+$s+Account Domain:/ drop();
else if $raw_event =~ /^(.+)Detailed Authentication Information:/ $raw_event = $1; if $raw_event =~ s/t/ /g {}
</Input>
<Output out>
Module om_udp
Host X.X.X.X
Port 2514
</Output>
<Route 1>
Path in => out
</Route>

• Basic aggregation of logs
• Filters and funnels logs as needed
• Ability to send to various locations
• Configured using syslog-ng.conf file

SYSLOG-NG CONFIGURATION
source s_remote_logs_unix {
udp(port(514) so_rcvbuf(67108864)); };
destination d_hosts_unix {
file("/mnt/logs/UNIX/$YEAR-$MONTH-$DAY-sys01.log"
dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_remote_server {
udp("192.168.1.20" port(1234) spoof_source(yes) ); };
filter f_trash { (match("some specific expression")
or match("asdfjkl;")
or host("server1.domain.net") and match("xxx") ); };
log { source(s_remote_logs_unix); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_unix); destination(d_remote_server); };
log { source(s_remote_logs_unix); destination(d_hosts_unix); };

• Inputs
Processes logs of all shapes and sizes
• Filters
• Allows you to parse and transform the logs
• Can easily support custom log formats
• Outputs
• Send the new “pretty” logs wherever you want

CUSTOM LOGSTASH CONFIG
input {
file {
type => "video-syslog"
exclude => ["*.gz"]
start_position => "end"
path => [ "/mnt/logs/video/*.log"] } }
filter {
grok {
overwrite => [ "message", "host" ]
match => [
"message", "%{DATESTAMP:timestamp} %{PROG:program} %{WORD:status} %{NUMBER:priority:float} %{GREEDYDATA:creation} %{INT:bytes}
%{INT:hitcount} %{GREEDYDATA:url} /disk%{GREEDYDATA:location}",
"message", "%{HOST:host} %{GREEDYDATA:url} %{INT:bytes_sent} %{INT:obj_size} %{INT:bytes_recvd} %{WORD:method} %{INT:status}
[%{DATA:time_recvd}+0000] %{INT:time_to_serve}“ ]
add_tag => [ "bytes", "hitcount", "url", "location" ]
tag_on_failure => [] } }
output {
elasticsearch {
protocol => "node"
host => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net"
cluster => "my-elasticsearch-cluster"
index => "video-%{+YYYY.MM.dd}“ } }

NETFLOW LOGSTASH CONFIG
input {
udp {
port => 9996
codec => netflow {
definitions => "/etc/logstash/logstash-1.4.2/lib/logstash/codecs/netflow/netflow.yaml" } } }
output {
stdout { codec => rubydebug }
if ( [host] =~ "10..*" or [host] =~ "1.1.1.1") {
elasticsearch {
embedded => "false"
protocol => "node"
index => "netflow-hq-%{+YYYY.MM.dd}" } }
else {
elasticsearch {
embedded => "false"
protocol => "node"
index => "netflow-remote-%{+YYYY.MM.dd}" } } }

• Architecture
• Easily scalable
• High availability
• Multi-tenancy
• Searching
• Based off of Lucene
• Real time search and analytics engine
• RESTful API

• Graphical representation of the logs
• Provides the user’s “pretty” interface
• Customizable dashboards
• Connects directly to Elasticsearch

HTTPD CONFIG
<Directory /var/www/html/kibana>
SSLRequireSSL
</Directory>
ProxyRequests off
ProxyPass /elasticsearch/ http://192.168.1.10:9200/
<Location /elasticsearch/>
ProxyPassReverse /
SSLRequireSSL
</Location>
<AuthnProviderAlias ldap ldap-domain>
AuthLDAPURL
"ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName??(!(user
AccountControl:1.2.840.113556.1.4.803:=2))"
AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com"
AuthLDAPBindPassword ThisIsthePassword
</AuthnProviderAlias>
<Location /kibana-helpdesk>
AuthType Basic
AuthName "USE WINDOWS PASSWORD"
AuthBasicProvider ldap-domain
AuthLDAPRemoteUserAttribute sAMAccountName
AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com"
AuthLDAPBindPassword ThisIsthePassword
AuthLDAPURL
"ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName"
Require ldap-group CN=Help Desk,OU=Groups,DC=XX,DC=YYY,DC=com
Require ldap-group CN=Security
Team,OU=Groups,DC=XX,DC=YYY,DC=com
order allow,deny
allow from all

• Meant to be a HIDS solution
• Log analysis
• File integrity checking
• Policy monitoring
• Rootkit detection
• Real-time alerting & active response
• Has it’s own web UI
• Uses basic logic to correlate and alert on specific events

OSSEC RULE EXAMPLE
<rule id="100100" level="0">
<decoded_as>aaa-logins</decoded_as>
<description>Group of AAA rules.</description>
</rule>
<rule id="100101" level="5">
<if_sid>100100</if_sid>
<match>Failed-Attempt|Authen failed</match>
<description>AAA authentication failures.</description>
</rule>
<rule id="100102" level="10" frequency="10" timeframe="120">
<if_matched_sid>100101</if_matched_sid>
<same_user />
<description>Multiple AAA authentication failures.</description>
</rule>

MAINTENANCE & UPKEEP
• Syslog-ng
• Bash scripts for combining and aging
out files
• Elasticsearch
• Curator, Elastic HQ, curl scripts
• Logstash
• Logrotate, init.d scripts to launch instances
• OSSEC
• Stay up-to-date on rules and create custom rules as needed

WHERE DO WE GO FROM HERE?
• Everyone has logs and a need to deal with them
• Share your solution with the groups that provided logs and
support orgs – may require custom pages to limit info
• Develop your work plan to review visual and OSSEC alerts
• Build response & monitoring capabilities
• Show value of logs to the org for future tools

Elk its big log season

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Elk its big log season

Ähnlich wie Elk its big log season (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Elk its big log season