Central Log Management
Stefan Coetzee
Senior Technical Specialist
Technical Support Services – Computing Platforms
Information & Communication Technology Services
University of Cape Town
Splunk
Splunk Enterprise is a solution for collecting, analyzing and monitoring machine data. It
also provides visualization and reporting features, and can alert on the data it gathers.
Splunk Features
Collect & Index Machine Data
Collect and index data from almost any source, including log files, TCP/UDP data
streams, the Windows event log, syslog and many more.
Search & Investigate
Powerful searching and analytics platform to filter through data and correlate events.
Monitor & Alert
Building on the power of the search engine, build monitors and alerts that trigger on
certain events. Trigger emails or 3rd party scripts on alerts.
Report & Analyze
Build reports and send them to stakeholders. Embed charts into 3rd party
applications to give broader accessibility with drilldown support.
Custom Views and Dashboard
Build dashboards and views that meet the needs of different user groups.
Splunk Apps
Use prebuilt dashboards, views, reports, collectors, monitors and alerts that are
bundled into a Splunk App, for a quick ROI.
Splunk Features (cont.)
Role Based Security
Only give access to data as required, audit access to data and integrate with existing
LDAP infrastructure for authentication.
Splunk Pros & Cons
Pros
• Feature rich
• Large community
• Fast (Very Fast)
Cons
• Expensive (Very expensive as Enterprise Apps are no longer part of base subscription)
• Licensing per GB not server based
Deployment @ UCT
Dashboards – CAS
Dashboards – DC Power
Dashboards – EXIM
Alerts
Eduroam Usage
Monitors eduroam login sessions and flags users authenticating from too many devices.
Alert: triggers an email to the service desk; working on ServiceNow integration.
EXIM Spam
Monitors email relaying through EXIM and flags possibly exploited servers.
Alert: triggers an email to the system owner.
Exchange UserID
Monitors authentication to Exchange and updates the PaloAlto username-to-IP map.
Alert: triggers a script which sends login information (username & IP) to PaloAlto.
CAS UserID
Monitors authentication via CAS (Central Authentication Service).
Alert: triggers a script which sends login information (username & IP) to PaloAlto.
ADFS UserID
Monitors authentication via ADFS (Active Directory Federation Services).
Alert: triggers a script which sends login information (username & IP) to PaloAlto.
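The "Eduroam Usage" alert above, written out as an added example (not the UCT deployment's own search or script): it counts the distinct client MACs each user authenticates from inside a sliding time window and flags users over a threshold. The RADIUS-style line format, the field names and the sample events are constructed assumptions, since the slides do not show the real log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of eduroam authentication events (assumed RADIUS-style layout;
# the real log format at UCT is not shown on the slides).
SAMPLE_LOG = """\
2016-03-01T08:00:01 eduroam Access-Accept user=alice@uct.ac.za mac=AA-BB-CC-00-00-01
2016-03-01T08:00:05 eduroam Access-Accept user=bob@uct.ac.za mac=AA-BB-CC-00-00-10
2016-03-01T08:01:12 eduroam Access-Accept user=alice@uct.ac.za mac=AA-BB-CC-00-00-02
2016-03-01T08:02:40 eduroam Access-Accept user=alice@uct.ac.za mac=AA-BB-CC-00-00-03
2016-03-01T08:03:00 eduroam Access-Reject user=carol@uct.ac.za mac=AA-BB-CC-00-00-20
2016-03-01T08:05:31 eduroam Access-Accept user=alice@uct.ac.za mac=AA-BB-CC-00-00-04
2016-03-01T08:06:00 eduroam Access-Accept user=bob@uct.ac.za mac=AA-BB-CC-00-00-10
2016-03-01T09:30:00 eduroam Access-Accept user=alice@uct.ac.za mac=AA-BB-CC-00-00-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) eduroam (?P<result>Access-Accept|Access-Reject) "
    r"user=(?P<user>\S+) mac=(?P<mac>[0-9A-Fa-f-]+)$"
)


def parse_events(text):
    """Yield (timestamp, user, mac) for successful logins; rejects and junk lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "Access-Accept":
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("mac").upper()


def find_excess_devices(text, max_devices=3, window=timedelta(hours=1)):
    """Return {user: set_of_macs} for users seen on more than max_devices distinct
    MAC addresses within any span of length `window`."""
    per_user = defaultdict(list)
    for ts, user, mac in parse_events(text):
        per_user[user].append((ts, mac))

    flagged = {}
    for user, events in per_user.items():
        events.sort()  # time order, so each start index opens one candidate window
        for i, (start, _) in enumerate(events):
            macs = {mac for ts, mac in events[i:] if ts - start <= window}
            if len(macs) > max_devices:
                flagged[user] = macs
                break
    return flagged


def build_alert(flagged):
    """Render the message body the alert would email to the service desk."""
    return "\n".join(
        f"{user}: {len(macs)} devices ({', '.join(sorted(macs))})"
        for user, macs in sorted(flagged.items())
    )


if __name__ == "__main__":
    print(build_alert(find_excess_devices(SAMPLE_LOG)))
```

A later login from a MAC already counted (alice's 09:30 entry) does not add a device, so a legitimate user re-associating on one laptop is not flagged.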
ELK Stack
Elasticsearch, Logstash, Kibana
Logstash
Logstash is a data pipeline that helps you process your logs and event data and send
them to a central system.
Input
• file, tcp, udp, drupal_dblog, syslog, jmx, etc
Filter
• grok, geoip, useragent, mutate, date, drop, etc
Output
• elasticsearch, csv, ganglia, syslog, http, file, etc
Elasticsearch
Elasticsearch is a Lucene based distributed full-text search engine with a RESTful web
interface and schema-free JSON documents.
Cluster
A cluster is a collection of one or more nodes that holds data and provides federated
indexing.
Node
A node is a single server that is part of your cluster, stores your data, and
participates in the cluster's indexing and search capabilities.
Index
An index is a collection of documents that have somewhat similar characteristics.
Shards & Replicas
An index is split up into shards (smaller chunks), which are in turn distributed across
the cluster nodes; replicas are copies of those shards held on other nodes.
Elasticsearch (cont.)
Diagram: a cluster of three nodes holding one index with three shards. Each node holds one primary shard (S0, S1 and S2 respectively) plus replicas of the other two (R1 R2, R0 R2 and R0 R1), so no node holds both a primary and its own replica.
Kibana
Kibana is a visualization and analytics platform designed to work with Elasticsearch.
Perform advanced data analysis and visualize your data in a variety of charts, tables and
maps.
Why ELK?
We needed to archive log entries for the perimeter firewall, which averages about 4000 tps.
The daily index is about 70GB, which is larger than our current Splunk license, and
upgrading the license was going to cost ±R500 000.
ELK @ UCT
Pipeline: syslog -> Shipper -> Redis -> Indexer -> Elasticsearch
Shipper Config
  input {
    udp {
      type => "paloalto-syslog"
      port => 5514
    }
  }
  output {
    redis { host => "127.0.0.1" data_type => "list" key => "paloalto-syslog" }
  }
Indexer Config
  input {
    redis {
      ...
    }
  }
  filter {
    if [message] =~ "TRAFFIC" {
      csv {
        columns => [ "FUTURE_USE_1", "Receive_Time", "Serial_Number", "Type", "Subtype", "FUTURE_USE_2", ...]
      }
      mutate {
        remove_field => [ "FUTURE_USE_1", "FUTURE_USE_2", ... ]
        convert => { "Packets_Sent" => "integer" }
        ...
      }
    }
    if [message] =~ "THREAT" {
      ...
    }
    ...
  }
  output {
    elasticsearch {
      ...
    }
  }
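The indexer's TRAFFIC branch, reimplemented in Python as an added example (not the UCT configuration itself) so the CSV parsing, FUTURE_USE removal and integer conversion can be run over constructed sample records; the column layout is an abbreviated assumption, since the slide lists only the first six names. It also shows why routing on the Type column is safer than the slide's `=~ "TRAFFIC"` substring match: a THREAT record whose URL field happens to contain the word TRAFFIC would otherwise be parsed with the wrong column list.

```python
import csv

# Abbreviated column layout for PAN-OS TRAFFIC records. This is an assumption: the slide
# shows only the first six names, and real firewall logs carry many more fields.
TRAFFIC_COLUMNS = [
    "FUTURE_USE_1", "Receive_Time", "Serial_Number", "Type", "Subtype", "FUTURE_USE_2",
    "Generated_Time", "Source_IP", "Destination_IP", "Rule", "Source_User", "Application",
    "Source_Zone", "Destination_Zone", "Session_ID", "Source_Port", "Destination_Port",
    "Protocol", "Action", "Bytes", "Packets_Sent", "Packets_Received",
]
# Fields the slide's mutate block would convert or remove (set extended beyond Packets_Sent).
INTEGER_FIELDS = {"Session_ID", "Source_Port", "Destination_Port", "Bytes",
                  "Packets_Sent", "Packets_Received"}
DROP_FIELDS = {c for c in TRAFFIC_COLUMNS if c.startswith("FUTURE_USE")}

# Constructed sample messages (serial numbers, users and addresses are made up).
SAMPLE_MESSAGES = [
    "1,2016/03/01 08:00:01,001606000001,TRAFFIC,end,1,2016/03/01 08:00:01,10.1.2.3,"
    "93.184.216.34,allow-web,alice,web-browsing,trust,untrust,12345,51234,80,tcp,allow,2345,12,9",
    # THREAT record whose URL contains the word TRAFFIC: a substring match misroutes it.
    "1,2016/03/01 08:00:02,001606000001,THREAT,url,1,2016/03/01 08:00:02,10.1.2.4,"
    "198.51.100.7,allow-web,bob,web-browsing,trust,untrust,12346,51235,80,tcp,alert,0,"
    "example.test/TRAFFIC-report",
    "not,a,firewall,record",
]


def substring_match_is_traffic(message):
    """Mirrors the slide's `if [message] =~ "TRAFFIC"`: a substring test over the whole line."""
    return "TRAFFIC" in message


def record_type(message):
    """Type is the fourth CSV column; routing on it ignores the free-text fields."""
    row = next(csv.reader([message]))
    return row[3] if len(row) > 3 else None


def parse_traffic(message):
    """Equivalent of the csv + mutate filters: name the columns, drop FUTURE_USE_*,
    convert the numeric fields to int. Rejects short records instead of mis-mapping them."""
    row = next(csv.reader([message]))
    if len(row) < len(TRAFFIC_COLUMNS):
        raise ValueError("short TRAFFIC record: %d of %d fields" % (len(row), len(TRAFFIC_COLUMNS)))
    event = dict(zip(TRAFFIC_COLUMNS, row))
    for name in DROP_FIELDS:
        event.pop(name)
    for name in INTEGER_FIELDS:
        event[name] = int(event[name])
    return event


def index_messages(messages):
    """Route each message like the indexer's filter block. Returns (parsed TRAFFIC events,
    list of (type, message) that were not TRAFFIC and would go to another branch)."""
    parsed, skipped = [], []
    for msg in messages:
        kind = record_type(msg)
        if kind == "TRAFFIC":
            parsed.append(parse_traffic(msg))
        else:
            skipped.append((kind, msg))
    return parsed, skipped


if __name__ == "__main__":
    events, others = index_messages(SAMPLE_MESSAGES)
    for e in events:
        print(e["Source_User"], e["Source_IP"], "->", e["Destination_IP"], e["Packets_Sent"], "pkts")
    for kind, _ in others:
        print("skipped record of type", kind)
```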
Thank You