ELK: It's Big Log Season
Eric Luellen
InfoSeCon 2015 presentation by @ericl42 and @brianwilson.
1.
Copyright © 2015, SAS Institute Inc. All rights reserved.
ELK: IT'S BIG LOG SEASON
LOGGING FROM A TO Z
2.
WHO WE ARE
• Brian Wilson
  • Information Security Manager at SAS
  • UNIX Sys Admin, Network Engineer, Infosec Engineer
  • Family, Mac/Linux, Coding, Automation, Long walks on the beach
  • @brianwilson / https://github.com/bdwilson
• Eric Luellen
  • Sr. Information Security Engineer at SAS
  • Open source technologies, network security monitoring, active defenses
  • Snowboarding, volleyball, basketball, anything away from a computer
  • @ericl42 / https://github.com/ericl42
3.
WHY DO WE CARE ABOUT LOGS?
• Regulatory & compliance requirements
  • HIPAA, SOX, PCI
• Troubleshooting
• Incident Response
• Proactive resource planning
• Logs are the building blocks of other projects
• Prove the value of log data for future technology investment!
4.
SO WHY HAVEN'T WE DONE ANYTHING?
• Resources: time, money & people
• Volume of data
• Disparate sources, formatting issues
  • Application logs don't follow the same standard as OS logs
• Cooperation from other groups
• Unsure how to obtain and locate sources
5.
WHAT ARE THE REQUIREMENTS?
• Simple to use
  • The goal is to reduce reaction time and make it easier to track down a problem, resolve an incident, or search for a data point.
• Scalable
  • As log sources and events/second grow, the solution has to scale with them.
• Expandable
  • Easy to incorporate into, or feed, other systems.
• Notifications/Alerting
  • Know when your log sources deviate from defined criteria.
6.
LOGISTICAL PREPARATION
• Identify the data sources
  • Authentication failures/successes
  • UNIX, Windows, DLP, Anti-Virus, Web, Applications…
• Configure sources for proper logging
• Determine location of syslog collector(s)
  • DMZ, Cloud...
• Open firewall port(s)
7.
ARCHITECTURE
(diagram slide; no text captured)
8.
HOW DO WE GET THE LOGS THERE?
• UNIX
  • Local syslog settings
    • auth.*;authpriv.* @syslog.domain.net
      (a single @ forwards over UDP in syslogd/rsyslog syntax; rsyslog uses @@ for TCP)
  • Agent based (NXLog)
• Windows
  • Agent based (NXLog)
9.
NXLOG EXAMPLE

```
<Input in>
    Module          im_msvistalog
    ReadFromLast    True
    # Pull only logon success (4624) and failure (4625) from the Security log
    Query           <QueryList>\
                      <Query Id="0">\
                        <Select Path="Security">*[System[(EventID='4624')]]</Select>\
                        <Select Path="Security">*[System[(EventID='4625')]]</Select>\
                      </Query>\
                    </QueryList>
    Exec            to_syslog_bsd();
    # Drop logons by computer accounts (names end in "$"); otherwise cut the
    # verbose tail that starts at "Detailed Authentication Information:"
    Exec            if $raw_event =~ /Account Name:\s+\S+\$\s+Account Domain:/ drop(); \
                    else if $raw_event =~ /^(.+)Detailed Authentication Information:/ $raw_event = $1;
    # Flatten tabs so each event is a single syslog-friendly line
    Exec            if $raw_event =~ s/\t/ /g {}
</Input>

# Plain UDP: no delivery guarantee and no encryption on the wire.
# NXLog's om_ssl module is the TLS alternative when the path is untrusted.
<Output out>
    Module          om_udp
    Host            X.X.X.X
    Port            2514
</Output>

<Route 1>
    Path            in => out
</Route>
```

(The regex backslashes, lost in the slide export, are restored above: `\s+\S+\$\s+` and `s/\t/ /g`.)
10.
SYSLOG-NG
• Basic aggregation of logs
• Filters and funnels logs as needed
• Ability to send to various locations
• Configured using the syslog-ng.conf file
11.
SYSLOG-NG CONFIGURATION

```
# Accept UDP syslog from UNIX hosts; the large receive buffer absorbs bursts
source s_remote_logs_unix {
    udp(port(514) so_rcvbuf(67108864));
};

# One file per day. dir_perm(0777) as on the slide leaves the log directory
# world-writable; 0750/0640 is the usual choice for evidence-grade logs.
destination d_hosts_unix {
    file("/mnt/logs/UNIX/$YEAR-$MONTH-$DAY-sys01.log"
         dir_owner(root) dir_group(root) dir_perm(0777)
         owner(root) group(root) perm(0664)
         create_dirs(yes));
};

# Forward a copy elsewhere, preserving the original sender's IP as the UDP
# source. spoof_source() needs a syslog-ng build with spoof-source (libnet)
# support and root privileges.
destination d_remote_server {
    udp("192.168.1.20" port(1234) spoof_source(yes));
};

# Sink for noise we never want to store (not on the slide; assumed definition
# for the d_junk the log path below refers to)
destination d_junk { file("/dev/null"); };

# Noise filter. Parenthesised to make the precedence explicit: "and" binds
# tighter than "or". Newer syslog-ng prefers match("..." value("MESSAGE")).
filter f_trash {
    match("some specific expression")
    or match("asdfjkl;")
    or (host("server1.domain.net") and match("xxx"));
};

# flags(final) stops matched junk from reaching the two log paths below
log { source(s_remote_logs_unix); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_unix); destination(d_remote_server); };
log { source(s_remote_logs_unix); destination(d_hosts_unix); };
```
12.
LOGSTASH
• Inputs
  • Processes logs of all shapes and sizes
• Filters
  • Allow you to parse and transform the logs
  • Can easily support custom log formats
• Outputs
  • Send the new "pretty" logs wherever you want
13.
CUSTOM LOGSTASH CONFIG

```
input {
  file {
    type           => "video-syslog"
    exclude        => ["*.gz"]
    start_position => "end"
    path           => [ "/mnt/logs/video/*.log" ]
  }
}

filter {
  grok {
    # Two line layouts share the file; grok tries the patterns in order
    overwrite => [ "message", "host" ]
    match => [
      "message", "%{DATESTAMP:timestamp} %{PROG:program} %{WORD:status} %{NUMBER:priority:float} %{GREEDYDATA:creation} %{INT:bytes} %{INT:hitcount} %{GREEDYDATA:url} /disk%{GREEDYDATA:location}",
      "message", "%{HOST:host} %{GREEDYDATA:url} %{INT:bytes_sent} %{INT:obj_size} %{INT:bytes_recvd} %{WORD:method} %{INT:status} \[%{DATA:time_recvd}\+0000\] %{INT:time_to_serve}"
    ]
    add_tag        => [ "bytes", "hitcount", "url", "location" ]
    # Empty list: lines that match neither pattern are indexed silently,
    # without the default _grokparsefailure tag. Convenient, but it hides
    # broken patterns; consider keeping the tag and filtering on it instead.
    tag_on_failure => []
  }
}

output {
  elasticsearch {
    # Logstash 1.x node-protocol output: Logstash joins the cluster as a
    # client node, so the cluster name must match
    protocol => "node"
    host     => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net"
    cluster  => "my-elasticsearch-cluster"
    index    => "video-%{+YYYY.MM.dd}"
  }
}
```

(The second grok pattern's bracket escapes `\[` and `\+0000\]`, lost in the slide export, are restored; smart quotes are replaced by plain quotes.)
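The grok patterns above are easy to get subtly wrong, and Logstash 1.x gives little feedback when they do. The following is an added example, not code from the talk, that expands the two match entries into ordinary regular expressions and runs them over constructed sample lines in both layouts, so you can see exactly which fields come out and with which types. The base pattern definitions are a trimmed copy of Logstash's grok-patterns file with its atomic groups rewritten as plain groups (an assumption that keeps their matching behaviour for these inputs); the sample lines are constructed, not from the speakers' video cache logs.

```python
"""Expand the video-syslog grok patterns to regexes and test them offline."""
import re

# Subset of Logstash's grok-patterns needed by the two match entries
# (assumption: the stock definitions are longer; these match the same text)
BASE = {
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "MONTHNUM": r"0?[1-9]|1[0-2]",
    "MONTHDAY": r"0[1-9]|[12][0-9]|3[01]|[1-9]",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
    "HOUR": r"2[0123]|[01]?[0-9]",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "DATESTAMP": r"%{DATE}[- ]%{TIME}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*(?:\.?|\b)",
    "HOST": r"%{HOSTNAME}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def expand(pattern, types):
    """Rewrite %{NAME:field:type} into a named group and bare %{NAME} into a
    non-capturing group, recursively, recording the requested field types."""
    def replace(m):
        name, field, typ = m.groups()
        inner = expand(BASE[name], types)
        if field:
            types[field] = typ or "string"
            return f"(?P<{field}>{inner})"
        return f"(?:{inner})"
    return GROK_REF.sub(replace, pattern)


def grok(line, patterns):
    """Try each pattern in order, as a grok filter with several match entries
    does; return the fields (with :int/:float coercion) or None, which is the
    case where Logstash adds _grokparsefailure unless tag_on_failure is []."""
    casts = {"int": int, "float": float, "string": str}
    for pat in patterns:
        types = {}
        m = re.search(expand(pat, types), line)
        if m:
            return {k: casts[types[k]](v) for k, v in m.groupdict().items() if v is not None}
    return None


# The two match entries from the slide (bracket escapes restored)
VIDEO = (r"%{DATESTAMP:timestamp} %{PROG:program} %{WORD:status} %{NUMBER:priority:float} "
         r"%{GREEDYDATA:creation} %{INT:bytes} %{INT:hitcount} %{GREEDYDATA:url} /disk%{GREEDYDATA:location}")
WEB = (r"%{HOST:host} %{GREEDYDATA:url} %{INT:bytes_sent} %{INT:obj_size} %{INT:bytes_recvd} "
       r"%{WORD:method} %{INT:status} \[%{DATA:time_recvd}\+0000\] %{INT:time_to_serve}")
PATTERNS = [VIDEO, WEB]

# Constructed sample lines in each layout, plus one that matches neither
VIDEO_LINE = "10/14/2015 13:45:02 vcache OK 0.5 2015-10-14T13:40:00Z 1048576 42 /media/clip.mp4 /disk3/cache/abc"
WEB_LINE = "cache01.domain.net /media/clip.mp4 1048576 1048576 512 GET 200 [14/Oct/2015:13:45:02+0000] 37"
JUNK_LINE = "this line matches neither pattern"

if __name__ == "__main__":
    for line in (VIDEO_LINE, WEB_LINE, JUNK_LINE):
        print(grok(line, PATTERNS))
```

Two things the output makes visible: `priority` arrives as a float because of `:float`, but `bytes` and `hitcount` stay strings since the pattern has no `:int`, so Elasticsearch's dynamic mapping will index them as strings and sums or range queries on them will not work as expected. And the junk line returns None: with `tag_on_failure => []` that event would still be indexed, just without any of these fields, which is why keeping the failure tag is usually worth the noise.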
14.
NETFLOW LOGSTASH CONFIG

```
input {
  udp {
    port  => 9996
    codec => netflow {
      definitions => "/etc/logstash/logstash-1.4.2/lib/logstash/codecs/netflow/netflow.yaml"
    }
  }
}

output {
  stdout { codec => rubydebug }
  # Route HQ exporters (10.0.0.0/8 plus one named exporter) to their own index.
  # The slide had =~ "10..*" and =~ "1.1.1.1": an unescaped dot matches any
  # character and "10..*" is unanchored, so 192.168.10.5 would also count as
  # HQ. Anchored and escaped here.
  if [host] =~ /^10\./ or [host] == "1.1.1.1" {
    elasticsearch {
      embedded => false
      protocol => "node"
      host     => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net"
      cluster  => "my-elasticsearch-cluster"
      index    => "netflow-hq-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      embedded => false
      protocol => "node"
      host     => "es-server1.domain.net,es-server2.domain.net,es-server3.domain.net"
      cluster  => "my-elasticsearch-cluster"
      index    => "netflow-remote-%{+YYYY.MM.dd}"
    }
  }
}
```
15.
ELASTICSEARCH
• Architecture
  • Easily scalable
  • High availability
  • Multi-tenancy
• Searching
  • Built on Lucene
  • Real-time search and analytics engine
  • RESTful API
16.
KIBANA
• Graphical representation of the logs
• Provides the user's "pretty" interface
• Customizable dashboards
• Connects directly to Elasticsearch
17.
HTTPD CONFIG

```apache
# Kibana's static files are served only over TLS
<Directory /var/www/html/kibana>
    SSLRequireSSL
</Directory>

# Kibana 3 runs in the browser and queries Elasticsearch directly, so the
# cluster is exposed through this reverse proxy. Note that this Location
# carries no authentication: anyone who can reach the web server over TLS
# can query (and, unless the proxy restricts methods and paths, modify or
# delete) every index. Apply the same Require directives used for the
# Kibana pages here as well.
ProxyRequests off
ProxyPass /elasticsearch/ http://192.168.1.10:9200/
<Location /elasticsearch/>
    ProxyPassReverse http://192.168.1.10:9200/
    SSLRequireSSL
</Location>

# LDAP against an Active Directory global catalog (port 3268), excluding
# disabled accounts (userAccountControl bit 2 via the bitwise-AND matching
# rule). Plain ldap:// sends the bind password and every user's password in
# clear text; use ldaps:// or LDAPTrustedMode TLS outside a lab.
<AuthnProviderAlias ldap ldap-domain>
    AuthLDAPURL "ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName??(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com"
    AuthLDAPBindPassword ThisIsthePassword
</AuthnProviderAlias>

# A separate, restricted Kibana instance for the help desk, limited to two
# AD groups (either group is sufficient). Order/Allow is Apache 2.2 syntax.
<Location /kibana-helpdesk>
    AuthType Basic
    AuthName "USE WINDOWS PASSWORD"
    AuthBasicProvider ldap-domain
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthLDAPBindDN "cn=Bind_Name,cn=Users,dc=XX,dc=YYY,dc=com"
    AuthLDAPBindPassword ThisIsthePassword
    AuthLDAPURL "ldap://domain:3268/DC=XX,DC=YYY,DC=com?sAMAccountName"
    Require ldap-group CN=Help Desk,OU=Groups,DC=XX,DC=YYY,DC=com
    Require ldap-group CN=Security Team,OU=Groups,DC=XX,DC=YYY,DC=com
    Order allow,deny
    Allow from all
</Location>
```

(Restored from the slide export: the attribute name `userAccountControl` had been split by a space, the `</Location>` closing the help-desk block was missing, and `ProxyPassReverse` inside a `<Location>` takes the backend URL rather than a path.)
18.
http://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics
19.
(screenshot slide; no text captured)
20.
OSSEC
• Meant to be a HIDS solution
• Log analysis
• File integrity checking
• Policy monitoring
• Rootkit detection
• Real-time alerting & active response
• Has its own web UI
• Uses basic logic to correlate and alert on specific events
21.
OSSEC RULE EXAMPLE

```xml
<!-- Rules live inside a <group> in a rules file such as
     /var/ossec/rules/local_rules.xml; the wrapper is added here. The
     aaa-logins decoder (local_decoder.xml) is not shown on the slide; it has
     to extract the user name, or <same_user /> has nothing to compare. -->
<group name="local,aaa,">
  <!-- Parent rule: level 0 never alerts, it only groups the decoder's events -->
  <rule id="100100" level="0">
    <decoded_as>aaa-logins</decoded_as>
    <description>Group of AAA rules.</description>
  </rule>

  <!-- A single failure: low severity -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Failed-Attempt|Authen failed</match>
    <description>AAA authentication failures.</description>
  </rule>

  <!-- Composite rule: repeated failures for the same user within 120 s -->
  <rule id="100102" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_user />
    <description>Multiple AAA authentication failures.</description>
  </rule>
</group>
```
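To see what the composite rule actually does before deploying it, the following added example (not code from the talk or from OSSEC) replays the three rules' logic over constructed AAA log lines: a burst of failures for one user, a slow trickle for another, and a success. The line format and the small "decoder" regex are assumptions standing in for the aaa-logins decoder the slide does not show. One caveat built into the comments: this simulation fires after exactly `frequency` matches, whereas OSSEC's own documentation states that a composite rule triggers two more times than the `frequency` value, so the real agent needs 12 failures for the rule above.

```python
"""Replay the AAA rules (100100/100101/100102) over constructed log lines."""
import re
from collections import defaultdict, deque

# Constructed lines, format assumed: "<epoch> <host> aaa-login user=<name> <message>"
BASE_TS = 1444830300
SAMPLE_LINES = sorted(
    [f"{BASE_TS + 5 * i} aaa01 aaa-login user=bob Authen failed" for i in range(12)]
    + [f"{BASE_TS + 300 * i} aaa01 aaa-login user=alice Failed-Attempt" for i in range(3)]
    + [f"{BASE_TS + 70} aaa01 aaa-login user=bob Authen OK"],
    key=lambda line: int(line.split()[0]),
)

# Stand-in for the aaa-logins decoder: pulls timestamp, host, user and message
DECODER = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) aaa-login user=(?P<user>\S+) (?P<msg>.*)$")
# Rule 100101 <match>: a regex test against the decoded message
RULE_100101 = re.compile(r"Failed-Attempt|Authen failed")


def correlate(lines, frequency=10, timeframe=120):
    """Return alerts as (level, rule_id, user, ts).

    Rule 100100 (level 0) only groups decoded events and never alerts.
    Rule 100102 fires here on `frequency` matches within `timeframe` seconds
    for the same user; OSSEC's documented behaviour needs frequency + 2."""
    recent = defaultdict(deque)        # per-user timestamps of recent failures
    alerts = []
    for line in lines:
        ev = DECODER.match(line)
        if not ev:
            continue                   # not decoded as aaa-logins: no rule applies
        ts, user, msg = int(ev["ts"]), ev["user"], ev["msg"]
        if not RULE_100101.search(msg):
            continue                   # successful login: nothing to alert on
        alerts.append((5, 100101, user, ts))
        window = recent[user]          # <same_user />: correlate per user only
        window.append(ts)
        while window and ts - window[0] > timeframe:
            window.popleft()           # slide the 120 s window
        if len(window) >= frequency:
            alerts.append((10, 100102, user, ts))
            window.clear()             # start counting afresh after firing
    return alerts


def by_level(alerts, level):
    """Filter helper: the alerts OSSEC would emit at a given level."""
    return [a for a in alerts if a[0] == level]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

Running it shows fifteen level-5 alerts (every failure, both users) and a single level-10 alert for bob at the tenth failure; alice never triggers the composite rule because her failures are 300 s apart, each one falling out of the window before the next arrives. Lower `frequency` to 3 and bob's burst produces four level-10 alerts, which is the behaviour to expect once OSSEC's own offset is accounted for.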
22.
MAINTENANCE & UPKEEP
• Syslog-ng
  • Bash scripts for combining and aging out files
• Elasticsearch
  • Curator, Elastic HQ, curl scripts
• Logstash
  • Logrotate, init.d scripts to launch instances
• OSSEC
  • Stay up to date on rules and create custom rules as needed
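The "Curator, curl scripts" item hides a decision that matters for the compliance drivers on slide 3: how long each kind of index lives. The following added example, not the speakers' code, does the aging-out for daily indices named in the deck's `<prefix>-YYYY.MM.dd` convention and produces the `curl -XDELETE` commands for review instead of running them. The per-prefix retention periods, the index listing and the Elasticsearch URL are assumptions; authentication logs are kept longest because they are the ones incident response and auditors come back for.

```python
"""Select daily Elasticsearch indices that have outlived their retention."""
import re
from datetime import date, timedelta

# Assumed retention policy, in days, keyed by index prefix
RETENTION_DAYS = {
    "netflow-hq": 30,
    "netflow-remote": 30,
    "video": 90,
    "auth": 365,
}
DEFAULT_RETENTION_DAYS = 14

# Matches the deck's "<prefix>-YYYY.MM.dd" index names, e.g. video-2015.10.14
INDEX_RE = re.compile(r"^(?P<prefix>.+)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")

# Constructed listing, as `curl es:9200/_cat/indices?h=index` might return it
LISTING = [
    "netflow-hq-2015.09.13",
    "netflow-hq-2015.09.14",
    "video-2015.07.01",
    "video-2015.10.13",
    "auth-2014.10.01",
    "auth-2015.01.01",
    "misc-2015.09.01",
    ".kibana",
    "video-2015.13.01",
]
TODAY = date(2015, 10, 14)   # fixed "today" so the run is reproducible


def parse_index(name):
    """Return (prefix, day) for a daily index, or None for anything that is
    not one (e.g. .kibana, or a name with an impossible date), so that such
    indices are never selected for deletion."""
    m = INDEX_RE.match(name)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:
        return None
    return m["prefix"], day


def expired_indices(names, today):
    """Indices whose day is older than their prefix's retention period."""
    expired = []
    for name in names:
        parsed = parse_index(name)
        if parsed is None:
            continue
        prefix, day = parsed
        keep = RETENTION_DAYS.get(prefix, DEFAULT_RETENTION_DAYS)
        if today - day > timedelta(days=keep):
            expired.append(name)
    return sorted(expired)


def delete_commands(names, today, es="http://es-server1.domain.net:9200"):
    """Build the curl commands for a human to review; nothing is executed."""
    return [f"curl -XDELETE {es}/{name}" for name in expired_indices(names, today)]


if __name__ == "__main__":
    for cmd in delete_commands(LISTING, TODAY):
        print(cmd)
```

Against the listing above, the run selects the 31-day-old HQ NetFlow index but keeps the 30-day-old one, ages out the July video index and the 2014 auth index, and applies the 14-day default to the unknown `misc` prefix. Whatever deletes indices should run with credentials that can only delete, never as the same identity Logstash uses to write; with the unauthenticated Elasticsearch proxy on slide 17, that distinction does not yet exist.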
23.
WHERE DO WE GO FROM HERE?
• Everyone has logs and a need to deal with them
• Share your solution with the groups that provided logs and with support orgs (this may require custom pages to limit what each group can see)
• Develop your work plan to review visual and OSSEC alerts
• Build response & monitoring capabilities
• Show the value of logs to the org for future tools