Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Managing Your Security Logs with Elasticsearch

advertisement 
Vic Hargrave | vichargrave@gmail.com | @vichargrave
1
• Software Architect for Trend Micro Data Analytics Group
• Blogger for Trend Micro Security Intelligence and Simply
Security
• Email: vichargrave@gmail.com
• Twitter: @vichargrave
• LinkedIn: www.linkedin.com/in/vichargrave
2
• Open Source SECurity
• Open Source Host-based Intrusion Detection System
• Founded by Daniel Cid
• Log analysis and file integrity monitoring for Windows,
Linux, Mac OS, Solaris and many *nix systems
• Agent – Server architecture
• http://www.ossec.net
3
Syslog
syslog
commercial or
open source
SIEM
Syslog
Syslog
4
commercial
SIEM
5
Logstash
Kibana
6
7
• Open source, distributed, full text search engine
• Based on Apache Lucene
• Stores data as structured JSON documents
• Supports single system or multi-node clusters
• Easy to set up and scale – just add more nodes
• Provides a RESTful API
• Installs with RPM or DEB packages and is controlled
with a service script.
8
• Index – contains documents, ≅ table
• Document – contains fields, ≅ row
• Field – contains string, integer, JSON object, etc.
• Shard – smaller divisions of data that can be stored
across nodes
• Replica – copy of the primary shard
9
# default configuration file - /etc/elasticsearch/elasticsearch.yml
######################### Cluster #########################
# Cluster name identifies your cluster for auto-discovery
#
cluster.name: ossec-mgmt-cluster
########################## Node ###########################
# Node names are generated dynamically on startup, so you're relieved
# from configuring them manually. You can tie this node to a specific name:
#
node.name: "es-node-1"
# e.g. Elasticsearch nodes numbered 1 – N
########################## Paths ##########################
# Path to directory where to store index data allocated for this node.
#
path.data: /data/0, /data/1
10
• Log aggregator and parser
• Supports transferring parsed data directly to
Elasticsearch
• Controlled by a configuration file that specifies input,
filtering (parsing) and output
• Key to adapting Elasticsearch to other log formats
• Run logstash in logstash home directory as follows:
bin/logstash ––conf <logstash config file>
11
input {
#
stdin{}
udp {
port => 9000
type => "syslog"
}
}
filter {
if [type] == "syslog" {
grok {
# SEE NEXT SLIDE
}
mutate {
remove_field => [ "syslog_hostname", "syslog_message", "syslog_pid", "message",
"@version", "type", "host" ]
}
}
}
output {
#
stdout {
#
codec => rubydebug
#
}
elasticsearch_http {
host => "10.0.0.1"
}
}
12
• OSSEC syslog alert
Jan 7 11:44:30 ossec ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location:
localhost->/var/log/secure; user: user; Jan 7 11:44:29 localhost sudo: user : TTY=pts/0 ;
PWD=/home/user ; USER=root ; COMMAND=/bin/su
• grok { }
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host}
%{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level};
Rule: %{NONNEGINT:Rule} - %{DATA:Description};
Location: %{DATA:Location}; (srcip: %{IP:Src_IP};%{SPACE})?
(dstip: %{IP:Dst_IP};%{SPACE})?
(src_port: %{NONNEGINT:Src_Port};%{SPACE})?
(dst_port: %{NONNEGINT:Dst_Port};%{SPACE})?
(user: %{USER:User};%{SPACE})?%{GREEDYDATA:Details}"
}
add_field => [ "ossec_server", "%{host}" ]
13
• General purpose query UI
• Javascript implementation
• Query Elasticsearch without coding
• Includes many widgets
• Run Kibana in browser as follows:
http://<web server ip>:<port>/<kibana path>
14
/** @scratch /configuration/config.js/5
* ==== elasticsearch
*
* The URL to your elasticsearch server. You almost certainly don't
* want +http://localhost:9200+ here. Even if Kibana and Elasticsearch
* are on the same host. By default this will attempt to reach ES at the
* same host you have kibana installed on. You probably want to set it to
* the FQDN of your elasticsearch host
*/
elasticsearch: http://+"<elasticsearch node IP>"+":9200",
15
16
17
• ElasticHQ
• Elasticsearch plug-in
• Install from Elasticsearch home directory:
bin/plugin -install royrusso/elasticsearch-HQ
• Provides cluster and node management metrics and
controls
18
19
20
And now for something
completely different.
The OSSEC virtual
appliance
21
Free
22
• Designed to work in a trusted environment
• No built in security
• Easy to erase all the data
curl –XDELETE http://<server>:9200/_all
• Use with a proxy that provides authentication and
request filtering such as Nginx
– http://wiki.nginx.org/Main
23
• Elasticsearch
– http://www.elasticsearch.org
• Logstash
– http://logstash.net
• Kibana
– http://www.elasticsearch.org/overview/kibana/
• ElasticHQ
– http://elastichq.org
• Elasticsearch for Logging
– http://vichargrave.com/ossec-log-management-with-elasticsearch/
– http://edgeofsanity.net/article/2012/12/26/elasticsearch-for-logging.html
24
25
Related documents
Presentation Title
Presentation Title
Introduction to Elasticsearch on Azure
Introduction to Elasticsearch on Azure
Final Project Report
Final Project Report
Open Source Secuirty Logging
Open Source Secuirty Logging
Hr/Pr Ees- ja Perekonnanimi - NATO Cooperative Cyber Defence
Hr/Pr Ees- ja Perekonnanimi - NATO Cooperative Cyber Defence
NOC TOOLS syslog
NOC TOOLS syslog
Wazuh-with-ELK-Guide
Wazuh-with-ELK-Guide
Windows Azure Blob Storage
Windows Azure Blob Storage
Syslog
Syslog
SNATZ PowerPoint presentation
SNATZ PowerPoint presentation
Brian Nafziger - Data Mining in the Dark Darknet Intelligence Automation (2021, SANS Institute) - libgen.li-3
Brian Nafziger - Data Mining in the Dark Darknet Intelligence Automation (2021, SANS Institute) - libgen.li-3
- Netcomm
- Netcomm
NodeJS
NodeJS
Search,plus - building taxonomy, autoclassification and
Search,plus - building taxonomy, autoclassification and
PowerPoint slides
PowerPoint slides
IntelAcademic_IoT_05_NodeJS
IntelAcademic_IoT_05_NodeJS
Monitoring ElasticSearch (1)
Monitoring ElasticSearch (1)
Elasticsearch - A Complete Guide
Elasticsearch - A Complete Guide
Download
advertisement