
Slide 1: Vic Hargrave | vichargrave@gmail.com | @vichargrave

Slide 2: Software Architect for Trend Micro Data Analytics Group. Blogger for Trend Micro Security Intelligence and Simply Security. Email: vichargrave@gmail.com | Website: vichargrave.com | Twitter: @vichargrave | LinkedIn: www.linkedin.com/in/vichargrave

Slide 3 (diagram): syslog feeding a commercial or open source SIEM

Slide 4 (diagram): commercial SIEM

Slide 5 (diagram): Logstash, Kibana


Slide 7 (Elasticsearch):
- Open source, distributed, full text search engine
- Based on Apache Lucene
- Stores data as structured JSON documents
- Supports single system or multi-node clusters
- Easy to set up and scale – just add more nodes
- Provides a RESTful API
- Installs with RPM or DEB packages and is controlled with a service script

Slide 8 (Elasticsearch terminology):
- Index – contains documents (≅ table)
- Document – contains fields (≅ row)
- Field – contains a string, integer, JSON object, etc.
- Shard – a smaller division of an index's data that can be stored across nodes
- Replica – a copy of a primary shard

Slide 9: default configuration file /etc/elasticsearch/elasticsearch.yml, with the cluster name, node name and data paths set for the OSSEC management cluster:

```yaml
######################### Cluster #########################
# Cluster name identifies your cluster for auto-discovery
#
cluster.name: ossec-mgmt-cluster

########################## Node ###########################
# Node names are generated dynamically on startup, so you're relieved
# from configuring them manually. You can tie this node to a specific name:
#
node.name: "es-node-1"     # e.g. Elasticsearch nodes numbered 1 – N

########################## Paths ##########################
# Path to directory where to store index data allocated for this node.
#
path.data: /data/0, /data/1
```

Slide 10 (Logstash):
- Log aggregator and parser
- Supports transferring parsed data directly to Elasticsearch
- Controlled by a configuration file that specifies input, filtering (parsing) and output
- Key to adapting Elasticsearch to other log formats
- Run logstash in the logstash home directory as follows: bin/logstash --conf <config file>

Slide 11 (Logstash configuration file: UDP syslog input, grok and mutate filters, Elasticsearch output):

```conf
input {
  # stdin {}
  udp {
    port => 9000
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # SEE NEXT SLIDE
    }
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_pid",
                        "message", "@version", "type", "host" ]
    }
  }
}

output {
  # stdout {
  #   codec => rubydebug
  # }
  elasticsearch_http {
    host => "10.0.0.1"
  }
}
```

Slide 12 (OSSEC syslog alert grok pattern). An OSSEC alert as received over syslog:

```
Jan 7 11:44:30 ossec ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: localhost->/var/log/secure; user: user; Jan 7 11:44:29 localhost sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/su
```

The grok filter that parses it (srcip, dstip, src_port, dst_port and user are optional because OSSEC only emits them for some rules):

```conf
grok {
  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:Location}; (srcip: %{IP:Src_IP};%{SPACE})?(dstip: %{IP:Dst_IP};%{SPACE})?(src_port: %{NONNEGINT:Src_Port};%{SPACE})?(dst_port: %{NONNEGINT:Dst_Port};%{SPACE})?(user: %{USER:User};%{SPACE})?%{GREEDYDATA:Details}" }
  add_field => [ "ossec_server", "%{host}" ]
}
```

Slide 13 (Kibana):
- General purpose query UI
- Javascript implementation
- Query Elasticsearch without coding
- Includes many widgets
- Run Kibana in the browser as follows: http://<kibana host>:<port>/

Slide 14 (Kibana config.js):

```javascript
/** @scratch /configuration/config.js/5
 * ==== elasticsearch
 *
 * The URL to your elasticsearch server. You almost certainly don't
 * want +http://localhost:9200+ here. Even if Kibana and Elasticsearch
 * are on the same host. By default this will attempt to reach ES at the
 * same host you have kibana installed on. You probably want to set it to
 * the FQDN of your elasticsearch host
 */
elasticsearch: "http://"+window.location.hostname+":9200",
```


Slide 17 (ElasticHQ):
- Elasticsearch plug-in
- Install from the Elasticsearch home directory: bin/plugin -install royrusso/elasticsearch-HQ
- Provides cluster and node management metrics and controls


Slide 21: Free

Slide 22:
- Designed to work in a trusted environment
- No built in security
- Easy to erase all the data: a single unauthenticated request does it:

```
curl -XDELETE http://<es host>:9200/_all
```

- Use with a proxy that provides authentication and request filtering, such as Nginx – http://wiki.nginx.org/Main
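The proxy the slide recommends, as an added example that is not from the presentation: an Nginx server block that requires HTTP basic authentication for every request to Elasticsearch and refuses the destructive calls (the DELETE shown above and the ES 1.x node shutdown API) even to authenticated clients. It assumes Elasticsearch is bound to 127.0.0.1:9200 only (network.host in elasticsearch.yml), an htpasswd file at /etc/nginx/es.htpasswd, and that Kibana and Logstash are pointed at the proxy port 9201 instead of 9200; the server_name is a placeholder.

```nginx
# Added example, not from the presentation. Assumptions: Elasticsearch listens
# only on 127.0.0.1:9200, /etc/nginx/es.htpasswd exists, clients use port 9201.
server {
    listen 9201;
    server_name es-proxy.example.internal;   # placeholder

    # Every request must carry valid basic-auth credentials.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;

    # Refuse index deletion outright (curl -XDELETE .../_all), even for
    # authenticated clients; deletions are done on the node itself.
    if ($request_method = DELETE) {
        return 403;
    }

    # Refuse the ES 1.x node/cluster shutdown API.
    location ~ ^/(_shutdown|_cluster/nodes/.*/_shutdown) {
        return 403;
    }

    # Everything else (search, index, bulk, cluster health) is passed through.
    location / {
        proxy_pass         http://127.0.0.1:9200;
        proxy_set_header   Host $host;
        proxy_read_timeout 90;
    }
}
```

With this in place the `curl -XDELETE` on the slide gets 401 without credentials and 403 with them; the Nginx access log is also a simple place to watch for repeated DELETE attempts or for clients that are not Kibana or Logstash.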

Slide 23:
- Elasticsearch – http://www.elasticsearch.org
- Logstash – http://logstash.net
- Kibana – http://www.elasticsearch.org/overview/kibana/
- ElasticHQ – http://elastichq.org
- Elasticsearch for Logging:
  - http://vichargrave.com/ossec-log-management-with-elasticsearch/
  - http://edgeofsanity.net/article/2012/12/26/elasticsearch-for-logging.html
