Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting Started with Elastic Cloud and Beats for Log Analytics

34cbde72de5f384380d5489543294dc5?s=47 Kosho Owa
October 07, 2016
Technology
0
68

Getting Started with Elastic Cloud and Beats for Log Analytics

情報セキュリティワークショップ in 越後湯沢 2016

34cbde72de5f384380d5489543294dc5?s=128

Kosho Owa

October 07, 2016
Tweet

More Decks by Kosho Owa

See All by Kosho Owa
34cbde72de5f384380d5489543294dc5?s=48 kosho
2
11k
34cbde72de5f384380d5489543294dc5?s=48 kosho
1
240
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
250
34cbde72de5f384380d5489543294dc5?s=48 kosho
1
630
34cbde72de5f384380d5489543294dc5?s=48 kosho
1
1.7k
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
130
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
52
34cbde72de5f384380d5489543294dc5?s=48 kosho
0
110
34cbde72de5f384380d5489543294dc5?s=48 kosho
1
96

Other Decks in Technology

See All in Technology
696374755aea172f74c9235387a248ab?s=48 neko314
1
220
B78199b075c1bbf42f205e04eb2bd764?s=48 himidev
6
3.6k
6eb87371ba9a9bb7767af80a5c9f5306?s=48 yhana
0
11k
06986333d704c400f7a2053994058e6e?s=48 cmtamai
0
420
1bfc6e2ed04a895bb36f36b86828b689?s=48 110y
1
240
394576121c6b861048493988254160dd?s=48 tarappo
0
180
44a210d1299a727e9d601a47dfedeabf?s=48 mot_techtalk
0
120
00101a1274d1f92977f4e442ef73be86?s=48 ahana
0
110
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
2.5k
6d161fe47f36ac295189c3b6a0db2a9a?s=48 masahirokawahara
0
290
50bc42471d197d0dbef7171f2ef85bb6?s=48 comucal
PRO
0
4.5k
A645e7c3a6635ead8fa323c583769591?s=48 hololab
0
630

Featured

See All Featured
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
32
3k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
504
37k
245cee81a9c424266e5e401d844ea881?s=48 lara
596
62k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
78
270k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
58
3.8k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
449
36k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
72
3.9k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
110
11k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
415
58k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
190
14k

Transcript

  1. ‹#› Kosho Owa, Solutions Architect, Elastic October 2016 Elastic CloudͱBeatsͰ࢝ΊΔ

    ϩάͷՄࢹԽͱ෼ੳ

  2. 2 Elastic Cloud Security X-Pack Kibana User Interface Elasticsearch Store,

    Index,
 & Analyze Ingest Logstash Beats + Elastic Stack Introducing the Elastic Stack, X-Pack, and Cloud Alerting Monitoring Reporting Graph

  3. Elasticserach: σʔλετΞɺΠϯσοΫεɺ෼ੳ 3 ෼ࢄܕͰ
 εέʔϥϒϧ ճ෮ੑ͕͋ΓߴՄ༻ੑɺεέʔϧΞ΢τΛલఏ ͱͨ͠੡඼σβΠϯ ߏ଄ɺඇߏ଄σʔλΛΠϯσοΫε ։ൃऀ
 ϑϨϯυϦʔ

    εΩʔϚϨε Ϛϧνςφϯτ ๛෋ͳΫϥΠΞϯτϥΠϒϥϦ ݕࡧͱ෼ੳ ϦΞϧλΠϜ શจݕࡧ (FP "HHSFHBUJPO ଟݴޠʹରԠ

  4. Kibana: ՄࢹԽͱ୳ࡧ 4 ൃݟͱಎ࡯ σʔλΛ୳ࡧɺنଇੑΛൃݟͲͷΑ͏ͳϨϕϧ ΁΋υϦϧμ΢ϯ &MBTUJDTFBSDIͷύϫϑϧͳ෼ੳػೳΛར༻ ߏ଄ɺඇߏ଄σʔλ ΧελϚΠζ ͦͯ͠ڞ༗

    όʔνϟʔτɺંΕઢάϥϑɺ෼෍ਤɺ஍ਤɺ ώετάϥϜ μογϡϘʔυΛΛγΣΞ͠ɺӡ༻ϫʔΫϑϩ ʔʹ૊ΈࠐΈ Elastic Stack ΁ͷೖΓޱ ՄࢹԽͷͨΊͷ౷Ұతͳ6* &MBTUJD4UBDLͷӡ༻؅ཧ ϓϥάΠϯՄೳͳΞʔΩςΫνϟͰɺಠࣗͷΞ ϓϦέʔγϣϯ͕࡞੒Մೳ

  5. Beats: ElasticsearchͷͨΊͷσʔλγούʔ 5 Filebeat ϩάऩूΤʔδΣϯτͷ࣍ੈ୅ελϯμʔυ Winlogbeat 8JOEPXTγεςϜɺΞϓϦέʔγϣϯɺηΩ ϡϦςΟϩά Metricbeat "QBDIF

    .POHP%# .Z42- /HJOY 3FEJT  ;PPLFFQFSɺ04ͳͲͷϝτϦοΫ Packetbeat )551 .Z42- $BTTBOESB %/4ͳͲͷωοτ ϫʔΫύέοτΛϦΞϧλΠϜͰղੳ Libbeat ΧελϜzCFBUTz։ൃ༻ϥΠϒϥϦʔ

  6. ੒ޭ͢Δϩά෼ੳ σʔλऩू BeatsͰσʔλऩूͱElasticsearch΁ͷ౤ೖ μογϡϘʔυͷςϯϓϨʔτΛಉࠝ JSONߏ଄ԽϩάΛFilebeatͰऩूɺΠϯσοΫε ΠϯετʔϧͱηοτΞοϓ Elastic CloudͰΫϥελʔΛ਺ΫϦοΫͰల։ ৗʹ࠷৽൛ɺΞοϓάϨʔυ΋؆୯ʹ ӡ༻

    X-PackΛ׆༻ͯ͠ɺಛఆͷΠϕϯτʹରͯ͠Ξϥʔτ σʔλͷΞΫηε੍ޚ ElasticsearchΫϥελʔࣗ਎΋ϞχλϦϯά 6

  7. 7 Performance Metrics Application Logs Filebeat ϩάऩू Packetbeat ύέοτ؂ࢹ Elasticsearch

    σʔλετΞ ݕࡧΤϯδϯ Kibana ՄࢹԽ Network Interfaces Metricbeat ϝτϦοΫऩू

  8. JSONߏ଄ԽϩΪϯά - Apache 8 LogFormat "{ \"clientip\": \"%h\", \"ident\": \"%l\",

    \"auth\": \"%u\", \"timestamp\": \"%{%FT%T%z}t\", \"verb\": \"%m\", \"request\": \"%U%q\", \"httpversion\": \"%H\", \"response\": %>s, \"bytes\": %b, \"referer\": \"% {Referer}i\", \"agent\": \"%{User-agent}i\" }" combinedjson CustomLog logs/access_log.js combinedjson - input_type: log paths: - /var/log/httpd/access_log.js document_type: apache json.keys_under_root: true json.add_error_key: true httpd.conf filebeat.yml

  9. JSONߏ଄ԽϩΪϯά - Squid 9 logformat combinedjson { "clientip": "%>a", "ident":

    "%ui", "uname": "%un", "timestamp": "%{%FT%T%z}tg", "verb": "%rm", "request": "%ru", "httpversion": "HTTP/%rv", "response": %>Hs, "bytes": %<st, "referer": "%{Referer}>h", "agent": "%{User-Agent}>h", "request_status": "%Sh", "hierarchy_status": "%Sh" } access_log /var/log/squid/access_log.js combinedjson - input_type: log paths: - /var/log/squid/access_log.js document_type: squid json.keys_under_root: true json.add_error_key: true squid.conf filebeat.yml

  10. Metricbeat - OSɺΞϓϦέʔγϣϯͷϝτϦοΫऩू 10 ϦΞϧλΠϜϞχλϦϯά • OS΍αʔϏεͷϝτϦοΫΛϞχλʔ αʔϏεͷύϑΥʔϚϯε෼ੳ • System:

    CPU, load, IO, filesystem, memory, network, process • Apache, HAProxy, MongoDB, MySQL, Nginx, Redis, ZookeeperʹରԠ ElasticsearchʹసૹɺKibanaͰՄࢹԽ • αϯϓϧDashboardͰ͙͢ʹར༻Մೳ

  11. Packetbeat - ωοτϫʔΫύέοοτͷղੳͱऩू 11 ϦΞϧλΠϜϞχλϦϯά • ΞϓϦέʔγϣϯͷ஗ԆɺΤϥʔɺԠ ౴࣌ؒͳͲΛϞχλʔ ωοτϫʔΫτϥϑΟοΫͷݕࡧͱ෼ੳ •

    ICMP, DNS, HTTP, AMQP, Cassandra, MySQL, PostgreSQL, Redis, Thrift- RPC, MongoDB, MemcacheʹରԠ ElasticsearchʹసૹɺKibanaͰՄࢹԽ • αϯϓϧDashboardͰ͙͢ʹར༻Մೳ

  12. Hosted Elasticsearch & Kibana on AWS • Elasticͷ੡඼܈ͱಉظͨ͠࠷৽൛ͷఏڙ • εέʔϧΞ΢τɾΞοϓάϨʔυΛΫϦοΫૢ࡞

    Ͱ • ແྉͷKibanaΠϯελϯεͱ30෼͝ͱͷόοΫΞ οϓ • X-Packػೳ (Security, Alerting, Monitoring, Reporting) • ݄ʑ45USD͔Β • SLAϕʔεͷαϙʔτΦϓγϣϯ 12 Elastic Stackͷ։ൃऀʹΑΔ།Ұͷ ެࣜ Elasticsearch as a Service

  13. X-Pack: Elastic Stackͷ෇ՃՁ஋ػೳ 13 \ ηΩϡϦςΟ෼ੳ ϩά෼ੳ ϝτϦοΫε ෼ੳ ӡ༻෼ੳ

    υΩϡϝϯτݕࡧ ΞϓϦέʔγϣϯ ݕࡧ ϩοΫμ΢ϯͱ ΞΫηε؂ࢹ σʔλͷมߋʹ
 ର͢Δ௨஌ Elasticsearch
 Ϋϥελͷ؂ࢹ σʔλ͔Βҙຯͷ
 ͋Δؔ܎Λൃݟ PDFΛ࡞੒ͯ͠ ൃݟΛγΣΞ Security Alerting Monitoring Graph Analytics Reporting

  14. X-Pack: Security - ҉߸ԽͱϩʔϧϕʔεͷΞΫηε੍ޚ 14 ҉߸Խ • KibanaɺElasticsearchͷΤϯυϙΠ ϯτ΁ͷHTTPS௨৴ •

    Ϋϥελʔ಺ͷ௨৴ ΞΫηε੍ޚ • ID/PasswordʹΑΔϢʔβೝূ • ωΠςΟϒɺLDAPɺAD࿈ܞ • KibanaͷϩάΠϯμΠΞϩά • ϩʔϧ͝ͱʹΠϯσοΫεɺAPI΁ͷ ΞΫηεΛ੍ݶ

  15. X-Pack: Alerting - σʔλͷมԽΛ௨஌ 15 εέδϡʔϧ • ಛఆͷ࣌ؒɺΠϯλʔόϧɺ Crontabॻࣜ ίϯσΟγϣϯ

    • Elasticsearchͷ͢΂ͯͷΫΤϦʔͱ ΞάϦήʔγϣϯΛαϙʔτ • ෳ਺ͷιʔεΛ૊Έ߹Θͤ ΞΫγϣϯ • ΠϯσοΫεɺϩάɺϝʔϧɺ΢Σ ϒϑοΫͳͲ

  16. Monitoring - ΫϥελʔɺϊʔυɺΠϯσοΫεͷ؂ࢹ • ElasticsearchΫϥελʔɺϊʔυɺ ΠϯσοΫεͷϝτϦοΫΛϦΞϧ λΠϜͰ؂ࢹ • ӡ༻্ͷ܏޲Λ೺Ѳɺ໰୊Λൃݟ •

    ΫϥελʔɺΞϓϦέʔγϣϯͷ࠷ దԽ • ΩϟύγςΟϓϥχϯά 16

  17. X-Pack: Graph - σʔλؒͷؔ܎ΛՄࢹԽ 17 • Elasticsearchͷsearch΍relevancyͷػ ೳΛ࢖༻ͯ͠ҙຯͷ͋Δؔ܎Λൃݟ • طଘͷΠϯσοΫεΛར༻

    • ϦΞϧλΠϜ͔ͭεέʔϥϒϧ

  18. X-Pack: Reporting - DashboardΛΤΫεϙʔτ 18 Earthquake - Depth Timeseries Earthquake

    - Heatmap Earthquake — Sun, Jan 1, 2006 12:00 AM to Fri, Sep 2, 2016 5:54 AM • PDF΋͘͠͸CSVΛੜ੒ • ඇKibanaϢʔβͱڞ༗ • खಈɺ΋͘͠͸Alertingͱͷ૊Έ߹Θ ͤͰεέδϡʔϧɺ΋͘͠͸ಛఆͷΠ ϕϯτ͕ൃੜͨ͠৔߹ʹ࡞੒ N ew in V5

  19. elastic.co/jp: ೔ຊޠ৘ใ΋͝ར༻Լ͍͞ 19 • ੡඼৘ใ • αϒεΫϦϓγϣϯ • ಋೖࣄྫ •

    ύʔτφʔ • ϋϯζΦϯϫʔΫγϣοϓ • ϒϩά • νϡʔτϦΞϧϏσΦ • ͓໰͍߹Θͤ