Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Logs hunting

418997665c4a3368515ecf9c3d746b95?s=47 Olivier Dolbeau
April 09, 2015
Programming
1
2.5k

Logs hunting

Talk given at sfLive 2015 Paris

418997665c4a3368515ecf9c3d746b95?s=128

Olivier Dolbeau

April 09, 2015
Tweet

More Decks by Olivier Dolbeau

See All by Olivier Dolbeau
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
180
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
2
310
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
40
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
290
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
80
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
710
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
4
690
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
310
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
410

Other Decks in Programming

See All in Programming
33ef4c1ebe619115b552db9a9f9a3509?s=48 sadnessojisan
0
330
5237fad157563f7a9f90351a430624b7?s=48 ergofriend
0
320
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
13
15k
F9d1e7c494103e9ad73723d4496334f9?s=48 mattdclarke
0
180
2102a6b8760bd6f57f672805723dd83a?s=48 line_developers_tw
PRO
0
270
461346ac617a22f5bf6346e28d7c7202?s=48 bassbone
0
280
4a0e3afe85259f2973dbc9386b6a4bb3?s=48 ikumatadokoro
6
790
84931a5617d844ecfda982721de3a9e9?s=48 grace2riku
0
190
2a67c9a199a83a5eada6276f20630cb1?s=48 ohr486
3
160
4a0e3afe85259f2973dbc9386b6a4bb3?s=48 ikumatadokoro
1
110
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
0
230
F9d1e7c494103e9ad73723d4496334f9?s=48 mattdclarke
0
190

Featured

See All Featured
5f83ef806155b403c3393160ce51f955?s=48 jlugia
219
16k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
33
3.2k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
17
1k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
100
15k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
92
4.4k
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
8
3.9k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
149
20k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
6
1k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
499
110k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
45
2.6k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
89
5.4k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
656
120k

Transcript

  1. LOGS HUNTING 1

  2. WHO AM I? Olivier Dolbeau @odolbeau Work at BlaBlaCar 2

  3. THIS IS AN ELK 3

  4. 4

  5. 5

  6. 6

  7. Inputs Filters Outputs 41 inputs • syslog • udp •

    varnishlog • gelf • … 50 filters • date • geoip • i18n • urldecode • … 55 outputs • elasticsearch • redis • email • graphite • … And there are also some codecs 7

  8. Kibana 8

  9. 9

  10. 10

  11. Which logs are we
 talking about? 11

  12. 12 Access Logs Population: High Difficulty: Easy Weapon

  13. 13 Application logs Population: Medium / Low Difficulty: Medium Weapon

    Monolog <3

  14. syslog 14 Syslog Population: Medium Difficulty: Easy Weapon RSYSLOG

  15. *.* @127.0.0.1:514;RSYSLOG_ForwardFormat 15

  16. input { udp { port => 514 type => syslog

    } } Logstash - Input 16

  17. filter { if [type] == "syslog" { grok { match

    => [ "message", "<%{POSINT:syslog_pri}>% {TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} % {DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: % {GREEDYDATA:syslog_message}" ] add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] add_tag => [ "rsyslog" ] } } } Logstash - Filter 17

  18. output { elasticsearch_http { host => “my_es.blablacar.com” port => 9200

    index => "logstashv1-%{+YYYY.MM.dd}" manage_template => false } } Logstash - Output 18

  19. 19

  20. syslog 20

  21. 21

  22. @odolbeau 22 On recrute ! https://speakerdeck.com/odolbeau/logs-hunting