Logs hunting

418997665c4a3368515ecf9c3d746b95?s=47 Olivier Dolbeau
April 09, 2015
Programming
1
2.3k

Logs hunting

Talk given at sfLive 2015 Paris

418997665c4a3368515ecf9c3d746b95?s=128

Olivier Dolbeau

April 09, 2015
Tweet

More Decks by Olivier Dolbeau

See All by Olivier Dolbeau
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
2
260
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
28
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
220
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
50
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
560
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
4
610
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
280
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
300
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
1k

Other Decks in Programming

See All in Programming
D9e4d5a4b36f83fbde1076815df1362f?s=48 bmack
0
380
6e85e396c2fca10e469e67cbede8104e?s=48 yukikimoto
0
130
E48bd6aeb77b88d5762cd5d96e2c397d?s=48 wen_liao
2
1.1k
Acb6390b6c4b5192f40e10601b63dafc?s=48 twkiiim
0
1.2k
Fc358d63dcdcbad7a5c29198785dec2c?s=48 naototty
1
270
D9e4d5a4b36f83fbde1076815df1362f?s=48 bmack
0
180
38a509643276213e62730e92ef220405?s=48 masatakamiki
0
200
F9e11bea0c22333596791dd0696f5d4f?s=48 daiksy
0
1.2k
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
2
140
A10e41b0a61d59f2258d7f6172c33479?s=48 kaityo256
0
420
C302e84057a922dce0ecbe80207e3fcc?s=48 mu_zaru
1
200
826c34bb94d4fe786230bd95c5bdc409?s=48 fornewid
1
280

Featured

See All Featured
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
195
9.4k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
293
38k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
330
29k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
183
14k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
110
24k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
205
9.9k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
1
40
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
323
14k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
218
14k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
113
6.8k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
104
10k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
1
280

Transcript

  1. LOGS HUNTING 1

  2. WHO AM I? Olivier Dolbeau @odolbeau Work at BlaBlaCar 2

  3. THIS IS AN ELK 3

  4. 4

  5. 5

  6. 6

  7. Inputs Filters Outputs 41 inputs • syslog • udp •

    varnishlog • gelf • … 50 filters • date • geoip • i18n • urldecode • … 55 outputs • elasticsearch • redis • email • graphite • … And there are also some codecs 7

  8. Kibana 8

  9. 9

  10. 10

  11. Which logs are we
 talking about? 11

  12. 12 Access Logs Population: High Difficulty: Easy Weapon

  13. 13 Application logs Population: Medium / Low Difficulty: Medium Weapon

    Monolog <3

  14. syslog 14 Syslog Population: Medium Difficulty: Easy Weapon RSYSLOG

  15. *.* @127.0.0.1:514;RSYSLOG_ForwardFormat 15

  16. input { udp { port => 514 type => syslog

    } } Logstash - Input 16

  17. filter { if [type] == "syslog" { grok { match

    => [ "message", "<%{POSINT:syslog_pri}>% {TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} % {DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: % {GREEDYDATA:syslog_message}" ] add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] add_tag => [ "rsyslog" ] } } } Logstash - Filter 17

  18. output { elasticsearch_http { host => “my_es.blablacar.com” port => 9200

    index => "logstashv1-%{+YYYY.MM.dd}" manage_template => false } } Logstash - Output 18

  19. 19

  20. syslog 20

  21. 21

  22. @odolbeau 22 On recrute ! https://speakerdeck.com/odolbeau/logs-hunting