Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Logs hunting

418997665c4a3368515ecf9c3d746b95?s=47 Olivier Dolbeau
April 09, 2015
Programming
1
2.4k

Logs hunting

Talk given at sfLive 2015 Paris

418997665c4a3368515ecf9c3d746b95?s=128

Olivier Dolbeau

April 09, 2015
Tweet

More Decks by Olivier Dolbeau

See All by Olivier Dolbeau
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
160
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
2
300
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
35
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
270
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
72
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
660
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
4
670
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
300
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
360

Other Decks in Programming

See All in Programming
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
0
430
E3c2bac7a4a04823dda122cf243edd01?s=48 claudioed
0
270
4e4410453964b11bc6077c72334bf8ec?s=48 shinbunbun_
0
220
042b7c0e45c53de46667f07de2fb2614?s=48 vixentael
0
380
Faafc04d9e69b73b9f49995fd4c94d4d?s=48 whatyouhide
0
220
9242ec5423930ab9ab881ce07f4d4fcf?s=48 e99h2121
0
1.5k
Aedb2d72d275bbb27a7419e22ea6f70e?s=48 yutafujii0
1
310
5d769d109697012317c09c6a27a6a4bf?s=48 linyows
1
160
9bcd328daf60fe29dc9970f6cfc26730?s=48 kesin11
7
1.2k
Ff0453fcbf27a84de92b9cc1f2aed9af?s=48 koike91
1
240
87cc3b4ffeb28446da380c5acdcf443e?s=48 takapi86
0
410
8f2c3621c8a56710b8fc8b993f400ef3?s=48 hirokiabe
0
220

Featured

See All Featured
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
177
8k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
107
6.5k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
43
4.9k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
91
3.6k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
79acae287842acf29084005533a7fb3b?s=48 hursman
111
9.5k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
443
29k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
92
4.1k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
162
6.8k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.3k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
43
2k

Transcript

  1. LOGS HUNTING 1

  2. WHO AM I? Olivier Dolbeau @odolbeau Work at BlaBlaCar 2

  3. THIS IS AN ELK 3

  4. 4

  5. 5

  6. 6

  7. Inputs Filters Outputs 41 inputs • syslog • udp •

    varnishlog • gelf • … 50 filters • date • geoip • i18n • urldecode • … 55 outputs • elasticsearch • redis • email • graphite • … And there are also some codecs 7

  8. Kibana 8

  9. 9

  10. 10

  11. Which logs are we
 talking about? 11

  12. 12 Access Logs Population: High Difficulty: Easy Weapon

  13. 13 Application logs Population: Medium / Low Difficulty: Medium Weapon

    Monolog <3

  14. syslog 14 Syslog Population: Medium Difficulty: Easy Weapon RSYSLOG

  15. *.* @127.0.0.1:514;RSYSLOG_ForwardFormat 15

  16. input { udp { port => 514 type => syslog

    } } Logstash - Input 16

  17. filter { if [type] == "syslog" { grok { match

    => [ "message", "<%{POSINT:syslog_pri}>% {TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} % {DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: % {GREEDYDATA:syslog_message}" ] add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] add_tag => [ "rsyslog" ] } } } Logstash - Filter 17

  18. output { elasticsearch_http { host => “my_es.blablacar.com” port => 9200

    index => "logstashv1-%{+YYYY.MM.dd}" manage_template => false } } Logstash - Output 18

  19. 19

  20. syslog 20

  21. 21

  22. @odolbeau 22 On recrute ! https://speakerdeck.com/odolbeau/logs-hunting