Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Logs hunting

418997665c4a3368515ecf9c3d746b95?s=47 Olivier Dolbeau
April 09, 2015
Programming
1
2.3k

Logs hunting

Talk given at sfLive 2015 Paris

418997665c4a3368515ecf9c3d746b95?s=128

Olivier Dolbeau

April 09, 2015
Tweet

More Decks by Olivier Dolbeau

See All by Olivier Dolbeau
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
130
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
2
290
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
35
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
260
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
62
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
620
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
4
660
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
290
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
320

Other Decks in Programming

See All in Programming
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
4
310
75baf8a56acce7086013da05fd125af5?s=48 dhmegane
0
360
67de06c6cee3ece0f56494e91e48117e?s=48 tkitsunai
6
2.5k
270b0c7883545117a9a618dc7ca7cc83?s=48 xrdnk
0
390
A760a90c9afd981004343b9861f1e8b4?s=48 daipresents
12
4.6k
A7e7c34aaa3ff7eb359b6449fb8bb043?s=48 fancyweb
1
120
D07d36d7d3263da869c7d030ba4a64a6?s=48 y__mattu
0
280
942bb606679caf4c57b38927f83178e1?s=48 qsona
26
6.5k
4b071f90c5d9c0a58e2d9076460b7be4?s=48 ne_sachirou
0
420
44df43ecb9d8ae00cafee6b804db3fcd?s=48 kentatada
0
170
7b606c5039f083d13e2d2320ce6ddcfa?s=48 dqneo
0
170
091c8449decb2f3549c695b5f903865a?s=48 sh_akira
3
180

Featured

See All Featured
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
116
7.2k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
56
9.4k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
203
20k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
289
110k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
370
42k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
446
36k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
195
15k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
360
62k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
7
830
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
8
490
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
779
240k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
66
3k

Transcript

  1. LOGS HUNTING 1

  2. WHO AM I? Olivier Dolbeau @odolbeau Work at BlaBlaCar 2

  3. THIS IS AN ELK 3

  4. 4

  5. 5

  6. 6

  7. Inputs Filters Outputs 41 inputs • syslog • udp •

    varnishlog • gelf • … 50 filters • date • geoip • i18n • urldecode • … 55 outputs • elasticsearch • redis • email • graphite • … And there are also some codecs 7

  8. Kibana 8

  9. 9

  10. 10

  11. Which logs are we
 talking about? 11

  12. 12 Access Logs Population: High Difficulty: Easy Weapon

  13. 13 Application logs Population: Medium / Low Difficulty: Medium Weapon

    Monolog <3

  14. syslog 14 Syslog Population: Medium Difficulty: Easy Weapon RSYSLOG

  15. *.* @127.0.0.1:514;RSYSLOG_ForwardFormat 15

  16. input { udp { port => 514 type => syslog

    } } Logstash - Input 16

  17. filter { if [type] == "syslog" { grok { match

    => [ "message", "<%{POSINT:syslog_pri}>% {TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} % {DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: % {GREEDYDATA:syslog_message}" ] add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] add_tag => [ "rsyslog" ] } } } Logstash - Filter 17

  18. output { elasticsearch_http { host => “my_es.blablacar.com” port => 9200

    index => "logstashv1-%{+YYYY.MM.dd}" manage_template => false } } Logstash - Output 18

  19. 19

  20. syslog 20

  21. 21

  22. @odolbeau 22 On recrute ! https://speakerdeck.com/odolbeau/logs-hunting