Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Logs hunting
Olivier Dolbeau
April 09, 2015
Programming
1
2.3k
Logs hunting
Talk given at sfLive 2015 Paris
Olivier Dolbeau
April 09, 2015
Tweet
Share
More Decks by Olivier Dolbeau
See All by Olivier Dolbeau
odolbeau
0
120
odolbeau
2
280
odolbeau
0
30
odolbeau
0
250
odolbeau
0
55
odolbeau
0
600
odolbeau
4
640
odolbeau
1
290
odolbeau
1
310
Other Decks in Programming
See All in Programming
atskimura
0
300
hr01
1
1.2k
cocoeyes02
0
220
nanimonodemonai
2
1.4k
akatsukinewgrad
0
190
attsumi
1
440
siketyan
1
110
muttsu_623
0
510
line_developers_tw
1
490
line_developers_tw
0
540
azdaroth
0
130
ufoo68
1
170
Featured
See All Featured
trishagee
20
2.1k
sachag
446
36k
sstephenson
144
12k
cassininazir
347
20k
akmur
252
19k
sferik
609
54k
zakiwarfel
88
3.3k
chriscoyier
683
180k
jonyablonski
14
1.1k
scottboms
251
11k
addyosmani
310
21k
destraynor
146
19k
Transcript
LOGS HUNTING 1
WHO AM I? Olivier Dolbeau @odolbeau Work at BlaBlaCar 2
THIS IS AN ELK 3
4
5
6
Inputs Filters Outputs 41 inputs • syslog • udp •
varnishlog • gelf • … 50 filters • date • geoip • i18n • urldecode • … 55 outputs • elasticsearch • redis • email • graphite • … And there are also some codecs 7
Kibana 8
9
10
Which logs are we talking about? 11
12 Access Logs Population: High Difficulty: Easy Weapon
13 Application logs Population: Medium / Low Difficulty: Medium Weapon
Monolog <3
syslog 14 Syslog Population: Medium Difficulty: Easy Weapon RSYSLOG
*.* @127.0.0.1:514;RSYSLOG_ForwardFormat 15
input { udp { port => 514 type => syslog
} } Logstash - Input 16
filter { if [type] == "syslog" { grok { match
=> [ "message", "<%{POSINT:syslog_pri}>% {TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} % {DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: % {GREEDYDATA:syslog_message}" ] add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] add_tag => [ "rsyslog" ] } } } Logstash - Filter 17
output { elasticsearch_http { host => “my_es.blablacar.com” port => 9200
index => "logstashv1-%{+YYYY.MM.dd}" manage_template => false } } Logstash - Output 18
19
syslog 20
21
@odolbeau 22 On recrute ! https://speakerdeck.com/odolbeau/logs-hunting
odolbeau
atskimura
hr01
cocoeyes02
nanimonodemonai
akatsukinewgrad
attsumi
siketyan
muttsu_623
line_developers_tw
azdaroth
ufoo68
trishagee
sachag
sstephenson
cassininazir
akmur
sferik
zakiwarfel
chriscoyier
jonyablonski
scottboms
addyosmani
destraynor
![filter { if [type] == "syslog" { grok { match](https://files.speakerdeck.com/presentations/830b3cc35cc64bd58e9df1ac9a3aa6fa/slide_16.jpg){kind=link}
