Logs hunting

418997665c4a3368515ecf9c3d746b95?s=47 Olivier Dolbeau
April 09, 2015
Programming
1
2.3k

Logs hunting

Talk given at sfLive 2015 Paris

418997665c4a3368515ecf9c3d746b95?s=128

Olivier Dolbeau

April 09, 2015
Tweet

More Decks by Olivier Dolbeau

See All by Olivier Dolbeau
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
2
270
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
28
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
230
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
53
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
0
580
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
4
620
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
290
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
310
418997665c4a3368515ecf9c3d746b95?s=48 odolbeau
1
1k

Other Decks in Programming

See All in Programming
3cfad86677c5966ecfe9b81955fa3489?s=48 youkan2002
0
260
264b44c0c6d60336f8b6a0fbab118984?s=48 mmazour
0
140
58d2fa98345951d9a57fdd6cfd5d0f64?s=48 aszx87410
0
460
F929f5d80ef8a23b67ad8ac6f08416cd?s=48 melix
0
300
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
2
230
66988ef2ff1307f07c7c8d829a6dc4fa?s=48 rosariopfernandes
2
120
023b04c98f39cc041293d780352432ff?s=48 koic
4
1.6k
6dd0483f1353a4a359e92633cfd65c64?s=48 wasabeef
23
5.6k
894a9f3c8db89d0a5cd8e1add1dbe37b?s=48 usamiuhuru
0
300
Dcbf2269af2483cabf43128ad1718c11?s=48 grapecity_dev
0
310
249b3122eee454c0a818bfe7851418e4?s=48 fromkk
1
110
Bc87ea9c7a0f85b8761b716a677c6694?s=48 adammc331
0
160

Featured

See All Featured
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
392
60k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
105
14k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
14
960
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
79
3.2k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
193
15k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
325
14k
78b475797a14c84799063c7cd073962f?s=48 holman
448
130k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
190
8.7k
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
123
20k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
622
40k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
3
360
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
326
35k

Transcript

  1. LOGS HUNTING 1

  2. WHO AM I? Olivier Dolbeau @odolbeau Work at BlaBlaCar 2

  3. THIS IS AN ELK 3

  4. 4

  5. 5

  6. 6

  7. Inputs Filters Outputs 41 inputs • syslog • udp •

    varnishlog • gelf • … 50 filters • date • geoip • i18n • urldecode • … 55 outputs • elasticsearch • redis • email • graphite • … And there are also some codecs 7

  8. Kibana 8

  9. 9

  10. 10

  11. Which logs are we
 talking about? 11

  12. 12 Access Logs Population: High Difficulty: Easy Weapon

  13. 13 Application logs Population: Medium / Low Difficulty: Medium Weapon

    Monolog <3

  14. syslog 14 Syslog Population: Medium Difficulty: Easy Weapon RSYSLOG

  15. *.* @127.0.0.1:514;RSYSLOG_ForwardFormat 15

  16. input { udp { port => 514 type => syslog

    } } Logstash - Input 16

  17. filter { if [type] == "syslog" { grok { match

    => [ "message", "<%{POSINT:syslog_pri}>% {TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} % {DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: % {GREEDYDATA:syslog_message}" ] add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] add_tag => [ "rsyslog" ] } } } Logstash - Filter 17

  18. output { elasticsearch_http { host => “my_es.blablacar.com” port => 9200

    index => "logstashv1-%{+YYYY.MM.dd}" manage_template => false } } Logstash - Output 18

  19. 19

  20. syslog 20

  21. 21

  22. @odolbeau 22 On recrute ! https://speakerdeck.com/odolbeau/logs-hunting