Logs hunting

LOGS
HUNTING
1

View Slide

WHO AM I?
Olivier Dolbeau
@odolbeau
Work at BlaBlaCar
2

View Slide

THIS IS AN
ELK
3

View Slide

4

View Slide

5

View Slide

6

View Slide

Inputs Filters Outputs
41 inputs
• syslog
• udp
• varnishlog
• gelf
• …
50 ﬁlters
• date
• geoip
• i18n
• urldecode
• …
55 outputs
• elasticsearch
• redis
• email
• graphite
• …
And there are also some codecs
7

View Slide

Kibana
8

View Slide

9

View Slide

10

View Slide

Which logs
are we 
talking about?
11

View Slide

12
Access Logs
Population: High
Difﬁculty: Easy
Weapon

View Slide

13
Application logs
Population: Medium / Low
Difﬁculty: Medium
Weapon
Monolog <3

View Slide

syslog
14
Syslog
Population: Medium
Difﬁculty: Easy
Weapon
RSYSLOG

View Slide

*.* @127.0.0.1:514;RSYSLOG_ForwardFormat
15

View Slide

input {
udp {
port => 514
type => syslog
}
}
Logstash - Input
16

View Slide

filter {
if [type] == "syslog" {
grok {
match => [ "message", "%
{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %
{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %
{GREEDYDATA:syslog_message}" ]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
add_tag => [ "rsyslog" ]
}
}
}
Logstash - Filter
17

View Slide

output {
elasticsearch_http {
host => “my_es.blablacar.com”
port => 9200
index => "logstashv1-%{+YYYY.MM.dd}"
manage_template => false
}
}
Logstash - Output
18

View Slide

19

View Slide

syslog
20

View Slide

21

View Slide

@odolbeau
22
On recrute !
https://speakerdeck.com/odolbeau/logs-hunting

View Slide

Logs hunting

Logs hunting

Olivier Dolbeau

More Decks by Olivier Dolbeau

Other Decks in Programming

Featured

Transcript