Proactive Management of Federation using ELK Elasticsearch Logstash

Proactive Management of Federation using ELK – Elasticsearch, Logstash, Kibana
Yasvanth Babu, HEAnet

About me…
• System administrator at HEAnet.
• Team: Edugate.
• Interests…
  − Explore new things.
June 16, 2021 2

Agenda
• Aim, problem statement.
• Edugate and Elasticsearch.
• Outcomes.
• Demo.
• Q&A.

Aim
• To generate yearly stats on Edugate usage.
  − Increasing or decreasing.
• To find popular services in Edugate and who makes better use of Edugate.

Legacy system
• Open-source.
• Built at Cardiff University.
• Used mainly to parse authentication events.
  − IdP, OpenAthens and EZproxy.
• HEAnet used Raptor to generate IdP audit statistics.

Raptor Architecture.

Stats

Problem
• Raptor code was not actively maintained.
• New code base will be released soon.
• rrdtool graphs are not interactive.
• Lack of self-service and real-time auditing.
• Very slow performance.

Edugate and Elasticsearch
• A graph/stats system built on top of the Elastic Stack.
• Elasticsearch
  − Distributed search engine.
  − All data is indexed.
• Logstash
  − Pipeline processing.
• Kibana
  − UI, visualize your data.
  − Charts, maps, time-series.

New stats system

Achieved…
✓ To generate yearly stats on Edugate usage.
✓ To find popular services in Edugate and who makes better use of Edugate.

Addressed problems that had gone unnoticed for months.

Additional outcomes…
Edugate Access Audits:
• No attributes released.
  − Important journals.
  − LIGO, CLARIN, niche resources.
• Suspicious logins.
  − Compromised accounts.
  − Misconfigured SP.
  − Sharing of credentials.
• Service activity.
• Login predictions.
• Real-time alerts.

What data? (one IdP audit record, field by field)
52.51.67.68 -> IP address
idp1.heanet.ie -> Host
20180607T232814Z -> Timestamp
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect -> Request Binding
_85b888a75ac583060cf1489768d20a15 -> Request ID
https://edugate.heanet.ie/shibboleth -> Relying Party ID
http://shibboleth.net/ns/profiles/saml2/sso/browser -> Message Profile ID
https://idp.heanet.ie/idp/shibboleth -> Asserting Party ID
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST -> Response Binding
_8c804d811a89b8fbfb79b462bf65f76e -> Response ID
joe.bloggs -> User Name
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport -> Auth Method
eduPersonPrincipalName, email -> Released Attributes
AAdzyuWqsRuNM5ySZ2I724XTrL2/MzmvJU= -> Name Identifier
_79ff78ddfba9a21d38401c06e19e163f -> Assertion ID

Self-service
• Kibana lacks multi-tenancy.
• Security
  − Anonymize usernames.
  − Shard access.
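The audit fields from the "What data?" slide, the "No attributes released" audit from the additional outcomes, and the anonymized usernames from this slide, worked through in one added example (not code from the talk or from HEAnet): a parser that splits an IdP audit record into those fields, keyed-hashes the username before it is indexed, and flags authenticated logins where the IdP released nothing to the SP. The pipe delimiter and field order are assumptions taken from the slide's field list; the sample records, the HMAC key and the journal SP are constructed.

```python
import hmac
import hashlib

# Field order as read top-to-bottom from the "What data?" slide.
FIELDS = ["ip_address", "host", "timestamp", "request_binding", "request_id",
          "relying_party_id", "message_profile_id", "asserting_party_id",
          "response_binding", "response_id", "user_name", "auth_method",
          "released_attributes", "name_identifier", "assertion_id"]

def anonymize_user(user, key):
    """Keyed hash: dashboards can still group by user without seeing identities."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]

def parse_audit_line(line, key):
    """Split a pipe-delimited record (assumed delimiter) into FIELDS; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Attributes are comma-separated; an empty field means none were released.
    rec["released_attributes"] = [a for a in rec["released_attributes"].split(",") if a]
    if rec["user_name"]:
        rec["user_name"] = anonymize_user(rec["user_name"], key)
    return rec

def find_no_attribute_logins(lines, key):
    """Authenticated SSO events where the IdP released nothing to the SP (the
    'No attributes released' audit case), typically a missing release rule."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line, key)
        if rec and rec["user_name"] and not rec["released_attributes"]:
            hits.append((rec["user_name"], rec["relying_party_id"]))
    return hits

def sample_record(user, attrs, sp):
    """Constructed sample record (not real log data) in the slide's field order."""
    return "|".join(["52.51.67.68", "idp1.heanet.ie", "20180607T232814Z",
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "_req", sp,
        "http://shibboleth.net/ns/profiles/saml2/sso/browser", "https://idp.heanet.ie/idp/shibboleth",
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "_resp", user,
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", attrs, "_nameid", "_assertion"])

KEY = b"constructed-demo-key"  # placeholder secret held by the pipeline, not by Kibana users
SAMPLE_LOG = [
    sample_record("joe.bloggs", "eduPersonPrincipalName,email", "https://edugate.heanet.ie/shibboleth"),
    sample_record("jane.doe", "", "https://journal.example.org/shibboleth"),  # SP got no attributes
    "truncated|record",  # malformed line the parser must tolerate
]
```

Running find_no_attribute_logins(SAMPLE_LOG, KEY) reports only the jane.doe login to the journal SP, with the username already replaced by its keyed hash.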

Searchguard
• Security add-on for the ELK Stack.
• Encryption.
• Authentication.
  − LDAP/AD, Kerberos, host-based, JWT and SAML.
• Multi-tenancy.
  − Based on user roles.
• Centralized user ACL index.
• Licensing.
  − Community, Academic and Enterprise.

Future work
• Learning analytics.
  − IdP, eduroam and VLE (Moodle).
• Automation.
  − Resource registry.
• Can integrate with:
  − Netflow, application data, web-filter data.
• Machine learning.

Summary…
• Multi-tenant stats system.
• Real-time auditing and analyzing.
• Alerting system.

Demo…

Questions?
