Splunk log management
Andrijana Todosijevic, User services engineer
5th SIG-NOC Meeting, Geneva, 26-27 April 2017
Networks ∙ Services ∙ People www.geant.org

Splunk log management - BPD (slide 2)
• Campus Best Practices SIG
• SCOPE
• Best Practice Document (BPD) "Splunk log management": collecting and analysing the log data in terms of the eduroam service
• Splunk in AMRES:
  • eduroam
  • Asterisk PBX
  • iAMRES Identity Federation
  • Web-site (App)
  • Filesender (App)

Generation of log messages (slide 3)
• eduroam RADIUS statistics:
  • Access-Accept/Access-Reject: authentication result
  • IdP: domain of the institution
  • MAC: MAC address of the user device
  • AP: string based on which the location of the AP is determined
  • RP: RADIUS attribute Operator-Name
• Asterisk:
  • callerid, src, dst: caller name and extensions
  • from, to: SIP IDs
  • startcall, end, callduration: time
  • disposition: answering info
• iAMRES:
  • SP: Service Provider
  • IdP: Identity Provider
  • User: person's principal name at the home organisation

Generation of log messages (slide 4)
Log forwarding per source:
• eduroam: syslog-ng
• iAMRES: rsyslog
• Asterisk: syslog

FreeRADIUS linelog module that writes one line per authentication result to syslog:

    linelog splunk {
        filename = syslog
        format = ""
        reference = "%{%{reply:Packet-Type}:-format}"
        Access-Accept = "Access-Accept: IdP=%{tolower:%{Realm}} MAC=%{Calling-Station-Id} AP=%{Called-Station-Id} RP=%{Operator-Name}"
        Access-Reject = "Access-Reject: IdP=%{tolower:%{Realm}} MAC=%{Calling-Station-Id} AP=%{Called-Station-Id} RP=%{Operator-Name}"
    }

syslog-ng rewrite rule that replaces the AP identifier with a readable AP name:

    rewrite r_ap_use {
        #################
        ## UNIVERSITY OF BELGRADE ##
        #################
        subst("18-ef-63-aa-aa-aa:eduroam", "cisco1142-rcub-sf1");
        …
    }

Resulting log line:

    Jan 28 15:37:21 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=48-50-73-f2-80-5c AP=cisco1142-rcub-studenjak5 RP=1rcub.bg.ac.rs

Collection of log messages (slide 7)
Splunk input settings for the forwarded syslog data:

    index = "eduroam" / "login" / "ipphones"
    sourcetype = "syslog"
    host = "ip address/DNS"

Splunk Search Processing Language (SPL) (slide 8)
Number of requests by IdP, per chosen location in the AMRES network

Splunk Visualisation (slide 9)
Number of distinct successfully authenticated MAC addresses per chosen location

Splunk fields (slide 10)
• Extract new fields: IdP, MAC, RP
• New tags
• New event types: index="eduroam" sourcetype=syslog Access-Accept > eduroam_success

Splunk lookups (slide 11)
AP lookup table:

    Institution                        City      AP_MAC                      AP_Name                     Latitude  Longitude
    School of Architecture             Belgrade  00-3a-7d-75-66-90:eduroam   cisco2702-amres-bg.arh1     44.80596  20.4755
    School of Economics                Belgrade  00-3a-7d-a2-87-40:eduroam   cisco2702-amres-bg.ekfak1   44.81238  20.45493
    School of Electrical Engineering   Belgrade  00-3a-7d-a2-69-90:eduroam   cisco2702-amres-bg.etf1     44.80556  20.47623
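As an added example (not code from the presentation or from AMRES), the following Python mirrors outside Splunk what the SPL statistics, field extraction and AP lookup above do: it parses lines in the linelog format from slide 4, joins the AP name against a constructed copy of the lookup, and computes requests per IdP and distinct successfully authenticated MACs for a chosen location. The sample events, the foreign realm uni-example.de, the MAC addresses and the PID are constructed.

```python
import re
from collections import defaultdict

# Pattern for the line format the FreeRADIUS linelog module writes to syslog.
LINE_RE = re.compile(
    r"radiusd\[\d+\]: (?P<result>Access-Accept|Access-Reject): "
    r"IdP=(?P<idp>\S+) MAC=(?P<mac>\S+) AP=(?P<ap>\S+) RP=(?P<rp>\S+)$"
)
# Constructed stand-in for the Splunk lookup: AP_Name -> (Institution, City).
AP_LOOKUP = {
    "cisco2702-amres-bg.arh1": ("School of Architecture", "Belgrade"),
    "cisco2702-amres-bg.etf1": ("School of Electrical Engineering", "Belgrade"),
}

# Constructed sample events; the last line is a non-RADIUS event that must be ignored.
SAMPLE_LOG = """\
Jan 28 15:37:21 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=48-50-73-f2-80-5c AP=cisco2702-amres-bg.etf1 RP=1rcub.bg.ac.rs
Jan 28 15:37:25 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=48-50-73-f2-80-5c AP=cisco2702-amres-bg.etf1 RP=1rcub.bg.ac.rs
Jan 28 15:38:02 ftlr1 radiusd[31369]: Access-Reject: IdP=arh.bg.ac.rs MAC=00-11-22-33-44-55 AP=cisco2702-amres-bg.etf1 RP=1rcub.bg.ac.rs
Jan 28 15:39:10 ftlr1 radiusd[31369]: Access-Accept: IdP=uni-example.de MAC=aa-bb-cc-dd-ee-01 AP=cisco2702-amres-bg.arh1 RP=1rcub.bg.ac.rs
Jan 28 15:39:11 ftlr1 radiusd[31369]: Access-Accept: IdP=uni-example.de MAC=aa-bb-cc-dd-ee-02 AP=cisco2702-amres-bg.arh1 RP=1rcub.bg.ac.rs
Jan 28 15:40:00 ftlr1 sshd[2201]: Accepted publickey for admin from 10.0.0.5
"""

def parse_events(text):
    """Field extraction (IdP, MAC, AP, RP) plus the AP_Name lookup join."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an eduroam authentication event
        ev = m.groupdict()
        ev["institution"], ev["city"] = AP_LOOKUP.get(ev["ap"], ("unknown", "unknown"))
        ev["amres_user"] = ev["idp"].endswith(".ac.rs")  # AMRES user vs foreign user
        events.append(ev)
    return events

def requests_by_idp(events, institution):
    """Number of requests (accepts and rejects) by IdP for a chosen location."""
    counts = defaultdict(int)
    for ev in events:
        if ev["institution"] == institution:
            counts[ev["idp"]] += 1
    return dict(counts)

def distinct_accepted_macs(events, institution):
    """Number of distinct successfully authenticated MAC addresses at a location."""
    return len({ev["mac"] for ev in events
                if ev["institution"] == institution and ev["result"] == "Access-Accept"})
```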

eduroam monitoring (slide 13)
• AMRES users (.ac.rs domain)
• Foreign users (other)
• All users:
  • different MAC addresses
  • successful authentications
  • number of requests
• Combinations:
  • use by institution
  • use by IdP
  • use by location
  • use by AP
  • use by RP

Asterisk monitoring (slide 15)
Number of attack attempts on Asterisk, on the public IP address

iAMRES monitoring (slide 16)
Access per service and per user domain

AMRES Web Analytics (slide 18)
User journey flow through the AMRES web-site

Filesender monitoring (slide 19)
Number of downloads per file

Thank you (slide 20)
andrijana.todosijevic@amres.ac.rs
This work is part of a project that has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).