Splunk log management
Andrijana Todosijevic, User services engineer
5th SIG-NOC Meeting, Geneva, 26-27 April 2017
Networks ∙ Services ∙ People www.geant.org
Slides: 20
Splunk log management - BPD
• Campus Best Practices SIG scope
• Best Practice Document (BPD) "Splunk log management": collecting and analysing log data for the eduroam service
• Splunk in AMRES:
  • eduroam
  • Asterisk PBX
  • iAMRES Identity Federation
  • Web-site (App)
  • Filesender (App)
Generation of log messages
• eduroam RADIUS statistics:
  • Access-Accept/Access-Reject: authentication result;
  • IdP: domain (realm) of the institution;
  • MAC: MAC address of the user device;
  • AP: string from which the location of the AP is determined;
  • RP: RADIUS attribute Operator-Name.
• Asterisk:
  • callerid, src, dst: caller name and extensions
  • from, to: SIP IDs
  • startcall, end, callduration: time
  • disposition: answering info
• iAMRES:
  • SP: Service Provider
  • IdP: Identity Provider
  • User: person's principal name at the home organization
Generation of log messages
• eduroam: syslog-ng
• iAMRES: rsyslog
• Asterisk: syslog

FreeRADIUS linelog module configuration (one line per authentication result):

linelog splunk {
    filename = syslog
    format = ""
    reference = "%{%{reply:Packet-Type}:-format}"
    Access-Accept = "Access-Accept: IdP=%{tolower:%{Realm}} MAC=%{Calling-Station-Id} AP=%{Called-Station-Id} RP=%{Operator-Name}"
    Access-Reject = "Access-Reject: IdP=%{tolower:%{Realm}} MAC=%{Calling-Station-Id} AP=%{Called-Station-Id} RP=%{Operator-Name}"
}

syslog-ng rewrite rule mapping the Called-Station-Id (AP MAC) to a readable AP name:

rewrite r_ap_use {
    #################
    ## UNIVERSITY OF BELGRADE ##
    #################
    subst("18-ef-63-aa-aa-aa:eduroam", "cisco1142-rcub-sf1");
    …
}

Resulting log line:

Jan 28 15:37:21 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=48-50-73-f2-80-5c AP=cisco1142-rcub-studenjak5 RP=1rcub.bg.ac.rs
Collection of log messages (slides 5 and 6: diagram slides, no text)
Collection of log messages
index = "eduroam" | "login" | "ipphones"
sourcetype = "syslog"
host = "ip address/DNS"
Splunk Search Processing Language (SPL)
Number of requests by IdP, per chosen location in the AMRES network
Splunk Visualisation
Number of distinct successfully authenticated MAC addresses per chosen location
Splunk fields
• Extract new fields
• New tags
• New event types

index="eduroam" IdP MAC RP Access-Accept sourcetype=syslog  >  eduroam_success
Splunk lookups

Institution                      | City     | AP_MAC                    | AP_Name                   | Latitude | Longitude
School of Architecture           | Belgrade | 00-3a-7d-75-66-90:eduroam | cisco2702-amres-bg.arh1   | 44.80596 | 20.4755
School of Economics              | Belgrade | 00-3a-7d-a2-87-40:eduroam | cisco2702-amres-bg.ekfak1 | 44.81238 | 20.45493
School of Electrical Engineering | Belgrade | 00-3a-7d-a2-69-90:eduroam | cisco2702-amres-bg.etf1   | 44.80556 | 20.47623
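The slides describe the pipeline only in pieces: the linelog line format (slide 4), the field extraction and event type (slide 10), the AP lookup (slide 11) and the per-location counts (slides 8, 9 and 13). The following Python script, added here as an illustration and not part of the presentation or of AMRES's own tooling, parses a handful of constructed radiusd lines in that exact format, joins them against the slide's lookup table (written out as CSV) and computes the same counts Splunk would. Everything except the first sample line and the lookup rows is made up: the MAC addresses, the uni-example.de realm, the ekof.bg.ac.rs realm assumed for the School of Economics, and the stray sshd line.

```python
"""Parse eduroam RADIUS linelog lines, enrich with the AP lookup, and count
requests per IdP, distinct successful MACs and AMRES vs foreign users.
Added example; not code from the presentation."""
import csv
import io
import re
from collections import Counter, defaultdict

# Regex for the "Access-Accept: IdP=... MAC=... AP=... RP=..." line that the
# FreeRADIUS linelog module on slide 4 writes. Anchored at both ends and
# split on whitespace only, since Realm and Calling-Station-Id are supplied
# by the client and must not be allowed to spill into neighbouring fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) radiusd\[\d+\]: "
    r"(?P<result>Access-Accept|Access-Reject): "
    r"IdP=(?P<idp>\S+) MAC=(?P<mac>\S+) AP=(?P<ap>\S+) RP=(?P<rp>\S+)$"
)

# Constructed sample: the first line is the slide's own example; the rest
# are invented events, plus one non-RADIUS syslog line that an
# index=eduroam sourcetype=syslog search would also return.
SAMPLE_LOG = """\
Jan 28 15:37:21 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=48-50-73-f2-80-5c AP=cisco1142-rcub-studenjak5 RP=1rcub.bg.ac.rs
Jan 28 15:37:45 ftlr1 radiusd[31369]: Access-Accept: IdP=etf.bg.ac.rs MAC=48-50-73-f2-80-5c AP=cisco2702-amres-bg.etf1 RP=1amres.ac.rs
Jan 28 15:38:02 ftlr1 radiusd[31369]: Access-Reject: IdP=uni-example.de MAC=00-11-22-33-44-55 AP=cisco2702-amres-bg.etf1 RP=1amres.ac.rs
Jan 28 15:38:10 ftlr1 radiusd[31369]: Access-Accept: IdP=uni-example.de MAC=00-11-22-33-44-55 AP=cisco2702-amres-bg.etf1 RP=1amres.ac.rs
Jan 28 15:39:00 ftlr1 radiusd[31369]: Access-Accept: IdP=ekof.bg.ac.rs MAC=aa-bb-cc-dd-ee-01 AP=cisco2702-amres-bg.ekfak1 RP=1amres.ac.rs
Jan 28 15:39:30 ftlr1 radiusd[31369]: Access-Accept: IdP=ekof.bg.ac.rs MAC=aa-bb-cc-dd-ee-02 AP=cisco2702-amres-bg.ekfak1 RP=1amres.ac.rs
Jan 28 15:40:00 ftlr1 sshd[1234]: Accepted publickey for admin from 10.0.0.1
"""

# The lookup table from slide 11, as the CSV a Splunk lookup would be loaded from.
LOOKUP_CSV = """\
Institution,City,AP_MAC,AP_Name,Latitude,Longitude
School of Architecture,Belgrade,00-3a-7d-75-66-90:eduroam,cisco2702-amres-bg.arh1,44.80596,20.4755
School of Economics,Belgrade,00-3a-7d-a2-87-40:eduroam,cisco2702-amres-bg.ekfak1,44.81238,20.45493
School of Electrical Engineering,Belgrade,00-3a-7d-a2-69-90:eduroam,cisco2702-amres-bg.etf1,44.80556,20.47623
"""


def parse_events(text):
    """One dict per RADIUS line; lines without the expected fields are skipped,
    which is what the eduroam_success event type on slide 10 achieves."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def load_lookup(csv_text):
    """Map AP_Name -> lookup row, i.e. a CSV lookup keyed on AP_Name."""
    return {row["AP_Name"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(events, lookup):
    """Attach Institution/City; an AP name missing from the lookup is reported
    as 'unknown' rather than dropped, so gaps in the lookup stay visible."""
    for ev in events:
        row = lookup.get(ev["ap"])
        ev["institution"] = row["Institution"] if row else "unknown"
        ev["city"] = row["City"] if row else "unknown"
    return events


def requests_per_idp(events, institution):
    """Slide 8: number of requests by IdP at one chosen location (accepts and rejects)."""
    return Counter(ev["idp"] for ev in events if ev["institution"] == institution)


def distinct_success_macs(events):
    """Slide 9: distinct successfully authenticated MAC addresses per location."""
    macs = defaultdict(set)
    for ev in events:
        if ev["result"] == "Access-Accept":
            macs[ev["institution"]].add(ev["mac"])
    return {inst: len(s) for inst, s in macs.items()}


def user_category(idp):
    """Slide 13: AMRES users are the .ac.rs realms, everyone else is foreign."""
    return "AMRES" if idp.endswith(".ac.rs") else "foreign"


def successful_auths_by_category(events):
    """Slide 13: successful authentications split into AMRES and foreign users."""
    return Counter(user_category(ev["idp"]) for ev in events if ev["result"] == "Access-Accept")


def analyse(text=SAMPLE_LOG, lookup_csv=LOOKUP_CSV):
    """Parse and enrich the log text; returns the list of enriched events."""
    return enrich(parse_events(text), load_lookup(lookup_csv))


if __name__ == "__main__":
    evs = analyse()
    print("requests per IdP, School of Electrical Engineering:",
          dict(requests_per_idp(evs, "School of Electrical Engineering")))
    print("distinct successful MACs per location:", distinct_success_macs(evs))
    print("successful authentications by user category:", dict(successful_auths_by_category(evs)))
```

Two details worth noting when building the real Splunk searches: the `index="eduroam" sourcetype=syslog` scope also returns non-RADIUS lines (the sshd line above), so the per-location statistics should be computed on the eduroam_success event type rather than on the raw index, and the AP name used as the lookup key is the output of the syslog-ng rewrite, so an AP that has not yet been added to the rewrite rule or to the lookup shows up under "unknown" instead of silently vanishing from the map.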
eduroam monitoring (slide 12: dashboard screenshot, no text)
eduroam monitoring
• AMRES users (.ac.rs domain)
• Foreign users (other)
• All users:
  • different MAC addresses
  • successful authentications
  • number of requests
Combinations:
  • use by institution
  • use by IdP
  • use by location
  • use by AP
  • use by RP
Asterisk monitoring (slide 14: dashboard screenshot, no text)
Asterisk monitoring
Number of attack attempts on Asterisk, on the public IP address
iAMRES monitoring
Access per service and per user domain
AMRES Web Analytics (slide 17: dashboard screenshot, no text)
AMRES Web Analytics
User journey flow through the AMRES web-site
Filesender monitoring
Number of downloads per file
Thank you
andrijana.todosijevic@amres.ac.rs
This work is part of a project that has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).