Transcription

Elasticsearch, Logstash, and Kibana (ELK)
Dwight [email protected]
Hutchison [email protected]
2015
2014 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected]

Carnegie Mellon, CERT, CERT Coordination Center and FloCon are registered marks of Carnegie Mellon University.

DM-00018832

Who are we and what do we do?

What’s our problem?
- Small team
- Lots of users (all untrusted)
- Lots of systems
- Lots of logs
- Luckily, no “sensitive” information, BUT


Why Elasticsearch
- Easy to deploy (minimum configuration)
- Scales vertically and horizontally
- Easy to use API
- Modules for most programming/scripting languages
- Actively developed with good online documentation
- It’s free

How Elasticsearch Works in 25 seconds
- Shards
  - Single instance of Lucene on a node
  - Can be primary or replica
- Index
  - Mapping of shards to nodes
  - Like a database within a relational database
- Nodes
  - Keeps a copy of the index
  - Maintain primary and replica shards

Hardware and Infrastructure
- Blades
- Network attached storage – NFS
- Aggregate TAP, SPAN off switches (physical and virtual)
- Virtualization (VMware)
- Puppet

Nodes
- 8 x Nodes – virtualized
- 4x Cores
- 16 GB RAM
- 500 GB data partition (NFS-NAS)
- Deployed/Configured using Puppet modules: https://forge.puppetlabs.com/

Software
- (Data Collection)
- (Queuing)
- (Glue/Integration)
- (Storage, index, search)
- (Visualization)

Data Sources
- Windows Event Logs
- Syslog
- Bro (session data/DPI)
- SiLK (flow)
- SNMP
- PCAP (stored on disk, index information in ES)

Can I see a diagram with boxes and arrows?

Things we can do
- Batch analysis (retrospective)
- Correlation between data sets
- Make pretty graphs for displaying on TVs – Kibana
- Alerting – Python/R

Where we want to go
- Puppet / Application containers (i.e., Docker)
- Our environment is defined in software.
- Can we use this to automate auditing?

Batch/Retrospective Analysis
- Say we saw some interesting traffic coming from one of our servers – we want to know which processes were run around that time on that host
- Set a simple filter in Kibana like
- Kibana queries ES and returns


Batch/Retrospective Analysis
- You can also use the ES Python API to perform queries – http://elasticsearch-py.rtfd.org/
- Lots of query and filter options; JSON syntax; more flexibility and control
- Good for
  - Running queries on-demand over any period of time
  - Checking on important events that are too cumbersome to alert on
  - Daily review of logs
  - Investigation

Batch/Retrospective Analysis
- Example query bodies
- And get


Correlation of Data Sets & Visualization
- Correlate events within and between data sets to gain context
- Visualizing data with Kibana facets
  - Makes aspects of data more readily apparent
  - Aids perspective and understanding of data
  - Looks cool
- Typically
  - Attach one or more Queries to individual facets
  - Drill down on specific data using Filters (whole page)
  - Plethora of info with just one or two filters



Alerting – Windows Event Monitoring
- Want to know about certain events as they occur
  - Administrator login
  - Local/SAM account login attempts
  - User account creation/re-enabling
  - Creation/Addition to Groups
  - Scheduled Task creation
  - Log cleared
- Uses ES Python API and CRON
- Queries ES 15 times per hour
  - Every 4 minutes – “from”: “now-4m”
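The two uses of the ES Python API on these slides (the retrospective "which processes ran on that host around that time" query, and the cron-driven check for watched Windows events in the last four minutes) share the same shape: a time-range filter plus a few term filters. The block below is an added example, not the presenters' code. It assumes an index pattern of logstash-*, that events carry @timestamp, host, event_id (the Windows Security event ID as an integer), subject_user, target_user and process fields, and the elasticsearch-py 1.x/2.x search(index=..., body=...) signature; the event IDs are the standard Microsoft Windows Security IDs for the categories listed on the slide. A constructed sample response stands in for a live cluster so the script runs offline.

```python
"""Added example (not the presenters' code): Elasticsearch query bodies for
retrospective investigation and for the 4-minute Windows event alert check.
Field names, the index pattern and the sample data are assumptions."""
from datetime import datetime, timedelta

# Standard Windows Security event IDs matching the categories on the slide.
WATCHED_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4728: "member added to global security group",
    4732: "member added to local security group",
    4698: "scheduled task created",
    1102: "audit log cleared",
}


def query_body(gte, lt="now", extra_filters=(), size=500):
    """Generic filtered query: a time range plus any additional filter clauses."""
    return {
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": gte, "lt": lt}}},
            *extra_filters,
        ]}},
        "sort": [{"@timestamp": {"order": "asc"}}],
        "size": size,
    }


def process_window_query(host, around, minutes=10):
    """Retrospective case: events with a process field on `host`
    within +/- `minutes` of the datetime `around`."""
    start = (around - timedelta(minutes=minutes)).isoformat()
    end = (around + timedelta(minutes=minutes)).isoformat()
    return query_body(start, end, [
        {"term": {"host": host}},
        {"exists": {"field": "process"}},
    ])


def watched_events_query(window="now-4m"):
    """Alerting case: watched event IDs in the last 4 minutes (cron runs every 4 min)."""
    return query_body(window, "now", [{"terms": {"event_id": sorted(WATCHED_EVENTS)}}])


def hits_to_alerts(hits):
    """Turn ES hits into one-line alert messages; unexpected IDs are skipped."""
    alerts = []
    for hit in hits:
        src = hit["_source"]
        eid = int(src.get("event_id", 0))
        if eid not in WATCHED_EVENTS:
            continue
        alerts.append("%s %s event %d: %s (by %s on %s)" % (
            src["@timestamp"], src["host"], eid, WATCHED_EVENTS[eid],
            src.get("subject_user", "?"), src.get("target_user", "?")))
    return alerts


def run_alert_check(es, index="logstash-*"):
    """Query ES and return alert lines; the cron job mails them (e.g. via smtplib)."""
    resp = es.search(index=index, body=watched_events_query())
    return hits_to_alerts(resp["hits"]["hits"])


# Constructed sample response. The 4624 hit would not pass the terms filter on a
# real cluster; it is included to show hits_to_alerts ignoring unexpected IDs.
SAMPLE_RESPONSE = {"hits": {"total": 3, "hits": [
    {"_source": {"@timestamp": "2014-10-06T14:01:12Z", "host": "dc01",
                 "event_id": 4720, "subject_user": "admin", "target_user": "svc_backup"}},
    {"_source": {"@timestamp": "2014-10-06T14:02:40Z", "host": "dc01",
                 "event_id": 4624, "subject_user": "-", "target_user": "jdoe"}},
    {"_source": {"@timestamp": "2014-10-06T14:03:05Z", "host": "fs02",
                 "event_id": 1102, "subject_user": "admin"}},
]}}

# Constructed retrospective query: what ran on web01 around 14:00 on 2014-10-06.
SAMPLE_WINDOW = process_window_query("web01", datetime(2014, 10, 6, 14, 0))


class FakeES:
    """Minimal stand-in for elasticsearch.Elasticsearch (1.x/2.x search signature)."""
    def search(self, index, body):
        return SAMPLE_RESPONSE


if __name__ == "__main__":
    for line in run_alert_check(FakeES()):
        print(line)
```

In the cron job, replace FakeES() with elasticsearch.Elasticsearch(["http://es-node:9200"]) and keep the four-minute cron interval aligned with the now-4m window, otherwise events fall into a gap between runs or are reported twice.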

Alerting – Windows Event Monitoring
- Example Alerts received via email notifications




Alerting – Irregular Login Activity
- Want to keep an eye on privileged account use
- Want to know
  - When users login to hosts they never or rarely ever login to
  - When users login from atypical source IPs
  - When user logins violate certain thresholds based on previous behavior
- Uses ES Python API, CRON, R, and sqlite3 DB
  - Delivers daily login stats
  - Updates weekly and expires old weeks
  - Checks against DB with 4 weeks of aggregated data

Alerting – Irregular Login Activity
- 24 hour stats: Processed by R and delivers Daily Login Stats email with plots
- RSweekly.txt: Contains all login activity for the week
- lin stats weekly.py: Processes RSweekly.txt with R, expires old weeks / entries, deduplicates DB
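The weekly update and the daily comparison from the two slides above, as an added example that is not the presenters' code. It keeps four weeks of aggregated logins in a sqlite3 table, replaces (deduplicates) a week that is loaded twice, expires the oldest week, and then checks one day of a user's logins for the three conditions on the slide: never- or rarely-seen hosts, atypical source IPs, and a volume threshold against the weekly baseline. The slides do the statistics in R; this version does the same comparison in plain Python. The table layout, the thresholds (rare = fewer than 2 baseline logins, burst = 3x the daily mean) and all sample data are assumptions.

```python
"""Added example (not the presenters' code): a 4-week sqlite3 login baseline and
a daily irregular-login check. Table layout, thresholds and data are assumptions."""
import sqlite3
from collections import Counter

KEEP_WEEKS = 4  # the slide keeps 4 weeks of aggregated data


def open_db(path=":memory:"):
    """Open (or create) the aggregate table: one row per week/user/host/src_ip."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS weekly_logins (
        week TEXT, user TEXT, host TEXT, src_ip TEXT, n INTEGER,
        PRIMARY KEY (week, user, host, src_ip))""")
    return db


def update_weekly(db, week, logins):
    """Aggregate one week of login events, replacing earlier rows for that week
    (so re-running on the same RSweekly.txt does not double count), then
    expire everything older than KEEP_WEEKS."""
    agg = Counter((l["user"], l["host"], l["src_ip"]) for l in logins)
    db.executemany("INSERT OR REPLACE INTO weekly_logins VALUES (?, ?, ?, ?, ?)",
                   [(week, u, h, ip, c) for (u, h, ip), c in agg.items()])
    weeks = [r[0] for r in db.execute(
        "SELECT DISTINCT week FROM weekly_logins ORDER BY week DESC")]
    for old in weeks[KEEP_WEEKS:]:
        db.execute("DELETE FROM weekly_logins WHERE week = ?", (old,))
    db.commit()


def baseline(db, user):
    """Per-host and per-source-IP totals plus mean logins per week for one user."""
    hosts = dict(db.execute(
        "SELECT host, SUM(n) FROM weekly_logins WHERE user = ? GROUP BY host", (user,)))
    ips = dict(db.execute(
        "SELECT src_ip, SUM(n) FROM weekly_logins WHERE user = ? GROUP BY src_ip", (user,)))
    per_week = [r[0] for r in db.execute(
        "SELECT SUM(n) FROM weekly_logins WHERE user = ? GROUP BY week", (user,))]
    mean_week = sum(per_week) / len(per_week) if per_week else 0.0
    return hosts, ips, mean_week


def check_day(db, user, day_logins, rare=2, burst=3.0):
    """Compare 24 hours of one user's logins against the baseline; return findings."""
    hosts, ips, mean_week = baseline(db, user)
    today = Counter((l["host"], l["src_ip"]) for l in day_logins if l["user"] == user)
    findings = []
    for (host, ip), c in sorted(today.items()):
        seen = hosts.get(host, 0)
        if seen == 0:
            findings.append("%s: %d login(s) to never-seen host %s from %s" % (user, c, host, ip))
        elif seen < rare:
            findings.append("%s: login to rarely-used host %s (%d in baseline)" % (user, host, seen))
        if ip not in ips:
            findings.append("%s: login to %s from atypical source IP %s" % (user, host, ip))
    total = sum(today.values())
    daily = mean_week / 7.0
    if daily and total > burst * daily:
        findings.append("%s: %d logins today vs. %.1f/day baseline" % (user, total, daily))
    return findings


def login(user, host, src_ip, count=1):
    """Constructed login events, the shape one row of RSweekly.txt would parse to."""
    return [{"user": user, "host": host, "src_ip": src_ip}] * count


def demo():
    """Constructed data: five weeks loaded (the oldest expires), then one day checked."""
    db = open_db()
    for week in ("2014-W40", "2014-W41", "2014-W42", "2014-W43", "2014-W44"):
        events = login("alice", "web01", "10.0.0.5", 10)
        if week == "2014-W42":
            events += login("alice", "bastion", "10.0.0.5")  # seen once in 4 weeks
        update_weekly(db, week, events)
    weeks_kept = db.execute("SELECT COUNT(DISTINCT week) FROM weekly_logins").fetchone()[0]
    day = (login("alice", "web01", "10.0.0.5", 2) + login("alice", "db02", "10.0.0.5")
           + login("alice", "web01", "203.0.113.9") + login("alice", "bastion", "10.0.0.5"))
    return weeks_kept, check_day(db, "alice", day)


if __name__ == "__main__":
    kept, findings = demo()
    print("weeks in DB:", kept)
    for f in findings:
        print(f)
```

The per-week mean is computed over the weeks actually present, so the first few runs after deployment have a thin baseline and the burst threshold fires more readily; that is the reason for waiting until the full four weeks are aggregated before trusting the threshold alerts.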

Alerting – Irregular Login Activity
- Example Daily Login Stats with plots
- Email Message




Alerting – Irregular Login Activity
- Example Alerts received via email notification

Questions and Discussion
2014 Carnegie Mellon University
