Monitoring Linux and Windows Logs With The Graylog Collector-Bernd Ahlers

The document discusses Graylog Collector, an open source tool for collecting and shipping logs from Linux, Windows, and other operating systems to a Graylog server for analysis. It can read local log files and the Windows event log and send the data to Graylog using GELF over TLS. The talk covers why another log collector was needed, how to install and configure Graylog Collector, and opportunities for improving its Windows event log support, file reading, and centralized management.


Monitoring Linux and Windows Logs

with Graylog Collector

Bernd Ahlers
Graylog, Inc.

Bernd Ahlers Graylog, Inc. [email protected]


Structured Logging & Introduction to
Graylog Collector

Bernd Ahlers
Graylog, Inc.



Introduction: Graylog
Open source log management platform
Collect, index and analyze structured and
unstructured log data
Alerts based on log data
Extensible via custom plugins



More about Graylog
www.graylog.org
marketplace.graylog.org
docs.graylog.org
github.com/Graylog2



Why are we writing logs?
Getting insight & collecting business metrics
Debugging problems
Building an audit trail
Monitoring



How do we access our logs?
Applications write to local files
SSH into machines
tail, grep, awk
If lucky: central log management



What do they look like?
Syslog RFC 3164 (BSD)
Syslog RFC 5424



Syslog RFC 3164 (BSD)

Nov 10 15:55:01 tumbler CRON[2684]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)



Syslog RFC 5424

2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...



Apache

127.0.0.1 - bernd [28/Dec/2014:06:43:15 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 910 "-" "Mozilla/5.0 (Linux) mirall/1.7.1"



Postfix

Aug 5 17:05:26 hostname postfix/qmgr[308]: A44F828C71: from=<[email protected]>, size=153136, nrcpt=1 (queue active)



Squid

sq18.wikimedia.org 1715898 2010-12-01T21:57:22.331 0 1.2.3.4 TCP_MEM_HIT/200 13208 GET http://en.wikipedia.org/wiki/Main_Page NONE/- text/html - - Mozilla/4.0%20(compatible;%20MSIE%206.0;%20Windows%20NT%205.1;%20.NET%20CLR%201.1.4322) en-US -



log4j

0 [main] INFO MyApp - Entering application.
36 [main] DEBUG com.foo.Bar - Did it again!
51 [main] INFO MyApp - Exiting application.



Ruby Logger

I, [2015-11-18T00:16:27.723972 #3609] INFO -- : Hello world!



#1 Problem: Timestamps
Everyone likes to invent one
Missing most of the time: timezone, year
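The slides above show the damage in practice: BSD syslog has no year and no zone, Ruby's Logger has a zone-less local time, log4j's default layout counts milliseconds since the application started, and only RFC 5424 and Apache carry everything needed. The following added example (not from the talk and not Graylog code) parses the timestamp of each sample line and normalizes it to UTC, recording which parts had to be assumed. The per-format regexes, the one-day rule for guessing a missing year and the local_tz / app_start parameters are this example's own choices; the sample lines are copies constructed here.

```python
"""Normalize the timestamps of the formats shown on the preceding slides
to UTC and record what had to be assumed to get there.

Added example, not from the talk and not Graylog code: the per-format
regexes, the one-day rule for guessing a missing year and the local_tz /
app_start parameters are this example's own choices.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed copies of the sample lines from the slides.
SAMPLES = {
    "rfc3164": "Nov 10 15:55:01 tumbler CRON[2684]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)",
    "rfc5424": '2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...',
    "apache": '127.0.0.1 - bernd [28/Dec/2014:06:43:15 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 910 "-" "Mozilla/5.0 (Linux) mirall/1.7.1"',
    "ruby": "I, [2015-11-18T00:16:27.723972 #3609]  INFO -- : Hello world!",
    "log4j": "36 [main] DEBUG com.foo.Bar - Did it again!",
}

# Constructed "wall clock" and zone for the examples: a collector reading
# November lines on 5 January, running in UTC+1.
NOW = datetime(2016, 1, 5, 12, 0, tzinfo=timezone.utc)
CET = timezone(timedelta(hours=1))
APP_START = datetime(2015, 11, 18, 0, 0, tzinfo=timezone.utc)

_RFC5424 = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) \S+ ")
_APACHE = re.compile(r"\[(?P<ts>\d\d/[A-Z][a-z]{2}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]")
_RUBY = re.compile(r"^[A-Z], \[(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+) #\d+\]")
_RFC3164 = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ ")
_LOG4J = re.compile(r"^(?P<ms>\d+) \[\S+\] (?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL) ")


def normalize(line, now, local_tz=timezone.utc, app_start=None):
    """Return (datetime in UTC or None, list of assumptions made).

    now: timezone-aware clock at parse time, used to guess a missing year.
    local_tz: zone assumed for formats that omit one.
    app_start: absolute start time that anchors log4j's relative millis.
    """
    notes = []
    m = _RFC5424.match(line)
    if m:  # date, fraction and zone all present: nothing to assume
        ts = m.group("ts").replace("Z", "+00:00")
        return datetime.fromisoformat(ts).astimezone(timezone.utc), notes
    m = _APACHE.search(line)
    if m:  # year and numeric UTC offset present
        dt = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        return dt.astimezone(timezone.utc), notes
    m = _RUBY.match(line)
    if m:  # Ruby's Logger writes local time without a zone
        notes.append("timezone assumed: %s" % local_tz)
        dt = datetime.fromisoformat(m.group("ts")).replace(tzinfo=local_tz)
        return dt.astimezone(timezone.utc), notes
    m = _RFC3164.match(line)
    if m:  # BSD syslog: neither year nor zone
        notes.append("timezone assumed: %s" % local_tz)
        notes.append("year taken from current clock")
        text = "%d %s %s %s" % (now.year, m.group("mon"), m.group("day"), m.group("time"))
        dt = datetime.strptime(text, "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
        # A line dated more than a day ahead of the clock was written last
        # year (December's lines read in January: the classic rollover bug).
        if dt - now > timedelta(days=1):
            dt = dt.replace(year=now.year - 1)
            notes.append("year rolled back by one")
        return dt.astimezone(timezone.utc), notes
    m = _LOG4J.match(line)
    if m:  # milliseconds since the application started: useless on its own
        if app_start is None:
            notes.append("relative timestamp and no application start time")
            return None, notes
        notes.append("anchored on supplied application start time")
        dt = app_start + timedelta(milliseconds=int(m.group("ms")))
        return dt.astimezone(timezone.utc), notes
    notes.append("no recognised timestamp")
    return None, notes


def normalize_all(now, local_tz=timezone.utc, app_start=None):
    """Normalize every sample; returns {name: (ISO 8601 UTC or None, notes)}."""
    result = {}
    for name, line in SAMPLES.items():
        dt, notes = normalize(line, now, local_tz, app_start)
        result[name] = (dt.isoformat() if dt else None, notes)
    return result


if __name__ == "__main__":
    for name, (iso, notes) in normalize_all(NOW, CET, APP_START).items():
        print("%-8s %-32s %s" % (name, iso, "; ".join(notes)))
```

The notes list is the part worth keeping in a real pipeline: a timestamp that was guessed should be marked as such in the stored message, otherwise an audit trail built from BSD syslog silently carries the collector's time zone and a year that is wrong for a few days every January.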



How to get value out of unstructured logs?

Regex
More regex
Even more regex



((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?



Grok
IPV6 ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9...

USERNAME [a-zA-Z0-9._-]+
USER %{USERNAME}
HOSTNAME \b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME}
...
COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}



Graylog: Extractors
Regular expressions based
Extracts data into message fields
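Grok and Graylog's extractors both boil down to the same mechanism: named regex fragments are composed by reference and the named groups become message fields. The following added example (neither Graylog's extractor code nor the grok library, just a minimal re-implementation of the %{NAME} / %{NAME:field} convention) expands the patterns from the Grok slide into one regex and runs COMBINEDAPACHELOG over the Apache line shown earlier. The USERNAME, USER, HOSTNAME, EMAILLOCALPART, EMAILADDRESS and COMBINEDAPACHELOG definitions are copied from the slide; IPV4 is the dotted-quad sub-expression of the slide's IPV6 regex; COMMONAPACHELOG and its helper patterns are this example's own simplified definitions, since the slide only references COMMONAPACHELOG by name. The sample lines are constructed copies.

```python
"""Expand grok pattern references into a single regex and pull the named
fields out of a log line, the way a regex-based extractor does.

Added example: neither Graylog's extractor code nor the grok library.
"""
import re

# USERNAME..EMAILADDRESS and COMBINEDAPACHELOG copied from the slide.
# IPV4 is the dotted-quad sub-expression of the slide's IPV6 regex.
# COMMONAPACHELOG and its helpers are this example's own simplified
# definitions (the slide only references COMMONAPACHELOG by name).
PATTERNS = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "EMAILLOCALPART": r"[a-zA-Z][a-zA-Z0-9_.+-=:]+",
    "EMAILADDRESS": r"%{EMAILLOCALPART}@%{HOSTNAME}",
    "IPV4": r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}",
    "INT": r"[+-]?\d+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "QS": r'"(?:[^"\\]|\\.)*"',
    "COMMONAPACHELOG": (r'%{IPV4:clientip} %{USER:ident} %{USER:auth} '
                        r'\[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{NOTSPACE:request} '
                        r'HTTP/%{NUMBER:httpversion}" %{INT:response} (?:%{INT:bytes}|-)'),
    "COMBINEDAPACHELOG": r"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}",
}

# Constructed copy of the Apache line from the slide.
APACHE_LINE = ('127.0.0.1 - bernd [28/Dec/2014:06:43:15 +0100] '
               '"PROPFIND /remote.php/webdav/ HTTP/1.1" 207 910 "-" '
               '"Mozilla/5.0 (Linux) mirall/1.7.1"')

_REF = re.compile(r"%\{(?P<name>[A-Z0-9_]+)(?::(?P<field>[A-Za-z0-9_]+))?\}")


def expand(pattern, patterns=PATTERNS, _depth=0):
    """Replace every %{NAME[:field]} with NAME's regex, recursively; a
    field name becomes a named capture group. Depth is bounded so a
    pattern that references itself fails instead of recursing forever."""
    if _depth > 32:
        raise ValueError("grok reference nesting too deep (cycle?)")

    def repl(m):
        name, field = m.group("name"), m.group("field")
        if name not in patterns:
            raise KeyError("unknown grok pattern %s" % name)
        inner = expand(patterns[name], patterns, _depth + 1)
        return "(?P<%s>%s)" % (field, inner) if field else "(?:%s)" % inner

    return _REF.sub(repl, pattern)


def extract(pattern, line, patterns=PATTERNS):
    """Apply a grok pattern to one line. Returns the dict of named fields,
    or None so the caller can count misses instead of silently dropping
    lines that a format change no longer matches."""
    m = re.compile(expand(pattern, patterns)).search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for field, value in sorted((extract("%{COMBINEDAPACHELOG}", APACHE_LINE) or {}).items()):
        print("%-12s %s" % (field, value))
```

Two operational points the code makes explicit: unmatched lines come back as None rather than vanishing, so a counter on misses tells you when an upstream log format changed; and the recursion depth is bounded, because a pattern set is configuration that can reference itself and an extractor that hangs on bad configuration takes the whole ingest path with it.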



How to fix this?
Central log collection (Graylog, ELK, others)
Use structured log formats
Structured Syslog RFC 5424
CEF Format
GELF
JSON



Structured Syslog RFC 5424
2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...



CEF by ArcSight/HP
Sep 19 08:26:10 host CEF:0|HP|siem|1.0|100|service successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232



GELF
{
  "version": "1.1",
  "timestamp": 1385053862.3072,
  "host": "example.org",
  "short_message": "A short message",
  "full_message": "Backtrace here\n\nmore stuff",
  "level": 1,
  "_user_id": 9001,
  "_some_info": "foo",
  "_some_env_var": "bar"
}



JSON
{
  "source": "example.org",
  "message": "A log message",
  "timestamp": "2015-11-15T10:43:21Z",
  "user_id": 9001,
  "http_method": "GET"
}
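The two slides above show the same event in two structured shapes; the added example below (not Graylog code) turns the JSON event into a GELF 1.1 message, frames it for the GELF TCP transport and builds the TLS client context a collector should use when shipping it. The GELF rules applied (version, host and short_message are required, the timestamp is seconds since the epoch, additional fields carry a leading underscore, may only contain word characters, dots and dashes, and must not be named "_id") come from the GELF 1.1 specification; the source/message key renames, the helper functions, the ca_file parameter and the host/port in send_gelf_tls are this example's own assumptions, and the event is a constructed copy of the JSON slide.

```python
"""Build a GELF 1.1 message from the structured JSON event on the slide,
frame it for GELF over TCP and prepare a verifying TLS client context.

Added example, not Graylog code.  The field rules follow the GELF 1.1
specification; the key renames and helpers are this example's own.
"""
import json
import re
import socket
import ssl
from datetime import datetime

# Constructed copy of the JSON slide's event.
JSON_EVENT = {
    "source": "example.org",
    "message": "A log message",
    "timestamp": "2015-11-15T10:43:21Z",
    "user_id": 9001,
    "http_method": "GET",
}

# Assumed mapping from the slide's JSON keys to GELF's standard keys.
RENAMES = {"source": "host", "message": "short_message"}
STANDARD = {"version", "host", "short_message", "full_message", "timestamp", "level"}
FIELD_NAME = re.compile(r"^[\w.\-]*$")  # allowed additional field names (GELF 1.1)


def to_gelf(event):
    """Return the GELF 1.1 dict for a flat JSON event, or raise ValueError."""
    gelf = {"version": "1.1"}
    for key, value in event.items():
        key = RENAMES.get(key, key)
        if key == "timestamp" and isinstance(value, str):
            # GELF carries seconds since the epoch; the slide uses ISO 8601 with "Z".
            value = datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()
        if key in STANDARD:
            gelf[key] = value
            continue
        name = "_" + key.lstrip("_")   # additional fields are underscored
        if name == "_id":              # reserved by the spec, never send it
            raise ValueError("'_id' is not allowed as an additional field")
        if not FIELD_NAME.match(name):
            raise ValueError("illegal field name %r" % name)
        gelf[name] = value
    missing = {"host", "short_message"} - set(gelf)
    if missing:
        raise ValueError("GELF message lacks %s" % sorted(missing))
    return gelf


def is_valid_gelf_event(event):
    """True when to_gelf() accepts the event."""
    try:
        to_gelf(event)
        return True
    except ValueError:
        return False


def frame_tcp(gelf):
    """GELF TCP terminates each message with a NUL byte, so the JSON must
    be compact and free of raw NULs.  json.dumps escapes control
    characters, so the check below is a belt-and-braces guard."""
    payload = json.dumps(gelf, separators=(",", ":")).encode("utf-8")
    if b"\x00" in payload:
        raise ValueError("raw NUL inside payload would end the frame early")
    return payload + b"\x00"


def tls_context(ca_file=None):
    """Client context for GELF over TLS: the server certificate must chain
    to a trusted CA and match the hostname, otherwise anything that can
    answer on port 12201 receives the logs.  ca_file (assumed path) is only
    needed when the Graylog CA is not in the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_gelf_tls(gelf, host, port=12201, ca_file=None):
    """Ship one framed message to a GELF TCP input with TLS enabled.
    Not run here: it needs a reachable Graylog server (assumed host/port)."""
    frame = frame_tcp(gelf)
    with socket.create_connection((host, port), timeout=5) as raw:
        with tls_context(ca_file).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    print(frame_tcp(to_gelf(JSON_EVENT)))
```

The "_id" rejection matters more than it looks: Elasticsearch treats _id as the document identifier, which is why GELF reserves it, and a producer that lets user-controlled keys through unfiltered hands the sender a way to collide with or overwrite stored messages. Verifying the server certificate is the other half of "transport encryption via TLS": encryption without verification only protects against passive reading, not against a host that impersonates the Graylog input.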



How we try to improve the ecosystem
Icinga2 GELF output for events
Docker GELF logging driver (since Docker 1.8)
apache-mod_log_gelf (beta)
log4j2-gelf
gelfclient Java library
svloggelfd (log forwarding for runit)



We at Graylog <3 structured data
and you should too!



Introduction: Graylog Collector
Reads local log files and ships them to Graylog
Windows EventLog support (limited for now)
Transport encryption via TLS
Runs on Linux, Windows, Mac OS X and AIX



Why another Collector?
There are lots of others: nxlog, fluentd, heka,
filebeat, rsyslog, syslog-ng
We want integration and centralized
management of collectors in Graylog



Collector Installation
OS packages for Linux distributions
Manual installation on Windows via ZIP file
(MSI upcoming)
Runs as Windows service



Collector Configuration
server-url = "http://your-graylog-server:12900"
inputs {
  windows-application-log {
    type = "windows-eventlog"
    source-name = "Application"
  }
}
outputs {
  gelf-tcp {
    type = "gelf"
    host = "your-graylog-server"
    port = 12201
  }
}



Collector: Current State
Windows EventLog support needs update to
support new Windows APIs
File reading needs improvement
Centralized management needs to be
implemented
:-(



Tomorrow: Hackathon



Thank you!

Thank you for your time!



QA

Ask me anything!

Bernd Ahlers / Graylog, Inc.


[email protected]
@berndahlers
www.graylog.org
github.com/Graylog2

