Why proper logging is important

Why proper logging is important...

...in all phases of development?

Péter Czanikcommunity manager

About me

• Peter Czanik from Hungary

• community manager at BalaBit: syslog-ng upstream

• BalaBit is an IT security company with HQ in Budapest, Hungary with 100+ developers

• part of the openSUSE testing team• openSUSE syslog-ng package maintainer

Topics

• no, it is not about cutting trees :-)

• what is syslog? and syslog-ng?• who uses syslog-ng?• what to log?• free-form messages against name-value pairs• the new buzzword: journal• standardization efforts: CEE/Lumberjack• name-value pairs at work: ELSA

What is syslog?

• logging: recording events• syslog:

- application: collecting events- data: the actual log messages- protocol: forwarding events

• history:- originally developed as a logging tool for sendmail- quickly many other apps started to use it

• syslog-ng: “next generation” syslog server- since 1997

- focus on central log collection

What is syslog-ng

• “Swiss army knife” of logging• OSE vs. PE

• high performance• more input sources (files, programs, and so on)• more destinations (databases, encrypted net,

etc.)• better filtering (not only priority, facility)• processing (rewrite, parse, correlate, and so on)• JSON output and parser• AMQP

Who uses syslog-ng?

• syslog-ng is the default logging solution in SLES since SLES 10- Uses 2.0, an ancient version

• syslog-ng is the default logging solution in Gentoo• syslog-ng is available in openSUSE (package is

maintained by me :-) )

• ...and?

Who uses syslog-ng?

What to log?

• what: everything :-)• in more detail: SANS Top5 log reports:

- authentication, change, resource access, etc.

• during development logging is often an afterthought- some/many of the above is missing- aids just coding- difficult to debug or audit in production

• logging should be an integral part of development- think also about production :-)- consult with operators → DEVOPS!!!- use a similar logging environment, as in production

How to log?

• short answer: centrally• long: centrally, because:

- ease of use: one place to check instead of many- availability: even if the sender machine is down- security: logs are available even if sender machine is compromised

Free form log messages

• most log messages are: date + hostname + textMar 11 13:37:56 linux-6965 sshd[4547]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 46048 ssh2

• text = English sentence with some variable parts• easy to read by a human

Why it does not scale?

• few logs (workstation) → easy to find information• many logs (server) → difficult to find information• information is presented differently by each

application• difficult to process them with scripts

• answer: structured logging- Events represented as name value pairs

Solution from syslog-ng: PatternDB

• syslog-ng: name-value pairs inside- date, facility, priority, program name, pid, etc.

• PatternDB parser:- can extract useful information into name-value pairs- add status fields based on message text- message classification

• example: an ssh login failure:- user=root, action=login, status=failure- classified as “violation”

Journal

• the logging component of system• name-value pairs inside:

- message- trusted properties- sny additional name-value pairs

• native support for name-value pair storage

• persistent log storage can be disabled• logs can be forwarded to syslog-ng through a

socket• syslog-ng can filter, process logs and forward

them to central log server

Journal: the enemy?

• FAQ: Q: is journal the enemy? A: No!• Journal is local only (syslog-ng: client – server)• Journal does not filter or process log messages• Journal is limited to Linux/systemd (syslog-ng: all

Linux/BSD/UNIX)

• Journal, syslog-ng, Windows eventlog, rsyslog, auditd, and so on are based on name-value pairs

• All use different field names• Standardization is a must: CEE → Common Event

Expression• Events: name-value pairs instead of free-form text- Taxonomy: name-value pairs to describe events (example: status)- Dictionary: name-value pairs for event parameters (example: user)

• PatternDB can turn free-form messages into CEE

Name-value pairs in action: ELSA

• ELSA: Enterprise Log Search and Archive• based on syslog-ng, PatternDB and MySQL• simple and powerful web GUI• extreme scalability• patterns focused on network security:

- firewalls: Cisco, iptables- IDS: Snort, Suricata, Bro- HTTP, Windows logs, etc.

Search

So, why syslog-ng?

• 15 years of open source development• high performance log management• flexible configuration• excellent documentation• PatternDB message parsing

Questions? (and some answers)

• Questions?

• Some useful syslog-ng resources:- Syslog-ng: http://www.balabit.com/network-security/syslog-ng- SANS top5 essential log reports extended: http://chuvakin.blogspot.hu/2010/08/updated-with-community-feedback-sans_06.html - Many books at http://oreilly.com/- ELSA: http://code.google.com/p/enterprise-log-search-and-archive/- My blog: http://czanik.blogs.balabit.com/

Thank You!Péter Czanik

community managerpeter.czanik@balabit.com

Why proper logging is important

Documents

Thru-Pipe Logging System (ThruLog) Wireline Logging System20191108… · Slam Logging System (SlamLog) Slim Hostile Logging System (HostileLog) Thru-Pipe Logging System (ThruLog)

Why is correct capitalization important? First word of a sentence Salutations and closings of letters The pronoun I Proper nouns Proper adjectives Abbreviations

Logging - Cisco · Step4 ChooseConfiguration > Device Management > Logging > Logging Setup toenableloggingforthe currentsessiononly. Step5 ChecktheEnable logging checkbox,thenclickApply

Logging Configuration - Cisco€¦ · Logging Configuration Thefollowingdescribeshowtoenableauditandeventloggingonthecontroller. • LoggingConfigurationOverview,page1 Logging Configuration

One step towards True Along Hole logging depths: proper ... · 1. WLL and LWD need better along hole depths 2. Proper corrections to get to real TAH (True Along Hole) depth for both

PrProductionoduction Logging Logging TToolsools

Registration is Important to You! It facilitates… Proper placement in courses Proper placement in courses Fulfillment of graduation requirements Fulfillment

Patient Education Nutrition - Satellite Healthcare · 2017-11-29 · e o 21 Page 1 of 3 Patient Education Nutrition Proper Nutrition is Important Proper nutrition is especially important

Proper backfill and equipment are important for a ... 10 - Installation... · Proper backfill and equipment are important for a successful installation. Installation & Construction

Mud Logging Introduction Without Mud Logging Knowledge

SPECTRAL NOISE LOGGING TOOL - Production Logging Service

Proper Logging of Podiatric Surgical Procedures Logging Webinar Slides.pdf · Logging Basics – General The date entered into the log is the date the procedure was performed, not

Phosphorylation of Sli15 by Ipl1 Is Important for Proper

Introduction to Lexia Strategies. Session Overview What is Lexia? Downloading the Software Logging on The Software Important Points

Ver. 1.4 Release Notes for Chromebook App, Math …...4 Important Notes Teachers and students logging in to the same device is not currently supported. Logging in on a device on one

Earth-Kind · Applying fertilizer to the lawn at the proper time and in the proper amount can save time, effort, and money through reduced mowing and watering. Most important, proper

Semantic Logging: Avoiding the Logging Chaos

Service - rtellason.comrtellason.com/manuals/Service ManualLE32D2320-LE39D2380-LE42D2380... · 2 Important Safety Notice Proper service and repair is important to the safe, reliable

Why is correct capitalization important? First word of sentence Salutations and closings of letters The pronoun I Proper nouns Proper adjectives School

Logging Camps Logging Contractors SIC2411 M