Sumologic timeslice

Sumo Logic is a service (SaaS) which accepts machine data and exposes a very powerful search query language to the user. It can be used for log analysis and for metric data analysis. So on top of the log processing features you get performance monitoring features, such as CPU utilization, memory consumption and network throughput. I will show how to parse and aggregate the Flow data. This way Suricata acts as your Netflow processor, which sends serialized JSON flow data to Sumo Logic. I will show you some visualizations which you can generate (even with the free account):

  • The EVE JSON standard of Suricata contains a vast amount of information. This way you can generate a network overview and identify network issues.
  • how to analyse Windows EventLogs to parse for VPN activity.
  • how to parse Apache access logs and to visualize them.
  • and how to handle Linux Syslog (Rsyslog) to count root logins via PAM.

The agent can retrieve files from the local disk, and via SSH. They also support remote Windows EventLog sources. They have Java based agents, which can open a local Syslog listener on a dedicated machine. Many of these modern solutions fail here.

I am posting the search queries here, because there is a project on GitHub which allows you to utilize these for your own independent data analysis. A good workflow is to pipe logs via plaso / log2timeline to sumo (the Go binary built from the source code) to d3.js or the InfoVis toolkit. Or Tableau, if you need it fast. In some cases I have also used IBM SPSS, but not for InfoSec purposes. For large scale tasks I recommend using Theano and/or Tensorflow, and probably (py)Spark. However, in the following I want to focus on the Sumo Logic service. The service has a decent API, as you might have guessed. Their Python API is very similar to the Splunk Python SDK imho. This becomes important for data enrichment tasks and automation. Logs need to contribute to the security processes and the overall security posture, because they contain relevant "trigger" information. The agent installation is simple on Windows and Linux, and it gets configured via the Web UI.

Now the data is in Sumo and it's a Splunk style experience. JSON is an important logging standard, and the most common data exchange format modern tools use nowadays. I have configured the Sumo Collector Agent to monitor a file and to send the data into their service. Do I just regex parse the data? Ehhhh… that could become a big task.

    (_source="Suricata NIDS EVE JSON") | json auto extractarrays nodrop

We select the source, pipe it to the json command, and extract the whole multi-layered data set without dropping invalid entries. Now you can see all the fields, which allows fast-forward statistical analysis of the value distribution.

    (_source="Suricata NIDS EVE JSON") | json auto extractarrays nodrop | sum(%flow.pkts_toserver) group by src_ip | sort by _sum

We use one of these extracted fields, and point into the array within the JSON record. The sum function takes the amount of packets, which is indicated within the flow.pkts_toserver field. The percent sign is used to denote a dot within the JSON hierarchy. This will sum the packets up, within the selected time frame.

I created a Debian user named logger and put it into the adm group, so that it can read /var/log/apache2/*.log. The Sumo Collector Agent logs in with an SSH key, grabs the log lines, and adds them to the records. There is a Sumo App for Apache Access Logs, so this is the simplest analysis you can perform with Sumo.

    _sourceCategory=<your Apache access log source>
    | timeslice 1m
    | if(status_code matches "2*", 1, 0) as successes
    | if(status_code matches "3*", 1, 0) as redirects
    | if(status_code matches "4*", 1, 0) as client_errors
    | if(status_code matches "5*", 1, 0) as server_errors
    | sum(successes) as successes, sum(client_errors) as client_errors, sum(redirects) as redirects, sum(server_errors) as server_errors by _timeslice

The if() steps have to run before the sum(), because the aggregation reads the fields they create, and the timeslice operator has to run before the aggregation, because _timeslice is the field it produces. The source scope and the timeslice interval shown here are placeholders; the original post does not state them.