(Fios#02) 2. elk 포렌식 분석
- 1. FORENSIC
INSIGHT;
DIGITAL
FORENSICS
COMMUNITY
IN
KOREA
ELK Forensics
demantos
demantos@gmail.com
http://malwarel4b.blogspot.kr
Cho
Hoon
- 137. 사이즈
logstash 18235 1 99 10:15 ? 01:38:31 /usr/bin/java -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -jar /opt/logstash/vendor/jar/jruby-complete-1.7.11.jar -I/opt/logstash/lib /opt/logstash/lib/logstash/runner.rb agent -f /etc/logstash/conf.d -l /var/log/logstash/logstash.log -w 4
- 152. 것인지
input
parse/filter
output
Input plugins: collectd, drupal_dblog, elasticsearch, eventlog, exec, file, ganglia, gelf, gemfire, generator, graphite, heroku, imap, invalid_input, irc, jmx, log4j, lumberjack, pipe, puppet_facter, rabbitmq, rackspace, redis, relp, s3, snmptrap, sqlite, sqs, stdin, stomp, syslog, tcp, twitter, udp, unix, varnishlog, websocket, wmi, xmpp, zenoss, zeromq
Filter plugins: advisor, alter, anonymize, checksum, cidr, cipher, clone, collate, csv, date, dns, drop, elapsed, elasticsearch, environment, extractnumbers, fingerprint, gelfify, geoip, grep, grok, grokdiscovery, i18n, json, json_encode, kv, metaevent, metrics, multiline, mutate, noop, prune, punct, railsparallelrequest, range, ruby, sleep, split, sumnumbers, syslog_pri, throttle, translate, unique, urldecode, useragent, uuid, wms, wmts, xml, zeromq
Output plugins: boundary, circonus, cloudwatch, csv, datadog, datadog_metrics, elasticsearch, elasticsearch_http, elasticsearch_river, email, exec, file, ganglia, gelf, gemfire, google_bigquery, google_cloud_storage, graphite, graphtastic, hipchat, http, irc, jira, juggernaut, librato, loggly, lumberjack, metriccatcher, mongodb, nagios, nagios_nsca, null, opentsdb, pagerduty, pipe, rabbitmq, rackspace, redis, redmine, riak, riemann, s3, sns, solr_http, sqs, statsd, stdout, stomp, syslog, tcp, udp, websocket, xmpp, zabbix, zeromq
[참고]
- 154. forensicinsight.org Page
Logstash
10
input {
  tcp {
    type => "apache"
    port => 18080
  }
}
filter {
  if [type] == "apache" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}
output {
  if [type] == "apache" {
    elasticsearch {
      index => "logstash-iistest02"
      host => "localhost"
    }
  }
}
Block
Block
Block
plugin
- 166.
• cat /IIS/W3C1234/ex* | nc -vv localhost 18003
input {
  tcp {
    type => "w3c_extended_iis"
    port => 18003
  }
}
input {
  syslog {
    type => "syslog"
    port => 5514
  }
}
Neither input authenticates or encrypts what it receives, so the listening ports should be reachable only from the hosts expected to ship logs; the nc test above sends from localhost.
- 167. forensicinsight.org Page
Logstash
12
▪ Filter
filter {
  if [type] == "w3c_extended_iis" {
    # drop comment lines
    if ([message] =~ /^#/) {
      drop{}
    }
    csv {
      columns => ["date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query", "s_port", "cs_username", "c_ip", "cs_user_agent", "sc_status", "sc_substatus", "sc_win32_status", "time_taken"]
      separator => "<SEPARATOR VALUE LOST IN EXTRACTION>"
    }
    mutate {
      merge => ["date", "time"]
    }
    mutate {
      join => ["date", "<JOIN SEPARATOR LOST IN EXTRACTION>"]
    }
    date {
      match => ["date", "YYYY-MM-dd HH:mm:ss"]
      timezone => ['UTC']
    }
    geoip {
      source => "c_ip"
    }
- 168. forensicinsight.org Page
Logstash
13
▪ Filter
    # extract macb info
    if ("m" in [macb]) {
      mutate {
        add_tag => ["modified"]
      }
    }
    if ("a" in [macb]) {
      mutate {
        add_tag => ["accessed"]
      }
    }
    if ("c" in [macb]) {
      mutate {
        add_tag => ["changed"]
      }
    }
    if ("b" in [macb]) {
      mutate {
        add_tag => ["birth"]
      }
    }
    # extract file extension
    grok {
      match => ["path", "(?<filename>[^/]+?)?$"]
    }
    grok {
      match => ["filename", "((\.(?<ext>[^./]+))?)?$"]
    }
    mutate {
      lowercase => ["ext"]
      remove_field => ["message", "perms", "uid", "gid"]
    }
  }
}
- 203. 가능
%{syntax:semantic}
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
- 206. grok
Logstash
15
Dec 26 10:45:01 localhost postfix/pickup[27869]: 841D26FFA8: uid=0 from=root
%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} postfix/(?<component>[\w._/%-]+)(?:\[%{POSINT:pid}\]): (?<queueid>[0-9A-F]{,11}): %{GREEDYDATA:message}
Built-in
- 253. 불가능
output {
  if [type] == "w3c_extended_iis" {
    elasticsearch {
      index => "logstash-%{[type]}-%{+YYYY.MM.dd}"
      host => "localhost"
    }
  }
}
- 340. 함
elastic+ 8363 1848 8 15:51 ? 00:02:13 /usr/lib/jvm/java-7-openjdk-amd64//bin/java -Xms4g -Xmx4g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Delasticsearch -Des.pidfile=/var/run/elasticsearch.pid -Des.path.home=/usr/share/elasticsearch -cp :/usr/share/elasticsearch/lib/elasticsearch-1.4.4.jar:/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/sigar/* -Des.default.config=/etc/elasticsearch/elasticsearch.yml -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.work=/tmp/elasticsearch -Des.default.path.conf=/etc/elasticsearch org.elasticsearch.bootstrap.Elasticsearch
- 357.
• index.number_of_shards
• index.number_of_replicas
• indices.memory.index_buffer_size
• index.store.type
• index.translog.flush_threshold_ops
• index.refresh_interval
• bootstrap.mlockall
- 474. 보유
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
  Module xm_json
</Extension>

# Windows Event Log
<Input eventlog>
  Module im_msvistalog
  # Module im_mseventlog
  Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Output out>
  Module om_tcp
  Host 192.168.1.126
  Port 3515
</Output>

<Route 1>
  Path internal, eventlog => out
</Route>
om_tcp sends the JSON events to 192.168.1.126:3515 as plaintext with no transport-level authentication, so the path between the Windows host and the collector should be a trusted network segment.
Input
Processor
Output
im_xxx
pm_xxx
om_xxx
- 482. 가능
<Input in>
  Module im_msvistalog
  Exec if ($TargetUserName == 'SYSTEM') OR ($EventType == 'VERBOSE') drop();
</Input>

<Input unix>
  Module im_uds
  uds /dev/log
</Input>

<Processor filter>
  Module pm_filter
  Condition $raw_event =~ /failed/ or $raw_event =~ /error/
</Processor>

<Output out>
  Module om_file
  File /var/log/error
</Output>

<Route 1>
  Path unix => filter => out
</Route>
- 488. forensicinsight.org Page
Performance Test
38
Case #1
(default)
Case #2 Case #2’ Case #3 Case #3’ Case #4 Case #4’
index.number_of_replicas 1 1 1 0
index.number_of_shards 5 3 3 1
index.translog.flush_threshold_ops 5000 50000 50000 50000
index.refresh_interval 5s 30s 30s -1
indices.memory.index_buffer_size 10% 30% 50% 50%
index.store.type % mmapfs mmapfs mmapfs
bootstrap.mlockall - - TRUE TRUE
MAX_LOCKED_MEMORY - - unlimited unlimited
indexing duration 180m 168m 135m 174m 143m 165m 145m
docs / primary size 9,600,201/3.0GB 9,600,201/2.8GB 9,600,201/2.7GB 9,600,201/2.7GB 9,600,201/2.7GB 9,600,201/2.7GB 9,600,201/2.7GB
indexing duration 65m 67m 48m 67m 48m 59m 49m
docs / primary size 3,303,249/926.5M 3,303,249/888.1M 3,303,249/889.6M 3,303,249/886.7M 3,303,249/890.4M 3,303,249/894.0M 3,303,249/983.4M
• 테스트