Logghantering med mjukvara

Schulze, Henrik, Brandberg, Fredrik

January 2016

Abstract By applying principles of conducting design science research, we have developed eight guide-lines for log management. By comparing with the literature on log management, we haveinvestigated the quality and relevance of the guidelines. We also investigated whether six of theeight guidelines are relevant in the sense that they can be supported by software. / Sammanfattning Genom att tillämpa principer för att bedriva forskning i design science, har vi tagit fram åttariktlinjer för en hantering av loggar. Genom jämförelse med litteratur om logghantering har viundersökt kvalitet och relevans hos riktlinjerna. Vi har även undersökt om sex av de åttariktlinjerna är relevanta i den meningen att mjukvara kan stödja dem.

Centralized Logging

Design Science

Log Management

Splunk

Splunk Enterprise

Splunk Web

splunkd.

Logghantering : En undersökning av logghantering och logghanteringssystem

Flodin, Anton

January 2016

This research includes a review of the log management of the company Telia. The research has also included a comparison of the two log management sys- tems Splunk and ELK. The review of the company’s log management shows that log messages are being stored in files on a hard drive that can be accessed through the network. The log messages are system-specific. ELK is able to fetch log messages of different formats simultaneously, but this feature is not possible in Splunk where the process of uploading log messages has to be re- peated for log messages that have different formats. Both systems store log messages through a file system on a hard drive, where the systems are installed. In networks that involve multiple servers, ELK is distributing the log messages between the servers. Thus, the workload to perform searches and storing large amounts of data is reduced. Using Splunk in networks can also reduce the workload. This is done by using forwarders that send the log messages to one or multiple central servers which stores the messages. Searches of log messages in Splunk are performed by using a graphical interface. Searches in ELK is done by using a REST-API which can be used by external systems as well, to retrieve search results. Splunk also has a REST-API that can be used by external sys- tems to receive search results. The research revealed that ELK had a lower search time than Splunk. However, no method was found that could be used to measure the indexing time of ELK, which meant that no comparison could be made with respect to the indexing time for Splunk. For future work there should be an investigation whether there is any possibility to measure the indexing time of ELK. Another recommendation is to include more log management sys- tem in the research to improve the results that may be suitable candidates for the company Telia. An improvement suggestion as well, is to do performance tests in a network with multiple servers and thereby draw conclusions how the performance is in practice. / Denna undersökning har innefattat en granskning av logghanteringen som exi- sterar hos företaget Telia och en jämförelse av två logghanteringssystem: Splunk och ELK. Undersökningen visar att loggmeddelanden hos företaget har olika format och lagras i filer på en hårddisk som nås genom nätverket. Både ELK och Splunk kan hantera loggmeddelanden med olika format. ELK kan läsa in loggmeddelanden av olika format samtidigt, men detta är inte möjligt i Splunk då inläsningsprocessen måste repeteras för loggmeddelanden som har olika format. Båda systemen lagrar loggmeddelanden genom ett filsystem på en servers hårddisk där systemen är installerad. I nätverk som involverar flera servrar arbetar ELK distributivt genom att distribuera loggmeddelanden mellan dessa servrar. Följder av distribuering av loggmeddelanden ger en lägre arbets- börda för varje server i nätverket. I nätverk där Splunk används kan forwarders användas som skickar vidare loggmeddelanden till en eller flera central server som lagrar loggmeddelanden, därmed kan arbetsbördan för sökningar och in- dexering av data minskas. Sökningar av loggmeddelanden i Splunk utförs ge- nom att använda ett grafiskt gränssnitt. Sökningar i ELK sker genom att använ- da ett REST-API som finns i systemet som även används av externa system för att hämta sökresultat. Splunk har också ett REST-API inkluderat som kan an- vändas för att exportera sökresultat. Undersökningen visade att ELK hade en lägre söktid än Splunk. För undersökningen fanns ingen metod att använda för att mäta indexeringstiden för ELK vilket innebar att ingen jämförelse kunde gö- ras med avseende på indexeringstid. För framtida arbete rekommenderas bland annat att undersöka om det finns någon möjlighet att mäta indexeringstiden för ELK. En annan rekommendation är att låta fler logghanteringssystem ingå i un- dersökningen för att förbättra resultatet som kan vara lämpliga kandidater för företaget Telia. Ett förbättringsförslag är att utföra prestandatester för ett nät- verk med flera servrar för att därmed dra slutsatser för hur prestandan är i praktiken.

Log

log management

Splunk

ELK

Telia

Logg

logghantering

Splunk

ELK

Telia

Software Engineering

Programvaruteknik

Testtäckningsstruktur för fälttestning av SDP3 : Skapande och visualisering av testtäckningsstruktur för SDP3 med hjälp av användardata / Test coverage framework for field testing of SDP3

David, Samer

January 2017

A big part of software development is testing and quality assurance. At the department of service market, Scania R&D, the software Scania Diagnose and Programmer 3 (SDP3) is developed and tested. The quality assurance is conducted by internal and external testing. However, the external testing of SDP3 lacks guidelines for measuring the quality of a field test. The purpose of this project was to create and implement a framework for the field test process of SDP3. This framework is later used to determine the quality of a field test. To create the framework, literature study, interviews and workshops were conducted. The workshops laid the foundation of the framework, and the interviews were used to specify the parameters in the framework. For the implementation of the framework studies were done to analyse the available data, later the framework was implemented into the data base management system Splunk as a real time Dashboard. The results of this study describes a framework that can be used to determine the quality of a field test. Unfortunately the whole framework could not be implemented into Splunk since all data needed could not be accessed through Splunk, instead, recommendations were made.

Kombinatorik

statistik

fordonskonfiguration

mjukvarutestning

SPD3

Scania

Splunk

Databaser

Regular Expression

Probability Theory and Statistics

Sannolikhetsteori och statistik

Förstudie till införandet av centralt loggsystem hos Försvarsmakten / Prestudy for the Introduction of a Central Logging System for the Swedish Armed Forces

Hellqvist, Olof

January 2011

Modern IT systems tend to become more and more complex, while the number of active systems in companies increases. Furthermore, the number of security-related incidents is at an all-time high. These new conditions impose new demands on organizations. For example, it is no longer possible to manually collect and examine the systems log messages. The purpose of this thesis has been to make a comprehensive study of solutions for automated collecting and managing of log messages, analyze the Swedish Armed Forces specification for solutions for central log collection and management, and evaluating exis- ting solutions. The work consisted primarily of literature studies and evaluations of two of the Swedish Armed Forces of selected products: NetIQ Security Manager and Splunk. The conclusion was that neither of the two products met the non-optional requirements posed by the specification. I personally think that the Swedish Armed Forces’ requirements specification for the central log management is far too strict and should hence be revised. A number of requirements in the current specification can be removed. Other requirements should be reformulated and/or re-evaluated. / Moderna IT-system tenderar att bli mer och mer komplexa, samtidigt som antalet ak- tiva system i ett fo ̈retag o ̈kar. Vidare a ̈r antalet sa ̈kerhetsrelaterade incidenter ho ̈gre a ̈n n ̊agonsin. Dessa nya omsta ̈ndigheter sta ̈ller nya krav p ̊a organisationer. Exempelvis a ̈r det inte la ̈ngre mo ̈jligt att manuellt samla in och granska systemens loggmeddelanden. Avsikten med den ha ̈r uppsatsen har varit att go ̈r en o ̈vergripande granskning av lo ̈sningar fo ̈r automatisk insamling och analys av loggmeddelanden, analysera de krav som Fo ̈rsvarsmakten sta ̈ller p ̊a lo ̈sningar fo ̈r central logghantering, samt utva ̈rdera befintliga lo ̈sningar. Arbetet bestod huvudsakligen av litteraturstudier samt utva ̈rderingar av tv ̊a av Fo ̈rsvarsmakten utvalda produkter: NetIQ Security Manager och Splunk. Slutsatsen blev att ingen av de tv ̊a produkterna uppfyller Fo ̈rsvarsmaktens samtliga krav fo ̈r central logghantering. Personligen anser jag att Fo ̈rsvarsmaktens kravspecifikation fo ̈r central logg- hantering a ̈r fo ̈r strikt och bo ̈r omarbetas. Ett antal krav i den nuvarande specifikationen kan med fo ̈rdel tas bort. Andra krav bo ̈r omformuleras och/eller omva ̈rderas.

SIEM

Syslog

EVT

EVTX

IDXP

Splunk

NetIQ Security Manager

Computer Sciences

Datavetenskap (datalogi)

A structured approach to selecting the most suitable log management system for an organization

Kristiansson Herrera, Lucas

January 2020

With the advent of digitalization, a typical organization today will contain an ecosystem of servers, databases, and other components. These systems can produce large volumes of log data on a daily basis. By using a log management system (LMS) for collecting, structuring and analyzing these log events, an organization could benefit in their services. The primary intent with this thesis is to construct a decision model that will aid organizations in finding a LMS that most fit their needs. To construct such a model, a number of log management products are investigated that are both proprietary and open source. Furthermore, good practices of handling log data are investigated by reading various papers and books on the subject. The result is a decision model that can be used by an organization for preparing, implementing, maintaining and choosing a LMS. The decision model makes an attempt to quantify various properties such as product features, but the LMSs it suggests should mostly be seen as a decision basis. In order to make the decision model more comprehensive and usable, more products should be included in the model and other factors that could play a part in finding a suitable LMS should be investigated.

log management

log management system

splunk

elasticsearch

aws

Computer Sciences

Datavetenskap (datalogi)

Network Traffic Analysis and Anomaly Detection : A Comparative Case Study

Babu, Rona

January 2022

Computer security is to protect the data inside the computer, relay the information, expose the information, or reduce the level of security to some extent. The communication contents are the main target of any malicious intent to interrupt one or more of the three aspects of the information security triad (confidentiality, integrity, and availability). This thesis aims to provide a comprehensive idea of network traffic analysis, various anomaly or intrusion detection systems, the tools used for it, and finally, a comparison of two Network Traffic Analysis (NTA) tools available in the market: Splunk and Security Onion and comparing their finding to analyse their feasibility and efficiency on Anomaly detection. Splunk and Security Onion were found to be different in the method of monitoring, User Interface (UI), and the observations noted. Further scope for future works is also suggested from the conclusions made.

Computer security

Network Traffic Analysis (NTA)

SIEM

Splunk

Security Onion

Engineering and Technology

Teknik och teknologier