SlideShare a Scribd company logo

Logging at scale: doing more with less

André Fucs de Miranda, profile picture
André Fucs de Miranda

The document discusses using Apache NiFi to improve logging capabilities at scale for a Security Operations Center (SOC). It provides an agenda that includes an introduction to the speaker, context on the SOC's logging needs, an overview of Apache NiFi, and a demonstration. The SOC generates terabytes of logging data per day across diverse tools and cloud services. It evaluated tools to better collect, process, enrich, and analyze logs. Apache NiFi was selected for its ability to flexibly route and transform data, integrate with existing systems, query diverse sources, scale horizontally, and provide security and data provenance.

Technology
1 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Logging at scale Doing more with less Presented by Andre Fucs de Miranda
Macquarie GovernmentMacquarie Government 1. A bit about me 2. A bit of context 3. Apache NiFi and the SOC 4. Demo 5. Questions The agenda. | Logging at scale – Doing more with less 2
Macquarie Government A bit about me. | Logging at scale – Doing more with less
Macquarie Government Manager @ Macquarie’s Security Operations Center 20 years working in information cyber security Apache NiFi committer and PMC member | Logging at scale – Doing more with less https://github.com/trixpan https://twitter.com/trixpan About me
Macquarie Government A bit of context | Logging at scale – Doing more with less
Macquarie Government A bit of context About Macquarie Government • 42% of Australian Government agencies are our customers • 3+ billion events per day; Our tool stack is diverse and busy: • We generate TBs of data per day. • Since 2015 we have been using “Big Data” (i.e. Hadoop ecosystem) for reporting and analytics. • We are constantly looking for ways to offer our customers with better insights over the threats targeting them. • We also felt that relying exclusively on traditional SIEM wasn’t enough anymore. | Logging at scale – Doing more with less 6
Macquarie Government A bit of context Could we leverage “big data” solutions to improve our SOC further? • Perhaps we could rationalise the way we collect and process log messages? • Perhaps we could do enrichment against a more diverse set of sources?? • What else? | Logging at scale – Doing more with less 7
Macquarie Government So we went and evaluated lots of tools and architectures looking to map things like: • Ability to integrate with SIEM pipelines natively • Ability to consume cloud services (IaaS, PaaS and Saas) • Ability to query odd stuff • Inbuilt Security • Ability to Scale out • How easy to maintain and extend | Logging at scale – Doing more with less 8 and many more… A bit of context All Apache project logos are trademarks of the ASF and the respective projects. Logstash is a trademark of Elasticsearch BV, registered in the U.S. and in other countries. fluentd is trademark by Treasure Data
And the winner was…
Macquarie Government Sorry, there was a mistake… | Logging at scale – Doing more with less 10 All Apache project logos are trademarks of the ASF and the respective projects.
Macquarie Government Let’s talk tech. | Logging at scale – Doing more with less Apache NiFi and the SOC
Macquarie Government A bit about Apache NiFi – A brief Prologue When you are start shipping “data” seems like an “easy” task | Logging at scale – Doing more with less DC1 DB 12
Macquarie Government A bit about Apache NiFi – A brief Prologue But as the environment grows, complexity compounds… …but you keep adjusting your environment | Logging at scale – Doing more with less DC1 DB DC2 DB HQ ClientX AZ1 AZ2 13
Macquarie Government ‘til the point you suddenly realise your pipeline is missing a bit of cheese. Or worse… | Logging at scale – Doing more with less © Luca Nebuloni https://www.flickr.com/photos/nebulux/10708289086/ 14
Macquarie Government A bit about Apache NiFi – A brief Prologue | Logging at scale – Doing more with less Source: https://goo.gl/xKoavI 15
Macquarie Government “Apache NiFi supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.” Open sourced by the National Security Agency in 2014[1] and submitted to The Apache Software Foundation for on-going stewardship [1] https://goo.gl/aZxCIC | Logging at scale – Doing more with less • User friendly interface • Flexible • Data Agnostic • Inbuilt mechanisms to balance between latency and throughput • Fine grain control of delivery guarantees (e.g. discard a flowfile once it becomes too old to be relevant). • “Secure” • Data provenance (from where, to where, changed by, etc.) • Authorization Policies, TLS, Kerberos, Encryption and a handful of other features • Designed for Extension A bit about Apache NiFi16
Macquarie Government A bit about Apache NiFi NiFi allows you easily move data between A and B (and B to A) in a controlled, secure and reliable way, while still allowing you to process and granularly apply logic to the data in motion. | Logging at scale – Doing more with less 17
Macquarie Government A bit about Apache NiFi A few examples on how NiFi capabilities help a SOC: • Rationalising the flows of data into your SIEM • Do you truly need your SIEM to be ingesting all your logs? • What happens when you run more than one SIEM (because it may well happen…)? • Enrich data against a diverse range of sources • ElasticSearch, REST APIs, DNS, Redis, Whois, GeoIP, SQL, MISP (via HTTP) • (Pull|push) data (from|to) a diverse set of platforms • Object based stores such as GCS or S3, FTP, SFTP, Mainframes via WebSphere MQ, Files, SQL and Syslog of course. | Logging at scale – Doing more with less 18
Macquarie Government Let’s take a closer look. | Logging at scale – Doing more with less
Macquarie Government | Logging at scale – Doing more with less DEMO Time
Macquarie Government Let’s talk. | Logging at scale – Doing more with less Andre Fucs de Miranda Macquarie Government amiranda@macquariegovernment.com 1800 004 943
Thank you.

More Related Content

PDF
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data Spain
 
PPTX
Managing the Dewey Decimal System
DataWorks Summit
 
PDF
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Big Data Spain
 
PDF
Elastic at KPN
Elasticsearch
 
PDF
Turning Evidence into Insights: How NCIS Leverages Elastic
Elasticsearch
 
PDF
Achieving cyber mission assurance with near real-time impact
Elasticsearch
 
PPTX
Using Hadoop to Drive Down Fraud for Telcos
Cloudera, Inc.
 
PDF
Security Events Logging at Bell with the Elastic Stack
Elasticsearch
 
Big Data security: Facing the challenge by Carlos Gómez at Big Data Spain 2017
Big Data Spain
 
Managing the Dewey Decimal System
DataWorks Summit
 
Keeping your Enterprise’s Big Data Secure by Owen O’Malley at Big Data Spain ...
Big Data Spain
 
Elastic at KPN
Elasticsearch
 
Turning Evidence into Insights: How NCIS Leverages Elastic
Elasticsearch
 
Achieving cyber mission assurance with near real-time impact
Elasticsearch
 
Using Hadoop to Drive Down Fraud for Telcos
Cloudera, Inc.
 
Security Events Logging at Bell with the Elastic Stack
Elasticsearch
 

What's hot (20)

PDF
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic Stack
Elasticsearch
 
PDF
Liferay cloud services lnlug-6-march-2014
Ruud Kluivers
 
PDF
CSX: Real-time Business Discovery with the Elastic Stack
Elasticsearch
 
PPTX
Ran Rothschild - CloudZone
Idan Tohami
 
PDF
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PROIDEA
 
PDF
Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics
Elasticsearch
 
PDF
Countering Threats with the Elastic Stack at CERDEC/ARL
Elasticsearch
 
PDF
Keynote
Elasticsearch
 
PPTX
Risk Management for Data: Secured and Governed
Cloudera, Inc.
 
PDF
Improving search at Wellcome Collection
Elasticsearch
 
PDF
MongoDB World 2019: A MongoDB Journey: Moving From a Relational Database to M...
MongoDB
 
PDF
Blockchain and Apache NiFi
Timothy Spann
 
PPTX
Strengthening critical internet infrastructure
Bright Boateng
 
PDF
Privacera and Northwestern Mutual - Scaling Privacy in a Spark Ecosystem
Privacera
 
PDF
ProdSec: A Technical Approach
Jeremy Brown
 
PPTX
Insight into Hyperconverged Infrastructure
HTS Hosting
 
PDF
Timothy Spann [StreamNative] | Using FLaNK with InfluxDB for EdgeAI IoT at Sc...
InfluxData
 
PDF
Managing Big Data projects in a constantly changing environment - Rafał Zalew...
GetInData
 
PPTX
Data Governance and Management in Cloud pak nam
PT Datacomm Diangraha
 
PDF
Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...
Elasticsearch
 
Siscale Lightning Talk: Automated Root Cause Analysis with Elastic Stack
Elasticsearch
 
Liferay cloud services lnlug-6-march-2014
Ruud Kluivers
 
CSX: Real-time Business Discovery with the Elastic Stack
Elasticsearch
 
Ran Rothschild - CloudZone
Idan Tohami
 
PLNOG 13: B. van der Sloot, S. Abdel-Hafez: Running a 2 Tbps global IP networ...
PROIDEA
 
Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics
Elasticsearch
 
Countering Threats with the Elastic Stack at CERDEC/ARL
Elasticsearch
 
Keynote
Elasticsearch
 
Risk Management for Data: Secured and Governed
Cloudera, Inc.
 
Improving search at Wellcome Collection
Elasticsearch
 
MongoDB World 2019: A MongoDB Journey: Moving From a Relational Database to M...
MongoDB
 
Blockchain and Apache NiFi
Timothy Spann
 
Strengthening critical internet infrastructure
Bright Boateng
 
Privacera and Northwestern Mutual - Scaling Privacy in a Spark Ecosystem
Privacera
 
ProdSec: A Technical Approach
Jeremy Brown
 
Insight into Hyperconverged Infrastructure
HTS Hosting
 
Timothy Spann [StreamNative] | Using FLaNK with InfluxDB for EdgeAI IoT at Sc...
InfluxData
 
Managing Big Data projects in a constantly changing environment - Rafał Zalew...
GetInData
 
Data Governance and Management in Cloud pak nam
PT Datacomm Diangraha
 
Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...
Elasticsearch
 
Ad

Similar to Logging at scale: doing more with less (20)

PPTX
Integração de Dados com Apache NIFI - Marco Garcia Cetax
Marco Garcia
 
PPTX
Getting Started with Splunk Breakout Session
Splunk
 
PPTX
Getting Started with Splunk Breakout Session
Splunk
 
PDF
Ankus, bigdata deployment and orchestration framework
Ashrith Mekala
 
PDF
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Lucidworks (Archived)
 
PPTX
5 Things that Make Hadoop a Game Changer
Caserta
 
PDF
Leaving the Ivory Tower: Research in the Real World
C4Media
 
PDF
Leaving the Ivory Tower: Research in the Real World
ArmonDadgar
 
PDF
The Great Lakes: How to Approach a Big Data Implementation
Inside Analysis
 
PPTX
Removing dependencies between services: Messaging and Apache Kafka
Daniel Muñoz Garrido
 
PDF
Big Data made easy in the era of the Cloud - Demi Ben-Ari
Demi Ben-Ari
 
PPTX
Benchmark Showdown: Which Relational Database is the Fastest on AWS?
Clustrix
 
PDF
Getting Started with Splunk Enterprise
Splunk
 
PPTX
How to Build Continuous Ingestion for the Internet of Things
Cloudera, Inc.
 
PDF
Elastic Data Analytics Platform @Datadog
C4Media
 
PDF
A Big Data Lake Based on Spark for BBVA Bank-(Oscar Mendez, STRATIO)
Spark Summit
 
PDF
Searching Chinese Patents Presentation at Enterprise Data World
OpenSource Connections
 
PDF
Ask bigger questions
South West Data Meetup
 
PDF
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Solo.io
 
PPTX
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
Government Technology and Services Coalition
 
Integração de Dados com Apache NIFI - Marco Garcia Cetax
Marco Garcia
 
Getting Started with Splunk Breakout Session
Splunk
 
Getting Started with Splunk Breakout Session
Splunk
 
Ankus, bigdata deployment and orchestration framework
Ashrith Mekala
 
Building a Lightweight Discovery Interface for Chinese Patents, Presented by ...
Lucidworks (Archived)
 
5 Things that Make Hadoop a Game Changer
Caserta
 
Leaving the Ivory Tower: Research in the Real World
C4Media
 
Leaving the Ivory Tower: Research in the Real World
ArmonDadgar
 
The Great Lakes: How to Approach a Big Data Implementation
Inside Analysis
 
Removing dependencies between services: Messaging and Apache Kafka
Daniel Muñoz Garrido
 
Big Data made easy in the era of the Cloud - Demi Ben-Ari
Demi Ben-Ari
 
Benchmark Showdown: Which Relational Database is the Fastest on AWS?
Clustrix
 
Getting Started with Splunk Enterprise
Splunk
 
How to Build Continuous Ingestion for the Internet of Things
Cloudera, Inc.
 
Elastic Data Analytics Platform @Datadog
C4Media
 
A Big Data Lake Based on Spark for BBVA Bank-(Oscar Mendez, STRATIO)
Spark Summit
 
Searching Chinese Patents Presentation at Enterprise Data World
OpenSource Connections
 
Ask bigger questions
South West Data Meetup
 
Online Meetup #3 - Solo.io, Tidepool, Weaveworks, Buoyant
Solo.io
 
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
Government Technology and Services Coalition
 
Ad

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Encapsulation theory and applications.pdf
gurumoop
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Approach and Philosophy of On baking technology
30anthuong17
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 

Logging at scale: doing more with less

  • 1. Logging at scale Doing more with less Presented by Andre Fucs de Miranda
  • 2. Macquarie GovernmentMacquarie Government 1. A bit about me 2. A bit of context 3. Apache NiFi and the SOC 4. Demo 5. Questions The agenda. | Logging at scale – Doing more with less 2
  • 3. Macquarie Government A bit about me. | Logging at scale – Doing more with less
  • 4. Macquarie Government Manager @ Macquarie’s Security Operations Center 20 years working in information cyber security Apache NiFi committer and PMC member | Logging at scale – Doing more with less https://github.com/trixpan https://twitter.com/trixpan About me
  • 5. Macquarie Government A bit of context | Logging at scale – Doing more with less
  • 6. Macquarie Government A bit of context About Macquarie Government • 42% of Australian Government agencies are our customers • 3+ billion events per day; Our tool stack is diverse and busy: • We generate TBs of data per day. • Since 2015 we have been using “Big Data” (i.e. Hadoop ecosystem) for reporting and analytics. • We are constantly looking for ways to offer our customers with better insights over the threats targeting them. • We also felt that relying exclusively on traditional SIEM wasn’t enough anymore. | Logging at scale – Doing more with less 6
  • 7. Macquarie Government A bit of context Could we leverage “big data” solutions to improve our SOC further? • Perhaps we could rationalise the way we collect and process log messages? • Perhaps we could do enrichment against a more diverse set of sources?? • What else? | Logging at scale – Doing more with less 7
  • 8. Macquarie Government So we went and evaluated lots of tools and architectures looking to map things like: • Ability to integrate with SIEM pipelines natively • Ability to consume cloud services (IaaS, PaaS and Saas) • Ability to query odd stuff • Inbuilt Security • Ability to Scale out • How easy to maintain and extend | Logging at scale – Doing more with less 8 and many more… A bit of context All Apache project logos are trademarks of the ASF and the respective projects. Logstash is a trademark of Elasticsearch BV, registered in the U.S. and in other countries. fluentd is trademark by Treasure Data
  • 9. And the winner was…
  • 10. Macquarie Government Sorry, there was a mistake… | Logging at scale – Doing more with less 10 All Apache project logos are trademarks of the ASF and the respective projects.
  • 11. Macquarie Government Let’s talk tech. | Logging at scale – Doing more with less Apache NiFi and the SOC
  • 12. Macquarie Government A bit about Apache NiFi – A brief Prologue When you are start shipping “data” seems like an “easy” task | Logging at scale – Doing more with less DC1 DB 12
  • 13. Macquarie Government A bit about Apache NiFi – A brief Prologue But as the environment grows, complexity compounds… …but you keep adjusting your environment | Logging at scale – Doing more with less DC1 DB DC2 DB HQ ClientX AZ1 AZ2 13
  • 14. Macquarie Government ‘til the point you suddenly realise your pipeline is missing a bit of cheese. Or worse… | Logging at scale – Doing more with less © Luca Nebuloni https://www.flickr.com/photos/nebulux/10708289086/ 14
  • 15. Macquarie Government A bit about Apache NiFi – A brief Prologue | Logging at scale – Doing more with less Source: https://goo.gl/xKoavI 15
  • 16. Macquarie Government “Apache NiFi supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.” Open sourced by the National Security Agency in 2014[1] and submitted to The Apache Software Foundation for on-going stewardship [1] https://goo.gl/aZxCIC | Logging at scale – Doing more with less • User friendly interface • Flexible • Data Agnostic • Inbuilt mechanisms to balance between latency and throughput • Fine grain control of delivery guarantees (e.g. discard a flowfile once it becomes too old to be relevant). • “Secure” • Data provenance (from where, to where, changed by, etc.) • Authorization Policies, TLS, Kerberos, Encryption and a handful of other features • Designed for Extension A bit about Apache NiFi16
  • 17. Macquarie Government A bit about Apache NiFi NiFi allows you easily move data between A and B (and B to A) in a controlled, secure and reliable way, while still allowing you to process and granularly apply logic to the data in motion. | Logging at scale – Doing more with less 17
  • 18. Macquarie Government A bit about Apache NiFi A few examples on how NiFi capabilities help a SOC: • Rationalising the flows of data into your SIEM • Do you truly need your SIEM to be ingesting all your logs? • What happens when you run more than one SIEM (because it may well happen…)? • Enrich data against a diverse range of sources • ElasticSearch, REST APIs, DNS, Redis, Whois, GeoIP, SQL, MISP (via HTTP) • (Pull|push) data (from|to) a diverse set of platforms • Object based stores such as GCS or S3, FTP, SFTP, Mainframes via WebSphere MQ, Files, SQL and Syslog of course. | Logging at scale – Doing more with less 18
  • 19. Macquarie Government Let’s take a closer look. | Logging at scale – Doing more with less
  • 20. Macquarie Government | Logging at scale – Doing more with less DEMO Time
  • 21. Macquarie Government Let’s talk. | Logging at scale – Doing more with less Andre Fucs de Miranda Macquarie Government amiranda@macquariegovernment.com 1800 004 943