Title: (Beginner) Discovering ELK The First Time - Lessons Learned Over 2 Years
Description:
ELK has become one of the favorite tools of blue teamers across the world. However, when you’re first getting used to ELK, you may be overwhelmed and not fully understand what is happening. There is more to do with it than simply feed in logs and search them in a pretty web UI! This talk will focus on things I wish I knew about ELK back when I was first learning it, to help provide some quick wins for those new to ELK, and maybe a few tidbits for those who already use it.
Elastic, Logstash, and Kibana (ELK) continue to become more popular with blue teamers - there’s plenty of documentation, you can custom develop anything you want with it because it’s open source, and it’s free! However, those first starting out with ELK can quickly become overwhelmed. When these people finally get the hang of ELK, they may still be missing some critical understanding that limits them - why can’t I filter by hostname? What do these pretty yellow triangles really mean? This is because most people get used to just Kibana - not the rest of the stack. In this talk I’ll cover lessons I wish I had learned a lot sooner about ELK that would have helped me out - and hopefully they help you too!
Lesson 1: Elastic and Kibana are NOT the same. Going into why they get confused and what the actual differences are.
Lesson 2: Logstash is more powerful than you give it credit for, but is incredibly overwhelming. Here are some ways to get some quick bang for your buck.
Lesson 3: How do you go about feeding your own custom documents into ELK? This will quickly go into popular ways to feed logs into ELK, and if those don’t help, how to feed other information into ELK through a more manual approach. You never know when a custom script’s output would be better put in Elastic!
Lesson 4: Don’t forget about your Linux logs! On Linux we may be more used to relying on rsyslog to forward everything - but that most likely captures only your application logs. What about the equivalent of event logs on Linux? This will (very) briefly introduce auditd, how to forward it to ELK, and how best to parse through it.
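As an added illustration of Lessons 3 and 4 (example code written here, not material from the talk): a small Python script that parses constructed auditd records, merges the records that share one audit serial into a single document, and renders the result as the newline-delimited body of an Elasticsearch `_bulk` request. The sample log lines and the index name `auditd` are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample auditd records (not from a real host). The SYSCALL and
# EXECVE records share serial 4567: one event, so one document in Elastic.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1596826800.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1596826800.123:4567): argc=2 a0="id" a1="-u"
type=USER_LOGIN msg=audit(1596826810.456:4568): pid=2001 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=10.0.0.5 terminal=ssh res=success'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value pairs; values may be bare, "double-quoted" or 'single-quoted'.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_fields(body):
    """Flatten key=value pairs; a quoted msg='...' sub-record is parsed too."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        if raw.startswith("'"):
            fields.update(parse_fields(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def audit_to_documents(log_text):
    """Group raw auditd lines by serial into one document per audit event."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record; skip rather than crash
        ts, serial, body = m.group(2), int(m.group(3)), m.group(4)
        doc = events.setdefault(serial, {
            "@timestamp": datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(),
            "audit": {"serial": serial, "record_types": []},
        })
        doc["audit"]["record_types"].append(m.group(1))
        doc["audit"].update(parse_fields(body))
    return list(events.values())


def to_bulk_ndjson(docs, index="auditd"):
    """Render docs as a _bulk request body (action line, source line, trailing newline)."""
    actions = [json.dumps({"index": {"_index": index}}) + "\n" + json.dumps(d) for d in docs]
    return "".join(a + "\n" for a in actions)
```

The returned string can be POSTed to `/_bulk` with `Content-Type: application/x-ndjson`; grouping by serial is what lets a single Kibana row show the executed binary together with its arguments.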
Speaker(s): TheDrPinky
Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-07 17:00 (05:00 PM) PDT (UTC -07:00)
Event ends: 2020-08-07 18:00 (06:00 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-03T01:15 (UTC).
