Computer logs serve as essential archives of events generated by various computer systems. In the late 23rd century, Federation starships were equipped with advanced "black boxes" designed to maintain these logs. Utilized primarily for official purposes, these logs were crucial for criminal investigations and determining the causes of incidents involving lost ships. Access to these records was restricted to authorities under specific legal conditions, ensuring sensitive information remained protected. This system, underpinned by technologies like Splunk and OSSEC, has transformed how we approach log analysis, forensic investigations, and system security.
LHCb Logging System
Nikolaidis Fotis ( fotis.nikolaidis @ cern.ch ), University Of Crete, Greece

A computer log is a diary or archive of events, in this case generated by a computer system or systems. In the late 23rd century, Federation starships were equipped with a "black box" that stored computer logs. The logs could be used in criminal investigations or to determine the cause of a lost ship. Computer logs were for official purposes only and were available to authorities only under specific legal circumstances or court order.
Sources
- Web Servers
- Gateways
- Network Components
- Farm Nodes
- PVSS
- FMC
Storage Schema
- hlt[a-e][1-11]: Messages, crond, maild, dnsd, secure, secureNagios
- FARM HOSTS: hostName -> Messages, crond, maild, dnsd, secure, secureNagios {other files either from FMC or web sites}
- PVSS: hostName -> Project Name (LHCb, TFC, FEST, ECAL, ...) -> PVSS_II.log, PVSS00ctrl50.log and others
- PARTITIONS: DAQ -> $partition.log
- TELL1: Messages, crond, maild, dnsd, secure, secureNagios
- SERVICES: Dataremove, Dimrpc, Writerd, Xmlrpc
Needs
- Forensic / troubleshooting: Splunk ( http://admin01/splunk )
- Real-time alerting: Ossec
Splunk
- A high-performance, scalable software server written in C/C++ and Python
- Indexes and normalizes logs ("disk fail" and "disk error" are treated as the same event)
- Can be combined with Ossec, Snort and other IDSs via plugins
- Does not need an external database
Splunk - Features
- Advanced search: regular expressions / time windows
- Runtime statistical analysis
- Extensible: modules, patterns
- Dashboards
Splunk - More Features
- Can correlate events from different hosts/formats
- Supports many log formats out of the box (non-standard logs such as FMC need configuration)
- If run from the CLI, it can be integrated into scripts
The first line is excluded The second line is now the first
OSSEC
- Open-source host-based intrusion detection system
- Log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
OSSEC
- Analyzes incoming logs at runtime and reacts if needed
- Every event can be ranked with a value [1-14]
- If event > mailRank, send a mail
- If event > scriptRank, execute a script
- Rules are defined in XML files: message, frequency, priority, etc.
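The rank-and-react loop on this slide, as an added Python example (not code from the talk or from OSSEC itself): a small rule file using OSSEC-style elements (rule level, match, frequency/timeframe, if_matched_sid; a simplified subset, assumed here) is run over constructed syslog lines, repeated matches escalate to a higher-level rule, and the resulting level is compared against mailRank and scriptRank. The rule ids, thresholds and log lines are all constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed rule file. Element names follow OSSEC's rule XML (rule, match,
# if_matched_sid, level/frequency/timeframe), but this is a simplified subset,
# not OSSEC's real ruleset or parser.
RULES_XML = """<group name="sshd">
  <rule id="100" level="5">
    <match>Failed password</match>
    <description>sshd authentication failed</description>
  </rule>
  <rule id="101" level="10" frequency="4" timeframe="120">
    <if_matched_sid>100</if_matched_sid>
    <description>repeated sshd failures within 120 s</description>
  </rule>
</group>"""

# Thresholds as on the slide: level > mailRank sends mail, level > scriptRank runs a script.
MAIL_RANK, SCRIPT_RANK = 6, 9

# Constructed syslog-style lines as (seconds since start, line text).
SAMPLE_LOG = [
    (0,  "Jan 10 10:00:00 hlta01 sshd[4321]: Failed password for root from 10.0.0.5 port 4000 ssh2"),
    (30, "Jan 10 10:00:30 hlta01 sshd[4321]: Failed password for root from 10.0.0.5 port 4001 ssh2"),
    (45, "Jan 10 10:00:45 hlta01 crond[200]: (root) CMD (run-parts /etc/cron.hourly)"),
    (60, "Jan 10 10:01:00 hlta01 sshd[4321]: Failed password for root from 10.0.0.5 port 4002 ssh2"),
    (90, "Jan 10 10:01:30 hlta01 sshd[4321]: Failed password for root from 10.0.0.5 port 4003 ssh2"),
]

def load_rules(xml_text):
    """Parse <rule> elements into dicts; frequency/timeframe of 0 mean a plain, non-correlating rule."""
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "match": r.findtext("match"), "parent": r.findtext("if_matched_sid"),
             "frequency": int(r.get("frequency", 0)), "timeframe": int(r.get("timeframe", 0))}
            for r in ET.fromstring(xml_text).iter("rule")]

def analyze(lines, rules, mail_rank=MAIL_RANK, script_rank=SCRIPT_RANK):
    """Return one (time, rule id, level, actions) tuple per alert, escalating via frequency rules."""
    recent = defaultdict(deque)   # rule id -> times of its recent matches (sliding window)
    alerts = []
    for ts, line in lines:
        fired = next((r for r in rules if r["match"] and r["match"] in line), None)
        if fired is None:
            continue              # line matched no rule, so no alert
        recent[fired["id"]].append(ts)
        for r in rules:           # a child rule fires once its parent matched often enough in the timeframe
            if r["parent"] == fired["id"] and r["frequency"]:
                window = recent[fired["id"]]
                while window and ts - window[0] > r["timeframe"]:
                    window.popleft()   # forget matches that fell out of the timeframe
                if len(window) >= r["frequency"]:
                    window.clear()     # reset so the next burst is counted afresh
                    fired = r
                    break
        actions = [a for a, t in (("mail", mail_rank), ("script", script_rank)) if fired["level"] > t]
        alerts.append((ts, fired["id"], fired["level"], actions))
    return alerts
```

Run on SAMPLE_LOG, the first three failures are level-5 alerts with no action, the crond line is ignored, and the fourth failure inside 120 s fires rule 101 at level 10, which exceeds both thresholds.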