Sahara云大数据>> minerva>> 返回
项目作者: cookpad

项目描述 :
Serverless Log Search Architecture for Security Monitoring based on Amazon Athena
高级语言: Go
项目地址: git://github.com/cookpad/minerva.git
创建时间: 2019-11-02T06:57:32Z
项目社区:https://github.com/cookpad/minerva
开源协议:MIT License
下载


[!WARNING]
This repo is now (as of 2025-02-20) archived and will not receive future updates, security related or otherwise. Use at your own risk.

minerva

Serverless Log Search Architecture for Security Monitoring based on Amazon Athena.

Overview

In security monitoring, a security engineer is required to analyze security alert from security devices to determine risk of the alert. When analyzing a security alert, various logs from system, application, middleware, network and 3rd party services strongly help a security engineer to understand what is happened around the alert.
There are a lot of existing useful log search engine products and services. However these products and services are expensive due to amount of log traffic size.

Minerva is designed focusing on cost effectiveness by leveraging AWS managed serviecs. Target use case is log search for several security alerts per day.

  • Advantages
    • Low running cost: (e.g. 7.5 TB logs and several searches per day require about only $300/mo as total)
    • Low operational cost: All components of Minerva are managed services and require minimum operation. Additionally preprocessing Lambda function can smoothly scale in/out.
  • Disadvantage
    • Cost increases accourding to number of search times. Then Minerva is not appropriate for continuous searching operation (e.g. Threat hunting).
    • Amazon Athena has latency in search operation about from 10 seconds to several minutes. This latency is bigger than other search engines (e.g. Elasticsearch).

Minerva provides only API to saerch logs. See Strix as web based user interface for Minerva. A following figure shows abstracted architecture of Minerva and Strix.

rough arch

On a side note, Minerva is the Roman goddess that is equated with Athena.

Getting Started

Prerequisite

  • Tools
    • aws-cdk >= 1.38.0
    • go >= 1.13
  • Resources
    • S3 bucket stored logs (assuming bucket name is s3-log-bucket)
    • S3 bucket stored parquet files (assuming bucket name is s3-parquet-bucket)
    • Amazon SNS receiving s3:ObjectCreated. See docs to configure. (assuming topic name is s3-log-create-topic)
    • IAM role for Lambda Function to access S3 bucket and so on. (assuming role name is YourLambdaRole )
    • Additionally, these resources are in ap-northeast-1 region and account ID is 1234567890x

Configurations

Init your configuration directry by cdk init command.

  1. $ cdk init --language typescript

Then, update bin/cdk.ts like following.

  1. #!/usr/bin/env node
  2. import "source-map-support/register";
  3. import * as cdk from "@aws-cdk/core";
  4. import { MinervaStack } from "../minerva/lib/minerva-stack";
  6. const app = new cdk.App();
  7. const stackID = "your-stack-name";
  8. new MinervaStack(
  9.   app,
  10.   stackID,
  11.   {
  12.     dataS3Region: "ap-northeast-1",
  13.     dataS3Bucket: "s3-parquet-bucket",
  14.     dataS3Prefix: "production/", // Set as you like it
  15.     athenaDatabaseName: "minerva_db", // Set as you like it
  16.     dataSNSTopicARN:
  17.       "arn:aws:sns:ap-northeast-1:1234567890x:s3-log-create-topic",
  18.     lambdaRoleARN: "arn:aws:iam::1234567890x:role/YourLambdaRole",
  19.   },
  20.   {
  21.     stackName: stackID,
  22.     env: {
  23.       region: "ap-northeast-1",
  24.       account: "1234567890x",
  25.     },
  26.   }
  27. );

After that, create indexer.go. An example is following.

  1. package main
  3. import (
  4.     "context"
  6.     "github.com/m-mizutani/rlogs"
  7.     "github.com/m-mizutani/rlogs/parser"
  8.     "github.com/m-mizutani/rlogs/pipeline"
  10.     "github.com/aws/aws-lambda-go/events"
  11.     "github.com/aws/aws-lambda-go/lambda"
  12.     "github.com/m-mizutani/minerva/pkg/indexer"
  13. )
  15. func main() {
  16.     lambda.Start(func(ctx context.Context, event events.SQSEvent) error {
  17.         logEntries := []*rlogs.LogEntry{
  18.             // VPC FlowLogs
  19.             {
  20.                 Pipe: pipeline.NewVpcFlowLogs(),
  21.                 Src: &rlogs.AwsS3LogSource{
  22.                     Region: "ap-northeast-1",
  23.                     Bucket: "my-flow-logs",
  24.                     Key:    "AWSLogs/",
  25.                 },
  26.             },
  28.             // Syslog
  29.             {
  30.                 Pipe: rlogs.Pipeline{
  31.                     Ldr: &rlogs.S3LineLoader{},
  32.                     Psr: &parser.JSON{
  33.                         Tag:             "ec2.syslog",
  34.                         TimestampField:  rlogs.String("timestamp"),
  35.                         TimestampFormat: rlogs.String("2006-01-02T15:04:05-0700"),
  36.                     },
  37.                 },
  38.                 Src: &rlogs.AwsS3LogSource{
  39.                     Region: "ap-northeast-1",
  40.                     Bucket: "my-ec2-syslog",
  41.                     Key:    "logs/",
  42.                 },
  43.             },
  44.         }
  46.         return indexer.RunIndexer(ctx, event, rlogs.NewReader(logEntries))
  47.     })
  48. }

indexer.go is written based on rlogs. Please see the repository for more detail.

Lastly, clone minerva repository.

  1. $ git clone git@github.com:m-mizutani/minerva.git

Deployment

  1. $ go mod init indexer
  2. $ env GOARCH=amd64 GOOS=linux go build -o build/indexer .
  3. $ npm install
  4. $ npm run build
  5. $ cdk deploy

Development

Architecture Overview

github-readme

License

MIT License