Selfhosted

60253 readers

650 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

Be civil.
No spam.
Posts are to be related to self-hosting.
Don't duplicate the full text of your blog or readme if you're providing a link.
Submission headline should match the article title.
No trolling.
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

133

Building my own log aggregation and search server (lemmy.world)

submitted 2 years ago* (last edited 2 years ago) by Kryesh@lemmy.world to c/selfhosted@lemmy.world

19 comments fedilink hide all child comments

Hi everyone, I've been building my own log search server because I wasn't satisfied with any of the alternatives out there and wanted a project to learn rust with. It still needs a ton of work but wanted to share what I've built so far.

The repo is up here: https://codeberg.org/Kryesh/crystalline

and i've started putting together some documentation here: https://kryesh.codeberg.page/crystalline/

There's a lot of features I plan to add to it but I'm curious to hear what people think and if there's anything you'd like to see out of a project like this.

Some examples from my lab environment:

events view searching for SSH logins from systemd journals and syslog events:

counting raw event size for all indices:

performance is looking pretty decent so far, and it can be configured to not be too much of a resource hog depending on use case, some numbers from my test install:

raw events ingested: ~52 million
raw event size: ~40GB
on disk size: ~5.8GB

Ram usage:

not running searches ingesting 600MB-1GB per day it uses about 500MB of ram
running the ssh search examples above brings it to about 600MB of ram while the search is running
running last example search getting the size of all events (requires decompressing the entire event store) peaked at about 3.5GB of ram usage

you are viewing a single comment's thread
view the rest of the comments

[–] pineapple@lemmy.ml 1 points 2 years ago (5 children)

I don't really understand the point of this. What kind of logs are you storing and why would you want to?

[–] possiblylinux127@lemmy.zip 1 points 2 years ago (4 children)

Threat detection

[–] pineapple@lemmy.ml 1 points 2 years ago (3 children)

Why do logs help with threat detection?

[–] Kryesh@lemmy.world 2 points 2 years ago* (last edited 2 years ago) (1 children)

Applications like metrics because they're good for doing statistics so you can figure out things like "is this endpoint slow" or "how much traffic is there"

Security teams like logs because they answer questions like "who logged in to this host between these times?" Or "when did we receive a weird looking http request", basically any time you want to find specific details about a single event logs are typically better; and threat hunting does a lot of analysis on specific one time events.

Logs are also helpful when troubleshooting, metrics can tell you there's a problem but in my experience you'll often need logs to actually find out what the problem is so you can fix it.

[–] pineapple@lemmy.ml 1 points 2 years ago

Yeah that makes sense now. Thanks for the explanation.

load more comments (1 replies)