MIW is the shortname for Mobile Investivation Workstation. MIW is a tool for the fast summarization and analysis of very large quantities of logs. It is written in C++/C++11 and provides some small Python tooling.
MIW was built as an extremely efficient single-machine map-reduce alternative to Hadoop for processing hundreds of GB of logs. It is especially useful for on-premises log analysis, for generating condensed analytics out of raw logs, and for computing features useful in Machine Learning applications.
Though rather young in its development MIW has already been integrated several industrial projects and run over billions of logs, from laptops to HPC.
Main functionalities: At the moment, MIW supports implements the following features:
- C++ map-reduce as an extension of Metis with support for multiple input files as input to the same task
- auto-splitting of files based on available RAM
- command line job launcher
- configurable input log and job control formats in JSON
- variety of outputs supported, from memory to JSON and CSV
- variety of configuration options for preprocessing common log fields such as dates, time, URLs, ...
- minimal Python job control utility
Dependencies:
- C++11 compiler + autotools
- protocol buffers for configuration and storage;
- glog for logging events and debug;
- gflags for command line parsing;
- jsoncpp for JSON output;
- gtest for unit testing (optional);
- cppnetlib for preprocessing URIs;
- snappy for log compression;
- libcurl for connecting to external applications.
Implementation:
MIW is designed and implemented by Emmanuel Benazera around the c++ map-reduce library Metis, on behalf of SopraSteria cybersecurity.
Below are instructions for Linux systems:
First, install dependencies
sudo apt-get install autotools-dev automake autoconf libtool pkg-config libprotobuf-dev protobuf-compiler python-protobuf libjsoncpp-dev libgoogle-glog-dev libgflags-dev libsnappy-dev libcurl4-openssl-dev libcppnetlib-dev
For compiling:
./autogen.sh
./configure
make
Using the main command line exe:
./app/miw --help
yields the list of options:
Flags from job.cc:
-appname (optional application name) type: string default: ""
-autosplit (whether to autosplit file based on available memory
type: bool default: false
-compressed (whether to compress the original content) type: bool
default: false
-fnames (comma-separated input file names) type: string default: ""
-format_name (processing format name) type: string default: ""
-map_tasks (number of map tasks (default = auto)) type: int32 default: 0
-memory_factor (heuristic value for autosplit of very large files,
representing the expected memory requirement ratio vs the size of the
file, e.g. 10 times more memory than log volume) type: double default: 10
-merge_results (whether to merge results over multiple input files)
type: bool default: false
-ndisp (number of top records to show) type: int32 default: 5
-nprocs (number of cores (default = auto)) type: int32 default: 0
-ofname (output file name) type: string default: ""
-output_format (output format (json, csv)) type: string default: ""
-quiet (quietness) type: bool default: true
-reduce_tasks (number of reduce tasks (default = auto)) type: int32 default: 0
-skip_header (whether to skip first log line file as header) type: bool default: false
-store_content (whether to store the original content in the processed output) type: bool default: false
-tmp_save (whether to save temporary output of results after each file is processed) type: bool default: false
Example with a sampel of data from the repository:
./app/miw -fnames data/web_proxy_10lines.log -format_name miw/formats/proxy_format -output_format csv -ofname test.csv
should yield
files=data/web_proxy_10lines.log
I1203 16:06:42.315526 21243 job.cc:122] files size=1
I1203 16:06:42.315587 21243 job.cc:127] Processing file=data/web_proxy_10lines.log
logs preprocessing: results (TOP 5 from 2 keys, 4 logs):
2012-11-30_23_NqO3SB - 2
2012-11-30_23_- - 2
Runtime in millisecond [4 cores]
Sample: 15 Map: 0 Reduce: 0 Merge: 0 Sum: 15 Real: 16
Number of Tasks of last Metis run
Sample: 0 Map: 6 Reduce: 67
I1203 16:06:42.330492 21243 job.cc:180] MR duration=0 seconds
The above call uses an existing format file. However, this is unlikely the provided formats match your logs. To generate your own log format:
- Edit a json file in the manner of files in
miw/formats
- Convert it into a proto-buffer:
python format_json2pb.py yourformatfile.json yourformatfile.fmt
- Use the format in a call: ./app/miw -fnames yourlogfile.log -format_name yourformatfile -output_format csv -ofname test.csv
Please note the omission of the .fmt
extension.
The log formats are described in JSON, see the examples in miw/formats
. They basically describe a log as a CSV like format, in which each column can be processed through a set of operations, from basic counts
to aggregations
, preprocessing of time
, date
, url
.
The best way to learn from the built-in possibilities at this point is to study the JSON files in miw/formats
.
There are examples of unit tests in tests/ut-mr-parsing.cc
. Edit the file as needed for using your own formats and logs and run:
make ut_mr_parsing
./ut_mr_parsing