HTTP/3 QUIC Log Management with ELK: managing HTTP/3 QUIC logs with the ELK Stack

| Protocol | Transport | Encryption | Multiplexing | 0-RTT |
|---|---|---|---|---|
| HTTP/1.1 | TCP | Optional TLS | None | No |
| HTTP/2 | TCP | TLS 1.2+ | Yes (HOL blocking) | No |
| HTTP/3 | QUIC (UDP) | TLS 1.3 built in | Yes (no HOL blocking) | Yes |
ELK Stack Setup
=== ELK Stack Docker Compose ===
docker-compose.yml

```yaml
version: '3.8'
services:
  elasticsearch:
    image: elasticsearch:8.12.0
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
      # ELASTIC_PASSWORD only sets the built-in "elastic" user; the kibana_system
      # password referenced below must be set separately after first start
      # (e.g. bin/elasticsearch-reset-password -u kibana_system)
      - ELASTIC_PASSWORD=changeme
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
    ports:
      - "9200:9200"
    volumes:
      - es-data:/usr/share/elasticsearch/data
    ulimits:
      memlock: { soft: -1, hard: -1 }
  logstash:
    image: logstash:8.12.0
    ports:
      - "5044:5044"
      # UDP input declared in logstash.conf for JSON QUIC events
      - "5045:5045/udp"
    volumes:
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
    depends_on:
      - elasticsearch
  kibana:
    image: kibana:8.12.0
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=changeme
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch
volumes:
  es-data:
```
Logstash Pipeline (logstash.conf)

```conf
input {
  beats { port => 5044 }
  udp {
    port  => 5045
    codec => json
    tags  => ["quic"]
  }
}
filter {
  if "nginx" in [tags] {
    grok {
      # The nginx `quic` log_format appends $request_time and $http3 after the
      # combined-log fields, so COMBINEDAPACHELOG alone would drop them.
      # ecs_compatibility is disabled so the legacy field names used below
      # (clientip, response, timestamp) are produced on Logstash 8.x.
      ecs_compatibility => disabled
      match => { "message" => "%{COMBINEDAPACHELOG} %{NUMBER:request_time:float}( %{WORD:http3})?" }
    }
    geoip {
      source => "clientip"
      target => "geoip"
    }
  }
  if "quic" in [tags] {
    # quic.log also holds TCP requests from the `listen 443 ssl` socket; nginx
    # sets $http3 to "h3" only for requests that actually arrived over QUIC.
    # Events without an http3 field (the JSON UDP input) keep the HTTP/3 label.
    if ![http3] or [http3] == "h3" {
      mutate { add_field => { "protocol" => "HTTP/3" } }
    } else {
      mutate { add_field => { "protocol" => "TCP" } }
    }
  }
  # Does nothing when the event has no "timestamp" field
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}
output {
  elasticsearch {
    hosts    => ["elasticsearch:9200"]
    index    => "logs-%{+YYYY.MM.dd}"
    user     => "elastic"
    password => "changeme"
  }
}
```
```python
from dataclasses import dataclass
from typing import List


@dataclass
class ELKComponent:
    name: str
    role: str
    port: int
    resources: str
    use_case: str


components: List[ELKComponent] = [
    ELKComponent("Elasticsearch", "Store & Search", 9200, "2-4GB RAM", "Index + Query Logs"),
    ELKComponent("Logstash", "Transform", 5044, "1-2GB RAM", "Parse + Enrich Logs"),
    ELKComponent("Kibana", "Visualize", 5601, "512MB RAM", "Dashboard + Analytics"),
    ELKComponent("Filebeat", "Collect", 0, "50MB RAM", "Ship Logs from Servers"),
    ELKComponent("Metricbeat", "Metrics", 0, "50MB RAM", "System + App Metrics"),
]

print("=== ELK Stack Components ===")
for c in components:
    # Beats run as agents on the monitored hosts and do not listen on a port
    port = f":{c.port}" if c.port else "Agent"
    print(f" [{c.name}] {c.role} ({port})")
    print(f" Resources: {c.resources} | Use: {c.use_case}")
```
QUIC Traffic Analysis
=== QUIC Traffic Monitoring ===
Nginx QUIC/HTTP3 Config

```nginx
server {
    listen 443 quic reuseport;
    listen 443 ssl;
    http2 on;
    ssl_certificate     /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
    ssl_protocols TLSv1.3;
    # Advertise HTTP/3 on UDP 443 so browsers can upgrade on the next request
    add_header Alt-Svc 'h3=":443"; ma=86400';

    # QUIC Log Format: combined log fields plus $request_time and $http3
    # ($http3 is "h3" for QUIC requests and empty for TCP requests)
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $http3';
    access_log /var/log/nginx/quic.log quic;
}
```
Filebeat Config (filebeat.yml)

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/nginx/quic.log
    # Tags drive the Logstash filter branches ("nginx" and "quic")
    tags: ["nginx", "quic"]
    fields:
      service: web-frontend
output.logstash:
  hosts: ["logstash:5044"]
```
```python
from dataclasses import dataclass


@dataclass
class QUICMetric:
    metric: str
    value: str
    threshold: str
    status: str


metrics = [
    QUICMetric("0-RTT Success Rate", "85%", "> 80%", "OK"),
    QUICMetric("Handshake Latency", "15ms", "< 50ms", "OK"),
    QUICMetric("Packet Loss Rate", "0.3%", "< 1%", "OK"),
    QUICMetric("Connection Migration", "12/hr", "< 50/hr", "OK"),
    QUICMetric("QUIC vs TCP Ratio", "65% QUIC", "> 50%", "OK"),
    QUICMetric("Avg Response Time", "120ms", "< 200ms", "OK"),
    QUICMetric("Error Rate (4xx+5xx)", "2.1%", "< 5%", "OK"),
]

print("\n=== QUIC Monitoring Dashboard ===")
for m in metrics:
    print(f" [{m.status}] {m.metric}: {m.value} (threshold: {m.threshold})")
```
Security and Alerting
=== Security Monitoring & Alerts ===

Elasticsearch Query (Kibana Dev Tools): detect anomalies, here 403 responses over HTTP/3 in the last hour grouped by client IP. The terms aggregation uses `clientip.keyword`, because with dynamic mapping `clientip` itself is a text field and aggregating on it fails.

```console
GET logs-*/_search
{
  "query": {
    "bool": {
      "must": [
        {"range": {"@timestamp": {"gte": "now-1h"}}},
        {"term": {"response": "403"}}
      ],
      "filter": [
        {"term": {"protocol": "HTTP/3"}}
      ]
    }
  },
  "aggs": {
    "by_ip": {
      "terms": {"field": "clientip.keyword", "size": 10}
    }
  }
}
```

Kibana Alert Rules (ElastWatch / Kibana Alerting):

- High Error Rate: > 5% 5xx errors in 5 min
- DDoS Suspect: > 1000 req/min from a single IP
- Unusual QUIC: sudden drop in QUIC traffic
- Slow Response: P99 latency > 500ms
- Certificate: TLS handshake failures > 10/min
```python
alert_rules = {
    "High Error Rate": {
        "condition": "5xx > 5% in 5 min",
        "action": "Slack + PagerDuty",
        "severity": "Critical",
    },
    "DDoS Detection": {
        "condition": "> 1000 req/min single IP",
        "action": "Block IP + Alert",
        "severity": "Critical",
    },
    "QUIC Drop": {
        "condition": "QUIC traffic drops > 50%",
        "action": "Slack Alert",
        "severity": "Warning",
    },
    "Slow Response": {
        "condition": "P99 > 500ms for 10 min",
        "action": "Slack + Investigate",
        "severity": "Warning",
    },
    "TLS Failures": {
        "condition": "Handshake fail > 10/min",
        "action": "Check Certificates",
        "severity": "High",
    },
}

print("Security Alert Rules:")
for name, rule in alert_rules.items():
    print(f"\n [{rule['severity']}] {name}")
    print(f" Condition: {rule['condition']}")
    print(f" Action: {rule['action']}")
```
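As an added example (not part of the original page and not Logstash or Elasticsearch code), this stand-alone Python script parses lines in the nginx `quic` log_format from the QUIC section and runs the two checks the query and alert rules above describe: 403 responses per client IP over HTTP/3 in the last hour, and the 5xx share of the last 5 minutes. The log lines, addresses and the fixed "now" are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
# Mirrors the grok pattern for the nginx `quic` log_format: the combined log
# fields followed by $request_time and $http3 ("h3" over QUIC, empty over TCP).
QUIC_LOG_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<request_time>\d+(?:\.\d+)?) ?(?P<http3>h3|hq)?\s*$'
)

def parse_line(line):
    """Parse one quic.log line into a dict; return None if it does not match."""
    m = QUIC_LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["timestamp"] = datetime.strptime(ev["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"], ev["request_time"] = int(ev["status"]), float(ev["request_time"])
    # Same labelling as the Logstash mutate: only real QUIC hits are HTTP/3
    ev["protocol"] = "HTTP/3" if ev["http3"] == "h3" else "TCP"
    return ev

def forbidden_by_ip(events, now, window=timedelta(hours=1), top=10):
    """Equivalent of the ES query: 403s over HTTP/3 in the window, by client IP."""
    hits = [e for e in events if e["protocol"] == "HTTP/3" and e["status"] == 403
            and now - e["timestamp"] <= window]
    return Counter(e["clientip"] for e in hits).most_common(top)

def error_rate(events, now, window=timedelta(minutes=5)):
    """Share of 5xx responses in the window; the High Error Rate rule fires above 0.05."""
    recent = [e for e in events if now - e["timestamp"] <= window]
    return sum(500 <= e["status"] < 600 for e in recent) / len(recent) if recent else 0.0

# Constructed sample lines (documentation-range addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:15:32 +0000] "GET /admin HTTP/3.0" 403 512 "-" "curl/8.5.0" 0.012 h3
203.0.113.5 - - [10/Mar/2024:10:15:33 +0000] "GET /admin/ HTTP/3.0" 403 512 "-" "curl/8.5.0" 0.010 h3
198.51.100.7 - - [10/Mar/2024:10:16:01 +0000] "GET / HTTP/2.0" 403 128 "-" "Mozilla/5.0" 0.150
203.0.113.9 - - [10/Mar/2024:10:17:45 +0000] "GET /api HTTP/3.0" 502 0 "-" "Mozilla/5.0" 1.200 h3
203.0.113.9 - - [10/Mar/2024:09:00:00 +0000] "GET /old HTTP/3.0" 403 0 "-" "Mozilla/5.0" 0.030 h3
"""
NOW = datetime(2024, 3, 10, 10, 18, tzinfo=timezone.utc)  # constructed reference time

def analyse(raw=SAMPLE_LOG, now=NOW):
    events = [e for e in map(parse_line, raw.splitlines()) if e]
    return {"parsed": len(events), "forbidden_by_ip": forbidden_by_ip(events, now),
            "error_rate": error_rate(events, now)}

print(analyse())
```

The third sample line has an empty `$http3`, so it is counted as TCP and excluded from the HTTP/3 aggregation even though it is a 403; the last line is a 403 over QUIC but outside the one-hour window.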
Tips

- Index Lifecycle: set up an ILM policy to delete old logs automatically and save disk
- Filebeat: ship with Filebeat directly instead of Logstash if no transformation is needed
- Alt-Svc: set the Alt-Svc header so browsers know the server supports HTTP/3
- Firewall: open UDP 443 if you want to use QUIC/HTTP3
- Dashboard: build a Kibana dashboard that compares QUIC vs TCP traffic
What is HTTP/3 QUIC

HTTP/3 is the latest version of HTTP. It runs on the QUIC protocol over UDP with TLS 1.3 built in, supports 0-RTT and multiplexing without HOL blocking, allows connection migration, and is faster than HTTP/2.