Difference between revisions of "Syslog"

From YobiWiki
Revision as of 21:57, 4 December 2006

Syslog-ng install

apt-get install syslog-ng

Example of /etc/syslog-ng/syslog-ng.conf:

Comment kernel source out as we are in a vserver:

   source s_all {
       #file("/proc/kmsg" log_prefix("kernel: "));

I want to keep the original hostnames (keep_hostname(1) makes syslog-ng keep the hostname the sender put in the message instead of replacing it with the address it received the message from; since that field is supplied by the sender, a host can claim any name it likes):

   options {
       keep_hostname(1);

Enable logging per remote host

   source net { udp(ip(192.168.x.xxx)); };
   destination df_zeus    {   file("/var/log/syslog-zeus.log"    owner("root") group("adm") perm(0640)); };
   destination df_public  {   file("/var/log/syslog-public.log"  owner("root") group("adm") perm(0640)); };
   destination df_private {   file("/var/log/syslog-private.log" owner("root") group("adm") perm(0640)); };
   destination df_ns0     {   file("/var/log/syslog-ns0.log"     owner("root") group("adm") perm(0640)); };
   destination df_sql     {   file("/var/log/syslog-sql.log"     owner("root") group("adm") perm(0640)); };
   destination df_others  {   file("/var/log/syslog-$HOST.log"   owner("root") group("adm") perm(0640)); };
   filter f_zeus    { host(192.168.x.xxx); };
   filter f_public  { host(192.168.x.xxx); };
   filter f_private { host(192.168.x.xxx); };
   filter f_ns0     { host(192.168.x.xxx); };
   filter f_sql     { host(192.168.x.xxx); };
   filter f_others  { not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx) and not host(192.168.x.xxx); };
   log { 
       source(net);
       filter(f_zeus);
       destination(df_zeus);
   };
   log {
       ...

Allow inbound syslog (UDP 514) from the monitoring subnet only. Plain UDP syslog is neither authenticated nor encrypted, so anything that can reach the port can inject or spoof log lines; this source restriction is the only control on that:

iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT

On satellite hosts: add to /etc/syslog.conf

  *.* @192.168.x.xxx

Resources & Credits


Logcheck

apt-get install logcheck logcheck-database

In /etc/logcheck/logcheck.conf:

INTRO=0
REPORTLEVEL="paranoid"
ADDTAG="yes"

In /etc/logcheck/logcheck.logfiles

/var/log/remote/MAIN/auth.log
/var/log/remote/MAIN/syslog.log
/var/log/remote/MAIN/kern.log
/var/log/remote/mx/auth.log
/var/log/remote/mx/syslog.log
/var/log/remote/public/auth.log
/var/log/remote/public/syslog.log
/var/log/remote/private/auth.log
/var/log/remote/private/syslog.log
/var/log/remote/ns0/auth.log
/var/log/remote/ns0/syslog.log
/var/log/remote/sql/auth.log
/var/log/remote/sql/syslog.log
/var/log/remote/devel/auth.log
/var/log/remote/devel/syslog.log
#/var/log/remote/MAIN/NF/ethr_in.log
/var/log/remote/MAIN/NF/ethr_out.log
/var/log/remote/MAIN/NF/others.log

Tuning logcheck filters

Solving the issue at the source

I have many such messages in the vserver:

pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0

Not sure why, probably because the vserver's maximum limits are reduced.
To get rid of it, comment the line out in /etc/pam.d/cron and /etc/pam.d/ssh (note that this also disables the limits from /etc/security/limits.conf for those two services; that is the trade-off being made here):

#session    required     pam_limits.so

Writing and testing new rules

Add your rules in files prefixed with "local-" to distinguish them from the packaged ones.
Make sure the ownership and permissions of those new files let the logcheck user read them,
e.g. -rw-r----- root:logcheck (chown root:logcheck, chmod 640).

To test a logcheck filtering rule against a log file (logcheck strips trailing whitespace before matching, hence the sed):

sed -e 's/[[:space:]]*$//' <logfile> | egrep '<regexp>'

Then you can dry-run logcheck itself on the command line (-o prints to stdout instead of mailing, -t is testing mode so the log offsets are not updated):

su logcheck -s /bin/bash -c "/usr/sbin/logcheck -l <logfile> -o -t"

This is easier if you have sudo installed...

Examples of home-made rules

As I run in paranoid mode, I take some rules from server mode. At REPORTLEVEL paranoid only ignore.d.paranoid is consulted, so server-level rules have to be linked in explicitly (each local-* file is a symlink to the server rule file):

  • /etc/logcheck/ignore.d.paranoid/local-sa-exim -> /etc/logcheck/ignore.d.server/sa-exim
  • /etc/logcheck/ignore.d.paranoid/local-fetchmail -> /etc/logcheck/ignore.d.server/fetchmail

For imapd sessions:

/etc/logcheck/ignore.d.paranoid/local-imap:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: Connection, ip=\[[:.0-9a-f]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGIN, user=[a-z]+, ip=\[[:.0-9a-f]+\], protocol=IMAP$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: (TIMEOUT|LOGOUT), (user=[a-z]+, )?ip=\[[:.0-9a-f]+\], (headers=[0-9]+, body=[0-9]+, )?rcvd=[0-9]+, sent=[0-9]+(, time=[0-9]+, starttls=1)?$

For imapproxy sessions:
Probably because of the syslog-ng templates, the rules from ignore.d.server/imapproxy need to be adapted slightly:

/etc/logcheck/ignore.d.paranoid/local-imapproxy:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT: \\?'\\?"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?\\?"\\?' from server sd \[[0-9]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN: \\?'\\?"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?\\?"\\?' \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+\) on (existing|new) sd \[[0-9]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: Expiring server sd \[[0-9]+\]$

For ssh, just an excerpt from ignore.d.server/ssh:

/etc/logcheck/ignore.d.paranoid/local-ssh:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
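
As an added example (not from this wiki page), here is a self-contained dry run of the filtering step logcheck performs, using the local-ssh and local-imap rules above against a constructed auth.log. The hostname, user, addresses and timestamps are made up, and the first line deliberately carries trailing spaces. logcheck strips trailing whitespace, then drops every line that matches one of the ignore regexes (egrep -v -f); what survives is what ends up in the report mail.

```shell
#!/bin/sh
# Added example, not part of the wiki page: dry run of logcheck's
# filtering step over constructed log lines with the local-ssh and
# local-imap rules quoted above.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Ignore rules, copied from the local-ssh and local-imap files above.
cat >"$WORK/local-rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: Connection, ip=\[[:.0-9a-f]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGIN, user=[a-z]+, ip=\[[:.0-9a-f]+\], protocol=IMAP$
EOF

# Constructed sample log (host "mx", user "phil" and the addresses are
# made up). The first line gets three trailing spaces on purpose: without
# the whitespace strip, the "$"-anchored ssh rule would not match it.
{
    printf '%s   \n' 'Dec  4 21:57:01 mx sshd[1234]: Accepted publickey for phil from 192.168.1.10 port 50342 ssh2'
    printf '%s\n'    'Dec  4 21:57:05 mx sshd[1240]: Failed password for root from 10.0.0.5 port 44444 ssh2'
    printf '%s\n'    'Dec  4 21:58:00 mx imapd: Connection, ip=[::ffff:192.168.1.10]'
    printf '%s\n'    'Dec  4 21:58:02 mx imapd: LOGIN, user=phil, ip=[::ffff:192.168.1.10], protocol=IMAP'
    printf '%s\n'    'Dec  4 21:58:30 mx imapd: LOGIN FAILED, user=phil, ip=[::ffff:10.0.0.5]'
} >"$WORK/auth.log"

# logcheck_report RULES LOG: print the lines logcheck would report, i.e.
# everything left after stripping trailing whitespace and removing the
# lines matched by any ignore regex. "|| true" keeps set -e quiet when
# grep -v filters everything out.
logcheck_report() {
    sed -e 's/[[:space:]]*$//' "$2" | grep -E -v -f "$1" || true
}

# count_reported RULES LOG: number of lines that would be reported.
count_reported() {
    logcheck_report "$1" "$2" | wc -l | tr -d ' '
}

# Prints the two failed logins; the three lines covered by the rules are dropped.
logcheck_report "$WORK/local-rules" "$WORK/auth.log"
```

Swap in your own local-* file and a slice of the real log to check a new rule before installing it under /etc/logcheck; a rule that is too loose shows up as a line you expected to see disappearing from the output.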

TODO