Difference between revisions of "Syslog"
Revision as of 22:04, 4 December 2006
Syslog-ng
Install
apt-get install syslog-ng
Example of /etc/syslog-ng/syslog-ng.conf (an excerpt; the full file is not reproduced here):
Comment the kernel source out, as we are in a vserver and /proc/kmsg is not readable from inside a guest:
source s_all { #file("/proc/kmsg" log_prefix("kernel: "));
Keep the hostnames as sent by the satellites instead of replacing them:
options { keep_hostname(1); };
Enable logging per remote host (the addresses are placeholders; syslog-ng wants the strings quoted and a filter expression terminated with ';'):
source net { udp(ip("192.168.x.xxx")); };

destination df_zeus    { file("/var/log/syslog-zeus.log"    owner("root") group("adm") perm(0640)); };
destination df_public  { file("/var/log/syslog-public.log"  owner("root") group("adm") perm(0640)); };
destination df_private { file("/var/log/syslog-private.log" owner("root") group("adm") perm(0640)); };
destination df_ns0     { file("/var/log/syslog-ns0.log"     owner("root") group("adm") perm(0640)); };
destination df_sql     { file("/var/log/syslog-sql.log"     owner("root") group("adm") perm(0640)); };
# $HOST expands to the message's host field: one file per host not listed above
destination df_others  { file("/var/log/syslog-$HOST.log"   owner("root") group("adm") perm(0640)); };

filter f_zeus    { host("192.168.x.xxx"); };
filter f_public  { host("192.168.x.xxx"); };
filter f_private { host("192.168.x.xxx"); };
filter f_ns0     { host("192.168.x.xxx"); };
filter f_sql     { host("192.168.x.xxx"); };
filter f_others  { not host("192.168.x.xxx") and not host("192.168.x.xxx") and not host("192.168.x.xxx")
                   and not host("192.168.x.xxx") and not host("192.168.x.xxx"); };

log { source(net); filter(f_zeus); destination(df_zeus); };
log { ...
Two caveats with this layout: UDP syslog is neither authenticated nor encrypted, so anything that can reach port 514 on the collector can inject lines into these files; and host() matches the HOST field of the message, which with keep_hostname(1) is kept as the sender wrote it, so the per-host split trusts the satellite's own claim about who it is.
Allow inbound syslog (UDP port 514) from the satellites' subnet only (-s is that subnet, -d the collector's listening address):
iptables -A INPUT -s xxxx -d xxxx -p udp --dport 514 -m state --state NEW -j ACCEPT
On satellite hosts, add to /etc/syslog.conf (every facility and priority, forwarded over UDP to the collector):
*.* @192.168.x.xxx
Resources & Credits
- Main page: http://www.balabit.com/products/syslog_ng/
- Manual in html (http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html) or txt (http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.txt)
Logcheck
apt-get install logcheck logcheck-database
In /etc/logcheck/logcheck.conf (no intro text in the mails, paranoid rule level):
INTRO=0
REPORTLEVEL="paranoid"
ADDTAG="yes"
In /etc/logcheck/logcheck.logfiles, one file per line (these paths assume a per-host directory under /var/log/remote, not the syslog-$HOST.log files of the syslog-ng example above; the netfilter logs are commented out):
/var/log/remote/MAIN/auth.log
/var/log/remote/MAIN/syslog.log
/var/log/remote/MAIN/kern.log
/var/log/remote/mx/auth.log
/var/log/remote/mx/syslog.log
/var/log/remote/public/auth.log
/var/log/remote/public/syslog.log
/var/log/remote/private/auth.log
/var/log/remote/private/syslog.log
/var/log/remote/ns0/auth.log
/var/log/remote/ns0/syslog.log
/var/log/remote/sql/auth.log
/var/log/remote/sql/syslog.log
/var/log/remote/devel/auth.log
/var/log/remote/devel/syslog.log
#/var/log/remote/MAIN/NF/ethr_in.log
#/var/log/remote/MAIN/NF/ethr_out.log
#/var/log/remote/MAIN/NF/others.log
Tuning logcheck filters
Solving the issue at the source
I get many messages like this one in the vserver:
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Not sure why; probably because the vserver's maximum limits are reduced (limit #6 is RLIMIT_NPROC on Linux, and a guest cannot raise it to unlimited above what its context allows).
To get rid of it, comment out the line in /etc/pam.d/cron and /etc/pam.d/ssh:
#session required pam_limits.so
Note that this also stops /etc/security/limits.conf from being applied to cron jobs and ssh sessions on that host; if you rely on those limits, filter the message in logcheck instead.
Writing and testing new rules
Put your own rules into files whose names start with "local-", to tell them apart from the packaged ones.
Make sure the ownership and permissions of those new files let the logcheck user read them,
e.g. rw-r----- root:logcheck
To test a single filtering rule against a log file (the sed strips trailing whitespace so that $-anchored rules behave as they do in a logcheck run):
sed -e 's/[[:space:]]*$//' <logfile> | egrep '<regexp>'
Then you can dry-run logcheck on the command line (-o prints the report to stdout instead of mailing it, -t is test mode and leaves the offsets untouched):
su logcheck -s /bin/bash -c "/usr/sbin/logcheck -l <logfile> -o -t"
This is easier if you have sudo installed...
Examples of home-made rules
As I run in paranoid mode, I take some rules from server mode by symlinking them into ignore.d.paranoid (as shown by ls -l):
- /etc/logcheck/ignore.d.paranoid/local-sa-exim -> /etc/logcheck/ignore.d.server/sa-exim
- /etc/logcheck/ignore.d.paranoid/local-fetchmail -> /etc/logcheck/ignore.d.server/fetchmail
For imapd sessions:
/etc/logcheck/ignore.d.paranoid/local-imap:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: Connection, ip=\[[:.0-9a-f]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGIN, user=[a-z]+, ip=\[[:.0-9a-f]+\], protocol=IMAP$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: (TIMEOUT|LOGOUT), (user=[a-z]+, )?ip=\[[:.0-9a-f]+\], (headers=[0-9]+, body=[0-9]+, )?rcvd=[0-9]+, sent=[0-9]+(, time=[0-9]+, starttls=1)?$
For imapproxy sessions:
Probably because of the templates used in syslog-ng, the rules from ignore.d.server/imapproxy need a small change to match here:
/etc/logcheck/ignore.d.paranoid/local-imapproxy:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT: \\?'\\?"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?\\?"\\?' from server sd \[[0-9]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN: \\?'\\?"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?\\?"\\?' \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+\) on (existing|new) sd \[[0-9]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: Expiring server sd \[[0-9]+\]$
For ssh, just an excerpt from ignore.d.server/ssh (successful logins only; failures must keep being reported):
/etc/logcheck/ignore.d.paranoid/local-ssh:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$
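As an added example (not part of the original wiki page, nor of logcheck itself), the script below reproduces the rule-testing procedure from "Writing and testing new rules" without logcheck installed: it writes the three local-imap rules from this page to a temporary rules file, normalises a handful of constructed log lines with the same sed command as above, and prints whatever no rule matches, which is what logcheck would put in its report. Hostnames, users and addresses in the sample lines are invented; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: a logcheck-style dry run of
# ignore rules against constructed log lines.  The rules are the local-imap
# rules from the page; the log lines, hosts, users and addresses are made up.

# Write the page's local-imap rules to the file named in $1.
write_rules() {
    cat > "$1" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: Connection, ip=\[[:.0-9a-f]+\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGIN, user=[a-z]+, ip=\[[:.0-9a-f]+\], protocol=IMAP$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: (TIMEOUT|LOGOUT), (user=[a-z]+, )?ip=\[[:.0-9a-f]+\], (headers=[0-9]+, body=[0-9]+, )?rcvd=[0-9]+, sent=[0-9]+(, time=[0-9]+, starttls=1)?$
EOF
}

# Write constructed log lines to $1.  The last line is appended with printf
# so that it carries trailing spaces: a $-anchored rule cannot match it until
# the sed step has removed them.
write_log() {
    cat > "$1" <<'EOF'
Dec  4 22:04:02 zeus imapd: LOGIN, user=alice, ip=[::ffff:192.168.1.100], protocol=IMAP
Dec  4 22:04:09 zeus imapd: LOGOUT, user=alice, ip=[::ffff:192.168.1.100], headers=12, body=3456, rcvd=789, sent=4567, time=7, starttls=1
Dec  4 22:05:00 zeus imapd: LOGIN FAILED, user=admin, ip=[::ffff:10.0.0.5]
Dec  4 22:05:30 zeus sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2
EOF
    printf 'Dec  4 22:04:01 zeus imapd: Connection, ip=[::ffff:192.168.1.100]  \n' >> "$1"
}

# The normalisation used in the text: strip trailing whitespace.
normalise() {
    sed -e 's/[[:space:]]*$//' "$1"
}

# The page's single-rule check: lines of log $2 matched by extended regexp $1.
match_rule() {
    normalise "$2" | grep -E -e "$1" || true
}

# Lines of log $2 that no rule in rules file $1 matches, i.e. what logcheck
# would report.  grep exits 1 when it selects nothing, hence "|| true".
unmatched_lines() {
    normalise "$2" | grep -E -v -f "$1" || true
}

# Number of such lines after normalisation ...
count_unmatched() {
    normalise "$2" | grep -E -v -c -f "$1" || true
}

# ... and without it, to show why the sed step matters.
count_unmatched_raw() {
    grep -E -v -c -f "$1" "$2" || true
}

# Stand-alone run: report what would reach the logcheck mail for the sample.
run_demo() {
    rules=$(mktemp); log=$(mktemp)
    write_rules "$rules"; write_log "$log"
    echo "unmatched without sed: $(count_unmatched_raw "$rules" "$log")"
    echo "unmatched with sed:    $(count_unmatched "$rules" "$log")"
    echo "would be reported:"
    unmatched_lines "$rules" "$log"
    rm -f "$rules" "$log"
}
run_demo
```

Two of the five constructed lines survive the rules (the failed IMAP login and the sshd failure), and a third, the Connection line with trailing spaces, only stops being reported once the sed normalisation runs. That is the property to check for every new local- rule: it should swallow the routine session lines and nothing else.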
TODO
- update syslog-ng notes with new filters, flag final etc
- source IP of zeus seems to be 100
- fwlogwatch?
- http://www.phpwizardry.com/php-syslog-ng.php ?
- logrotate