Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Getting Started with Rsyslog Filters - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Getting Started with Rsyslog Filters

 

This is a "guest diary" submitted by Tom Webb. We will gladly forward any responses or please use our comment/forum section to comment publically. Tom is currently enrolled in the SANS Masters Program.

Rsyslog has some very useful features when building a centralized syslog system. If you are not currently centralizing your logs or have not organized them in an efferent way for analysis, this post will get you started in the right direction.  

To understand how to create a filter, you must understand the basic breakdown of the message format. Below is a visual representation of a basic log. The rawmsg is the entire syslog line. If you use this in your filter, it will check the entire line for a match. The hostname field can match a name or an IP address. The programname field normally lists the application that created the log and the msg field is anything after the programname. 

|-------------------------------------rawmsg--------------------------------------|

|-----Date-----|-----Hostname----|programname|-----------------msg----------------|  

Aug 14 02:38:01  SIFT-Workstation  rsyslogd:      rsyslogd's userid changed to 101

 

Client logs

To setup all logs for a Linux system to forward to your central log server simply change the /etc/rsyslog.conf file and replace the IP address of your syslog server with (192.168.1.1) in following line:

*.* @192.168.1.1:514

If you only want to forward a type of application logs to syslog, be more specific about what you want to send. If you do not need all the information in a log, filter out the noise. This will save disk space and speed up processing. In this example, we are only sending apache logs to the server. 

If $programname contains ‘apache’ then @192.168.1.1:514

To send the logs via UDP use one ‘@’ sign and to send the logs via TCP use two ‘@@’ signs.

If $progrmname contains ‘apache’ then @@192.168.1.1:514

Organizing Logs

Once you have several devices reporting to your syslog server, you will need to break the logs into different files to make analysis easier. Most often, you will want to group logs by application. Some of the common operators for filtering are contains, isequal, and startswith.

If you want rsyslog to stop process the line once you have a match, use & ~ on the next line. This prevents the line from being entered into multiple files (e.g. /var/log/my-log and /var/log/syslog).

To place all logs from one IP address into a single log, use the below example. It takes anything from the IP 10.10.41.12 and adds it to the /var/log/mail.log. 

if $fromhost-ip == '10.10.41.12' then /var/log/mail.log

&~

For devices in a cluster, you will likely want both device logs in the same file. In the following example both IP 10.10.10.3 and 10.10.10.4 logs are placed into the /var/log/firewall.log. 

if ($fromhost-ip == '10.10.10.3' or  $fromhost-ip == '10.10.10.4') 

Use a partial IP match for lots of devices on a couple of subnets. In this example, anything that has a 10.20.0 address or 10.30.0 is placed into /var/log/load-balance.log. Rsyslog cannot use CIDR notation for subnets, but in most cases, this is a decent replacement.

if ($hostname contains '10.20.0' or $hostname contains '10.30.0') then/var/log/load.log

To create a log for all authentications, the rule below will take any message that contains ‘auth’ and place it into the /var/log/remote-auth.log file.

if $msg contains 'auth' then /var/log/remote-auth.log

A more complex filter to match both authentications and the word fail, use the below example.

If $msg contains ‘auth’ and $msg contains ‘fail’ then /var/log/remote-fail.log

Rsyslogs support very complex logic and syntax. For more information, visit the following links.

http://www.rsyslog.com/doc/rsyslog_conf_filter.html

http://www.rsyslog.com/doc/property_replacer.html

--

Tom Webb

 
Alex Stanford

136 Posts
Don't forget to check out syslog-ng also. It's also got a whole slew of filtering options and scales nicely.
Brent

116 Posts
1. do also have a look at rsyslog-relp
http://www.rsyslog.com/doc/omrelp.html
http://www.rsyslog.com/doc/imrelp.html

- rsyslog "client"
$ModLoad omrelp

- (remote) rsyslog server
$ModLoad imrelp
$InputRELPServerRun $MY_RELP_PORT

2. think about stunnel
- rsyslog "client" (etc/stunnel/stunnel.conf)
[rsyslog]
client = yes
accept = 127.0.0.1:$MY_RELP_PORT
connect = 137.226.113.88:$REMOTE_PORT

- (remote) rsyslog server
[rsyslog]
accept = $REMOTE_PORT
connect = 127.0.0.1:$MY_RELP_PORT
(use own certificates!)

3. remote Apache loggin
- on Apache2 (for example sites-enabled/default-ssl)
ErrorLog "|/usr/bin/logger -t apache2_ssl_error -p local0.error"
TransferLog "|/usr/bin/logger -t apache2_ssl_access -p local0.notice"
CustomLog "|/usr/bin/logger -t apache2_ssl_request -p local0.notice" combined

Test with
for i in apache2_ssl_error apache2_ssl_access apache2_ssl_request;do /usr/bin/logger -t $i -p local0.error "This is a remote logger message"; done

- on rsyslog server (etc/rsyslog.d/30-templates.conf)
if $syslogfacility-text == 'local0' and $programname == 'apache2_ssl_access' then /var/log/apache_remote/default-ssl/ssl_access_log
if $syslogfacility-text == 'local0' and $programname == 'apache2_ssl_error' then /var/log/apache_remote/default-ssl/ssl_error_log
if $syslogfacility-text == 'local0' and $programname == 'apache2_ssl_request' then /var/log/apache_remote/default-ssl/ssl_request_log

Works fine if you have mor than one Apache2 Webserver
acbeko

13 Posts

Sign Up for Free or Log In to start participating in the conversation!