Hi, I was wondering if anyone has experience with sanity checking of syslog messages. I'm looking for a manner to filter syslog messages such as "set passwd ....", which could start commands on a UNIX system. Also, I use a web interface to view the syslog messages (like the vermeer.org one). However, I want to filter syslog messages that could exploit browser vulnerabilities. Does anyone have experience with this or some good advice? Thanks in advance for any help.

Carol Overes
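As an added example (not from the original post), here is one way to treat log text as untrusted before it reaches a terminal or a web viewer like the one mentioned: make control bytes printable so no escape sequence or forged line break survives, HTML-escape for the browser, and report what was found so the viewer can flag it. The sample message is constructed.

```python
"""Sanitize untrusted syslog message text before showing it on a terminal
or in a web log viewer. Added example, not from the original thread."""
import html
import re

# Bytes a terminal or log parser could interpret: all C0 controls except TAB,
# DEL, and the C1 range (0x9b is an 8-bit CSI introducer on VT-style terminals).
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")
# Anything that looks like the start of an HTML tag or comment.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!?]")


def _visible(m: re.Match) -> str:
    # Render the byte as a printable \xNN escape so what was sent stays visible.
    return "\\x%02x" % ord(m.group())


def sanitize_for_terminal(msg: str) -> str:
    """Neutralise terminal escape sequences and log-line injection.

    Every escape sequence starts with ESC (0x1b) or a C1 byte, so making those
    bytes printable is enough; the rest of the payload stays readable."""
    return _CONTROL.sub(_visible, msg)


def sanitize_for_html(msg: str) -> str:
    """Make a message safe to embed as text in an HTML log viewer."""
    return html.escape(sanitize_for_terminal(msg), quote=True)


def inspect_message(msg: str) -> dict:
    """Sanitize and report which hostile features the message carried."""
    findings = []
    if "\x1b" in msg or re.search(r"[\x80-\x9f]", msg):
        findings.append("terminal-escape")
    if "\n" in msg or "\r" in msg:
        findings.append("line-injection")
    if _MARKUP.search(msg):
        findings.append("html-markup")
    return {"terminal": sanitize_for_terminal(msg),
            "html": sanitize_for_html(msg),
            "findings": findings}


# Constructed sample: a clear-screen escape, a BEL, a forged second log line
# and an HTML tag, all inside one syslog message body.
SAMPLE = ("sshd[123]: Failed password for root from 192.0.2.5 port 22"
          "\x1b[2J\x07\nNov 19 08:28:16 fw01 root: forged line "
          "<script>alert(1)</script>")
```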
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.

Here is a netstat:

netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 cscnet08p:smtp          *:*                     LISTEN
udp        0      0 *:syslog                *:*
udp        0      0 *:sunrpc                *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1512   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     93129  /dev/log

Here is my config:

options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (on);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (on);
};

source s_udp { udp(); };
source s_sys {
    pipe ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log" create_dirs(yes) owner("log") group("log") perm(0600)); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_udp); filter(f_filter7); destination(rlog); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages? tcpdump and strace would help here.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
08:28:15.975018 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.976003 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
08:28:15.976820 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.978296 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
08:28:15.979772 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.980096 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.980756 138.57.100.15.syslog > 66.6.86.58.syslog: udp 133

Looks like the firewall is sending (100.15 is the firewall).

On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages ?
tcpdump and strace would help here.
Hiya everyone, I'm pretty new to syslog-ng, and I'm currently working on converting our current "normal" syslog daemons (FreeBSD) to syslog-ng and setting up a central loghost. So far so good -- everything is working, even through stunnel and TCP, which is awesome. I'm going to try and get it into PostgreSQL next. Anyway, my question is about logging facilities. I never thought about this with syslogd; I always assumed I was limited to the normal facilities, local2 and mail and whatnot. But looking through the syslog-ng config file it occurred to me that I may be able to create my own facility filters. For example, create an apache facility and have Apache log to this. I could then pipe Apache to the log host and have it consolidate all that stuff into httpd-error files in the new directory hierarchy. Thanks! :) -- Josh
On Wed, Nov 19, 2003 at 09:29:18AM -0500, Josh Endries wrote:
Hiya everyone, Anyway, my question is about logging facilities. I never thought about this with syslogd; I always assumed I was limited to the normal facilities, local2 and mail and whatnot. But looking through the syslog-ng config file it occurred to me that I may be able to create my own facility filters. For example, create an apache facility and have Apache log to this. I could then pipe Apache to the log host and have it consolidate all that stuff into httpd-error files in the new directory hierarchy.
Ummm... the "local" facilities are the custom ones. In your head you are supposed to say "local4 means apache", and maybe you say it in a comment in a config file somewhere. I would not recommend sliding your own facility into slots your OS(es) just happen not to use. And you will find some OSes will not allow this added facility to work correctly (it will work fine over the network, but an OS needed to feed it to syslog in the first place, so...) You will be just as happy logging to daemon (since Apache is a daemon) and matching on "httpd" or "apache" in the program field.

-----------------------------------------------------------------------
   __o          Bradley Arlt                 Security Team Lead
 _ \<_          arlt@cpsc.ucalgary.ca        University Of Calgary
(_)/(_)         Joyously Canadian            Computer Science
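Brad's suggestion in code form, as an added example that is not part of the thread: a minimal BSD-syslog (RFC 3164) parser that decodes the facility from the PRI and pulls the program name out of the tag, followed by the "facility daemon plus httpd/apache program" filter he describes. The sample lines are constructed, and the names used for facility codes 12 to 15 are an assumption since they are not standardised.

```python
"""Decode the PRI and program field of BSD-syslog lines and apply the
'daemon + httpd/apache' filter described above (added example)."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0-23 of the BSD syslog protocol; the labels for 12-15 are
# commonly used names, not standardised ones (assumption).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG   (TAG is what syslog-ng calls the program field)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


def parse_bsd_syslog(line: str):
    """Return a dict of fields, or None if the line is not well-formed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                 # 23*8 + 7 is the largest legal PRI value
        return None
    return {
        "facility": FACILITIES[pri >> 3],   # upper bits: facility code
        "severity": SEVERITIES[pri & 7],    # lower three bits: severity
        "host": m.group("host"),
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


_APACHE = re.compile(r"^(httpd|apache2?)$")


def is_apache_program(rec: dict) -> bool:
    """Match on the program field alone, whatever facility was used."""
    return bool(_APACHE.match(rec["program"]))


def is_apache_daemon(rec: dict) -> bool:
    """The filter suggested above: facility daemon and an Apache program name."""
    return rec["facility"] == "daemon" and is_apache_program(rec)


# Constructed sample lines: PRI 27 = daemon.err, 30 = daemon.info, 158 = local3.info
SAMPLES = [
    "<27>Nov 19 09:29:18 web01 httpd[2311]: [error] [client 192.0.2.7] File does not exist: /var/www/html/robots.txt",
    "<30>Nov 19 09:29:20 web01 sshd[410]: Accepted publickey for josh from 192.0.2.9 port 51022 ssh2",
    "<158>Nov 19 09:29:21 web02 apache: child pid 991 exit signal Segmentation fault (11)",
]


def route(lines):
    """Return the (host, program) pairs that would go to the httpd-error files."""
    out = []
    for line in lines:
        rec = parse_bsd_syslog(line)
        if rec and is_apache_daemon(rec):
            out.append((rec["host"], rec["program"]))
    return out
```

The third sample shows the point made above: a message sent under local3 is still recognisable by its program field, so the facility number only has to be agreed on, not invented.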
On Wed, Nov 19, 2003 at 07:55:46AM -0600, Daniel Flick wrote:
08:28:15.975018 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.976003 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
08:28:15.976820 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.978296 138.57.100.15.syslog > 66.6.86.58.syslog: udp 137
08:28:15.979772 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.980096 138.57.100.15.syslog > 66.6.86.58.syslog: udp 134
08:28:15.980756 138.57.100.15.syslog > 66.6.86.58.syslog: udp 133

Looks like the firewall is sending (100.15 is the firewall).
OK, please strace the syslog-ng process to see whether it is actually receiving messages.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages ?
tcpdump and strace would help here.

tcpdump shows that the firewalls are contacting the machine.

I was not able to get anything of value with "strace syslog-ng". I am new to this tool so I may not be using it right. This is the only error I could find, but I don't know what that means:

open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages ?
tcpdump and strace would help here.

tcpdump shows that the firewalls are contacting the machine.
I was not able to get anything of value with "strace syslog-ng" I am new to this tool so I may not be using it right. This is the only error I could find but I don't know what that means.
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
Check the pid of the syslog-ng process as it is running in the background, and attach to it using strace:

strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>

Run it for a couple of seconds, to let your firewall send syslog messages. Then grep the file /tmp/syslog-ng.trace for the string "recvfrom". Each received message should have a corresponding recvfrom() call. If you can't see anything, either syslog-ng is not correctly bound, or your packet filter drops syslog traffic.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
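To make the recvfrom() check above repeatable, here is an added script (not part of the thread) that summarises an strace file such as /tmp/syslog-ng.trace: it counts poll() calls and successful recvfrom() calls per sending host and returns the verdict Bazsi describes. Both sample traces are constructed; the idle one mirrors a poll-only capture, the busy one shows what a receiving listener looks like.

```python
"""Summarise an strace capture of syslog-ng to check whether UDP syslog
datagrams actually reach the process (added example; not from the thread)."""
import re
from collections import Counter

# strace's rendering of recvfrom() on an IPv4 UDP socket, e.g.
# recvfrom(5, "<166>...", 2048, 0, {sa_family=AF_INET, sin_port=htons(514),
#          sin_addr=inet_addr("192.0.2.1")}, [16]) = 134
_RECVFROM = re.compile(
    r'^recvfrom\((?P<fd>\d+), "(?P<data>(?:[^"\\]|\\.)*)"(?:\.\.\.)?, \d+, \d+, '
    r'\{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)\}, \[\d+\]\) = (?P<ret>-?\d+)'
)
_POLL = re.compile(r"^poll\(")


def analyze_trace(trace: str) -> dict:
    """Count poll() wake-ups and successful recvfrom() calls per (ip, port)."""
    polls = 0
    by_source = Counter()
    for line in trace.splitlines():
        if _POLL.match(line):
            polls += 1
            continue
        m = _RECVFROM.match(line)
        if m and int(m.group("ret")) >= 0:      # EAGAIN and friends do not count
            by_source[(m.group("ip"), int(m.group("port")))] += 1
    received = sum(by_source.values())
    if received:
        verdict = "ok: %d datagrams received" % received
    elif polls:
        verdict = ("no recvfrom() despite %d poll() calls: socket not bound to "
                   "the syslog port, or a packet filter drops the traffic" % polls)
    else:
        verdict = "trace too short: no poll() or recvfrom() seen"
    return {"polls": polls, "received": received,
            "by_source": dict(by_source), "verdict": verdict}


# Constructed sample traces (not captured from a real system).
IDLE_TRACE = """time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
getpid() = 11999
"""
BUSY_TRACE = """poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, 100) = 1 ([{fd=5, revents=POLLIN}])
recvfrom(5, "<166>Nov 19 08:28:15 fw01 message one", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.15")}, [16]) = 37
recvfrom(5, "<166>Nov 19 08:28:15 fw01 message two", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.15")}, [16]) = 37
recvfrom(5, "<30>Nov 19 08:28:16 proxy01 message", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.20")}, [16]) = 35
recvfrom(5, 0xbffff000, 2048, 0, 0xbffff800, 0xbffffa00) = -1 EAGAIN (Resource temporarily unavailable)
"""
```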
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages ?
tcpdump and strace would help here.

tcpdump shows that the firewalls are contacting the machine.
I was not able to get anything of value with "strace syslog-ng" I am new to this tool so I may not be using it right. This is the only error I could find but I don't know what that means.
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
check the pid of the syslog-ng process as it is running in the background, and attach to it using strace
strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
run it for a couple of seconds, to let your firewall send syslog messages. Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
Each received message should have a corresponding recvfrom() call. If you can't see anything either syslog-ng is not correctly bound, or your packet filter drops syslog traffic

Interesting that I have so many syslog-ng processes. Is this normal?

ps -aux | grep [s]yslog
root     11118  0.0  0.0  1780  808 ?        S    Nov17   1:31 syslog-ng
root     11994  0.0  0.0  1724  696 ?        S    08:31   0:01 syslog-ng
root     11999  0.0  0.0  1712  724 ?        S    09:00   0:00 syslog-ng all all
root     12066  0.0  0.0  1708  680 ?        S    09:22   0:00 syslog-ng
root     12071  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
root     12075  0.0  0.0  1688  660 ?        S    09:23   0:00 syslog-ng
root     12079  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
root     12083  0.0  0.0  1700  672 ?        S    09:24   0:00 syslog-ng
root     12087  0.0  0.0  1688  656 ?        S    09:24   0:00 syslog-ng
root     12091  0.0  0.0  1684  656 ?        S    09:24   0:00 syslog-ng
root     12095  0.0  0.0  1728  740 ?        S    09:25   0:11 syslog-ng

I attached to 11999 and a few others and could not find recvfrom anywhere. The file is rather small and I posted one here. I also tried to attach to several other syslog-ng processes with the same results. I also verified that no filters are running that may be dropping the packets.

cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
time(NULL) = 1069271425
time(NULL) = 1069271425
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll( <unfinished ...>
On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
check the pid of the syslog-ng process as it is running in the background, and attach to it using strace
strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
run it for a couple of seconds, to let your firewall send syslog messages. Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
Each received message should have a corresponding recvfrom() call. If you can't see anything either syslog-ng is not correctly bound, or your packet filter drops syslog traffic

Interesting that I have so many syslog-ng processes. Is this normal?

ps -aux | grep [s]yslog
root     11118  0.0  0.0  1780  808 ?        S    Nov17   1:31 syslog-ng
root     11994  0.0  0.0  1724  696 ?        S    08:31   0:01 syslog-ng
root     11999  0.0  0.0  1712  724 ?        S    09:00   0:00 syslog-ng all all
root     12066  0.0  0.0  1708  680 ?        S    09:22   0:00 syslog-ng
root     12071  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
root     12075  0.0  0.0  1688  660 ?        S    09:23   0:00 syslog-ng
root     12079  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
root     12083  0.0  0.0  1700  672 ?        S    09:24   0:00 syslog-ng
root     12087  0.0  0.0  1688  656 ?        S    09:24   0:00 syslog-ng
root     12091  0.0  0.0  1684  656 ?        S    09:24   0:00 syslog-ng
root     12095  0.0  0.0  1728  740 ?        S    09:25   0:11 syslog-ng
To my best knowledge syslog-ng forks only when it starts another program (program destination). So it is not normal that you have this number of syslog-ng processes.
I attached to 11999 and a few others and could not find recvfrom anywhere. The file is rather small and I posted one here. I also tried to attach to several other syslog-ng processes with the same results. I also verified that no filters are running that may be dropping the packets.

cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
The output of "lsof" might reveal the nature of those polled file descriptors, but in general if you can't see recvfrom() lines and syslog-ng is bound to the correct ports there is really something wrong outside syslog-ng.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Wed, 2003-11-19 at 14:50, Balazs Scheidler wrote:
On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
check the pid of the syslog-ng process as it is running in the background, and attach to it using strace
strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
run it for a couple of seconds, to let your firewall send syslog messages. Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
Each received message should have a corresponding recvfrom() call. If you can't see anything either syslog-ng is not correctly bound, or your packet filter drops syslog traffic

Interesting that I have so many syslog-ng processes. Is this normal?

ps -aux | grep [s]yslog
root     11118  0.0  0.0  1780  808 ?        S    Nov17   1:31 syslog-ng
root     11994  0.0  0.0  1724  696 ?        S    08:31   0:01 syslog-ng
root     11999  0.0  0.0  1712  724 ?        S    09:00   0:00 syslog-ng all all
root     12066  0.0  0.0  1708  680 ?        S    09:22   0:00 syslog-ng
root     12071  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
root     12075  0.0  0.0  1688  660 ?        S    09:23   0:00 syslog-ng
root     12079  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
root     12083  0.0  0.0  1700  672 ?        S    09:24   0:00 syslog-ng
root     12087  0.0  0.0  1688  656 ?        S    09:24   0:00 syslog-ng
root     12091  0.0  0.0  1684  656 ?        S    09:24   0:00 syslog-ng
root     12095  0.0  0.0  1728  740 ?        S    09:25   0:11 syslog-ng
To my best knowledge syslog-ng forks only when it starts another program (program destination). So it is not normal that you have this number of syslog-ng processes.

Would this make sense due to the fact that my destination creates a new file based on the host source? If so, that is encouraging.

destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log" create_dirs(yes) owner("log") group("log") perm(0600)); };
I attached to 11999 and a few others and could not find recvfrom anywhere. The file is rather small and I posted one here. I also tried to attach to several other syslog-ng processes with the same results. I also verified that no filters are running that may be dropping the packets.

cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
the output of "lsof" might reveal the nature of those polled filedescriptors, but in general if you can't see recvfrom() lines and syslog-ng is bound to the correct ports there is really something wrong outside syslog-ng.

If the config looks good then I might just do a rebuild to Gentoo and try again. Did you see any obvious errors in my syslog-ng.conf? Thanks very much for the assistance. I learned quite a bit!
On Wed, Nov 19, 2003 at 03:51:47PM -0600, Daniel Flick wrote:
On Wed, 2003-11-19 at 14:50, Balazs Scheidler wrote:
On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:

root     12087  0.0  0.0  1688  656 ?        S    09:24   0:00 syslog-ng
root     12091  0.0  0.0  1684  656 ?        S    09:24   0:00 syslog-ng
root     12095  0.0  0.0  1728  740 ?        S    09:25   0:11 syslog-ng
To my best knowledge syslog-ng forks only when it starts another program (program destination). So it is not normal that you have this number of syslog-ng processes.

Would this make sense due to the fact that my destination creates a new file based on the host source? If so, that is encouraging.

destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log" create_dirs(yes) owner("log") group("log") perm(0600)); };
No, syslog-ng does not fork in this case.
If the config looks good then I might just do a rebuild to Gentoo and try again. Did you see any obvious errors in my syslog-ng.conf? Thanks very much for the assistance. I learned quite a bit!
It seems to be OK.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
participants (5)
- Balazs Scheidler
- Brad Arlt
- Daniel Flick
- joop jansen
- Josh Endries