3/10/2010

CPE certificates from 2010

We have moved forward again. From 2010 we issue CPE certificates for our trainings. If you need one, just indicate it on the training entry form. The certificate does not contain CPE points but hours, which helps everybody count their own points, since it can be different for every profession. In addition, CPE points are maximized if the training is product specific. The certified hours are 6 net hours a day, therefore we issue 6 hours for SSB, 12 hours for syslog-ng PE and 6 hours for SCB. For further info visit the ISACA website.

3/05/2010

syslog-ng OSE: keep_hostname() bug

I have just found a bug in syslog-ng OSE 3.1beta2. When you use keep_hostname(yes) in the options, then for those sources where this field is empty (e.g. messages arriving on /dev/log) it eliminates the hostname, like this:
myuser@myhost:~$ logger hello
myuser@myhost:~$ grep hello /var/log/syslog
myuser@myhost:~$ 2010-03-05T14:05:33+01:00 myuser[]: hello

After the patch:
myuser@myhost:~$ logger hello
myuser@myhost:~$ grep hello /var/log/syslog
myuser@myhost:~$ 2010-03-05T14:05:33+01:00 myhost myuser[]: hello

Not a big bug, but it was very embarrassing. The patch is in Bazsi's git tree out there. Thank you Bazsi!

I wish you a pleasant weekend!

3/01/2010

Funny spam

I have my own server which I maintain every day. Yesterday I got the following spam:
Dear use of the acme.hu mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox user@acme.hu settings were changed. In order to apply the new set of settings open this file:

http://path.to.the.spammer.com/settings.exe

Best regards, acme.hu Technical Support.

That is funny! I am just informing myself that I have changed my server's configuration, therefore I need to change my client's settings too. I was so kind that, to do this, I made a small exe, which I uploaded to a different provider's server (how paranoid I am!). What a schizo mail!;-)

2/26/2010

First online training

I have finished the first online training. We used WebEx and a phone conference. I must tell it was very tiring, but fun. Hopefully there will be more and more trainings with this green way of teaching.

2/24/2010

How to collect apache logs by syslog-ng

Let's imagine a webserver with many virtual hosts. It is jailed in a chroot, but it could be on a virtual machine (or even a real one). I want to collect the logs with the following requirements:
  • No log messages left behind by apache
  • No need to handle hundreds of sources. Transfer every log on one channel (okay, let's use two;-)
  • No need to rotate and maintain an archive
  • Use a secure protocol, but I guess I do not even have to mention that;-)
Let's see how to start. The first step is to force apache to log to a named pipe. Not a big trick, just create the pipes. Use mknod (the `p` argument creates a FIFO):
mknod /var/log/apache2/access.log p
mknod /var/log/apache2/error.log p
Now set all the virtual hosts to use them:
ErrorLog /var/log/apache2/error.log
LogLevel debug
CustomLog /var/log/apache2/access.log combined
It is important that all the virtual hosts use these pipes; that way no log is stored inside the apache chroot any more. Now we have to read the messages somehow. The only small problem is that apache uses the Common Log Format, which is far from any standard syslog format. Fortunately it is possible to modify it in the apache conf. The original looks like this:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Let's change it to comply with the syslog RFC; mine looks like this:
LogFormat "<123>Jan 12 12:12:12 %v apache[666]: %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Do not worry about the odd PRI field, the fixed timestamp or the funny PID. I only used them because of Google indexing;-) What really counts is the hostname, which contains the name of the virtual host (%v = virtual host), and the original combined message, which is delivered in the MESSAGE field ($MSGONLY). So now we are ready with the apache side, let's focus on the syslog-ng side. The first step is reading the pipes (the access log pipe is shown here):
source s_apache_access {
pipe("/var/log/apache2/access.log");
};
On the destination (writing) side we simply store in different files by the hostname field:
destination d_apache_access {
file("/var/log/apache2/$FULLHOST" template("$MSGONLY\n") template-escape(no) owner("root") group("adm") perm(0640));

file("/var/log/archive/$R_YEAR/apache/$R_MONTH/$FULLHOST.$R_DAY" template("$MSGONLY\n") template-escape(no) owner("root") group("adm") perm(0640) create_dirs(yes) dir_owner("root") dir_group("adm"));
};
I like solving archiving at the same time, therefore the second destination does it. Now I have to wire the client and the server side (the client connects to the port the server listens on):
destination d_logserver_net {
tcp("1.2.3.4" port(1999)
tls(ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
key_file("/opt/syslog-ng/etc/syslog-ng/key.d/client.key")
cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/client_cert.pem")));
};

log {
source(s_apache_access);
destination(d_logserver_net);
};
On the server side we receive the messages:
source s_apache_net {
tcp(ip("0.0.0.0") port(1999)
tls( key_file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) );
};

log {
source(s_apache_net);
destination(d_apache_access);
};
We are ready. It was not very difficult, was it?
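To see what the syslog-ng side actually receives from that LogFormat, here is an added example (not from the article and not syslog-ng code): a small Python parser for the BSD-syslog wrapped access lines, which then derives the file paths the $FULLHOST based destinations above would write to. The sample lines, the hostnames www.example.com and shop.example.com and the date are constructed. The hostname check is a defensive addition: on the server side $FULLHOST comes from the message payload sent by the peer, so it is worth confirming it looks like a hostname before it becomes a path component.

```python
"""Parse Apache access lines re-wrapped as BSD syslog (the LogFormat from the
article) the way a syslog-ng pipe() source sees them, then derive the file
paths the $FULLHOST-based destinations would write to."""
import re

# Constructed sample lines: the fixed "<123>Jan 12 12:12:12" prefix and the
# apache[666] tag are the article's dummies; the hostname slot carries %v.
SAMPLE_LINES = [
    '<123>Jan 12 12:12:12 www.example.com apache[666]: 192.0.2.10 - - '
    '[24/Feb/2010:10:15:01 +0100] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '<123>Jan 12 12:12:12 shop.example.com apache[666]: 192.0.2.11 - bob '
    '[24/Feb/2010:10:15:02 +0100] "POST /cart HTTP/1.1" 302 0 '
    '"http://shop.example.com/" "curl/7.19.7"',
    # A line without a hostname, as logger writes it to /dev/log: not routable
    # to a per-virtual-host file.
    '<13>Mar  5 14:05:33 myuser: hello',
]

BSD_SYSLOG = re.compile(
    r'^<(?P<pri>\d{1,3})>'                           # PRI = facility*8 + severity
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '  # "Jan 12 12:12:12"
    r'(?P<host>[^\s:]+) '                            # hostname (no ':' so a tag cannot be taken for it)
    r'(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d*)\])?: '     # "apache[666]: "
    r'(?P<msg>.*)$'
)

# Hostname charset accepted before it is used as a file name component.
HOSTNAME_OK = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$')


def parse_line(line):
    """Return the syslog fields as a dict, or None if the line is not BSD syslog
    carrying a hostname."""
    m = BSD_SYSLOG.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    return {
        'facility': pri >> 3,
        'severity': pri & 7,
        'host': m.group('host'),   # what syslog-ng exposes as $FULLHOST
        'program': m.group('tag'),
        'pid': m.group('pid'),
        'msg': m.group('msg'),     # $MSGONLY: the original combined log line
    }


def safe_hostname(host):
    """True when the hostname is safe to embed in a path."""
    return bool(HOSTNAME_OK.match(host))


def destination_paths(host, year, month, day):
    """Build the live and archive paths from the article's two file() templates."""
    if not safe_hostname(host):
        raise ValueError('refusing to build a path from hostname %r' % host)
    live = '/var/log/apache2/%s' % host
    archive = '/var/log/archive/%04d/apache/%02d/%s.%02d' % (year, month, host, day)
    return live, archive


def route(lines, year, month, day):
    """Map each parsable line to (live path, archive path, combined-log message).
    Lines without a hostname are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        live, archive = destination_paths(rec['host'], year, month, day)
        out.append((live, archive, rec['msg']))
    return out


if __name__ == '__main__':
    for live, archive, msg in route(SAMPLE_LINES, 2010, 2, 24):
        print(live, '<-', msg[:40])
        print('  archived to', archive)
```

The parser is deliberately strict: a line that lacks the hostname slot (the third sample) yields None rather than a guessed host, and a hostname containing path characters is refused before any file name is built. The facility and severity are recovered from the fixed PRI the same way syslog-ng does it, which is why the "<123>" dummy is harmless for routing here but would matter if you filtered on level().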

2/02/2010

Training@Munich

Next week I will be in Munich, teaching SCB, syslog-ng and SSB. From three countries (Germany, UK and Switzerland), in two rounds, 12-13 colleagues are coming. I am preparing the slides, because we have only two days for syslog-ng and SSB instead of three. So I will skip a few less important parts and we will have some overtime too. I'll post some pictures. Bye.

2/01/2010

Kick-off 2010

As my colleagues already posted, we held our annual (almost traditional) kick-off conference. We had two sections, for Hungarian and for foreign partners/guests. I gave three speeches (on syslog-ng in Hungarian and about the trainings in English and Hungarian). I almost knew everybody at the very successful event: at least we had exchanged some mails, and a lot of the guys had already attended my trainings. In addition to meeting a lot of partners, we held a brainstorming about the future of Zorp, which I liked very much. We asked our partners' opinion about Zorp and we learnt a lot of important facts about ourselves. Sometimes it is very useful to see how outsiders see us. We also had many guests from abroad (from Dubai, Germany, Italy, UK, US, Thailand and even from Kenya!). A very funny thing happened. In Budapest there is a lot of snow now. In Thailand and Kenya it is not very frequent;-) therefore I asked them if they had ever seen any snow. The guy from Kenya said he was not willing to go out of the hotel at all. (Finally we managed to persuade him to go on a sight-seeing tour -- hope he did not regret it!) So I asked him if he had ever seen snow. And he answered: Yes! In Dubai at the Mall of the Emirates, but only through glass! LOL!