Balabit Meetup - Ruby
On Wednesday I did a presentation at the Balabit Meetup. I talked about a
programming language that’s very close to me, it’s called Ruby. You can
check the sli...
myuser@myhost:~$ logger hello
myuser@myhost:~$ grep hello /var/log/syslog
2010-03-05T14:05:33+01:00 myuser[]: hello

myuser@myhost:~$ logger hello
myuser@myhost:~$ grep hello /var/log/syslog
2010-03-05T14:05:33+01:00 myhost myuser[]: hello
Dear user of the acme.hu mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox user@acme.hu settings were changed. In order to apply the new set of settings open this file:
http://path.to.the.spammer.com/settings.exe
Best regards, acme.hu Technical Support.
mknod /var/log/apache2/access.log p
mknod /var/log/apache2/error.log p

Now set all the virtual hosts to use them:

ErrorLog /var/log/apache2/error.log
LogLevel debug
CustomLog /var/log/apache2/access.log combined

It is important that all the virtual hosts use these nodes, so the logs are not stored in the apache chroot any more. Now we have to read the messages somehow. The only small problem is that apache uses the Common Log Format, which is far from any standard syslog format. Fortunately it is possible to modify it in the apache config. The original looks like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Let's change it to comply with the syslog RFC; mine looks like this:

LogFormat "<123>Jan 12 12:12:12 %v apache[666]: %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Do not care about the strange PRI field, the fixed timestamp or the funny PID; I only used them because of google indexing ;-) What really counts is the hostname field, which contains the name of the virtual host (%v = virtual host), and that the original combined message is delivered in the MESSAGE field ($MSGONLY). So now we are ready with the apache side, let's focus on the syslog-ng side. The first step is reading the two pipes:

# client side: read what apache writes into the named pipe
source s_apache_access {
    pipe("/var/log/apache2/access.log");
};

On the destination (writing side) we simply store in different files by the hostname field:

destination d_apache_access {
    # $FULLHOST is the %v virtual host name from the LogFormat above; syslog-ng
    # rewrites the HOST field with the sender's name unless keep_hostname(yes)
    # is set in options {}, so without it every vhost would end up in one file
    file("/var/log/apache2/$FULLHOST" template("$MSGONLY\n") template-escape(no) owner("root") group("adm") perm(0640));
    file("/var/log/archive/$R_YEAR/apache/$R_MONTH/$FULLHOST.$R_DAY" template("$MSGONLY\n") template-escape(no) owner("root") group("adm") perm(0640) create_dirs(yes) dir_owner("root") dir_group("adm"));
};

I like solving archiving at the same time, therefore the second destination does it. Now I have to wire the client and the server side:

destination d_logserver_net {
    tcp("1.2.3.4" port(514)
        tls(ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
            key_file("/opt/syslog-ng/etc/syslog-ng/key.d/client.key")
            cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/client_cert.pem")));
};
log {
    source(s_apache_access);
    destination(d_logserver_net);
};

On the server side we receive the messages:

source s_apache_net {
    # listen on the same port the client's d_logserver_net sends to
    tcp(ip(0.0.0.0) port(514)
        tls(key_file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
            cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
            ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")));
};
log {
    source(s_apache_net);
    destination(d_apache_access);
};

We are ready. It was not very difficult, was it?
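To check what actually travels through the pipe and where it ends up, here is an added Python example (not from the original post) that parses a line produced by the LogFormat above as an RFC 3164 message, splits $MSGONLY back into the combined log fields, and mimics the per-$FULLHOST file routing of d_apache_access. The sample lines are constructed; the third one carries a hostname that is not a valid DNS name, which the routing refuses to turn into a path component.

```python
import re

# Constructed sample lines, shaped like what Apache writes into the pipe with the page's
# LogFormat '<123>Jan 12 12:12:12 %v apache[666]: <combined fields>'. The third one has a
# hostname that is not a valid DNS name, to exercise the path check in route().
SAMPLE_LINES = [
    '<123>Jan 12 12:12:12 www.example.com apache[666]: 192.0.2.10 - - '
    '[05/Mar/2010:14:05:33 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '<123>Jan 12 12:12:12 shop.example.com apache[666]: 198.51.100.7 - bob '
    '[05/Mar/2010:14:05:34 +0100] "POST /cart HTTP/1.1" 302 - "http://shop.example.com/" "curl/7.19"',
    '<123>Jan 12 12:12:12 ../../etc apache[666]: 203.0.113.9 - - '
    '[05/Mar/2010:14:05:35 +0100] "GET / HTTP/1.1" 200 12 "-" "-"',
]
# RFC 3164 header: <PRI>TIMESTAMP HOST TAG[PID]: MSG
RFC3164 = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
                     r'(?P<host>\S+) (?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # Apache escapes embedded quotes as \"
COMBINED = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] %s (\d{3}) (\d+|-) %s %s$' % (QUOTED, QUOTED, QUOTED))
SAFE_HOST = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]*$')  # what we accept as a path component

def parse_syslog_line(line):
    """Split one pipe line into the fields syslog-ng exposes as macros."""
    m = RFC3164.match(line)
    if m is None:
        raise ValueError('not an RFC 3164 line: %r' % line)
    pri = int(m['pri'])
    return {'FACILITY': pri >> 3, 'PRIORITY': pri & 7, 'FULLHOST': m['host'],
            'PROGRAM': m['tag'], 'PID': m['pid'], 'MSGONLY': m['msg']}

def parse_combined(msgonly):
    """Parse $MSGONLY back into the Apache combined log fields."""
    m = COMBINED.match(msgonly)
    if m is None:
        raise ValueError('not a combined log line: %r' % msgonly)
    client, ident, user, when, request, status, size, referer, agent = m.groups()
    return {'client': client, 'user': None if user == '-' else user, 'time': when,
            'request': request, 'status': int(status), 'bytes': 0 if size == '-' else int(size),
            'referer': referer, 'agent': agent}

def route(lines, template='/var/log/apache2/$FULLHOST'):
    """Mimic d_apache_access: one file per vhost holding $MSGONLY. Returns (files, rejected)."""
    files, rejected = {}, []
    for line in lines:
        fields = parse_syslog_line(line)
        if not SAFE_HOST.match(fields['FULLHOST']):
            rejected.append(fields['FULLHOST'])  # never build a path from it
            continue
        path = template.replace('$FULLHOST', fields['FULLHOST'])
        files.setdefault(path, []).append(fields['MSGONLY'])
    return files, rejected
```

With %v the hostname comes from the configured ServerName, so the check in route() is belt and braces; it matters more if the format is ever changed to %V, whose value can come from the request's Host header.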