-rw-r--r-- | doc/confsamples/normalization.conf | 83 |
1 files changed, 59 insertions, 24 deletions
diff --git a/doc/confsamples/normalization.conf b/doc/confsamples/normalization.conf index f4c983ea..7cfd92ef 100644 --- a/doc/confsamples/normalization.conf +++ b/doc/confsamples/normalization.conf @@ -1,6 +1,11 @@ # this is a config sample for log normalization, but can # be used as a more complex general sample. # It is based on a plain standard rsyslog.conf for Red Hat systems. +# +# NOTE: Absolute path names for modules are used in this config +# so that we can run a different rsyslog version alongside the +# regular system-installed rsyslogd. Remove these path names +# for production environment. #### MODULES #### @@ -12,21 +17,19 @@ module(load="/home/rger/proj/rsyslog/plugins/imtcp/.libs/imtcp") module(load="/home/rger/proj/rsyslog/plugins/mmjsonparse/.libs/mmjsonparse") module(load="/home/rger/proj/rsyslog/plugins/mmnormalize/.libs/mmnormalize") -# We assume to have all UDP logging (for simplicity) -#input(type="imudp" port="13514" Ruleset="struclog") +/* We assume to have all TCP logging (for simplicity) + * Note that we use different ports to point different sources + * to the right rule sets for normalization. While there are + * other methods (e.g. based on tag or source), using multiple + * ports is both the easiest as well as the fastest. + */ input(type="imtcp" port="13514" Ruleset="WindowsRsyslog") input(type="imtcp" port="13515" Ruleset="LinuxPlainText") -#input(type="imtcp" port="13516" Ruleset="struclog3") +input(type="imtcp" port="13516" Ruleset="WindowsSnare") #debug: action(type="omfile" file="/home/rger/proj/rsyslog/logfile") -# Provides TCP syslog reception -# for parameters see http://www.rsyslog.com/doc/imtcp.html -#module(load="imtcp") # needs to be done just once -#input(type="imtcp" port="514") - - /* This ruleset handles structured logging. * It is the only one ever called for remote machines * but executed in addition to the standard action for 
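Review bot: The new comment above the input() lines presents port-based ruleset selection as the easiest and fastest method but does not say that it is not authentication: anything that can reach port 13516 can submit a message that the WindowsSnare ruleset will accept as a Windows logon/logoff record, and the listeners are not bound to a specific address, so they accept from all interfaces. Because this is a documented sample that will be copied, I would extend the comment, e.g. ` * The port only selects the rule set; it does not authenticate the sender. Restrict who can reach these ports (firewall and/or a TLS-protected imtcp listener) before treating the normalized output as trustworthy.` The rule sets named here are defined outside this hunk.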
@@ -49,7 +52,32 @@ ruleset(name="WindowsRsyslog") {
 		set $!usr!type = "logon";
 		set $!usr!rcvdfrom = $!source;
 		set $!usr!rcvdat = $timereported;
-		set $!usr!user = $!TargetUserName;
+		set $!usr!user = $!TargetDomainName & "\\" & $!TargetUserName;
+		call outwriter
+	}
+}
+
+/* This handles clumsy snare format. Note that "#011" are
+ * the escape sequences for tab chars used by snare.
+ */
+ruleset(name="WindowsSnare") {
+	set $!usr!type = field($rawmsg, "#011", 6);
+	if $!usr!type == 4634 then {
+		set $!usr!type = "logoff";
+		set $!doProces = 1;
+	} else if $!usr!type == 4624 then {
+		set $!usr!type = "logon";
+		set $!doProces = 1;
+	} else
+		set $!doProces = 0;
+	if $!doProces == 1 then {
+		set $!usr!rcvdfrom = field($rawmsg, 32, 4);
+		set $!usr!rcvdat = field($rawmsg, "#011", 5);
+		/* we need to fix up the snare date */
+		set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " &
+			field($!usr!rcvdat, 32, 3) & " " &
+			field($!usr!rcvdat, 32, 4);
+		set $!usr!user = field($rawmsg, "#011", 8);
 		call outwriter
 	}
 }
@@ -73,8 +101,6 @@ ruleset(name="LinuxPlainText") {
 	}
 }
 
-# uleset(name="struclog3") { }
-
 /* with CSV, we the reader must receive information on the
  * field names via some other method (e.g. tool configuration,
  * prepending of a header to the written CSV-file). All of
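Review bot: In the new WindowsSnare ruleset, `set $!usr!rcvdfrom = field($rawmsg, 32, 4);` takes the "received from" host from the message text itself, i.e. whatever hostname the sender wrote into the syslog header, so any client that can reach port 13516 can claim to be any host (the WindowsRsyslog branch has the same property via $!source, which is unchanged context here). If logfile.csv/.cee are meant as a logon/logoff audit trail, also record the transport peer, which the sender does not control, e.g. `set $!usr!rcvdpeer = $fromhost-ip;` next to the rcvdfrom line. Two smaller points: the temporary flag is spelled `$!doProces` (presumably `$!doProcess` was intended; it works because the name is consistent), and the date fix-up keeps only space-fields 2–4 of the Snare timestamp, which appears to drop the year — worth confirming that is intended. The enclosing WindowsRsyslog ruleset starts before this hunk.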
@@ -91,23 +117,33 @@ template(name="csv" type="list") { property(name="$!usr!type" format="csv") constant(value="\n") } -#template(name="cee" type="subtree" subtree="$!usr") + +/* template for Lumberjack-style logging. Note that the extra + * LF at the end is just for wrinting it to file - it MUST NOT + * be included for messages intended to be sent to a remote system. + * For the latter use case, the syslog header must also be prepended, + * something we have also not done for simplicity (as we write to files). + * Note that we use a JSON-shortcut: If a tree name is specified, JSON + * for its whole subtree is generated. Thus, we only need to specify the + * $!usr top node to get everytihing we need. + */ template(name="cee" type="string" string="@cee: %$!usr%\n") /* this ruleset simulates forwarding to the final destination */ ruleset(name="outwriter"){ - action(type="omfile" file="/home/rger/proj/rsyslog/logfile.csv" template="csv") - action(type="omfile" file="/home/rger/proj/rsyslog/logfile.cee" template="cee") + action(type="omfile" + file="/home/rger/proj/rsyslog/logfile.csv" template="csv") + action(type="omfile" + file="/home/rger/proj/rsyslog/logfile.cee" template="cee") } -############################ end test/remove ############################ -#call struclog -#stop -############################ end test/remove ############################ - -/* below is just the usual "uninteresting" stuff... */ +/* below is just the usual "uninteresting" stuff... + * Note that this goes into the default rule set. So + * local logging is handled "as usual" without the need + * for any extra effort. + */ #### GLOBAL DIRECTIVES #### @@ -116,6 +152,8 @@ ruleset(name="outwriter"){ $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Include all config files in /etc/rsyslog.d/ +# commented out not to interfere with the system rsyslogd +# (just for this test configuration!) #$IncludeConfig /etc/rsyslog.d/*.conf 
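Review bot: The new comment above the `cee` template has two typos that will be copied along with the sample: `wrinting` should read `writing` and `everytihing` should read `everything`. The rest of the comment is a useful addition, in particular the warning that the trailing LF must not be used for messages sent to a remote system.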
@@ -147,6 +185,3 @@ uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log - -# now do the structured log processing -#call struclog |