# this is a config sample for log normalization, but can # be used as a more complex general sample. # It is based on a plain standard rsyslog.conf for Red Hat systems. # # NOTE: Absolute path names for modules are used in this config # so that we can run a different rsyslog version alongside the # regular system-installed rsyslogd. Remove these path names # for production environment. #### MODULES #### # we do not run imuxsock as we don't want to mess with the main system logger #module(load="/home/rger/proj/rsyslog/plugins/imuxsock/.libs/imuxsock") # provides support for local system logging (e.g. via logger command) #module(load="imklog") # provides kernel logging support (previously done by rklogd) module(load="/home/rger/proj/rsyslog/plugins/imudp/.libs/imudp") # Provides UDP syslog reception module(load="/home/rger/proj/rsyslog/plugins/imtcp/.libs/imtcp") module(load="/home/rger/proj/rsyslog/plugins/mmjsonparse/.libs/mmjsonparse") module(load="/home/rger/proj/rsyslog/plugins/mmnormalize/.libs/mmnormalize") /* We assume to have all TCP logging (for simplicity) * Note that we use different ports to point different sources * to the right rule sets for normalization. While there are * other methods (e.g. based on tag or source), using multiple * ports is both the easiest as well as the fastest. */ input(type="imtcp" port="13514" Ruleset="WindowsRsyslog") input(type="imtcp" port="13515" Ruleset="LinuxPlainText") input(type="imtcp" port="13516" Ruleset="WindowsSnare") #debug: action(type="omfile" file="/home/rger/proj/rsyslog/logfile") /* This ruleset handles structured logging. * It is the only one ever called for remote machines * but executed in addition to the standard action for * the local machine. The ultimate goal is to forward * to some Vendor's analysis tool (which digests a * structured log format, here we use Lumberjack). */ template(name="lumberjack" type="string" string="%$!all-json%\n") /* the rsyslog Windows Agent uses native Lumberjack format * (better said: is configured to use it) */ ruleset(name="WindowsRsyslog") { action(type="mmjsonparse") if $parsesuccess == "OK" then { if $!id == 4634 then set $!usr!type = "logoff"; else if $!id == 4624 then set $!usr!type = "logon"; set $!usr!rcvdfrom = $!source; set $!usr!rcvdat = $timereported; set $!usr!user = $!TargetDomainName & "\\" & $!TargetUserName; call outwriter } } /* This handles clumsy snare format. Note that "#011" are * the escape sequences for tab chars used by snare. */ ruleset(name="WindowsSnare") { set $!usr!type = field($rawmsg, "#011", 6); if $!usr!type == 4634 then { set $!usr!type = "logoff"; set $!doProces = 1; } else if $!usr!type == 4624 then { set $!usr!type = "logon"; set $!doProces = 1; } else set $!doProces = 0; if $!doProces == 1 then { set $!usr!rcvdfrom = field($rawmsg, 32, 4); set $!usr!rcvdat = field($rawmsg, "#011", 5); /* we need to fix up the snare date */ set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " & field($!usr!rcvdat, 32, 3) & " " & field($!usr!rcvdat, 32, 4); set $!usr!user = field($rawmsg, "#011", 8); call outwriter } } /* plain Linux log messages (here: ssh and sudo) need to be * parsed - we use mmnormalize for fast and efficient parsing * here. */ ruleset(name="LinuxPlainText") { action(type="mmnormalize" rulebase="/home/rger/proj/rsyslog/linux.rb" userawmsg="on") if $parsesuccess == "OK" and $!user != "" then { if $!type == "opened" then set $!usr!type = "logon"; else if $!type == "closed" then set $!usr!type = "logoff"; set $!usr!rcvdfrom = $!rcvdfrom; set $!usr!rcvdat = $!rcvdat; set $!usr!user = $!user; call outwriter } } /* with CSV, we the reader must receive information on the * field names via some other method (e.g. tool configuration, * prepending of a header to the written CSV-file). All of * this is highly dependant on the actual CSV dialect needed. * Below, we cover the basics. */ template(name="csv" type="list") { property(name="$!usr!rcvdat" format="csv") constant(value=",") property(name="$!usr!rcvdfrom" format="csv") constant(value=",") property(name="$!usr!user" format="csv") constant(value=",") property(name="$!usr!type" format="csv") constant(value="\n") } /* template for Lumberjack-style logging. Note that the extra * LF at the end is just for wrinting it to file - it MUST NOT * be included for messages intended to be sent to a remote system. * For the latter use case, the syslog header must also be prepended, * something we have also not done for simplicity (as we write to files). * Note that we use a JSON-shortcut: If a tree name is specified, JSON * for its whole subtree is generated. Thus, we only need to specify the * $!usr top node to get everytihing we need. */ template(name="cee" type="string" string="@cee: %$!usr%\n") /* this ruleset simulates forwarding to the final destination */ ruleset(name="outwriter"){ action(type="omfile" file="/home/rger/proj/rsyslog/logfile.csv" template="csv") action(type="omfile" file="/home/rger/proj/rsyslog/logfile.cee" template="cee") } /* below is just the usual "uninteresting" stuff... * Note that this goes into the default rule set. So * local logging is handled "as usual" without the need * for any extra effort. */ #### GLOBAL DIRECTIVES #### # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Include all config files in /etc/rsyslog.d/ # commented out not to interfere with the system rsyslogd # (just for this test configuration!) #$IncludeConfig /etc/rsyslog.d/*.conf #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log