# this is a config sample for log normalization, but can
# be used as a more complex general sample.
# It is based on a plain standard rsyslog.conf for Red Hat systems.
# 
# NOTE: Absolute path names for modules are used in this config
# so that we can run a different rsyslog version alongside the
# regular system-installed rsyslogd. Remove these path names
# for production environments.

#### MODULES ####

# we do not run imuxsock as we don't want to mess with the main system logger
#module(load="/home/rger/proj/rsyslog/plugins/imuxsock/.libs/imuxsock") # provides support for local system logging (e.g. via logger command)
#module(load="imklog")   # provides kernel logging support (previously done by rklogd)
# The .libs paths below point at a developer build tree (see the NOTE at the
# top of the file); a packaged install loads modules by bare name instead.
# imudp is loaded here, but no input(type="imudp") is defined anywhere in this
# file, so no UDP listener is actually opened by this sample.
module(load="/home/rger/proj/rsyslog/plugins/imudp/.libs/imudp")	# Provides UDP syslog reception
# Provides the three TCP listeners defined in the input() statements below
module(load="/home/rger/proj/rsyslog/plugins/imtcp/.libs/imtcp")
# Parses a JSON (CEE/Lumberjack) payload into the $! variable tree; used by
# the WindowsRsyslog ruleset
module(load="/home/rger/proj/rsyslog/plugins/mmjsonparse/.libs/mmjsonparse")
# Rulebase-driven parsing of free-text messages; used by the LinuxPlainText
# ruleset together with linux.rb
module(load="/home/rger/proj/rsyslog/plugins/mmnormalize/.libs/mmnormalize")

/* We assume to have all TCP logging (for simplicity)
 * Note that we use different ports to point different sources
 * to the right rule sets for normalization. While there are
 * other methods (e.g. based on tag or source), using multiple
 * ports is both the easiest as well as the fastest.
 *
 * Each listener is bound to a named ruleset, so its messages go only
 * through that ruleset and never through the default ruleset at the
 * bottom of this file.
 *
 * All three listeners are plain TCP: nothing in this sample enables TLS
 * or restricts which peers may connect, so any host that can reach one
 * of these ports can feed records into the matching ruleset. Exposure of
 * the ports (bind address, host firewalling) is left to the deployment.
 */
input(type="imtcp" port="13514" Ruleset="WindowsRsyslog")
input(type="imtcp" port="13515" Ruleset="LinuxPlainText")
input(type="imtcp" port="13516" Ruleset="WindowsSnare")

#debug:
# No template= is given, so this file action uses the file default template
# set further down via $ActionFileDefaultTemplate. It sits outside any
# ruleset(), i.e. in the default ruleset, which the three inputs above
# bypass; with imuxsock/imklog commented out it is not obvious from this
# file alone which messages reach it.
action(type="omfile" file="/home/rger/proj/rsyslog/logfile")

/* This ruleset handles structured logging.
 * It is the only one ever called for remote machines
 * but executed in addition to the standard action for
 * the local machine. The ultimate goal is to forward
 * to some Vendor's analysis tool (which digests a
 * structured log format, here we use Lumberjack).
 *
 * %$!all-json% renders the complete $! variable tree as one JSON
 * object. Note that no action in this file references
 * template="lumberjack"; the outwriter ruleset uses "csv" and "cee".
 */
template(name="lumberjack" type="string" string="%$!all-json%\n")


/* the rsyslog Windows Agent uses native Lumberjack format
 * (better said: is configured to use it)
 *
 * Flow: mmjsonparse fills the $! tree from the message's JSON payload;
 * only messages it parsed successfully are mapped into the $!usr
 * subtree and handed to the outwriter ruleset.
 */
ruleset(name="WindowsRsyslog") {
	action(type="mmjsonparse")
	if $parsesuccess == "OK" then {
		# Event ID -> type mapping. There is no final else: a message with
		# any other $!id still reaches "call outwriter" below with
		# $!usr!type unset (compare the $!doProces gate in WindowsSnare).
		if $!id == 4634 then
			set $!usr!type = "logoff";
		else if $!id == 4624 then
			set $!usr!type = "logon";
		# NOTE(review): $!source comes from the parsed message body and
		# $timereported from the message header, i.e. both are supplied by
		# the sender rather than derived from the TCP connection. If
		# rcvdfrom is meant as trustworthy provenance, the transport-level
		# $fromhost-ip property would be the alternative — confirm intent.
		set $!usr!rcvdfrom = $!source;
		set $!usr!rcvdat = $timereported;
		# "\\" is one literal backslash, giving DOMAIN\user
		set $!usr!user = $!TargetDomainName & "\\" & $!TargetUserName;
		call outwriter
	}
}

/* This handles clumsy snare format. Note that "#011" are
 * the escape sequences for tab chars used by snare.
 *
 * Every value below is cut out of $rawmsg with field(); apart from the
 * two event-ID checks nothing is validated, so a truncated or crafted
 * line yields empty or shifted fields rather than an error.
 */
ruleset(name="WindowsSnare") {
	# 6th tab-separated field: the Windows event ID
	set $!usr!type = field($rawmsg, "#011", 6);
	if $!usr!type == 4634 then {
		set $!usr!type = "logoff";
		set $!doProces = 1;
	} else if $!usr!type == 4624 then {
		set $!usr!type = "logon";
		set $!doProces = 1;
	} else
		set $!doProces = 0;
	# $!doProces (spelling kept, it is the variable name) is a scratch flag
	# outside the $!usr subtree, so it never appears in the cee output.
	if $!doProces == 1 then {
		# numeric delimiter 32 is the space character: 4th space-separated token
		set $!usr!rcvdfrom = field($rawmsg, 32, 4);
		set $!usr!rcvdat = field($rawmsg, "#011", 5);
		/* we need to fix up the snare date */
		set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " &
				   field($!usr!rcvdat, 32, 3) & " " &
				   field($!usr!rcvdat, 32, 4);
		# 8th tab-separated field: the account name
		set $!usr!user = field($rawmsg, "#011", 8);
		call outwriter
	}
}

/* plain Linux log messages (here: ssh and sudo) need to be
 * parsed - we use mmnormalize for fast and efficient parsing
 * here.
 *
 * The $!user, $!type, $!rcvdfrom and $!rcvdat fields consumed below are
 * expected to be produced by the rulebase (linux.rb, not part of this
 * sample) — presumably one rule each for session open/close; verify
 * against the rulebase.
 */
ruleset(name="LinuxPlainText") {
	# userawmsg="on": match the rulebase against the complete received
	# line ($rawmsg) rather than only the MSG part
	action(type="mmnormalize"
               rulebase="/home/rger/proj/rsyslog/linux.rb" userawmsg="on")
	# Continue only when the rulebase matched AND extracted a user;
	# anything else is silently not forwarded to outwriter.
	if $parsesuccess == "OK" and $!user != "" then {
		# as in WindowsRsyslog there is no final else, so a $!type other
		# than opened/closed still reaches outwriter with $!usr!type unset
		if $!type == "opened" then
			set $!usr!type = "logon";
		else if $!type == "closed" then
			set $!usr!type = "logoff";
		set $!usr!rcvdfrom = $!rcvdfrom;
		set $!usr!rcvdat = $!rcvdat;
		set $!usr!user = $!user;
		call outwriter
	}
}

/* with CSV, the reader must receive information on the
 * field names via some other method (e.g. tool configuration,
 * prepending of a header to the written CSV-file). All of
 * this is highly dependent on the actual CSV dialect needed.
 * Below, we cover the basics.
 *
 * Column order: rcvdat, rcvdfrom, user, type. format="csv" applies
 * CSV quoting/escaping to each value, which matters because user and
 * rcvdfrom are taken from message content in all three rulesets.
 */
template(name="csv" type="list") {
	property(name="$!usr!rcvdat" format="csv")
	constant(value=",")
	property(name="$!usr!rcvdfrom" format="csv")
	constant(value=",")
	property(name="$!usr!user" format="csv")
	constant(value=",")
	property(name="$!usr!type" format="csv")
	constant(value="\n")
}

/* template for Lumberjack-style logging. Note that the extra
 * LF at the end is just for writing it to file - it MUST NOT
 * be included for messages intended to be sent to a remote system.
 * For the latter use case, the syslog header must also be prepended,
 * something we have also not done for simplicity (as we write to files).
 * Note that we use a JSON-shortcut: If a tree name is specified, JSON
 * for its whole subtree is generated. Thus, we only need to specify the
 * $!usr top node to get everything we need.
 *
 * Only the $!usr subtree is emitted; scratch variables such as
 * $!doProces or the raw mmjsonparse/mmnormalize fields stay out.
 */
template(name="cee" type="string" string="@cee: %$!usr%\n")


/* this ruleset simulates forwarding to the final destination
 *
 * All three parsing rulesets above end in "call outwriter", so each
 * accepted message is written twice: once as a CSV row and once as
 * an @cee JSON line. Both paths are local files in the developer tree.
 */
ruleset(name="outwriter"){
	action(type="omfile"
               file="/home/rger/proj/rsyslog/logfile.csv" template="csv")
	action(type="omfile"
               file="/home/rger/proj/rsyslog/logfile.cee" template="cee")
}


/* below is just the usual "uninteresting" stuff...
 * Note that this goes into the default rule set. So
 * local logging is handled "as usual" without the need
 * for any extra effort.
 *
 * Everything from here on uses legacy (non-RainerScript) syntax.
 * With imuxsock and imklog commented out above, it is not clear from
 * this file alone which messages actually arrive in the default
 * ruleset in this test setup.
 */


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
# Applies to omfile actions without an explicit template=, e.g. the
# debug action near the top of this file; the csv/cee actions set
# their own template and are unaffected.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
# commented out not to interfere with the system rsyslogd
# (just for this test configuration!)
#$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####
# Classic selector lines: "facility.priority  target". A message is
# matched by every line that applies, not only the first one.

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
# :omusrmsg:* writes to the terminals of all logged-in users
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log