Login | Register   
LinkedIn
Google+
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

Ensure Network Safety with Centralized Logging : Page 4

Virus definitions often can't keep up with the rapid proliferation of Windows-based worms, letting them slip under your radar. How can you keep your network safe? Use the access lists on your routers along with a centralized logging database to help you quickly find and isolate infected hosts.


advertisement
Syslog-ng Configuration
Traditionally, Unix systems use a syslog daemon to log system events. This is analogous to the Window's Event Viewer, except that on a Unix system, a system log is typically in raw text format. The Event Viewer under Windows is actually modeled after the syslog daemon under Unix systems, so some of the concepts are the same. Different types of programs running on a Unix system can be logged differently and at varying levels. Another cool feature of a syslog daemon is that it can be configured to log across the network as well. This allows you to centralize logging for all of the Unix systems in an enterprise, making it easy to run various parsing scripts on these logs looking for security and hardware problems, as well as whatever else.

The syslog daemon typically shipped with Unix systems is somewhat inflexible, only providing for logging to text files on the drive. Syslog-ng, as it's name implies, is the "next generation" of syslog daemons. Two of the concepts in syslog-ng that you’ll be using are 'templates' for your data, and extremely flexible 'destination' configuration.

First, you need to modify the syslog-ng.conf (usually in /etc/syslog-ng or /usr/local/etc/syslog-ng). Add the destination and the template for the Postgres database:



destination d_pgsql { pipe("/tmp/.syslogd.pipe" template("INSERT INTO syslog (ip, facility, priority, level, tag, date,time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG','$YEAR-$MONTH- $DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes) owner("root") group("c-syslog") perm(0660)); };

Keep in mind that this can be used with any SQL client that is available on the system on which you've configured syslog-ng, so make sure that your SQL is valid for that particular RDBMS.

Next, configure the source/destination of the syslog to allow traffic via the network:

source net { udp(); };

Configure this to go to the previously configured destination:

log { source(net); destination(d_pgsql); };

Don't start or restart your running syslog-ng yet.

Script Configuration
On Unix systems, the fifo file type provides a way to ensure that the first amount of data sent into the file comes out first and so on. In this section, you'll create a fifo that will be writable via the syslog-ng process, running as root, and readable by a user in a group to send the syslog data to your RDBMS.

Create a user on your system (usually adduser or useradd) and call it c-syslog. It's not absolutely necessary to give the user a password—if no password is set, nobody can log in as that user. Also create a syslog group, and put the c-syslog user into the syslog group.

To create a fifo, use the mkfifo command and run mkfifo /tmp/.syslogd.pipe. Set permissions on the fifo by using chmod 660 /tmp/.syslogd.pipe, then set chown root:syslog /tmp/.syslogd.pipe. Finally, type ls—al /tmp/.syslogd.pipe to make sure it was created properly:

prw-rw---- 1 root c-syslog 0 May 4 13:20 /tmp/.syslogd.pipe

Next, you'll need a simple looping script. Cut and paste these contents and create a file in /usr/local/bin, call it syslog-db.sh, save it, and run chmod 755 syslog-db.sh:

#!/bin/bash PIPE="/tmp/.syslogd.pipe"; if [ -e ${PIPE} ]; then while [ -e ${PIPE} ] do # Edit this line to work with your sql client of choice. /usr/local/pgsql/bin/psql -q -h syslog < ${PIPE} > /dev/null 2>&1 done else # Since some systems clean out /tmp on bootup, you would # probably want to include the steps to automatically re-create # the fifo here, but since those steps vary a bit, i haven't # included them. Assuming you followed my instructions above # they'd look like this: # mkfifo /tmp/.syslogd.pipe # chmod 660 /tmp/.syslogd.pipe # chown root:syslog /tmp/.syslogd.pipe echo “ERROR: fifo not created in ${PIPE}. Please create.” exit(1) fi

Change <dbhost> to reflect the host on your network running Postgres. It's important to not restart syslog-ng or start running the looping script mentioned aboveuntil everything is ready.



Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap