Honeypots
Send strace output through syslog-ng Aug 04 2009 07:38PM
BB@umd (bbenard umd edu) (3 replies)
Re: Send strace output through syslog-ng Aug 05 2009 02:08PM
BB@umd (bbenard umd edu)
Re: Send strace output through syslog-ng Aug 05 2009 12:52PM
Gergely Révay (gergely revay gmail com)
Hi,

First of all, there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do that. Chris's idea also sounds
good if you don't generally use the facility field. But a third
solution that I've found is the following:

You should create a separate log path for the strace output, which
should read the logs from the file and replace the PROGRAM field of
the log message with the 'strace' string. That is why you need the
separate log path: to make sure that only the strace output gets the
'strace' string. Then you can send these messages to your server,
where you can filter the logs by the PROGRAM field. For this you will
need something like this in your config:

= Client =
#
# Sets the PROGRAM field to 'strace'
#
rewrite r_rewrite_set { set("strace", value("PROGRAM")); };

#
# Source to read from file
#
source s_strace {
    file("/var/log/strace.log");
};

#
# Destination to your server
#
destination d_tcp { tcp("127.0.0.1" port(1999)); };

#
# Logpath to read the file, set the
# program name and send it to the server
#
log {
    source(s_strace);
    rewrite(r_rewrite_set);
    destination(d_tcp);
};

= Server =
#
# Filter for the messages generated by strace
#
filter strace_filter { match("strace" value("PROGRAM")); };

#
# Template to see the PROGRAM field
#
template t_filetemplate {
    template("$ISODATE $HOST $PROGRAM $MSG\n");
    template_escape(no);
};

#
# This one just opens a port
#
source s_net {
    tcp(ip(127.0.0.1) port(1999) max-connections(10));
};

#
# Destination to write messages to file
#
destination d_strace { file("/var/log/test" template(t_filetemplate)); };

#
# Logpath for filtering the strace messages out
#
log {
    source(s_net);
    filter(strace_filter);
    destination(d_strace);
};

I would also like to warn you: use tcp() as I did instead of
syslog(), because there might be a bug in sending the APP-NAME field
over the network. Also, if you don't have it, you should download the
admin guide, which is really handy:

http://www.balabit.hu/dl/guides/syslog-ng-v3.0-guide-admin-en.pdf

I hope I could help.

Good luck :)

Geri

2009/8/4 BB@umd <bbenard (at) umd (dot) edu [email concealed]>:
>
> Good afternoon.
>
> I have a honeypot on which syslog-ng is running. I configured it so that it can
> send all the log files to a remote web server. (So that means I have already
> configured syslog-ng on this web server too.) In any case, it works
> great.
>
> Then, on my honeypot, I have a strace command attached to my ssh server. It
> gathers strace output in a strace.log file. Here is the command:
> strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &
>
> Now, I would like to send the strace output (/var/log/strace.log) to my
> server through syslog-ng. So, on my honeypot, I added the following to my
> syslog-ng.conf in the source section:
> file ("/var/log/strace.log").
>
> However, now, on the server side, I do not know how to configure syslog-ng
> in order to retrieve this strace output only. Is there a special filter for
> strace in syslog-ng? (Usually, for example, I use "filter {
> facility(auth); };" to filter auth.log, so is there something similar for
> strace?)
>
> Regards,
> BB
>
> --
> View this message in context: http://www.nabble.com/Send-strace-output-through-syslog-ng-tp24814871p24814871.html
> Sent from the Honeypots mailing list archive at Nabble.com.
>
>
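The following is an added example, not code from the thread or from syslog-ng itself. It simulates what the collector sees once the client-side rewrite has stamped PROGRAM with 'strace': a few constructed legacy-syslog lines as a tcp() destination would frame them, a parser for that format, the PROGRAM filter, and the $ISODATE/$HOST/$PROGRAM/$MSG template from the server config. It assumes the year 2009 for the timestamp (BSD syslog timestamps carry none) and omits the timezone offset that syslog-ng's real $ISODATE would include. It also shows a caveat worth knowing: syslog-ng's match() is an unanchored regular-expression search, so match("strace" value("PROGRAM")) also accepts any program name that merely contains "strace"; the anchored variant below is the stricter form.

```python
"""Simulated collector side of the strace-over-syslog-ng setup.

Added example, not from the mailing-list thread. Sample lines, host names,
pids and syscalls are constructed; the year and the missing timezone offset
in the ISODATE rendering are assumptions.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2009  # BSD syslog timestamps have no year (assumption)
TEMPLATE = '$ISODATE $HOST $PROGRAM $MSG\n'  # same macros as t_filetemplate

# Constructed lines as the collector's tcp() source might receive them after
# the client's rewrite rule has set PROGRAM to 'strace'. Legacy framing:
# <PRI>TIMESTAMP HOST PROGRAM[PID]: MSG. One sshd line and one line from a
# program whose name merely contains "strace" are mixed in on purpose.
SAMPLE_LINES = [
    '<13>Aug  5 12:52:01 honeypot strace: 4711 execve("/usr/sbin/sshd", ["sshd", "-R"], ...) = 0',
    '<13>Aug  5 12:52:02 honeypot strace: 4712 execve("/bin/sh", ["sh"], ...) = 0',
    '<38>Aug  5 12:52:02 honeypot sshd[4711]: Accepted password for root from 192.0.2.10 port 4022 ssh2',
    '<13>Aug  5 12:52:03 honeypot strace: 4712 open("/etc/passwd", O_RDONLY) = 3',
    '<13>Aug  5 12:52:04 honeypot notstrace: unrelated program whose name contains the substring',
]

BSD_SYSLOG = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

# First token of an strace -f line is the pid, then the syscall name.
STRACE_LINE = re.compile(r'^(?P<pid>\d+)\s+(?P<syscall>\w+)\(')


def parse_bsd_syslog(line):
    """Split one legacy syslog line into the macros syslog-ng exposes."""
    m = BSD_SYSLOG.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    return {
        'FACILITY': pri // 8,
        'PRIORITY': pri % 8,
        'DATE': m.group('ts'),
        'HOST': m.group('host'),
        'PROGRAM': m.group('program'),
        'PID': m.group('pid') or '',
        'MSG': m.group('msg'),
    }


def program_matches(record, pattern, anchored=True):
    """Equivalent of match(pattern value("PROGRAM")).

    syslog-ng's match() is an unanchored regexp search, so pattern 'strace'
    also accepts 'notstrace'. anchored=True wraps it in ^...$ instead.
    """
    regex = '^' + pattern + '$' if anchored else pattern
    return re.search(regex, record['PROGRAM']) is not None


def to_isodate(bsd_ts):
    """Approximate $ISODATE from a BSD timestamp (year assumed, no offset)."""
    normalized = ' '.join(bsd_ts.split())
    dt = datetime.strptime(f'{ASSUMED_YEAR} {normalized}', '%Y %b %d %H:%M:%S')
    return dt.strftime('%Y-%m-%dT%H:%M:%S')


def render(record, template=TEMPLATE):
    """Expand $MACRO names in the template from the parsed record."""
    macros = dict(record)
    macros['ISODATE'] = to_isodate(record['DATE'])
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), ''), template)


def strace_records(lines, pattern='strace', anchored=True):
    """Server-side log path: parse every line and keep only PROGRAM matches."""
    parsed = (parse_bsd_syslog(line) for line in lines)
    return [r for r in parsed if r and program_matches(r, pattern, anchored)]


def write_destination(records, template=TEMPLATE):
    """What d_strace would append to /var/log/test for these records."""
    return ''.join(render(r, template) for r in records)


def syscalls_by_pid(records):
    """Group the forwarded strace lines by traced pid: a starting point for
    spotting, say, an execve in a child of the honeypot's sshd."""
    by_pid = {}
    for r in records:
        m = STRACE_LINE.match(r['MSG'])
        if m:
            by_pid.setdefault(m.group('pid'), []).append(m.group('syscall'))
    return by_pid


if __name__ == '__main__':
    recs = strace_records(SAMPLE_LINES)
    print(write_destination(recs), end='')
    print(syscalls_by_pid(recs))
```

Two notes for anyone reproducing the setup for real: the raw strace lines have no syslog header, so adding `flags(no-parse)` to the client's file() source makes syslog-ng put the whole line into $MSG instead of trying to parse a host and program out of it; and if the collector also receives other programs, prefer an anchored pattern such as `match("^strace$" value("PROGRAM"))` over the bare substring.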

Re: Send strace output through syslog-ng Aug 05 2009 12:33AM
Chris Brenton (cbrenton chrisbrenton org)
Copyright 2010, SecurityFocus