Honeypots mailing list archives

Re: Send strace output through syslog-ng
From: Gergely Révay <gergely.revay () gmail com>
Date: Wed, 5 Aug 2009 14:52:44 +0200

Hi,

First of all there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do it. Also the idea of Chris
sounds good as well if you don't use the facility field generally. But
a third solution that I've found is the following:

You should create a separate log path for the strace output which
should read the logs from the file and replace the PROGRAM field of
the log message with the 'strace' string. That is why you need the
separate logpath, to make sure that only the strace output gets the
'strace' string. And then you can send these messages to your server
where you can filter the logs by the PROGRAM field. For these you will
need something like this in your config:

= Client =
#
# Sets the PROGRAM field to 'strace'
#
rewrite r_rewrite_set { set("strace", value("PROGRAM")); };

#
# Source to read from file
#
source s_strace {
  file("/var/log/strace.log");
};

#
# Destination to your server
#
destination d_tcp { tcp("127.0.0.1" port(1999)); };

#
# Logpath to read the file, set the
# program name and send it to the server
#
log {
  source(s_strace);
  rewrite(r_rewrite_set);
  destination(d_tcp);
};

= Server =
#
# Filter for the messages generated by strace
#
filter strace_filter { match("strace" value("PROGRAM")); };

#
# Template to see the PROGRAM field
#
template t_filetemplate {
  template("$ISODATE $HOST $PROGRAM $MSG\n");
  template_escape(no);
};

#
# This one just opens a port
#
source s_net {
  tcp(ip(127.0.0.1) port(1999) max-connections(10));
};

#
# Destination to write messages to file
#
destination d_strace { file("/var/log/test" template(t_filetemplate)); };

#
# Logpath for filtering the strace messages out
#
log {
  source(s_net);
  filter(strace_filter);
  destination(d_strace);
};

I also would like to warn you to use tcp() as I did instead of
syslog(), because there might be a bug in sending the APP-NAME field
through the network. Also, if you don't have it, you should download the
admin guide, which is really handy:

http://www.balabit.hu/dl/guides/syslog-ng-v3.0-guide-admin-en.pdf

I hope I could help.

Good luck :)

Geri

2009/8/4 BB () umd <bbenard () umd edu>:

Good afternoon.

I have a honeypot with syslog-ng running. I configured it so that it can
send all the log files to a remote web server. (So that means I have already
configured syslog-ng on this web server too.) In any case, it works
great.

Then, on my honeypot, I have a strace command attached to my ssh server. It
gathers strace output in a strace.log file. Here is the command:
strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &

Now, I would like to send the strace output (/var/log/strace.log) to my
server through syslog-ng. So, on my honeypot, I added the following in my
syslog-ng.conf in the source section:
file ("/var/log/strace.log").

However, now, on the server side, I do not know how to configure syslog-ng
in order to retrieve this strace output only. Is there a special filter for
strace in syslog-ng? (Usually, for example, I am using "filter {
facility(auth); };" to filter auth.log, so is there something similar for
strace?)

Regards,
BB

--
View this message in context: http://www.nabble.com/Send-strace-output-through-syslog-ng-tp24814871p24814871.html
Sent from the Honeypots mailing list archive at Nabble.com.
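As an added example (not from this thread or from syslog-ng itself), the following Python script simulates what the server-side log path above does with the records it receives on tcp port 1999: it parses BSD-syslog lines into the macros syslog-ng exposes (FACILITY, HOST, PROGRAM, MSG, ISODATE), keeps only records whose PROGRAM is "strace", and renders them with the thread's "$ISODATE $HOST $PROGRAM $MSG" template. The sample lines are constructed; they show why a facility() filter cannot isolate the rewritten strace records (they share facility "user" with other user-level messages) while a PROGRAM filter can.

```python
import re
from datetime import datetime

# <PRI>Mmm dd hh:mm:ss HOST PROGRAM[pid]: MSG  (RFC 3164 / BSD syslog on the wire)
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
FACILITIES = {1: "user", 4: "auth", 10: "authpriv"}  # subset, enough for the sample

def parse_bsd_syslog(line, year=2009):
    """Split one received line into syslog-ng style macros; None if it is not BSD syslog."""
    m = _BSD.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "FACILITY": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "PRIORITY": pri & 7,
        "ISODATE": ts.strftime("%Y-%m-%dT%H:%M:%S"),
        "HOST": m.group("host"),
        "PROGRAM": m.group("program"),
        "PID": m.group("pid"),
        "MSG": m.group("msg"),
    }

def select_program(lines, program="strace"):
    """Server-side filter: the exact-match equivalent of match("strace" value("PROGRAM"))."""
    return [r for r in map(parse_bsd_syslog, lines) if r and r["PROGRAM"] == program]

def render(record):
    """t_filetemplate from the thread: "$ISODATE $HOST $PROGRAM $MSG"."""
    return "{ISODATE} {HOST} {PROGRAM} {MSG}".format(**record)

# Constructed sample of what the server's tcp() source receives after the client
# rewrite: strace records (facility user) mixed with sshd (auth) and other user-level lines.
SAMPLE = [
    '<13>Aug  5 14:52:44 honeypot strace: [pid  4242] execve("/bin/sh", ["sh"], ...) = 0',
    '<38>Aug  5 14:52:45 honeypot sshd[4242]: Accepted password for guest from 10.0.0.9 port 51122 ssh2',
    '<13>Aug  5 14:52:46 honeypot logger: unrelated user-level message',
    '<13>Aug  5 14:52:47 honeypot strace: [pid  4243] open("/etc/passwd", O_RDONLY) = 3',
]

if __name__ == "__main__":
    for rec in select_program(SAMPLE):
        print(render(rec))
```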