Koozali.org: home of the SME Server

Log format questions

jahlewis
Log format questions
« on: April 27, 2007, 09:11:21 PM »
I'm in the process of working up a howto on installing and running ossec on a smeserver (www.ossec.net).  I've got it up and running, and having it look at various logs in /var/log.

I enabled logging on masq by doing the following:
   db configuration setprop masq Logging most
   /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
   /etc/rc.d/init.d/masq restart

which successfully dumps logs to /var/log/iptables

My question is about the format.  On smeserver, many of the logs dump to a file called "current", and have a format different from what appears to be the defaults...  For example, iptables logs normally look like this (on other linux systems):
Code:
Sep 21 11:45:17 lire kernel:  Packet-drop  IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38365 DF PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0  
Sep 21 11:45:20 lire kernel:  Packet-drop  IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38478 DF PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0  
Sep 21 11:45:26 lire kernel:  Packet-drop  IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38680 DF PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0  
Sep 21 11:52:46 lire kernel:  Packet-drop  IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54122 DF PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0  
Sep 21 11:52:49 lire kernel:  Packet-drop  IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54222 DF PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0  
Sep 21 11:52:55 lire kernel:  Packet-drop  IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54443 DF PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

on my smeserver 7.1.3, /var/log/iptables/current looks like this:
Code:
@40000000463246020c2ca16c Apr 27 14:50:32 gluon denylog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=3256 PROTO=UDP SPT=4855 DPT=1434 LEN=9
@400000004632460a081ba154 Apr 27 14:50:40 gluon denylog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=3674 PROTO=UDP SPT=4856 DPT=1434 LEN=9
@400000004632460b1bb1e994 Apr 27 14:50:41 gluon denylog: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:10:63:71:93:3d:08:00  SRC=216.12.21.176 DST=224.0.0.1 LEN=28 TOS=00 PREC=0x00 TTL=1 ID=0 PROTO=0
@400000004632461131929ed4 Apr 27 14:50:47 gluon denylog: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:13:46:40:a7:a3:08:00  SRC=216.12.15.233 DST=224.0.0.1 LEN=28 TOS=00 PREC=0x00 TTL=1 ID=18840 PROTO=0
@400000004632461209688be4 Apr 27 14:50:48 gluon denylog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=4105 PROTO=UDP SPT=4857 DPT=1434 LEN=9
@400000004632461a0b44ba3c Apr 27 14:50:56 gluon denylog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=4548 PROTO=UDP SPT=4858 DPT=1434 LEN=9
@40000000463246220d0a10ec Apr 27 14:51:04 gluon denylog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=4973 PROTO=UDP SPT=4859 DPT=1434 LEN=9
@40000000463246231bc1d3cc Apr 27 14:51:05 gluon denylog: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:10:63:71:93:3d:08:00  SRC=216.12.21.176 DST=224.0.0.1 LEN=28 TOS=00 PREC=0x00 TTL=1 ID=0 PROTO=0
@40000000463246250b93d054 Apr 27 14:51:07 gluon denylog: IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:13:46:40:a7:a3:08:00  SRC=216.12.15.233 DST=224.0.0.1 LEN=28 TOS=00 PREC=0x00 TTL=1 ID=18841 PROTO=0
@400000004632462a091bcf5c Apr 27 14:51:12 gluon denylog: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=5403 PROTO=UDP SPT=4860 DPT=1434 LEN=9


Can anyone point me to where I need to read up on how/why the logs are set up this way so I can see if the OSSEC folks can interpret these logfiles?

Are the smeserver log formats based on a standard? Can they be changed?

Thanks.

simonfishley

Log format questions
« Reply #1 on: May 06, 2007, 11:38:36 AM »
You'll need to pipe the output to make it human readable - something like this:

tail -f /var/log/iptables/current | tai64nlocal

That'll format the timestamp into something you can read.  If I remember correctly that @4000... is the number of seconds that has elapsed since a certain point in time but I can't recall the details.

HTH
Simon

mmccarn
Log format questions
« Reply #2 on: May 06, 2007, 07:06:31 PM »
SME uses multilog for most of its logging...
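For readers who want to see what the two replies above amount to in code, here is an added example (my own, not part of the thread and not SME Server or OSSEC code). It decodes the multilog "@4000..." TAI64N stamp the way tai64nlocal does, splits the ulogd key=value body from the question into fields, and re-emits each line in the conventional "Mon DD HH:MM:SS host kernel: ..." layout of the first sample. The fixed offset of 2**62 + 10 is the daemontools convention (tai64n adds 10 to time() instead of consulting a leap-second table); that, the sample lines, and the choice of the tag "kernel:" for the rewritten line are assumptions I make here.

```python
import re
from datetime import datetime, timezone

# daemontools' tai64n writes TAI64 seconds as 2**62 + 10 + time(); its
# tai64nlocal reverses exactly that, so this constant reproduces its output.
# (A strict TAI conversion would apply the leap-second table instead; the
# fixed +10 is the daemontools convention and is assumed here.)
TAI64_OFFSET = (1 << 62) + 10

# Constructed sample lines in the multilog/ulogd format shown in the question.
SAMPLE_LINES = [
    "@40000000463246020c2ca16c Apr 27 14:50:32 gluon denylog: IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:15:c5:55:aa:9f:08:00  SRC=216.12.18.89 "
    "DST=255.255.255.255 LEN=29 TOS=00 PREC=0x00 TTL=128 ID=3256 PROTO=UDP "
    "SPT=4855 DPT=1434 LEN=9",
    "@400000004632460b1bb1e994 Apr 27 14:50:41 gluon denylog: IN=eth1 OUT= "
    "MAC=01:00:5e:00:00:01:00:10:63:71:93:3d:08:00  SRC=216.12.21.176 "
    "DST=224.0.0.1 LEN=28 TOS=00 PREC=0x00 TTL=1 ID=0 PROTO=0",
]

# '@' + 16 hex digits (TAI64 seconds) + 8 hex digits (nanoseconds) + rest of line
TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})\s+(.*)$")
# ulogd's own prefix: 'Apr 27 14:50:32 gluon denylog: <key=value body>'
HEADER_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")


def tai64n_to_datetime(stamp):
    """Decode a multilog '@...' stamp to a timezone-aware UTC datetime."""
    secs = int(stamp[1:17], 16) - TAI64_OFFSET
    nanos = int(stamp[17:25], 16)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)


def parse_fields(body):
    """Split the 'IN=eth1 OUT= MAC=... LEN=29 ... LEN=9' body into a dict.

    Empty values (OUT= on an input-chain hit) are kept as ''.  A key that
    repeats (the inner LEN of a UDP/ICMP payload) is stored as '<key>_inner'
    so the outer IP header value is not overwritten.  Bare tokens such as DF
    or SYN (present on TCP lines, absent in the UDP/multicast samples) are
    returned separately as flags.
    """
    fields, flags = {}, []
    for token in body.split():
        if "=" not in token:
            flags.append(token)
            continue
        key, value = token.split("=", 1)
        if key in fields:
            key += "_inner"
        fields[key] = value
    return fields, flags


def parse_line(line):
    """Parse one multilog/ulogd line; returns None for lines in another format."""
    m = TAI64N_RE.match(line)
    if not m:
        return None
    h = HEADER_RE.match(m.group(3))
    if not h:
        return None
    local_time, host, tag, body = h.groups()
    fields, flags = parse_fields(body)
    return {
        "utc": tai64n_to_datetime("@" + m.group(1) + m.group(2)),
        "local_time": local_time,  # as written by ulogd, local wall clock
        "host": host,
        "tag": tag,
        "body": body,
        "fields": fields,
        "flags": flags,
    }


def to_syslog_line(rec):
    """Re-emit the record in the 'Mon DD HH:MM:SS host kernel: ...' layout of
    the first sample in the question, which is what a parser expecting the
    stock kernel iptables format wants.  The multilog stamp is dropped and the
    local timestamp ulogd already wrote is reused, so no timezone guess is made."""
    return f"{rec['local_time']} {rec['host']} kernel: {rec['body']}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["utc"].isoformat(), rec["fields"].get("PROTO"), "->", to_syslog_line(rec))
```

Note the two clocks on each line: the multilog stamp is taken when the line is written and decodes to UTC, while the "Apr 27 14:50:32" that follows is ulogd's local wall clock, so the decoded stamp lands four hours later than the printed one on a host in the US Eastern zone in April. A converter that rewrites the prefix for a log parser should reuse one of them consistently rather than mixing both.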

jahlewis
Log format questions
« Reply #3 on: May 09, 2007, 12:05:27 PM »
Thanks guys, good stuff.

Is there a way to have iptables/masq create logs in the standard linux format?  

I want my log parser to be able to understand them, and the multilog bit, as well as the DENYLOG change break the parser's ability to understand the contents.  I've looked through /etc/init.d/iptables and /etc/init.d/masq and don't understand much on how the logging is configured.

mmccarn
Log format questions
« Reply #4 on: May 09, 2007, 02:45:58 PM »
Warning: I don't know anything about this!

It looks as though you need to turn on masq logging in the SME config db:
    config setprop masq Logging none (the default)
    config setprop masq Logging all (log everything), or
    config setprop masq Logging some (log everything except traffic on ports 520, 137, 139)
(I come to this conclusion by examining the contents of /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog)

If you want to log using syslog instead of multilog it looks like you'll need to customize /var/service/ulogd/log/run, which doesn't seem to be either database or template driven - so your changes are likely to disappear any time there are updates.

Another option would be to create a custom template-fragment to replace /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog that uses 'LOG' instead of 'ULOG', then figure out how to make that output go to syslog.  (Re-read the first line of this post for my qualifications on this subject...)

There may also be security or performance implications when switching from multilog to syslog...

Stefano
Log format questions
« Reply #5 on: May 09, 2007, 04:16:51 PM »
Quote from: mmccarn

    Another option would be to create a custom template-fragment to replace /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustDenyLog that uses 'LOG' instead of 'ULOG', then figure out how to make that output go to syslog.  (Re-read the first line of this post for my qualifications on this subject...)

    There may also be security or performance implications when switching from multilog to syslog...

AFAIK modifying ULOG to LOG simply results in sending iptables log to /var/log/messages

Ciao

Stefano