
Re: log_analysis configuration



On Tue, Oct 15, 2002 at 02:37:19PM -0700, Anne Carasik wrote:
> Hi Mathias,
> 
> Thanks, that's helpful if I'm working on ONE machine. The problem
> is I can't get this working for our loghost which gets all the
> files.
> 
> All I get is this:
> 
> Other hosts syslogging to us:
> 290374 host1.example.edu
> 283974 host2.example.edu
> 289307 host3.example.edu
> 
> And so on.. no matter what I put in the config file :(
> 
> -Anne
> 

Sorry, I think I didn't make myself clear about the command line.
You need to tell log_analysis which rule to use. For example, if I want the log files
iptables.0, iptables.1, .... to be analysed, I type

log_analysis -a iptables

Mathias 

> 
> Mathias Palm grabbed a keyboard and typed...
> > On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > > Hi Mathias,
> > 
> > Hi Anne,
> > 
> > I send this one to the list again, I hope this is ok.
> > 
> > > 
> > > Actually, it is a good start. The developer sent me a tutorial,
> > > and I'm going to help him work on it for the clueless folks like
> > > me :)
> > > 
> > > > config_version 0.38
> > > 
> > > Good, we're using the same version (I'm not surprised since 
> > > Debian hasn't upgraded this yet).
> > > 
> > > > add arr log_type_list=
> > > > iptables
> > > > 
> > > > add arr log_type_list=
> > > > iptables
> > > 
> > > Ok, what is "add arr log_type_list" and why do you have this twice?
> > > 
> > This is just a name for a new type of log-files where all the
> > definitions to follow apply.
> > 
> > I am sure the doubling is by accident. As I said, I got a config
> > somewhere else and rewrote it according to my needs.
> > 
> > > > add arr iptables_filenames=
> > > > iptables
> > > 
> > > Ok, so that's the filename you're reading from, right?
> > > 
> > 
> > It is the root of the logfiles the log_type "iptables" applies to.
> > This rule actually reads iptables.0 ... or iptables.1.gz (when called
> > with argument -a)
> > 
> > 
> > You need to read about "perl regular expressions" (man perlre or heaps 
> > of other sources about regular expressions) to understand the following
> > and write your own configs. I am no expert in regexps and am sure you
> > could write better ones. Regexps being a powerful tool, it is worthwhile
> > to learn about them, so you won't waste your time.
> > 
> > > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> > > 
> > 
> > Translated this means:
> > 
> > the brackets are just groupings
> > 
> > - ^ Match the beginning of the line
> > - ?: some switch I can't remember why I put it there
> > - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> > - + match at least one time
> > - \s match a whitespace (space, tab or similar)
> > - \d{1,2} match one or two digits
> > - \: match a : (: is a special character and needs to be escaped)
> > 
> > hence it matches a string like
> > 
> > Oct  9 17:34:27
> > 
> > at the beginning of the line.
> > 
> > > 
> > > Ok, quick question:
> > > 
> > > What does +\s +\d do? I take it +d is an integer and +s is a string?
> > > 
> > 
> > see the above
> > 
> > > > set var iptables_date_format=%b %e
> > > 
> > > Not sure what %b and %e give you.
> > 
> > read man strftime. I am not sure what it really does.
> > 
> > > 
> > > > logtype: iptables
> > > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > > 
> > > I take *'s work like they do in the shell?
> > >
> > 
> > The . matches any character and the * matches the preceding
> > character 0 or more times. I am not sure if the "preceding character" is
> > the dot or the character replacing the dot. 
> > 
> > > > use_sprintf
> > > > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> > > 
> > > I have simple "format:" sections like:
> > > format: STMP from $1 to $2
> > > 
> > > What does use_sprintf buy you?
> > 
> > I actually don't know, I guess sprintf just sounded familiar (knowing C
> > quite well), so I didn't search for anything else.
> > 
> > 
> > > 
> > > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > > 
> > > Do the periods (.) give you anything if they aren't escaped with a \?
> > > 
> > 
> > see before.
> > 
> > 
> > Alright, hope this answers some of your questions. Good luck and thanks
> > for writing the tutorial. I'd be interested in it and would be glad if
> > you could notify me where to find it. 
> > 
> > Mathias
> 
> -- 
>               .-"".__."``".   Anne Carasik, System Administrator
>  .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
> (O/ O) \-'      ` -="""=.    ',  Center for Advanced Computing Research    
> ~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
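Added example, not part of the thread and not log_analysis code: the date pattern and the two CHAIN rules quoted above, run over a few constructed syslog lines in Python's `re` (log_analysis itself is Perl and the thread points at perlre, but these constructs behave the same in both). It shows what the `(?:...)` in the date pattern is for (a non-capturing group, so the month alternation does not become $1 and shift the rule's $1..$3), what the greedy `(.*)` after `PROTO=` actually captures, and what the use_sprintf format line produces. Assumptions: `$ip_pat` is not shown in the thread, so a dotted-quad pattern is substituted for it; the sample lines are constructed (only the host name `tungurahua` comes from the thread); and matching the date first, then the rules on the remainder of the line, is this example's own ordering, not documented log_analysis behaviour.

```python
import re

# Constructed sample syslog lines (not from the thread). The host name
# "tungurahua" is the one used in the thread's patterns; the addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LINES = [
    "Oct  9 17:34:27 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=4321 DPT=22",
    "Oct 10 08:01:02 tungurahua kernel: CHAIN OUTPUT IN= OUT=eth0 "
    "SRC=198.51.100.5 DST=203.0.113.77 LEN=84 PROTO=ICMP TYPE=8",
    "Oct 10 08:01:03 tungurahua sshd[1234]: Accepted publickey for anne "
    "from 192.0.2.10 port 4321 ssh2",
]

# The thread's iptables_date_pattern, unchanged. (?:...) is a non-capturing
# group: it lets the + apply to the whole month alternation without creating
# a numbered capture, so the outer (...) stays group 1 and the rules' $1..$3
# numbering is not shifted by the month.
DATE_PATTERN = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})"
    r"\s+\d+\:\d+\:\d+\s+"
)

# The config's $ip_pat variable is not shown in the thread; this dotted-quad
# pattern is an assumption made for this example.
IP_PAT = r"\d{1,3}(?:\.\d{1,3}){3}"


def chain_pattern(chain, proto_pat=r".*"):
    """Build the thread's CHAIN INPUT / CHAIN OUTPUT rule pattern with
    $ip_pat substituted. Captures are numbered as in the thread:
    $1 = SRC, $2 = DST, $3 = PROTO."""
    return re.compile(
        r"tungurahua kernel: CHAIN " + chain
        + r".*SRC=(" + IP_PAT + r").*DST=(" + IP_PAT + r").*PROTO=(" + proto_pat + r")"
    )


def parse_line(line, proto_pat=r".*"):
    """Match the date first, then try the INPUT and OUTPUT rules on the rest
    of the line. (Stripping the date before applying the rules is this
    example's assumption, not documented log_analysis behaviour.)
    Returns a dict, or None when no rule applies."""
    dm = DATE_PATTERN.match(line)
    if dm is None:
        return None
    body = line[dm.end():]
    for chain in ("INPUT", "OUTPUT"):
        cm = chain_pattern(chain, proto_pat).search(body)
        if cm is not None:
            return {
                "date": dm.group(1),
                "chain": chain,
                "src": cm.group(1),
                "dst": cm.group(2),
                "proto": cm.group(3),
            }
    return None


def format_entry(entry):
    """The thread's use_sprintf line: "%-3s packet from %-15s to %-15s"
    with $3, $1, $2, i.e. PROTO, SRC, DST."""
    return "%-3s packet from %-15s to %-15s" % (entry["proto"], entry["src"], entry["dst"])


def report(lines, proto_pat=r".*"):
    """Run every line through the rules and format the ones that matched."""
    return [format_entry(e) for e in (parse_line(l, proto_pat) for l in lines) if e]


if __name__ == "__main__":
    # With the thread's greedy (.*), PROTO swallows the rest of the line
    # ("TCP SPT=4321 DPT=22"); with (\S+) it stops at the first whitespace.
    for proto_pat in (r".*", r"\S+"):
        print("PROTO pattern %r:" % proto_pat)
        for out in report(SAMPLE_LINES, proto_pat):
            print("  " + out)
```

Running it prints each matched line twice, once per PROTO pattern; the third sample line (sshd, not a kernel CHAIN message) matches the date pattern but no rule, so it is skipped, which is the same filtering the `pattern:` lines perform in the config.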