Unique Life

http://ftp.ics.uci.edu/pub/centos0/ics-custom-build/BUILD/rsyslog-3.19.7/doc/rsyslog_conf.html

https://answers.splunk.com/answers/79844/example-rsyslog-conf-for-multiple-data-sources-with-uf.html

http://serverfault.com/questions/400293/syslog-ip-ranges-to-specific-files-using-rsyslog

Examples

Below are example for templates and selector lines. I hope they are self-explanatory. If not, please see www.monitorware.com/rsyslog/ for advise.

TEMPLATES

Please note that the samples are split across multiple lines. A template MUST NOT actually be split across multiple lines.

A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
%syslogtag%%msg:::drop-last-lf%\n"

A template that tells you a little more about the message:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
%syslogtag%,%msg%\n"

A template for RFC 3164 format:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

A template for the format traditonally used for user messages:
$template usermsg," XXXX%syslogtag%%msg%\n\r"

And a template with the traditonal wall-message format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%

A template that can be used for the database write (please note the SQL
template option)
$template MySQLInsert,"insert iut, message, receivedat values
('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%')
into systemevents\r\n", SQL

The following template emulates WinSyslog format (it's an Adiscon format, you do not feel bad if you don't know it ;)). It's interesting to see how it takes different parts out of the date stamps. What happens is that the date stamp is split into the actual date and time and the these two are combined with just a comma in between them.

$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,
%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,
%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,
%syslogtag%%msg%\n"

SELECTOR LINES

# Store critical stuff in critical
#
*.=crit;kern.none /var/adm/critical

This will store all messages with the priority crit in the file /var/adm/critical, except for any kernel message.


# Kernel messages are first, stored in the kernel
# file, critical messages and higher ones also go
# to another host and to the console. Messages to
# the host finlandia are forwarded in RFC 3164
# format (using the template defined above).
#
kern.* /var/adm/kernel
kern.crit @finlandia;RFC3164fmt
kern.crit /dev/console
kern.info;kern.!err /var/adm/kernel-info

The first rule direct any message that has the kernel facility to the file /var/adm/kernel.

The second statement directs all kernel messages of the priority crit and higher to the remote host finlandia. This is useful, because if the host crashes and the disks get irreparable errors you might not be able to read the stored messages. If they're on a remote host, too, you still can try to find out the reason for the crash.

The third rule directs these messages to the actual console, so the person who works on the machine will get them, too.

The fourth line tells rsyslogd to save all kernel messages that come with priorities from info up to warning in the file /var/adm/kernel-info. Everything from err and higher is excluded.


# The tcp wrapper loggs with mail.info, we display
# all the connections on tty12
#
mail.=info /dev/tty12

This directs all messages that uses mail.info (in source LOG_MAIL | LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as it's default.


# Store all mail concerning stuff in a file
#
mail.*;mail.!=info /var/adm/mail

This pattern matches all messages that come with the mail facility, except for the info priority. These will be stored in the file /var/adm/mail.


# Log all mail.info and news.info messages to info
#
mail,news.=info /var/adm/info

This will extract all messages that come either with mail.info or with news.info and store them in the file /var/adm/info.


# Log info and notice messages to messages file
#
*.=info;*.=notice;\
mail.none /var/log/messages

This lets rsyslogd log all messages that come with either the info or the notice facility into the file /var/log/messages, except for all
messages that use the mail facility.


# Log info messages to messages file
#
*.=info;\
mail,news.none /var/log/messages

This statement causes rsyslogd to log all messages that come with the info priority to the file /var/log/messages. But any message coming either with the mail or the news facility will not be stored.


# Emergency messages will be displayed using wall
#
*.=emerg *

This rule tells rsyslogd to write all emergency messages to all currently logged in users. This is the wall action.


# Messages of the priority alert will be directed
# to the operator
#
*.alert root,rgerhards

This rule directs all messages with a priority of alert or higher to the terminals of the operator, i.e. of the users "root'' and "rgerhards'' if they're logged in.


*.* @finlandia

This rule would redirect all messages to a remote host called finlandia. This is useful especially in a cluster of machines where all syslog messages will be stored on only one machine.

In the format shown above, UDP is used for transmitting the message. The destination port is set to the default auf 514. Rsyslog is also capable of using much more secure and reliable TCP sessions for message forwarding. Also, the destination port can be specified. To select TCP, simply add one additional @ in front of the host name (that is, @host is UPD, @@host is TCP). For example:


*.* @@finlandia

To specify the destination port on the remote machine, use a colon followed by the port number after the machine name. The following forwards to port 1514 on finlandia:


*.* @@finlandia:1514

This syntax works both with TCP and UDP based syslog. However, you will probably primarily need it for TCP, as there is no well-accepted port for this transport (it is non-standard). For UDP, you can usually stick with the default auf 514, but might want to modify it for security rea-
sons. If you would like to do that, it's quite easy:


*.* @finlandia:1514



*.* >dbhost,dbname,dbuser,dbpassword;dbtemplate

This rule writes all message to the database "dbname" hosted on "dbhost". The login is done with user "dbuser" and password "dbpassword". The actual table that is updated is specified within the template (which contains the insert statement). The template is called "dbtemplate" in this case.

:msg,contains,"error" @errorServer

This rule forwards all messages that contain the word "error" in the msg part to the server "errorServer". Forwarding is via UDP. Please note the colon in fron

[manual index] [rsyslog.conf] [rsyslog site]

This documentation is part of the rsyslog project.
Copyright © 2008 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 2 or higher.

# A commented quick reference and sample configuration
# WARNING: This is not a manual, the full manual of rsyslog configuration is in
# rsyslog.conf (5) manpage
#
# "$" starts lines that contain new directives. The full list of directives
# can be found in /usr/share/doc/rsyslog-1.19.6/doc/rsyslog_conf.html
# Set syslogd options

#                 Some global directives
#                 ----------------------

# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
# --------------
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com

# $UMASK - specifies the rsyslogd processes' umask
# ------
$umask 0000

# $FileGroup - Set the group for dynaFiles newly created
# ----------
$FileGroup loggroup

# $FileOwner - Set the file owner for dynaFiles newly created.
# ----------
$FileOwner loguser

# $IncludeConfig - include other files into the main configuration file
# --------------
$IncludeConfig /etc/some-included-file.conf    # one file
$IncludeConfig /etc/rsyslog.d/                 # whole directory (must contain the final slash)

# $ModLoad - Dynamically loads a plug-in and activates it
# --------
$ModLoad MySQL  # load MySQL functionality
$ModLoad /rsyslog/modules/somemodule.so # load a module via absolute path



#                       Templates
#                       ---------

# Templates allow to specify any format a user might want.
# They MUST be defined BEFORE they are used.

# A template consists of a template directive, a name, the actual template text
# and optional options. A sample is:
#
$template MyTemplateName,"\7Text %property% some more text\n",

#  where:
#   * $template - tells rsyslog that this line contains a template.
#   * MyTemplateName - template name. All other config lines refer to this name.
#   * "\7Text %property% some more text\n" - templage text

# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\

# Template options are case-insensitive. Currently defined are:
# sql      format the string suitable for a SQL statement. This will replace single
#          quotes ("'") by two single quotes ("''") to prevent the SQL injection 
#          (NO_BACKSLASH_ESCAPES turned off)
# stdsql - format the string suitable for a SQL statement that is to
#          be sent  to  a standards-compliant sql server. 
#          (NO_BACKSLASH_ESCAPES turned on)



#               Properties inside templates
#               ---------------------------

# Properties can be modified by the property replacer. They are accessed
# inside the template by putting them between percent signs. The full syntax is as follows:

#     %propname:fromChar:toChar:options%

# FromChar and toChar are used to build substrings. 
# If you need to obtain the first 2 characters of the
# message text, you can use this syntax: 
"%msg:1:2%".
# If you do not whish to specify from and to, but you want to
# specify options, you still need to include the colons. 

# For example, to convert the full message text to lower case only, use 
#     "%msg:::lowercase%".

# The full list of property options can be found in rsyslog.conf(5) manpage



#               Samples of template definitions
#               -------------------------------

# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# A more verbose template:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated::fulltime%,%HOSTNAME%,%syslogtag%,%msg%\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

# The template below emulates winsyslog format, but we need to check the time
# stamps used. It is also a good sampleof the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql



#                       Samples of rules
#                       ----------------
# Regular file
# ------------
*.*     /var/log/traditionalfile.log;TraditionalFormat      # log to a file in the traditional format

# Forwarding to remote machine
# ----------------------------
*.*	@172.19.2.16		# udp (standard for syslog)
*.*	@@172.19.2.17		# tcp

# Database action
# ---------------
# (you must have rsyslog-mysql package installed)
# !!! Don't forget to set permission of rsyslog.conf to 600 !!!
*.*	>hostname,dbname,userid,password	# (default Monitorware schema, can be created by /usr/share/doc/rsyslog-mysql-1.19.6/createDB.sql)

# And this one uses the template defined above:
*.*	>hostname,dbname,userid,password;dbFormat

# Program to execute
# ------------------
*.*			^alsaunmute 	# set default volume to soundcard

# Filter using regex
# ------------------
# if the user logges word rulez or rulezz or rulezzz or..., then we will shut down his pc
# (note, that + have to be double backslashed...)
:msg, regex, "rulez\\+"	 ^poweroff

# A more complex example
# ----------------------
$template bla_logged,"%timegenerated% the BLA was logged"
:msg, contains, "bla"    ^logger;bla_logged

# Pipes
# -----
# first we need to create pipe by # mkfifo /a_big_pipe
*.*	|/a_big_pipe

# Discarding
# ----------
*.*	~      # discards everything

출처: http://egloos.zum.com/mcchae/v/11109562 

syslog(시스로그)는 1980년대에 메일 전송의 로그를 전송하기 위해 시작되었고,

출처: 해킹사고의 재구성 - 최상용

1. 중요 메소드를 중점적으로 추출

 웹 접근 로그의 99%는 GET 방식의 요청에 대한 기록이며, POST 방식의 요청에 대한 기록은 상대적으로 소량이다. 하지만 웹 해킹 시도는 POST요청 속에 해커의 요청이 숨겨져 오는 경우가 많으므로 웹 접근 로그 중 메소드 필드에 'POST'가 포함되어 있거나 'PUT'이 포함되어 있는 경우의 로그만을 걸러내서 일차적으로 살펴봐야 한다.

2. 중요 스크립트를 중점적으로 추출

 웹 접근 로그는 jsp,asp,php와 같은 스크립트 이외에도 이미지 파일, js 파일 , css 파일 등이 홈페이지에 접속할 때마다 기록되므로 스크립트 파일 외의 파일에 대한 요청 기록이 많은 부분을 차지한다. 그러므로 스크립트를 호출하고, GET 요청에 대한 파라미터가 존재하는 경우를 중점적으로 추출해야 한다. 

출처: 해킹사고의 재구성 - 최상용

1. SQL 인젝션을 이용한 인증 모듈 우회

웹로그에는 SQL injection 공격이 남지 않는다. 이유는 웹 응용 프로그램 개발 시, 사용자 로그인 폼을 POST방식으로 전송하기 때문이다. POST방식은 사용자의 모든 요청 값이 기록되는 GET방식과는 달리, POST 헤더 이후의 부분은 데이터로 인식해 웹 접근 로그에 기록하지 않기 때문이다.

이런 상황에서 웹 로그만을 참고하여 SQL을 탐지하려면 다음과 같은 방법을 사용해야 한다.

1) 로그인 실패를 몇 회이상 지속적으로 할 경우 의심을 할 수 있다.

2) 에러로그에 실패 로그를 보고 의심 할 수 있다.

웹 접근 로그 분석 방법

1) 로그 중 POST 메소드가 포함되어 있는 로그만을 걸러내어 보는 방법

2) 일정부분의 로그를 추출한 다음 좀 더 정확한 정황이 발견됐을 때 첫 번째 방법으로 POST메소드가 포함된 URL만을 추출해 세부적으로 분석한다.

2. Blind SQL 인젝션을 이용한 ID/패스워드 탈취

 블라인드 SQL 공격의 흔적은 웹 접근 로그에 남아 있을 수도, 그렇지 않을 수도 있다. 만약 해커가 게시판에 Blind SQL를 할 경우 로그에 '구문이 잘못되었습니다.' 라고 남을 수 있다.

즉, 동일한 URL에 대한 여러번의 연속적인 DB 오류 등이 웹 접근 로그에서 발견된다면, 이는 블라인드 SQL 공격 시도로 볼 수 있다. 또한 이러한 연속적인 시도 이후 공격을 시도했던 동일한 IP에서 관리자 로그인 URL을 호출하고 해당 URL을 호출하고 해당 URL에 대한 상태코드가 200라면 특히 로그인을 시도한 IP가 해외라면 이는 유출됐다는 사실을 추정할 수 있다.

But 공격이 수기가 아니라 Pangolin,NBSI, HDSI 같은 해킹 자동화 툴로 이뤄진 경우에는 그 툴만의 특성 있는 흔적이 웹 접근 로그에 기록이 된다.

3. 파일 다운로드 취약점 정보 유출 

파일 다운로드를 위해 ../ 와 같은 시도를 할 것이며, 이러한 행위는 웹 로그에 정확히 기록된다. 그 이유는 GET 방식을 이용해 전송되기 때문이다.