Useful Python syslog client I found online
https://github.com/cloudpassage/splunk-halo-python/blob/master/remote_syslog.py
Sample usage:
syslog('Apr 23 07:36:52 10.2.108.181 EventName=[], SourceIP=[], SourcePort=[], DestinationIP=[], DestinationPort=[], UserName=[], SourceWorkstation=[], Url=[], FilePath=[], MD5=[], LogSource=[], MacAddress=[], LogSourceTime=[], Notes=[]', host='10.xx.xx.xx', facility=FACILITY['local0'], level=LEVEL['info'])
---------------
#!/usr/bin/python
"""
Python syslog client.
This code is placed in the public domain by the author.
Written by Christian Stigen Larsen.
This is especially neat for Windows users, who (I think) don't
get any syslog module in the default python installation.
See RFC3164 for more info -- http://tools.ietf.org/html/rfc3164
Note that if you intend to send messages to remote servers, their
syslogd must be started with -r to allow to receive UDP from
the network.
"""
import socket

# I'm a python novice, so I don't know of better ways to define enums
FACILITY = {
    'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3,
    'auth': 4, 'syslog': 5, 'lpr': 6, 'news': 7,
    'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
    'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
    'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
}
LEVEL = {
    'emerg': 0, 'alert': 1, 'crit': 2, 'err': 3,
    'warning': 4, 'notice': 5, 'info': 6, 'debug': 7
}

def syslog(message, level=LEVEL['notice'], facility=FACILITY['daemon'],
           host='localhost', port=514):
    """
    Send syslog UDP packet to given host and port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # PRI is facility*8 + severity, sent as "<PRI>message"; encode to bytes
    # so sendto() works on Python 3 as well as Python 2
    data = ('<%d>%s' % (level + facility*8, message)).encode('utf-8')
    sock.sendto(data, (host, port))
    sock.close()
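As an added example (not part of the original post or the linked client), here is the PRI arithmetic the client does in one line together with its inverse: decoding a received datagram back into facility and level, which is how tcpdump arrives at labels like authpriv.notice in the forwarding posts further down. The FACILITY and LEVEL tables are copied from the client above; the encode/decode functions and the handling of datagrams with a missing or out-of-range PRI are mine.

```python
# Facility/level codes as in the client above (RFC 3164 numeric values).
FACILITY = {
    'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3, 'auth': 4, 'syslog': 5,
    'lpr': 6, 'news': 7, 'uucp': 8, 'cron': 9, 'authpriv': 10, 'ftp': 11,
    'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
    'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23,
}
LEVEL = {'emerg': 0, 'alert': 1, 'crit': 2, 'err': 3,
         'warning': 4, 'notice': 5, 'info': 6, 'debug': 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
LEVEL_NAME = {v: k for k, v in LEVEL.items()}


def encode_pri(facility, level):
    """PRI = facility * 8 + severity; this is the number inside the <> prefix."""
    if not (0 <= facility <= 23 and 0 <= level <= 7):
        raise ValueError('facility must be 0..23 and level 0..7')
    return facility * 8 + level


def build_packet(message, facility='daemon', level='notice'):
    """Build the UDP payload the client above sends (no timestamp or hostname,
    exactly like the original)."""
    pri = encode_pri(FACILITY[facility], LEVEL[level])
    return ('<%d>%s' % (pri, message)).encode('utf-8')


def decode_packet(data):
    """Split a received datagram into (facility_name, level_name, message).

    RFC 3164 section 4.3.3: a packet without a valid <PRI> prefix is treated
    as <13>, i.e. user.notice.  PRI is 1 to 3 digits and at most 191.
    """
    text = data.decode('utf-8', errors='replace')
    pri, msg = 13, text
    if text.startswith('<'):
        end = text.find('>', 1, 5)  # '>' must appear within the first 5 chars
        if end != -1 and text[1:end].isdigit() and int(text[1:end]) <= 191:
            pri, msg = int(text[1:end]), text[end + 1:]
    facility = FACILITY_NAME.get(pri // 8, 'facility%d' % (pri // 8))
    return facility, LEVEL_NAME[pri % 8], msg
```

The sample usage at the top of the post (local0, info) produces PRI 134; the authpriv.notice lines tcpdump prints below carry PRI 85.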
Thursday, March 14, 2019
Tuesday, June 7, 2016
Forwarding iptables logs to rsyslog
If you have a central logging system and already forward syslog from your Linux server to it, enabling logging for iptables (your local firewall) so that its permits, denies, and so on are auto-forwarded takes only a few commands.
To do this you'd run iptables commands such as these to log inbound TCP connections:
iptables -N MYLOGS
iptables -A MYLOGS -j LOG --log-prefix ' INBOUND TCP ' --log-level 4
iptables -A MYLOGS -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j MYLOGS
Or something like this to log outbound TCP connections:
iptables -N MYLOGS
iptables -A MYLOGS -j LOG --log-prefix ' OUTBOUND TCP ' --log-level 4
iptables -A MYLOGS -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j MYLOGS
Once you run those commands you're done; iptables does the rest for you and the matches go out via syslog!
You can validate that syslog is actually sending the logs by running tcpdump and capturing traffic outbound to that IP:
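Added example, not from the post: once the rules above are in place, this is the shape the kernel LOG lines take by the time rsyslog forwards them, plus a small parser that pulls out the prefix, the SRC/DST/PROTO/DPT fields and the bare TCP flags so the central log system can count inbound and outbound flows per prefix. The sample lines, hostname and addresses are constructed; the " INBOUND TCP " and " OUTBOUND TCP " prefixes are the ones set in the rules.

```python
import re

# Constructed sample lines in the form rsyslog receives kernel LOG output.
SAMPLE_LINES = [
    "Jun  7 13:41:57 web01 kernel: [ 1234.567890]  INBOUND TCP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5432 DF PROTO=TCP SPT=51522 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  7 13:41:58 web01 kernel: [ 1235.001122]  OUTBOUND TCP IN= OUT=eth0 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=TCP SPT=44310 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jun  7 13:41:59 web01 sshd[2210]: Accepted publickey for alice from 203.0.113.7",
]

# "kernel:", an optional printk timestamp, the --log-prefix text, then the
# first KEY=VALUE field, which is always IN=.
LOG_RE = re.compile(r'kernel:\s*(?:\[\s*[\d.]+\])?\s*(?P<prefix>.*?)\s*IN=')


def parse_iptables_log(line):
    """Return a dict of the LOG record's fields, or None if the line is not
    an iptables LOG line.  Keys: 'prefix', every KEY=VALUE pair (empty values
    such as OUT= are kept as ''), and 'flags' for bare tokens like DF and SYN."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {'prefix': m.group('prefix').strip(), 'flags': []}
    for tok in line[m.end() - len('IN='):].split():
        if '=' in tok:
            key, value = tok.split('=', 1)
            rec[key] = value
        else:
            rec['flags'].append(tok)
    return rec


def summarize(lines):
    """Count flows per log prefix, keyed by (SRC, DST, PROTO, DPT); lines that
    are not iptables LOG records are skipped."""
    counts = {}
    for line in lines:
        rec = parse_iptables_log(line)
        if rec is None:
            continue
        key = (rec.get('SRC'), rec.get('DST'), rec.get('PROTO'), rec.get('DPT'))
        per_prefix = counts.setdefault(rec['prefix'], {})
        per_prefix[key] = per_prefix.get(key, 0) + 1
    return counts
```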
tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89
Hope that helps make your iptables logging needs simpler.
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Forward Apache Logs to rsyslog
If you have a central logging system and already forward syslog from your Linux server to it, auto-forwarding your Apache access logs (your web traffic) as well takes only a few steps.
First, open the configuration file with your favorite text editor (my choice was nano)
nano /etc/rsyslog.conf
At the top of the file, add the module load command that enables file monitoring:
$ModLoad imfile
Then, near the bottom of the file but before your remote syslog @ line, add the following lines to monitor the file:
$InputFilePollInterval 10
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
Then restart the syslog service for the changes to take effect
service rsyslog restart
Then validate that syslog is actually sending by running tcpdump and capturing traffic outbound to that IP:
tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89
You can also verify that Apache access logging is enabled and working by viewing the log file; your latest requests should appear at the bottom:
nano /var/log/apache2/access.log
Hope that helps make your apache logging needs simpler.
Enabling Remote Syslogging with rsyslog
If you have a central logging system and need to forward syslog from your Linux server to it, the steps are pretty simple, especially if you're using rsyslog.
First, open the configuration file with your favorite text editor (my choice was nano)
nano /etc/rsyslog.conf
Add the following line to the bottom of the file, where XX.XX.XX.XX is the IP address or hostname of your remote log collection server:
*.* @XX.XX.XX.XX:514
Then restart the syslog service for the changes to take effect
service rsyslog restart
Then validate that syslog is actually sending by running tcpdump and capturing traffic outbound to that IP:
tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89
You can also verify that syslog itself is enabled and working by viewing some of the key log files; your latest entries should appear at the bottom:
nano /var/log/auth.log
nano /var/log/syslog
Hope that helps make your remote syslogging nice and easy.