Snort+Barnyard with Graylog - security

I have installed Snort and Barnyard2 following this guide.
I was about to install BASE but it requires PHP5 and it's no longer supported. I have PHP7 installed and cannot downgrade it.
After a bit of lurking I decided to use Graylog2 to view the logs.
Snort is configured to log in unified2 format then barnyard2 reads that and saves it to MySQL database.
As far as I understood (not much) logging to MySQL is pointless without BASE and I need to forward the logs to Graylog.
Now, should I
1) Remove Barnyard and tell Snort to log in human-readable format (not very efficient?) then send the logs to Graylog
2a) Tell Barnyard to stop sending the logs to MySQL but forward them directly to Greylog
2b) Tell Barnyard to just translate unified2 and write the human-readable log to another file then send it to Graylog.
In any case, how?
Snort, Barnyard and Graylog are on the same machine.

So, I've come up with this but I would like an opinion from someone who knows more than me.
Remove this from barnyard2 config file (example - Line 258 to 296)
output database: log, mysql, user=snort password=************** dbname=snort host=localhost sensor_name=sensor01
and add the proper output for syslog
output alert_syslog
(OR output log_syslog_full: sensor_name whatever, server 127.0.0.1, protocol udp, port 514 ?)
Then in syslog config (graylog documentation, here)
# "@" forwards over UDP; "@@" would forward over TCP
*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

You can also configure barnyard to log directly to your Graylog server. Instead of logging via syslog to localhost, you just create a new syslog input on your Graylog server and point the barnyard syslog output to that ip/port.
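Whichever route is used (syslog on localhost or a syslog input on the Graylog server), what arrives is the one-line alert_syslog layout that Snort and Barnyard2 both emit, and it is only useful in Graylog once split into fields (signature, priority, protocol, addresses). The parser below is an added example, not code from the thread or from the Snort/Barnyard2 projects. It assumes the usual layout `[gid:sid:rev] message [Classification: text] [Priority: n] {PROTO} src[:sport] -> dst[:dport]`, tolerates the ":" Snort itself writes after the priority, and handles IPv4 only. The sample lines are constructed (sensor name, pid and addresses are made up).

```python
"""Split Snort/Barnyard2 alert_syslog lines into fields.

Added example; not code from the thread or from the Snort/Barnyard2 projects.
Assumes the alert_syslog layout both tools emit:
  [gid:sid:rev] message [Classification: text] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
and IPv4 addresses only. The sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"               # rule identity
    r"(?P<msg>.+?)\s+"                                              # rule message (lazy)
    r"(?:\[Classification:\s*(?P<classification>[^\]]+)\]\s+)?"    # absent for rules without classtype
    r"\[Priority:\s*(?P<priority>\d+)\]:?\s+"                      # Snort adds ':' after the priority, Barnyard2 may not
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"  # no port for ICMP
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

SAMPLE_LINES = [  # constructed for this example
    "May 19 10:42:01 sensor01 barnyard2[2213]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234",
    "May 19 10:42:03 sensor01 barnyard2[2213]: [1:1000001:1] LOCAL ICMP echo request "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 10.0.0.5",
    "May 19 10:42:05 sensor01 barnyard2[2213]: [1:1000002:2] LOCAL suspicious TFTP get "
    "[Priority: 1] {UDP} 192.168.1.20:40000 -> 10.0.0.9:69",
    "May 19 10:42:07 sensor01 barnyard2[2213]: Waiting for new data",  # not an alert, must be skipped
]


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert fields as a dict, or None if the line is not an alert.
    search() skips the syslog header (timestamp, host, program[pid]:)."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def summarize(lines: List[str], max_priority: int = 1) -> Dict[str, object]:
    """Parse a batch of lines, count alerts per signature and pull out the ones at
    or above max_priority (Snort priority 1 is the most severe)."""
    parsed = [a for a in (parse_alert(line) for line in lines) if a is not None]
    by_sig = Counter(f"{a['gid']}:{a['sid']}" for a in parsed)
    urgent = [a for a in parsed if a["priority"] <= max_priority]
    return {
        "parsed": len(parsed),
        "skipped": len(lines) - len(parsed),
        "by_signature": dict(by_sig),
        "urgent": urgent,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"{report['parsed']} alerts, {report['skipped']} non-alert lines")
    for a in report["urgent"]:
        print(f"priority {a['priority']}: {a['msg']} {a['src']} -> {a['dst']}:{a['dport']}")
```

The same field names can be used as a Graylog regex extractor; the regex above is what such an extractor has to express. Note that `search()` rather than `match()` is deliberate: it makes the parser indifferent to whether the line still carries the rsyslog header or has already been stripped to the message by the input.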

Related

Mosquitto seems to ignore changes in config

I'm trying to get a mosquitto broker to allow websockets on port 1884. For that I have edited the standard mosquitto.conf as such:
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 1883
allow_anonymous true
listener 1884
protocol websockets
allow_anonymous true
However that doesn't seem to work since when I start the broker, it says:
1652941249: mosquitto version 1.4.15 (build date Tue, 18 Jun 2019 11:42:22 -0300) starting
1652941249: Using default config.
1652941249: Opening ipv4 listen socket on port 1883.
1652941249: Opening ipv6 listen socket on port 1883.
I've already tried adding a custom .conf file in the conf.d file and have it included by the mosquitto.conf but without success.
I have also noticed that whenever I try using the -c flag to specify which config to use, it seems to freeze before being able to start.
First, "Using default config." means that specific instance is not using the config file at all; it is using the built-in defaults, which are just to listen on port 1883.
Second, mosquitto doesn't have a default config file; you must always use the -c option to pass the path to the config file you want to run.
Given the config file provided, it's probably not freezing; you have just told it to write the logs to a file, so there will be NO output on the command line. You need to tail the /var/log/mosquitto/mosquitto.log file to see the output (also there is a small bug in the logging code that means it only prints when the buffer has been filled, so log entries may be delayed until enough has been written to the buffer).
And finally, v1.4.x is VERY old; you should be running the v2.x version as it contains lots of bug/security fixes.

Redirect Auditd.log data to rsyslog in RHEL-7

I would like to redirect the auditd log data into rsyslog instead of audit.log file.
I see that by default in the "/etc/audit/auditd.conf" the following line has been included to redirect it to
log_file = /var/log/audit/audit.log
Is it possible to redirect the audit log to syslog or rsyslog on the same machine?
NOTE: I don't have any external log server at this point and would like to test this on the same instance of an RHEL Server where my application is running.
Any Assistance is greatly appreciated.
NOTE: My rsyslog Server and auditd logs are on the same server instance.
RHEL-7 -->3.10.0-862.el7.x86_64
Thank you
You can use the audisp plugin "syslog".
Path: /etc/audisp/plugins.d/syslog.conf
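On RHEL 7 that plugin file ships with active = no; setting active = yes and restarting auditd makes audispd copy every event to syslog, and the args line (by default LOG_INFO LOG_LOCAL6) chooses the facility, so a `local6.*` rule in rsyslog can route the copy to its own file. Two things follow for a practitioner: the copy in syslog is only as protected as the file rsyslog writes it to, so give that file the same permissions as /var/log/audit/audit.log, and the records still arrive in audit's key=value layout, which has to be parsed before it is searchable. The parser and the small failed-login check below are an added example, not part of the answer above or of the audit project. They assume the standard record layout (type=... msg=audit(ts:serial): key=value ..., with an optional nested msg='key=value ...' payload) and an optional node= prefix; the sample lines are constructed (host name, addresses, pids and serials are made up).

```python
"""Parse auditd records after audispd's syslog plugin has copied them to rsyslog.

Added example; not part of the answer above or of the audit project. Assumes the
record layout audit uses (type=... msg=audit(ts:serial): key=value ... with an
optional nested msg='key=value ...' payload), possibly behind a 'node=' prefix.
The sample lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

AUDIT_RE = re.compile(
    r"type=(?P<type>[A-Z_]+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value tokens; values may be 'single-quoted', "double-quoted" or bare
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|\S+)")
UNSET_AUID = 4294967295  # the kernel prints -1 ("no login uid yet") as an unsigned int

AUDIT_LINES = [  # constructed for this example
    "Jun  3 09:14:22 rhel7 audispd: node=rhel7 type=USER_AUTH msg=audit(1591175662.219:4821): "
    "pid=2837 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? "
    "acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'",
    "Jun  3 09:14:25 rhel7 audispd: node=rhel7 type=USER_AUTH msg=audit(1591175665.002:4822): "
    "pid=2837 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? "
    "acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'",
    "Jun  3 09:14:28 rhel7 audispd: node=rhel7 type=USER_AUTH msg=audit(1591175668.417:4823): "
    "pid=2837 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? "
    "acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'",
    "Jun  3 09:15:01 rhel7 audispd: node=rhel7 type=USER_AUTH msg=audit(1591175701.004:4830): "
    "pid=2901 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix "
    "acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=198.51.100.4 addr=198.51.100.4 terminal=ssh res=success'",
    "Jun  3 09:15:05 rhel7 audispd: node=rhel7 type=USER_LOGIN msg=audit(1591175705.310:4833): "
    "pid=2837 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=203.0.113.7 terminal=ssh res=failed'",
    "Jun  3 09:16:10 rhel7 audispd: node=rhel7 type=SYSCALL msg=audit(1591175770.118:4840): "
    "arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=0 a2=0 a3=0 items=2 ppid=3011 pid=3012 "
    "auid=1000 uid=0 gid=0 euid=0 comm=\"id\" exe=\"/usr/bin/id\" key=\"exec\"",
    "Jun  3 09:16:11 rhel7 systemd: Started Session 12 of user alice.",  # not an audit record
]


def _kv(text: str) -> Dict[str, str]:
    """Turn 'k=v k2="v 2" k3='...'' into a dict, stripping one layer of quotes."""
    out: Dict[str, str] = {}
    for key, val in KV_RE.findall(text):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        out[key] = val
    return out


def parse_audit(line: str) -> Optional[Dict[str, object]]:
    """Return one audit record as a dict, or None for lines that are not audit records."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = _kv(m.group("body"))
    nested = fields.pop("msg", "")  # the quoted msg='...' payload carries its own key=value list
    auid = fields.get("auid")
    return {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "login_uid": None if auid is None or int(auid) == UNSET_AUID else int(auid),
        "fields": fields,
        "detail": _kv(nested),
    }


def failed_auth_by_source(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count failed PAM authentications/logins per source address and return the
    sources at or above threshold (a minimal brute-force indicator)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_audit(line)
        if rec is None or rec["type"] not in ("USER_AUTH", "USER_LOGIN"):
            continue
        detail = rec["detail"]
        if detail.get("res") == "failed":
            counts[detail.get("addr", "?")] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for addr, n in failed_auth_by_source(AUDIT_LINES).items():
        print(f"{addr}: {n} failed authentications")
```

The auid handling matters for anything built on top: before a login succeeds the kernel has no login uid and writes 4294967295, so filters that key on auid must treat that value as "unset" rather than as a user.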

Prevent forwarding of systemd service logs to syslog without affecting other service logs sent to syslog

My computer runs several java processes as systemd services. The systemd logs get accumulated in the syslog, eventually leading to low disk space. How to redirect the logs started by systemd services towards /dev/null so that they do not accumulate in syslog? The machine is constantly running out of disk space due to this issue. However, I need to be able to use journalctl to view the systemd service logs. The possible solutions I found were:
1.To modify configurations in /etc/systemd/journald.conf by setting
'ForwardToSyslog=no'
2.Adding StandardOutput=null within the systemd service file itself
However, the first solution completely stopped all the logs sent to syslog and solution 2 did not work. I wish to stop forwarding only the log messages from systemd services.
The second option with StandardOutput=null should work. I think what you need is to redirect also STDERR to /dev/null, by adding StandardError=null.
To summarize, in your *.service file there should be two lines:
[Service]
StandardOutput=null
StandardError=null
Refer SYSTEMD.EXEC(5) man page for more details.
Similarly on a Redhat 7.4 box, running systemd-219-42.el7_4.1.x86_64, I was unable to turn off log redirection with the ForwardToSyslog=no setting in /etc/systemd/journald.conf.
I instead had success with setting MaxLevelSyslog=warning which removed all the INFO and DEBUG level messages that were being forwarded to rsyslog.
You can configure rsyslog to ignore logs from specific application:
# cat /etc/rsyslog.d/mydaemon.conf
if $programname == 'mydaemon' then {
stop
}
This will result in:
You will see systemd-generated messages about daemon being started/stopped/reloaded/etc within journal AND syslog.
You will see daemon's-generated messages ONLY in journal (and custom log file written directly by application, if any).
Alternatively, you can use the journalctl command to limit the size of the journal. You can limit the size of the journal to a certain size, by adding the following line to /etc/systemd/journald.conf:
SystemMaxUse=10M
This will limit your journal to 10 MB.
You can still use "syslog" to redirect logs from the service to /dev/null. In your system file try:
[Service]
SyslogIdentifier=<service-name>
StandardOutput=null
SyslogFacility=local7
Meanwhile, check that the syslog daemon is configured to receive logs with the local7 facility. In the rsyslog configuration file make sure that:
local7.* /dev/null
journalctl should still be working.
check out the systemd manual for more information
If your service is logging to a file, the messages will not be appended to systemd syslog.
For example:
[Service]
StandardOutput=append:/var/log/python-script-stdout.log
StandardError=append:/var/log/python-script-stderr.log
will forward all messages (stdout and stderr) only to their respective filepath.
If you want to truncate the logs on every service startup, replace append: with file:.

Sentry on supervisor - Error no log file

I'm trying to set up a sentry server (getsentry.com). I can run sentry just fine manually as the sentry user. But when I try and run it in supervisor via 'supervisorctl tail sentry-web' I get 'sentry-web: ERROR (no log file)'
The supervisor's sentry program specifies using syslog for both regular and error log. I have also tried specifying absolute paths to log files both in the home directory for the sentry user, and under /var/log
OS: Ubuntu 14.04
Supervisor: 3.0b2
Sentry: 7.5.4
You won't be able to use the log commands (or fg iirc) when using syslog for output (which we recommend for simplicity).
An absolute path should work fine, but you'll need to confirm that the user supervisor is running Sentry as has write access to the directory.
If you use syslog, you should see output in /var/log/syslog
A good way to test things is to run the command as the user in the foreground (outside of supervisor). Also by default our log verbosity isn't very high (we actually don't do much informational/debug logging at this time), so you're fairly limited on the output you'll get. There is the possibility to change it, but it utilizes Django's LOGGING configuration and we don't yet document this/expose it in a user friendly way.

Rsyslog central logging separate local logs

I have an Rsyslog central server where multiple machines send log files, and these log files are stored by machine IP.
$template DailyPerHostLogs,"/var/log/remote/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHostLogs
This works fine; however, all the logs get into the log machine's central logs as well, like:
/var/log/messages
/var/log/auth
/var/log/cron
What is the best way to stop this from happening?
Thanks
Solved it; you have to put the remote log acceptance rule first, then this:
## before going to local log rules, drop remote logging, it's been
## processed in the "central logging" section
#
:hostname, !isequal, "biglogserver" ~
Then the rest of the rsyslog.conf.
If I understood your question right, you don't want to save the logs locally on the machines.
To do that you must remove from /etc/syslog.conf all the lines that describe local log files, and leave there only the line that send the logs remotely.
