<html> <head> <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> <title>Remote Syslog with MySQL and PHP</title> </head> <body bgcolor="white" link="blue" alink="red">  <table width="100%" border="0" cellspacing="0" cellpadding="14"> <tr> <td>  <p><center> <script LANGUAGE="JavaScript"></SCRIPT> <noscript> <a HREF="http://ads.linuxsecurity.com/cgi-bin/ads.pl?banner=NonSSI;page=01" TARGET="_blank"> <img SRC="http://ads.linuxsecurity.com/cgi-bin/ads.pl?page=01" ALT="Support LinuxSecurity" BORDER=0></a> </noscript> </center>  </td> </tr> </table>  <hr width="100%"> <table border="0" cellpadding="0" cellspacing="2" width="100%"> <tr> <td rowspan="3" width="102" align="right"><a href="/index.html"><img height="91" width="102" src="/images/thegifs/left_cop.gif" border="0"></a></td> <td width="284" align="left"><img height="27" width="247" src="/images/thegifs/linux_word.gif"></td> <td align="left" valign="bottom" rowspan="2"> <input name="words" type="text" size="20"><input type="image" name="Search_Button" src="/images/thegifs/searchbut.gif" border="0"> </form> <table border="0" cellspacing="0" cellpadding="0" width="37%"> <tr> <td nowrap align="right"> </td> <td nowrap> </td> </tr> </table> </td> <td rowspan="3" width="23%"><img height="91" width="136" src="/images/thegifs/righta_bar.gif"></td> </tr> <tr> <td width="284" align="left"><img height="40" width="283" src="/images/thegifs/big_feat.gif"></td> </tr> <tr> <td colspan="2" align="left"><a href="/index.html"><img height="15" width="32" src="/images/thegifs/15_hr.gif" border="0"></a><img src="/images/thegifs/15sep.jpg" height="15" width="6" naturalsizeflag="0" align="BOTTOM"><a href="/feature/index.html"><img height="15" width="43" src="/images/thegifs/15_fr.gif" border="0"></a><img src="/images/thegifs/15sep.jpg" height="15" width="6" naturalsizeflag="0" align="BOTTOM"><a href="/news/index.html" title="News"><img height="15" width="29" src="/images/thegifs/15_nr.gif" border="0"></a><img src="/images/thegifs/15sep.jpg" height="15" width="6" naturalsizeflag="0" align="BOTTOM"><a href="/advisories/index.html" title="Advisories"><img height="15" width="52" src="/images/thegifs/15_ar.gif" border="0"></a><img src="/images/thegifs/15sep.jpg" height="15" width="6" naturalsizeflag="0" align="BOTTOM"><a href="/resources/index.html" title="Resources"><img height="15" width="51" src="/images/thegifs/15_rr.gif" border="0"></a><img src="/images/thegifs/15sep.jpg" height="15" width="6" naturalsizeflag="0" align="BOTTOM"><a href="/contributors/index.html" title="Contributors"><img height="15" width="62" src="/images/thegifs/15_cr.gif" border="0"></a><img src="/images/thegifs/15sep.jpg" height="15" width="6" naturalsizeflag="0" align="BOTTOM"><a href="/resources/forums-1.html" title="Forums"><img height="15" width="39" src="/images/thegifs/15_for.gif" border="0"></a></td> </tr> </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr height="469" valign="top"> <td width="128" height="469" bgcolor="#bababa"><img height="25" width="128" src="/images/thegifs/topstoriesright.gif"> <table border="0" cellpadding="0" cellspacing="0" width="125" bgcolor="#bababa"> <tr> <td width="12"><img height="3" width="3" src="/images/thegifs/3spacer.gif"><img height="23" width="12" src="/images/thegifs/3x12spacer.gif"></td> <td width="108"><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="2"> <table border="0" cellpadding="0" cellspacing="0">  <tr> <td><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="2"> <a href="/articles/forums_article-8998.html">'We're just like the RIAA,' says SCO<br> </a></font><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="1">Mar 4<br> <br></font></td> </tr>   <tr> <td><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="2"> <a href="/articles/government_article-8997.html">Technical problems reported in e-voting<br> </a></font><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="1">Mar 3<br> <br></font></td> </tr>   <tr> <td><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="2"> <a href="/articles/network_security_article-8996.html">Network Protocol Stack & TCP hacking<br> </a></font><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" size="1">Mar 3<br> <br></font></td> </tr>  </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr><td> <P> <P> <P> </td></tr> </table> <table border="0" cellpadding="0" cellspacing="0" WIDTH="100%"> <TD><CENTER><B><FONT FACE="Arial,Helvetica" SIZE="+1">Today's Term</FONT></B></CENTER> <FONT FACE="Arial,Helvetica" SIZE="2"><A HREF="/dictionary/dict-63.html">certificate policy</A>: <I>"A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." [X509] (See: certification practice statement.) ...</I> </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr><td> <P> <P> <P> </td></tr> </table> <table border="0" cellpadding="0" cellspacing="0" WIDTH="100%"> <TD><CENTER><B><FONT FACE="Arial,Helvetica" SIZE="+1">Today's Tip</FONT></B></CENTER> <FONT FACE="Arial,Helvetica" SIZE="2"><A HREF="/tips/tip-14.html">Kernel Security Patches</A>: <BR>Several independant kernel patches exist to increase the security in your kernel </table> </td> <td width="4"><img height="3" width="3" src="/images/thegifs/3spacer.gif"></td> </tr> </table> <table border="0" cellpadding="0" cellspacing="0" width="116">  <tr><td> </td></tr> <tr> <td width="12"><img height="23" width="12" src="/images/thegifs/3x12spacer.gif"></td> <td width="100"><a href="/contributors/contribute.html"><img height="26" width="100" src="/images/thegifs/contribut_but.gif" border="0"></a></td> <td><img height="3" width="3" src="/images/thegifs/3spacer.gif"></td> </tr>  </table> </td> <td width="4" height="469"><img height="3" width="3" src="/images/thegifs/3spacer.gif"></td> <td width="100%" height="469" valign="top"> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr height="15"> <td width="40%" height="15" align="left" valign="middle" bgcolor="#00006a" nowrap><font face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular" color="white"><b><img height="15" width="15" src="/images/thegifs/featcornerleft.gif">Features</b></font></td> <td height="15" align="right" nowrap width="100%"><font size="2" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"><update_date>2/13/2003</update_date><update_time> 8:50</update_time></font></td> </tr> <tr height="4"> <td colspan="2" valign="bottom" bgcolor="#00006a" height="4"><font size="2" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"><img height="3" width="3" src="/images/clearspace2.gif"><img height="3" width="3" src="/images/clearspace2.gif"></font></td> </tr> </table>  <h3><ARTICLE_TITLE>Remote Syslog with MySQL and PHP</ARTICLE_TITLE></h3> By <AUTHOR_EMAIL><a href="mailto:duane@sukkha.info"></AUTHOR_EMAIL><AUTHOR>Duane Dunston</AUTHOR></a><br> <DATE>2/13/2003</DATE> <TIME>8:50</TIME><BR><BR> <b><SUMMARY>Msyslog has the ability to log syslog messages to a database. This allows for easier monitoring of multiple servers and the ability to be display and search for syslog messages using PHP or any other programming language that can communicate with the database.</SUMMARY></b><br><BR> <DESCRIPTION><style TYPE="text/css"> A:link { text-decoration: none; } A:visited { text-decoration: none; } A:active { text-decoration: none } .tablebody { font-family: Arial,Helvetica,Geneva,Swiss,SunSans-Regular; font-size: 10pt; margin-left: 5px; margin-right: 5px; } .newsbody { font-family: Arial,Helvetica,Geneva,Swiss,SunSans-Regular; font-size: 10pt; margin-left: 10px; margin-right: 10px; } .title { font-family: Arial,Helvetica,Geneva,Swiss,SunSans-Regular; font-size: 12pt; color: #004080; } .restitle { font-family: Arial,Helvetica,Geneva,Swiss,SunSans-Regular; font-size: 10pt; color: #004080; margin-left: 10px; } .resbody { font-family: Arial,Helvetica,Geneva,Swiss,SunSans-Regular; font-size: 10pt; margin-left: 10px; } .boxheader { font-family: Arial,Helvetica,Sans-Serif; font-size: 14pt; color: #FFFFFF; text-align: center; margin-top: 5px; margin-bottom: 5px; font-weight: bold; } .boxnormal { font-family: Arial,Helvetica,Sans-Serif; margin-left: 10px; margin-right: 10px; margin-top: 5px; margin-bottom: 5px; font-size: 10pt; } </style> <p> <b>"Since the beginning, life has relied upon the transmission of messages. For the self-aware organic unit, these messages can relay many different things. The messages may signal danger, the presence of food or the other necessities of life, and many other things. In many cases, these messages are informative to other units and require no acknowledgement. As people interacted and created processes, this same principle was applied to societal communications. As an example, severe weather warnings may be delivered through any number of channels - a siren blowing, warnings delivered over television and radio stations, and even through the use of flags on ships. The expectation is that people hearing or seeing these warnings would realize their significance and take appropriate action. In most cases, no responding acknowledgement of receipt of the warning is required or even desired."</b> <p> I never would have guessed that this message came from the Introduction of RFC 3164 <u>The BSD Syslog Protocol</u>. <p> Reviewing and maintaining the system logs on dozens of servers is a daunting task. Logging into each one and running grep or awk on each one can be very tedious and time-consuming. Luckily, there are programs like <a href="http://www.logwatch.org/">Logwatch</a> and <a href="http://caspian.dotconf.net/menu/Software/LogDog/">Logdog</a> that can parse syslog files (and other files) and filter out keywords and send email or pager alerts. Fortunately, Syslog has a feature that allows for remote logging to a central server or servers. This feature allows virtually any unix syslog daemon to send syslog messages to a remote server that is configured to accept syslog messages. On a Linux system, for example, the syslogd daemon can be started with the "<b>-r</b>" option which tells the daemon to listen for incoming syslog messages. The port it listens on is 514 and the protocol it accepts is UDP. <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /usr/sbin/syslogd -r -m 0</pre></tt></blockquote></td></tr></table> <p> "<b>-m 0</b>" disables the timestamp mark in the syslog file, <i>/var/log/messages</i> on Linux systems. <p> <b> The configuration below is the only client configuration needed. The rest of the article pertains only to the central syslog server. </b><P> Each client's syslog.conf file is then configured to send alerts to the central syslog server, by adding the line: <p> <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE>*.* @julie</pre></tt></blockquote></td></tr></table> <p> <b>*.*</b> means to send all syslog messages to the remote syslog server, in this article named julie. <p> Then refresh the syslog daemon: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /sbin/service syslogd restart</pre></tt></blockquote></td></tr></table> <p> <b> End client configuration.<P> </b> <p> Now on julie if you run <b>tail -20 /var/log/messages</b> (show the last 20 lines), you should now see the alerts sent with the hostname of the client's that have been configured to send alerts to julie. <p> <b>NOTE: http://ntsyslog.sourceforge.net has a program, called NTSyslog, that enables Windows Event Logs to be sent to a Unix syslog server.</b> <p> The process of reviewing multiple servers can be a lot easier using grep, awk, or perl, now that you have a central location where all the messages are sent. To take this one stop further, it can be incorporated with <a href="http://www.mysql.com">MySQL</a> and <a href="http://www.php.net">PHP</a>. <p> The first thing we need to do is to get the syslog messages to the MySQL server. This is where <a href="http://sourceforge.net/projects/msyslog/">Msyslog</a> comes into play. Msyslog is a replacement for the standard syslog daemon that comes installed with most unix systems. Msyslog also has a nice feature of cryptographically signing syslog messages to let an admin know if their syslog files have been altered. Using the cryptographic features will be discussed in the next article. For now, the focus is on sending syslog messages to a remote server, logging to a database, and viewing the logs over a web interface using PHP. <p> Finally, you will need to compile Apache, MySQL, and PHP support. Depending on your OS you may have a package manager that will do this work for you. Oh! You know me...I am not going to leave you hanging, my fellow readers. Here is a <a href="http://www.devshed.com/Server_Side/PHP/SoothinglySeamless/page1.html"> tutorial</a> that explains how to setup Apache, PHP, MYSQL, and SSL. Just get the latest versions. <p> <b><h4>Configuring Msyslog</h4></b> <p> This was setup by downloading and installing the rpm from the msyslog website at: http://sourceforge.net/projects/msyslog/ <p> The tarball install compiled cleanly on Red Hat 7.0-7.3. <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE># cd msyslog-x.xxx # ./configure # make # make install</pre></tt></blockquote></td></tr></table> <p> rpm install: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># rpm -ivh msyslog-xxx.rpm</pre></tt></blockquote></td></tr></table> <p> The rpm install added a startup script named "<i>msyslogd</i>" to the <i>/etc/rc.d/init.d/</i> directory. If you installed from source, here is a <a href=" http://www.sukkha.info/tap/msyslog-startup.txt">startup script</a> you can add to your OS's startup directory. <p> The line: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE># daemon msyslogd $CONFIG $DEBUG $MARK \ $IM_BSD $IM_DOORS $IM_LINUX $IM_STREAMS $IM_TCP \ $IM_UDP $IM_UNIX</PRE></tt></blockquote></td></tr></table> <p> in the "<i>msyslog</i>" startup script was changed by adding the switches "<b>-i udp -p 514 -i om_mysql</b>" <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE># daemon msyslogd $CONFIG $DEBUG $MARK $IM_BSD $IM_DOORS \ $IM_LINUX $IM_STREAMS $IM_TCP $IM_UDP \ $IM_UNIX -i udp -p 514 -i om_mysql</pre></tt></blockquote></td></tr></table></pre> <p> <b>-i udp -p 514</b> - Listen on the standard port 514 for incoming syslog messages via udp<P> <b>-i om_mysql</b> - load the mysql support module for logging to a mysql database <p> This was done before the existing syslog daemon is shutdown so that when it is stopped, the settings above will immediately take affect and remote logging will continue. <p> The normal syslog daemon was shutdown and myslogd started up immediately: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /sbin/service syslogd stop ; /sbin/service msyslogd start</pre></tt></blockquote></td></tr></table> <p> To ensure everything is still working run "<b>tail -f</b>" on the <i>/var/log/messages</i> file to see if logs from remote servers were being received: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /usr/bin/tail -f /var/log/messages ^C </pre></tt></blockquote></td></tr></table> <p> "<b>tail -f</b>" allows data to be viewed while a file is being appended. <p> The logging to mysql was setup by first creating a database called "<b>logd</b>": <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /usr/bin/mysqladmin -p -u root create logd</pre></tt></blockquote></td></tr></table> <p> Then the script supplied in the man page for the om_mysql module was loaded into the database. <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /usr/bin/mysql -p -u root logd < syslog.sql</pre></tt></blockquote></td></tr></table> <p> The <i>syslog.sql</i> file contained this, I modified the supplied sql file to index the host, date, and message fields.: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE> mysql> CREATE TABLE syslogTB ( facility char(10), # OPTIONAL field for facility priority char(10), # OPTIONAL field for priority date date, # date of this log message time time, # time of this message host varchar(128), # host logging, If you have a host with # 128 characters you probably # have other issues to worry about than #someone being l33t. 8-) message text, INDEX host_index (host), INDEX date_index (date), INDEX message_index (message (50)) , #Index the first 50 characters seq int unsigned auto_increment primary key # optional sequencenumber ); #Table to import host names mysql> CREATE TABLE sysloghosts ( hostname varchar(128) # host logging, Same principles as # above for a 128-character hostname. 8-) );</pre></tt></blockquote></td></tr></table> <p> The "sysloghosts" table is used as a dropdown list on the PHP search form. This is only run if new hosts are configured to log to julie. I retrieved the list from the <i>/var/log/messages</i> file with this command: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font><tt><PRE># /bin/awk ' { print $4 } ' /var/log/messages | sort \ | uniq > /tmp/hosts.tmp # /bin/chown mysql:mysql /tmp/hosts.tmp</pre></tt></blockquote></td></tr></table> <p> The mysqld owner must hsve permissions to import the file into the database. <p> Log into the mysql logd database as a root user (not system root), delete the current hosts, and add new hosts file: <p> <table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=-1><tt><PRE># /usr/bin/mysql -p -u root logd Enter Password: mysql> DELETE FROM sysloghosts; mysql> LOAD DATA INFILE '/tmp/hosts.tmp' \ INTO TABLE sysloghosts LINES TERMINATED BY '\n'; mysql> exit</pre></tt></blockquote></td></tr></table></font> <p> Delete the temporary file: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># rm -f /tmp/hosts.tmp</pre></tt></blockquote></td></tr></table> <p> The user "<b>mysql</b>" is used to insert the syslog data into the database. Also, the mysql user will be used to select data from the database using PHP. <p> Log into the database as the admin user and grant the user "<b>mysql</b>" rights to edit and update the "<b>logd</b>" database. <p> <table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <tt><font size=-1></font></tt><PRE># /usr/bin/mysql -u root -p logd Enter Password: mysql> GRANT SELECT, INSERT on logd.* TO mysql@localhost \ IDENTIFIED BY 'dahbadahba'; mysql> FLUSH PRIVILEGES;</pre></tt></td></tr></table> <p>the mysql user is allowed to select and insert data for the logd database <b>(GRANT SELECT,INSERT on logd.*)</b> from the localhost <b>(TO mysql@localhost)</b> with the password "dahbadahba" <b>(IDENTIFIED BY ' dahbadahba ';)</b> and then the privileges are enabled <b>(Flush privileges;)</b>. <p> <b><h4>Syslog configuration file</h4></b> <p> In order for this to work the password for the database has to be kept in the <i>syslog.conf</i> file. A few changes were made to prevent normal users from viewing the <i>syslog.conf</i> file; thus, revealing the database password. <b>(NOTE: Never use the system's root password for a database password)</b> <p> First, the default permissions, on some unix systems, for <i>/etc/syslog.conf</i> are readable-writeable by root and readable by the group "root" and by the world (644). This was changed to 600: <p> <table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /bin/chmod 600 /etc/syslog.conf</pre></tt></blockquote></td></tr></table> <p> Now it is only readable and writeable by root. Test it by trying to "cat" the file as a <b>normal user</b>: <p> <table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /bin/cat /etc/syslog.conf</pre></tt></blockquote></td></tr></table> <p>Hopefully, the following message will be displayed: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># cat: /etc/syslog.conf: Permission denied </pre></tt></blockquote></td></tr></table> <p>The options for logging to the mysql database can be added to the bottom of the <i>/etc/syslog.conf</i> file: <p> <table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE>*.* %mysql -s localhost -u mysql -p dahbadahba -d logd -t syslogTB -D *.* -- log all syslog messages to the mysql database</pre></tt></blockquote></td></tr></table> <p> <b>-s</b> - hostname<P> <b>-u</b> - user to log into the database as<P> <b>-p</b> - the database password<P> <b>-d</b> - the database name<P> <b>-t</b> - the database table name<P> <b>-D</b> - delay logging to the database (prevents overloading the mysql daemon if large numbers of syslog messages are received). <p> Restart the myslogd daemon: <p> <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /sbin/service msyslogd restart </pre></tt></blockquote></td></tr></table> <p>Watch the directory where your mysql databases are located and see if the file grows. <p><b><u>Restricting access to julie:</u></b> <table width="250" border="1" cellspacing="2" cellpadding="10" align="right" style="border: 1px solid #333333; margin: 8px;"> <tr> <td width="220" valign="top" bgcolor="#ffffff" style="border: none;"> <p class="engarde" style="padding-left: 1px; color: #333333;"> <p class="engarde" Ttyle="padding-left: 1px; color: #333333;"><b>EnGarde Secure Linux</b></p> <p class="engarde"> <a href="http://www.engardelinux.org"> <img src="/images/sponsor_esl_1.png" width="85" height="111" border="0" alt="EnGarde Secure Linux" align="left" hspace="8" vspace="8"></a><b> <a href="http://www.engardelinux.org/">The Secure Internet Platform</a></b><p> <font size=-1> EnGarde has everything necessary to create thousands of virtual Web sites, manage e-mail, DNS, and firewalling for an entire organization, and supports high-speed broadband connections all using a Web-based front-end. <center><a target=_blank href=http://www.guardiandigital.com/screenshots/>[ View Screenshots ]</a> <a target=_blank href=http://store.guardiandigital.com/html/eng/static/software.html>[ Buy Online ]</a> <a target=_blank href=http://store.guardiandigital.com/html/eng/493-AA.shtml>[ Feature List ]</center></a> </font></td></tr></table> <p> By default, the syslog daemon will accept syslog messages from any server. Be sure to use firewall rules to only allow syslog messages from the servers that should be logging to it. If your firewall supports it, use a threshold for logging to prevent a Denial-of-Service (DoS) attack. Also, the clients will listen on port 514 when sending log messages to the syslog server so be sure to firewall incoming requests to the client's syslog port, as well. No one should be connecting to the client's syslog port. <p> Only the system adminstrators should have access to julie. One reason is that root passwords and other user's passwords could be echoed into the syslog files because of those with fast fingers may type the password in the "username" or "Login:" field and hit "Enter". <b>Yes I am guilty.</b>. That's the only time I have stopped the syslog daemon, opened <i>/var/log/messages</i> and mnaully deleted an entry. <b>(NOTE: For sanity be sure your syslog files are chmod 600 and owned by root.)</b> <p> The following rules restrict access to particular hosts: <b>(NOTE: the policy is to DENY ALL)</b> <p> <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE> <b># This restricts access to the entire web directory on julie</b> <b># You can configure as you like</b> <Directory "/var/www/html"> Options Includes FollowSymLinks AllowOverride None Order deny,allow deny from all # >8-) # allow from (space delimited list of allowed hosts or networks) allow from 192.168.0.2 192.168.0.3 john.server.com clint.server.com </Directory> </pre></tt></blockquote></td></tr></table> <p> The logs should also be reviewed via the web on julie over a secure connection. Your firewall can block or redirect incoming port 80 requests so access to the server is granted only over a secure connection. <p> <b><u>Viewing syslog messages</u></b> <p> Logs are viewed on julie using php to extract the data from the mysql database. <p> Create a directory under your root directory called "<i>web-syslog</i>" <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /bin/mkdir /var/www/html/web-syslog</pre></tt></blockquote></td></tr></table> <p> Place these </i>.php</i> files there: (<a href="http://www.sukkha.info/tap/syslog-index.txt">syslog-index.txt</a> and <a href="http://www.sukkha.info/tap/syslog-search.txt">syslog-search.txt</a>). Create an include outside of your web directory: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># touch /var/www/gsyslog.php</pre></tt></blockquote></td></tr></table> <p> Be sure this file is owned by the owner of the httpd daemon and readable-writeable by only that user. If you put this file somewhere else on your filesystem, be sure the owner of the httpd daemon has read access to the directory where it is located. This file will contain the password for the logd database. Add the following: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE> <?php // if you change these variable names // be sure the change the variables in // the syslog-search.php file $hostname = "localhost"; $username = "mysql"; $password = "dahbadahba"; $databasename = "logd"; ?> </pre></tt></blockquote></td></tr></table> <p>You can also find this script at <a href="http://www.sukkha.info/tap/gsyslog.txt" target=_blank>http://www.sukkha.info/tap/gsyslog.txt</a>. <p>A side note (special thanks to <a href="mailto:sreed@counselschambers.com.au">Steve Reed</a>): For those of you running older versions of php, you might need to make the following modifications to syslog-search.php: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt><PRE> -$host = trim(addslashes(htmlspecialchars($_GET['host']))); -$message = trim(addslashes(htmlspecialchars($_GET['message']))); -$date = trim(addslashes(htmlspecialchars($_GET['date']))); -$numresults = $_GET['numresults']; -$start = $_GET['start']; +$host = trim(addslashes(htmlspecialchars($host))); +$message = trim(addslashes(htmlspecialchars($message))); +$date = trim(addslashes(htmlspecialchars($date))); +$numresults = $numresults; +$start = $start; </pre></tt></blockquote></td></tr></table> <p> Point your browser to: <b>https://julie.domain.com/web-syslog/syslog-index.php</b>. Hopefully you should see a page where you can select the hosts to retreive records for and an optional date and message field. <p> <b><u>Other Notes:</u></b> <p> Disable the standard syslog daemon from starting during bootup. You'll have to check your OS documentation for starting a stopping services during bootup. On Red Hat you can use the "<b>chkconfig</b>" program or "<b>ntsysv"</b>: <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /sbin/chkconfig --level 345 syslog off</pre></tt></blockquote></td></tr></table> <center>or</center> <p><table BORDER align="center" CELLSPACING=0 CELLPADDING=0 COLS=1 BGCOLOR="#ECECFF"><tr><td> <blockquote><tt><font size=+1></font></tt># /usr/sbin/ntsysv</pre></tt></blockquote></td></tr></table> <p>Uncheck the <i>syslog</i> option. If you upgrade your system then you will have to be sure that the msyslogd daemon starts up and not the standard syslog daemon on julie. <p> <b><u>Conclusion:</u></b> <p> Centralized logging and viewing of logs is very valuable, especially when you have dozens of servers to monitor. It can also serve as a place to look for errors if a server has crashed and can't be broke back on line. Take care to ensure that only necessary people are allowed to view the logs and if at all possible view the logs only over a secure connection. A database backend whether mysql, postgres, or whatever database gives you more power and control of how to display and manipulate the data that is being stored. <hr> Duane Dunston is a Computer Security Analyst at <a href="http://www.stginc.com">STG Inc.</a> for the <a href="http://lwf.ncdc.noaa.gov /">National Climatic Data Center</a> in Asheville, NC. He received his B.A. and M.S. degrees from Pfeiffer University and he has his G SEC certification from SANS. He hangs out at Old Europe Cafe, Early Girl's eatery, Anntony's, and any place with good tea and hot choc olate. <p>Duane has been working in security for 5 years and wishes he had the funding for a "Basic Security Tour" so he could provide the wo rld with hands-on training on how to implement the security recommendations from the Sans Top 20 List of the most common vulnerabiliti es. He knows that applying these recommendations to any network can minimize the most common types of attacks. Not only does he enjoy his work in computer security, he also likes to get involved in its ever-growing technologies. Duane says, "Security is one of those jobs where you have to stay abreast of new technologies and new ways that attackers are compromising computer systems. Security keeps evolving and the industry has to keep up with it, that is why we need well-trained, evolving security professionals supportive manag ers to help us with this ongoing process". <p>Previous Articles Duane has done for <a href="http://www.linuxsecurity.com">LinuxSecurity.com</a>. <ul> <li><a href="http://www.linuxsecurity.com/feature_stories/feature_story-135.html">Patching It Up</a> <li><a href="http://www.linuxsecurity.com/feature_stories/feature_story-133.html">No 'A' Word In Time</a> <li><a href="http://www.linuxsecurity.com/feature_stories/feature_story-132.html">If It Ain't Broke See If It's Fixed</a> <li><a href="http://www.linuxsecurity.com/feature_stories/feature_story-116.html">Centralized File-Integrity With Samhain</a> <li><a href="http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html">Network Monitoring with DSniff -- Updated Version <li><a href="http://www.linuxsecurity.com/feature_stories/feature_story-89.html">Network Monitoring with DSniff</a> <li><a href="http://www.linuxsecurity.com/feature_stories/feature_story-88.html">Encrypted Tunnels using SSH and MindTerm</a> </ul></DESCRIPTION> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr align="center" valign="bottom" height="36"> <td align="center" valign="bottom" width="100%" height="36"><a href="/general/contact.html"><font size="1" face="Arial">Contact Us</font></a><font size="1" face="Arial"> | <a href="/general/legal.html">Legal Notice</a> | <a href="/general/about.html">About Our Site</a></font><font size=" 1"><br> <a href="http://www.guardiandigital.com" ><i>© Guardian Digital, Inc., 2000<br> </i></a></font></td> </tr> </table> </td> <td width="105" height="469" valign="top"> <img height="23" width="105" src="/images/thegifs/105x10box.gif"></td> </tr> </table> </body> </html>