toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Wed Feb 11, 2015 8:52 pm Post subject: [solved] syslog-ng madness
The 3.4.8 version writes a mess into the log during start:
Code:
Feb 9 22:08:29 t44 syslog-ng[906]: syslog-ng starting up; version='3.4.8'
Feb 9 22:08:29 ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ kernel: [ 0.000000] Initializing cgroup subsys cpuset
- happened here on two hardened systems.
Does anybody know a solution (except upgrading to 3.6.2)
-or- another logger? But then I do have these rules to convert:
Code:
destination d_ps22 { file("/mnt/ramdisk/ps22"); };
destination d_ps80 { file("/mnt/ramdisk/ps80"); };
destination d_ps443 { file("/mnt/ramdisk/ps443"); };
#rewrite r_ps22 { subst('PORTSCAN 22 .*', "ps", value("MESSAGE"), type("pcre"), flags("global")); };
#rewrite r_ps80 { subst('PORTSCAN 80 .*', "ps", value("MESSAGE"), type("pcre"), flags("global")); };
#rewrite r_ps443 { subst('PORTSCAN 443 .*', "ps", value("MESSAGE"), type("pcre"), flags("global")); };
filter f_ps22 { match("PORTSCAN 22 " value("MSG")); };
filter f_ps80 { match("PORTSCAN 80 " value("MSG")); };
filter f_ps443 { match("PORTSCAN 443 " value("MSG")); };
#log { source(src); filter(f_ps22); rewrite(r_ps22); destination(d_ps22); };
#log { source(src); filter(f_ps80); rewrite(r_ps80); destination(d_ps80); };
#log { source(src); filter(f_ps443); rewrite(r_ps443); destination(d_ps443); };
log { source(src); filter(f_ps22); destination(d_ps22); };
log { source(src); filter(f_ps80); destination(d_ps80); };
log { source(src); filter(f_ps443); destination(d_ps443); };
filter f_messages { not match("PORTSCAN " value("MSG")); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_messages); destination(console_all); };
Last edited by toralf on Wed May 27, 2015 7:05 pm; edited 1 time in total
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Feb 11, 2015 11:23 pm
toralf ...
I don't have syslog-ng write a log for itself (a little redundant for my liking) and, as the syslog.conf provided with USE="hardened" does, you could do as I did and comment out the lines for destination, filter, etc.
HTH & best ... khay
Balage n00b
Joined: 10 Jan 2008 Posts: 18 Location: Hungary
Posted: Thu Feb 12, 2015 8:54 am
Hello,
Try increasing log_msg_size to 8196. Starting from 3.5 that's the default value, especially because of situations like that.
Code:
log_msg_size(8196);
Regards,
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Thu Feb 12, 2015 3:27 pm
khayyam wrote:
toralf ...
I don't have syslog-ng write a log for itself (a little redundant for my liking) and, as the syslog.conf provided with USE="hardened" does, you could do as I did and comment out the lines for destination, filter, etc.
HTH & best ... khay
b/c I do filter a few types of messages out and wouldn't like to have these in /var/log/messages nor on tty12, I think I do need the definitions as seen above, or?
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Thu Feb 12, 2015 6:54 pm
Yaaay! Something I know the answer to! \/
Short answer:
Put
in your syslog-ng.conf options{} section
There seems to be a bug in 3.4.8 (possibly others) that causes ^@/NULL chars to be written to the syslog if threaded(yes) is set.
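As an added illustration (not code from any poster in this thread), the Python script below does two things a log admin would want here: it flags lines whose host field contains NUL or other control bytes, the '^@' garbage shown in the first post, and it re-implements toralf's f_ps22/f_ps80/f_ps443 and f_messages routing in plain code so its behaviour on sample lines can be checked. The log lines, hostnames, IP addresses and PORTSCAN texts are constructed for the example; the kernel facility-number detail is not modelled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not taken from a real system): a syslog-ng
# start-up line, a kernel line whose host field is 20 NUL bytes (the
# symptom from the first post), a few PORTSCAN messages of the kind the
# f_ps* filters match, one PORTSCAN on a port no filter covers, and an
# unrelated sshd line.
SAMPLE_LOG = (
    "Feb  9 22:08:29 t44 syslog-ng[906]: syslog-ng starting up; version='3.4.8'\n"
    "Feb  9 22:08:29 " + "\x00" * 20 + " kernel: [    0.000000] Initializing cgroup subsys cpuset\n"
    "Feb  9 22:08:31 t44 kernel: PORTSCAN 22 from 198.51.100.7\n"
    "Feb  9 22:08:32 t44 kernel: PORTSCAN 80 from 203.0.113.9\n"
    "Feb  9 22:08:33 t44 kernel: PORTSCAN 443 from 203.0.113.9\n"
    "Feb  9 22:08:33 t44 kernel: PORTSCAN 25 from 203.0.113.9\n"
    "Feb  9 22:08:34 t44 sshd[1012]: Accepted publickey for toralf from 192.0.2.5\n"
)

# BSD-style syslog line: "Mon DD HH:MM:SS host tag: message".  \S+ for the
# host deliberately accepts NUL bytes so that corrupted lines still parse.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)

# The ports toralf's filters single out; match() in the thread's config is a
# substring match on "PORTSCAN <port> " including the trailing space.
PORTS = ("22", "80", "443")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into timestamp, host and the remainder."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def host_is_corrupt(host: str) -> bool:
    """True when the host field carries NUL or other control characters,
    i.e. the ^@^@^@ residue from the first post."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in host)


def route(line: str) -> str:
    """Mirror of the thread's log {} statements.

    PORTSCAN <port> lines go to ps<port>; anything without "PORTSCAN " passes
    filter f_messages and goes to 'messages'.  A PORTSCAN line for a port
    without its own filter matches neither, so in the original config it
    reaches no destination at all; that case is reported as 'dropped'.
    """
    parsed = parse(line)
    if parsed is None:
        return "unparsed"
    rest = parsed["rest"]
    for port in PORTS:
        if f"PORTSCAN {port} " in rest:
            return f"ps{port}"
    if "PORTSCAN " in rest:
        return "dropped"
    return "messages"


def process(log_text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Route every line and collect the ones with a corrupted host field."""
    buckets: Dict[str, List[str]] = {}
    corrupt: List[str] = []
    for line in log_text.splitlines():
        if not line:
            continue
        parsed = parse(line)
        if parsed and host_is_corrupt(parsed["host"]):
            corrupt.append(line)
        buckets.setdefault(route(line), []).append(line)
    return buckets, corrupt


if __name__ == "__main__":
    buckets, corrupt = process(SAMPLE_LOG)
    for name, lines in sorted(buckets.items()):
        print(f"{name}: {len(lines)} line(s)")
    for line in corrupt:
        # Render NUL bytes the way less/vim show them, as ^@
        print("corrupt host field:", line.replace("\x00", "^@"))
```

Two things fall out of running it: the corrupted kernel line is still routed normally (the damage is in the host field, not the message), so a syslog-ng option change is the fix rather than a filter; and a PORTSCAN message for a port other than 22/80/443 is excluded from 'messages' by f_messages without being picked up by any f_ps* filter, so with the config as posted it is lost silently.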
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Feb 12, 2015 7:05 pm
toralf wrote:
khayyam wrote:
I don't have syslog-ng write a log for itself (a little redundant for my liking) and, as the syslog.conf provided with USE="hardened" does, you could do as I did and comment out the lines for destination, filter, etc.
b/c I do filter a few types of messages out and wouldn't like to have these in /var/log/messages nor on tty12, I think I do need the definitions as seen above, or?
toralf ... looks like I misread the above, those messages don't come from syslog-ng but from the kernel ring. I imagine this is due to hardened or, as Balage suggests above, log_msg_size. I've seen the above '^@^@^@' here in a thread before, but couldn't find it on a search.
As for the above definitions, they don't seem to have anything to do with it; they are just rules to log portscans.
best ... khay
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Thu Feb 12, 2015 7:20 pm
Ok, will start with "threaded = no".
@khay
Thanks for pointing me to the hardened config files - wasn't aware of them.
/me wonders how to enhance the "kern" filter:
Code:
filter f_kern { facility(kern); };
to add my regex filter too ....
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Feb 12, 2015 9:08 pm
toralf wrote:
Thanks for pointing me to the hardened config files - wasn't aware of them.
toralf ... you're welcome. As I remember there used to be a hardened useflag on syslog-ng, and this toggled the install of the config. That useflag seems to have gone now, but the file is under */files/3.{4,6}/syslog-ng.conf.gentoo.hardened ... not sure what triggers the install.
toralf wrote:
/me wonders how to enhance the "kern" filter:
Code:
filter f_kern { facility(kern); };
to add my regex filter too ....
That's just a 'filter' for the kernel ring; this could then be given a 'destination' (ie, /var/log/kern.log), but as 'messages' gets level('info..warn') you probably get as much as is needed there. Such filters are basically used to break down the facilities and direct them (or 'not' ... as you can do 'and not facility(auth, cron); };' so as not to get those), so it depends on what you want ... and how much.
best ... khay