Archive

Articles taggués ‘logs’

How to Change Location of IPTables Logs

03/04/2022 Comments off

Logs are a very important aspect of any firewall. In IPTables, linux provides such functionality as logging, but by default the logs go to a file /var/log/syslog or /var/log/messages . Sometimes it can be hard to find the information you need, as logs from the entire system are also found there.

If you want to change the file where IPTables logs into, you must configure IPTables rules to display the log prefix, next thing is configure RsysLog to get this prefix and send this to a custom log file that contains only iptables log information.

  • Check if you have RsysLog installed and running
root@dbsysnet:/home/olivier# dpkg -l | grep rsyslog
ii  rsyslog                               8.32.0-1ubuntu4                                 amd64        reliable system and kernel logging daemon
Jul 20 17:59:56 dbsysnet systemd[1]: Starting System Logging Service...
Jul 20 17:59:56  systemd[1]: Started System Logging Service.
Jul 20 17:59:56  rsyslogd[813]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.32.0 try http://www.
Jul 20 17:59:56  rsyslogd[813]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
Jul 20 17:59:56  rsyslogd[813]: rsyslogd's groupid changed to 106
Jul 20 17:59:56  rsyslogd[813]: rsyslogd's userid changed to 102
Jul 20 17:59:56  rsyslogd[813]:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="813" x-info="http://www.rsyslog.com"] start
  • Configure your IPTABLES rules with --log-prefix
# iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "[IPTABLES]: "
  • Create configuration file for RsysLog
# touch /etc/rsyslog.d/10-iptables.conf
  • Open this file and paste below configuration and tne save file
:msg, contains, "[IPTABLES]: " -/var/log/firewall.log
& ~

Explanation:

First line check data log for word [IPTABLES] : and if the word is found it will be sent to the file /var/log/firewall.log

Second line is responsible for stopping the log processing and sending it to the standard location in this case /var/log/syslog or /var/log/messages

  • Restart RsysLog service
root@:/home/olivier# systemctl restart rsyslog

Lire la suite…

Categories: Réseau, Système Tags: , , ,

Configuring Log Rotation of Apache2 and Other Logs

03/03/2022 Comments off

source: lifeonubuntu.com

I went to check out my apache2 logs

ls /var/log/apache2/

and I noticed that they were being automatically rotated (access.log, access.log.1, etc.) and compressed with gzip (access.log.2.gz, etc.). This seems to be the default Ubuntu configuration. I wanted to make find out more, and I found this helpful article about Ubuntu logs, including Apache2 Log info and some basic log rotation info.

After reading through the info, I decided that I wanted to make a few changes. The log rotation happens via the brilliantly named logrotate command. It turns out that logrotate settings kept in 2 places. Lire la suite…

Convert apache HTTP combined logs into SQL (and import it into a mysql database eventually)

06/02/2022 Comments off

source: snippets.dzone.com

you need to extract the data in your http server log files and put it in a database to query it with your usual tools using SQL. this perl script does just this.

it was hard to find it, that’s why i put it here.

#!/usr/bin/perl -w
# Written by Aaron Jenson.
# Original source: http://www.visualprose.com/software.php
# Updated to work under Perl 5.6.1 by Edward Rudd
# Updated 24 march 2007 by Slim Amamou <slim.amamou@alpha-studios.com>
#  - output SQL with the option '--sql'
#  - added SQL create table script to the HELP
#
#  NOTE : you need the TimeDate library (http://search.cpan.org/dist/TimeDate/)
# Lire la suite...

Forcer logrotate à créer une nouvelle version d’un fichier de log

20/01/2022 Comments off

Récemment, je me suis aperçu que mon dernier fichier /var/log/auth.log n’avait pas été renouvelé depuis le 17/04/2011… Evidemment, ça n’aide pas à analyser sereinement les fichiers de logs, vu la taille que ça génère: 105306586 c’est-à-dire plus de 100Mo !

Je voulais conserver 26 semaines de logs pour analyser les tentatives d’intrusion et calculer leur évolution au fur et à mesure que je renforçais la protection de mon serveur.

Tout simple:

  • créer un fichier séparé pour auth.log qu’on appelle /etc/logrotate.d/auth:

/var/log/auth.log

{
        rotate 26
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                reload rsyslog >/dev/null 2>&1 || true
        endscript
}

  • retirer la référence à /var/log/auth.log dans /etc/logrotate.d/auth
  • redémarrer le service rsyslog:
/etc/init.d/rsyslog restart

Lire la suite…

Change the IPTables log file

02/12/2021 Comments off

An important aspect of any firewall are the log files. Iptables on Linux provides logging functionality, however by default, it will get outputted to the /var/log/messages log file. This can clutter things up, and make it hard to check the logs.

If you want to change the file that IPTables logs to, you need to set up your iptables rules to output a log prefix. Rsyslog will then be configured to pick up this prefix, and output the information to a custom log file, containing just the iptables log information.
Install rsyslog if it is not already installed.

$ sudo apt-get install -y rsyslog

Lire la suite…

Categories: Réseau, Système Tags: , , ,