Thursday, June 30, 2011

Rsyslog Configuration

While working on a system that sends events to an ELA (Event Log Analyser) Server, I had to start filtering the events that were sent. I noticed this after sending all events (*.* in rsyslog) to the server and seeing 218,000 hits in 30 seconds. Apparently rsyslog logs everything from kernel events to authentication issues, and network traffic. This filled up the event log incredibly quickly. Just browsing the web for a few moments resulted in thousands of messages being saved in the event log. In addition, ever broadcast and multicast from every machine was logged. For my system and remote monitoring, this was not feasible.

As you can see, there are multiple entries for broadcast MACs. I do not want to log these. So, I set out on what would become a two-hour adventure on rsyslog and conditional filtering.

First, I discovered that Ubuntu uses rsyslog rather than the older syslog. Essentially, what I wanted to do was send all events to an ELA manager except for the broadcast and multicast messages (note: this computer is not for web browsing. If yours is, you will want to filter out web traffic as well or risk seeing millions of messages).

Before sending all of my information to an ELA Server (I remembered what happened last time I did that), I needed a way to see what messages would be sent and filtered. Enter "xconsole." Xconsole allows you to view messages that are being sent to the console. To run it, open up a command prompt and type:

sudo xconsole

This will open the console window. Leave this open while testing.

Ubunut stores its rsyslog settings in two places. The first is rsyslog.conf which is stored in /etc. However, it references/includes a file "50-default.conf" which is stored in /etc/rsyslog.d. To open that file and begin our edits type this in a command prompt (open a new command prompt tab so we don't close the xconsole)

sudo gedit /etc/rsyslog.d/50-default.conf

This will open a text editor. This file originally looks like this:

#Test logging to temp log
#*.*;kern.none    /dev/console
*.*    /dev/console

#LOG to remote host ELA
#*.* @

#  Default rules for rsyslog.
#            For more information see rsyslog.conf(5) and /etc/rsyslog.conf

# First some standard log files.  Log by facility.
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
#cron.*                /var/log/cron.log
#daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
#lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
#user.*                -/var/log/user.log

# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#            -/var/log/
#mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err

# Logging for INN news system.
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice

# Some "catch-all" log files.
#    auth,authpriv.none;\
#    news.none;mail.none    -/var/log/debug
#    auth,authpriv.none;\
#    cron,daemon.none;\
#    mail,news.none        -/var/log/messages

# Emergencies are sent to everybody logged in.
*.emerg                *

# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#    $ xconsole -file /dev/xconsole [...]
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
    *.=notice;*.=warn    |/dev/xconsole

This is the original file. We are going to be adding all of our rules to the top. Here are the edits I made to the file. These edits drop all messages matching a rule before logging them.

#Test logging to console with /dev/console.
#Then open CLI and do sudo xconsole to watch output

#Drop all packets containing information matching below. Then write.
:msg, contains, "DST="
& ~
:msg, contains, "DST="
& ~
:msg, contains, "DST="
& ~
*.*    /dev/console

#LOG to remote host ELA

*.* @

The line for logging to the ELA can be commented out while you test this. The line with /dev/console will write to the xconsole window. Now we need to save it and restart the service. Save the file in the text editor, exit, and then issue:

sudo service rsyslog restart

That will begin throwing messages to your xconsole. If it works, you can comment out that line and then send the messages just to the ELA.

Here are some links that were used as sources. However, I wrote this post because none of the sources I found addressed multiple rules directly.

No comments:

Post a Comment