# this is a config sample for log normalization, but can
# be used as a more complex general sample.
# It is based on a plain standard rsyslog.conf for Red Hat systems.
#
# NOTE: Absolute path names for modules are used in this config
# so that we can run a different rsyslog version alongside the
# regular system-installed rsyslogd. Remove these path names
# for production environment.
#### MODULES ####
# we do not run imuxsock as we don't want to mess with the main system logger
#module(load="/home/rger/proj/rsyslog/plugins/imuxsock/.libs/imuxsock") # provides support for local system logging (e.g. via logger command)
#module(load="imklog") # provides kernel logging support (previously done by rklogd)
# NOTE: imudp is loaded but no input(type="imudp" ...) is declared in this file,
# so no UDP listener is opened unless another config fragment adds one.
module(load="/home/rger/proj/rsyslog/plugins/imudp/.libs/imudp") # Provides UDP syslog reception
module(load="/home/rger/proj/rsyslog/plugins/imtcp/.libs/imtcp")
module(load="/home/rger/proj/rsyslog/plugins/mmjsonparse/.libs/mmjsonparse") # JSON/Lumberjack payload parser (used by WindowsRsyslog)
module(load="/home/rger/proj/rsyslog/plugins/mmnormalize/.libs/mmnormalize") # liblognorm rulebase parser (used by LinuxPlainText)
/* We assume to have all TCP logging (for simplicity)
* Note that we use different ports to point different sources
* to the right rule sets for normalization. While there are
* other methods (e.g. based on tag or source), using multiple
* ports is both the easiest as well as the fastest.
*
* The port is the ONLY thing that selects the parser: a message sent to
* the "wrong" port is not rejected, it is parsed by the wrong ruleset.
*
* These listeners are plain TCP. No transport encryption and no sender
* authentication is configured here, so any host that can reach ports
* 13514-13516 can submit messages that the bound ruleset will normalize
* and forward as if they were genuine logon/logoff events (with
* sender-chosen host and user names). Fine for a local test; for anything
* else restrict who can reach the ports (firewall / bind address) or turn
* on TLS with client-certificate authentication via imtcp's
* StreamDriver.* parameters.
*/
input(type="imtcp" port="13514" Ruleset="WindowsRsyslog")
input(type="imtcp" port="13515" Ruleset="LinuxPlainText")
input(type="imtcp" port="13516" Ruleset="WindowsSnare")
#debug:
# NOTE(review): this action sits in the default ruleset, so it sees the
# locally generated messages handled further below, not the traffic on the
# three named-ruleset inputs above (unless a ruleset explicitly calls back).
# It writes everything it sees, unfiltered and with the default file mode --
# confirm the file's permissions before leaving it enabled.
action(type="omfile" file="/home/rger/proj/rsyslog/logfile")
/* This ruleset handles structured logging.
* It is the only one ever called for remote machines
* but executed in addition to the standard action for
* the local machine. The ultimate goal is to forward
* to some Vendor's analysis tool (which digests a
* structured log format, here we use Lumberjack).
*/
template(name="lumberjack" type="string" string="%$!all-json%\n")
/* the rsyslog Windows Agent uses native Lumberjack format
* (better said: is configured to use it)
*/
ruleset(name="WindowsRsyslog") {
    # Unpack the Lumberjack/JSON payload into the $! property tree.
    action(type="mmjsonparse")
    # Only messages that parsed cleanly are normalized; anything else is dropped here.
    if $parsesuccess == "OK" then {
        # Map the Windows security event ID onto the normalized type field.
        # Any other ID leaves $!usr!type unset but the event is still forwarded.
        if $!id == 4634 then {
            set $!usr!type = "logoff";
        } else if $!id == 4624 then {
            set $!usr!type = "logon";
        }
        # NOTE(review): source and user names are taken from the message body
        # the sender supplied, not from the TCP peer ($fromhost-ip), so they are
        # only as trustworthy as whoever could reach this listener.
        set $!usr!rcvdfrom = $!source;
        set $!usr!rcvdat = $timereported;
        set $!usr!user = $!TargetDomainName & "\\" & $!TargetUserName;
        call outwriter
    }
}
/* This handles clumsy snare format. Note that "#011" are
* the escape sequences for tab chars used by snare.
*/
ruleset(name="WindowsSnare") {
    # Snare separates fields with a literal "#011" (tab); field 6 is the event ID.
    set $!usr!type = field($rawmsg, "#011", 6);
    # Only logon/logoff events are of interest; $!doProces gates the rest of the ruleset.
    # (It is never emitted: the output templates only render the $!usr subtree.)
    if $!usr!type == 4634 then {
        set $!usr!type = "logoff";
        set $!doProces = 1;
    } else if $!usr!type == 4624 then {
        set $!usr!type = "logon";
        set $!doProces = 1;
    } else {
        set $!doProces = 0;
    }
    if $!doProces == 1 then {
        # Delimiter 32 is the ASCII code for space: the 4th blank-separated word
        # of the raw message is the reporting host as written by the sender.
        set $!usr!rcvdfrom = field($rawmsg, 32, 4);
        set $!usr!rcvdat = field($rawmsg, "#011", 5);
        # The Snare timestamp field is rebuilt from its 2nd..4th blank-separated words.
        set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " & field($!usr!rcvdat, 32, 3) & " " & field($!usr!rcvdat, 32, 4);
        # NOTE(review): host and user come straight from the raw wire message,
        # not from the TCP peer, so treat them as sender-controlled downstream.
        set $!usr!user = field($rawmsg, "#011", 8);
        call outwriter
    }
}
/* plain Linux log messages (here: ssh and sudo) need to be
* parsed - we use mmnormalize for fast and efficient parsing
* here.
*/
ruleset(name="LinuxPlainText") {
    # Run the liblognorm rulebase against the raw message. On a match the
    # rulebase is presumably what fills $!user, $!type, $!rcvdfrom and $!rcvdat
    # read below -- the rulebase file itself is not part of this listing.
    action(type="mmnormalize" rulebase="/home/rger/proj/rsyslog/linux.rb" userawmsg="on")
    # Require both a successful parse and a non-empty user name.
    if $parsesuccess == "OK" and $!user != "" then {
        # Session open/close from the rulebase map onto logon/logoff; any other
        # $!type leaves $!usr!type unset but the event is still forwarded.
        if $!type == "opened" then {
            set $!usr!type = "logon";
        } else if $!type == "closed" then {
            set $!usr!type = "logoff";
        }
        # NOTE(review): these values are parsed out of the message text, so the
        # "received from" host is what the sender wrote, not the TCP peer.
        set $!usr!rcvdfrom = $!rcvdfrom;
        set $!usr!rcvdat = $!rcvdat;
        set $!usr!user = $!user;
        call outwriter
    }
}
/* with CSV, the reader must receive information on the
* field names via some other method (e.g. tool configuration,
* prepending of a header to the written CSV-file). All of
* this is highly dependent on the actual CSV dialect needed.
* Below, we cover the basics.
*/
# One row per event: rcvdat,rcvdfrom,user,type -- no header row is written.
# format="csv" applies CSV quoting to each value; that is what keeps
# sender-controlled strings (user names, host names) containing commas,
# quotes or line breaks from breaking the row structure. Consumers should
# still treat the column contents as untrusted input.
template(name="csv" type="list") {
property(name="$!usr!rcvdat" format="csv")
constant(value=",")
property(name="$!usr!rcvdfrom" format="csv")
constant(value=",")
property(name="$!usr!user" format="csv")
constant(value=",")
property(name="$!usr!type" format="csv")
constant(value="\n")
}
/* template for Lumberjack-style logging. Note that the extra
* LF at the end is just for writing it to file - it MUST NOT
* be included for messages intended to be sent to a remote system.
* For the latter use case, the syslog header must also be prepended,
* something we have also not done for simplicity (as we write to files).
* Note that we use a JSON-shortcut: If a tree name is specified, JSON
* for its whole subtree is generated. Thus, we only need to specify the
* $!usr top node to get everything we need.
*/
template(name="cee" type="string" string="@cee: %$!usr%\n")
/* this ruleset simulates forwarding to the final destination */
ruleset(name="outwriter"){
    # Every normalized event is written twice: once as a CSV row, once as a CEE/JSON line.
    # Both files hold authentication events and are created with omfile's default
    # permissions -- NOTE(review): check the resulting file mode (omfile's
    # fileCreateMode) before using this outside a scratch directory.
    action(type="omfile" file="/home/rger/proj/rsyslog/logfile.csv" template="csv")
    action(type="omfile" file="/home/rger/proj/rsyslog/logfile.cee" template="cee")
}
/* below is just the usual "uninteresting" stuff...
* Note that this goes into the default rule set. So
* local logging is handled "as usual" without the need
* for any extra effort.
*/
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Include all config files in /etc/rsyslog.d/
# commented out not to interfere with the system rsyslogd
# (just for this test configuration!)
#$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Everything from here on is the default ruleset: it applies to messages that
# are not bound to one of the named rulesets above (i.e. local messages).
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
# (The restriction is the file's mode on disk; rsyslog does not enforce it here.)
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
# omusrmsg:* writes to the terminal of every logged-in user.
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
/* rsyslog configuration file (for Red Hat-based systems)
* note that most of this config file uses old-style format,
* because it is well-known AND quite suitable for simple cases
* like we have with the default config. For more advanced
* things, RainerScript configuration is suggested.
*
* For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
* or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
* If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
*/
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
#module(load="immark") # provides --MARK-- message capability
# Network reception is disabled in this file: both the UDP and TCP inputs
# below are commented out, so this instance only accepts local messages.
# If either is enabled, remember that UDP syslog carries no sender
# verification at all and plain TCP carries none either -- restrict who can
# reach the port, or use TLS, before trusting what arrives on it.
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
# Every matching file is parsed with rsyslogd's privileges and can add
# inputs, actions and forwarding rules -- keep the directory and its
# contents writable by root only.
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
# (The restriction is the file's mode on disk; rsyslog does not enforce it here.)
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
# omusrmsg:* writes to the terminal of every logged-in user.
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statements between begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# NOTE: "@@" is plain TCP. "*.*" would forward everything, including
# authpriv, without transport encryption; nothing in this block
# configures TLS, so only enable it over a network you trust or add a
# TLS netstream driver first.
#*.* @@remote-host:514
# ### end of the forwarding rule ###