Send strace output through syslog-ng

Good afternoon.

I have a honeypot with syslog-ng running. I configured it so that it can send all the log files to a remote web server. (So that means I have already configured syslog-ng on this web server too.) Anyway, it works great.

Then, on my honeypot, I have a strace command attached to my ssh server. It gathers strace outputs in a strace.log file. Here is the command:

strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &

Now, I would like to send the strace output (/var/log/strace.log) to my server through syslog-ng. So, on my honeypot, I added the following in my syslog-ng.conf in the source section:

file("/var/log/strace.log");

However, now, on the server side, I do not know how to configure syslog-ng in order to retrieve this strace output only. Is there a special filter for strace in syslog-ng? (Usually, for example, I am using "filter { facility(auth); };" to filter auth.log, so is there something similar for strace?)

Regards,
BB
Re: Send strace output through syslog-ng

Hey man,

On Tue, 2009-08-04 at 12:38 -0700, BB@umd wrote:
> Then, on my honeypot, I have a strace command attached to my ssh server. It
> gathers strace outputs in a strace.log file. Here is this command :
> strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &
>
> Now, I would like to send the strace output (/var/log/strace.log) to my
> server through syslog-ng.

What about something like:

tail -f /var/log/strace.log | logger -p <facility> &

> However, now, on the server side, I do not know how to configure syslog-ng
> in order to retrieve this strace output only.

In the above command you need to specify an unused facility. Then on the server simply tell syslog-ng which file it should use for storing log entries with the above specified facility (this can be a new unique file).

You are supposed to use one of the "local use" facilities for stuff like this, but I run into conflicts far too often. Instead I like to use the facilities "news", "uucp" or similar that I know will never get run on my network. Potential conflict solved. ;-)

HTH,
C
---
www.chrisbrenton.org
Re: Send strace output through syslog-ng

Hi,

First of all, there is no filter for strace. My first idea for your problem was to open a new port on the server just for strace, but it's understandable if you don't want to do it. Also the idea of Chris sounds good as well if you don't use the facility field generally.

But a third solution that I've found is the following: you should create a separate log path for the strace output which reads the logs from the file and replaces the PROGRAM field of the log message with the 'strace' string. That is why you need the separate log path, to make sure that only the strace output gets the 'strace' string. And then you can send these messages to your server where you can filter the logs by the PROGRAM field. For this you will need something like this in your config:

=Client=

# Sets the PROGRAM field to 'strace'
rewrite r_rewrite_set { set("strace", value("PROGRAM")); };

# Source to read from file
source s_strace { file("/var/log/strace.log"); };

# Destination to your server
destination d_tcp { tcp("127.0.0.1" port(1999)); };

# Logpath to read the file, set the program name and send it to the server
log { source(s_strace); rewrite(r_rewrite_set); destination(d_tcp); };

= Server =

# Filter for the messages generated by strace
filter strace_filter { match("strace" value("PROGRAM")); };

# Template to see the PROGRAM field
template t_filetemplate {
    template("$ISODATE $HOST $PROGRAM $MSG\n");
    template_escape(no);
};

# This one just opens a port
source s_net { tcp(ip(127.0.0.1) port(1999) max-connections(10)); };

# Destination to write messages to file
destination d_strace { file("/var/log/test" template(t_filetemplate)); };

# Logpath for filtering the strace messages out
log { source(s_net); filter(strace_filter); destination(d_strace); };

I would also like to warn you: use tcp() as I did instead of syslog(), because there might be a bug in sending the APP-NAME field through the network.

Also, if you don't have it, you should download the admin guide, which is really handy: http://www.balabit.hu/dl/guides/syslog-ng-v3.0-guide-admin-en.pdf

I hope I could help. Good luck :)

Geri

2009/8/4 BB@umd <bbenard@...>:
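The two routing approaches from Chris's and Geri's replies, modelled end to end as an added example (this is not code from the thread or from syslog-ng itself): the client tags each strace line either with a spare facility such as "news" or with PROGRAM set to "strace", sends it over TCP, and the collector parses the BSD-syslog line into the same fields syslog-ng exposes as macros and applies both filters. The hostname "honeypot", the choice of "news" as the spare facility, the use of an ephemeral loopback port instead of 1999, and the strace and sshd sample lines are all constructed assumptions for the demo.

```python
"""Added example (not from the thread): Chris's facility-based routing and
Geri's PROGRAM-based routing for the honeypot's strace output, run end to
end over loopback TCP. Hostname, facility, port and sample lines are
assumptions made for this demo.
"""
import re
import socket
import threading

# RFC 3164 facility / severity codes, as used by logger(1) and syslog-ng.
FACILITIES = {"auth": 4, "news": 7, "uucp": 8, "local0": 16}
SEVERITIES = {"info": 6}

# Constructed sample input in the shape `strace -f -o` writes for sshd:
# "<pid> <syscall>(<args>) = <result>".
STRACE_LINES = [
    '12345 accept(3, {sa_family=AF_INET, sin_port=htons(51234)}, [16]) = 4',
    '12346 execve("/bin/sh", ["sh"], [/* 12 vars */]) = 0',
    '12346 read(0, "id\\n", 4096) = 3',
]
# One ordinary auth message on the same channel, to show the filters exclude it.
SSHD_LINE = "Accepted password for guest from 10.0.0.9 port 51234 ssh2"


def encode(facility, severity, host, program, msg, stamp="Aug  4 12:38:00"):
    """Build one BSD-syslog line, as `logger -p facility.severity -t program` would."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{stamp} {host} {program}: {msg}"


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)


def decode(line):
    """Parse a BSD-syslog line into the fields syslog-ng exposes as macros."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"FACILITY": pri // 8, "PRIORITY": pri % 8, "HOST": m["host"],
            "PROGRAM": m["program"], "MSG": m["msg"]}


def filter_by_facility(records, facility):
    """Chris's server side: keep only messages carrying the chosen spare facility."""
    return [r for r in records if r["FACILITY"] == FACILITIES[facility]]


def filter_by_program(records, program="strace"):
    """Geri's server side: the equivalent of match("strace" value("PROGRAM"))."""
    return [r for r in records if r["PROGRAM"] == program]


def build_client_stream(host="honeypot", facility="news"):
    """Client side: strace lines tagged PROGRAM=strace on the spare facility,
    plus one unrelated sshd auth message sharing the connection."""
    lines = [encode(facility, "info", host, "strace", m) for m in STRACE_LINES]
    lines.append(encode("auth", "info", host, "sshd", SSHD_LINE))
    return lines


def run_exchange(host="honeypot", facility="news"):
    """Send the client stream to a loopback collector and return what it parsed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port; Geri's config uses 1999
    listener.listen(1)
    received = []

    def collector():
        conn, _ = listener.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # client closed its side: end of stream
                    break
                buf += chunk
        received.extend(r for r in map(decode, buf.decode().splitlines()) if r)

    t = threading.Thread(target=collector)
    t.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(("\n".join(build_client_stream(host, facility)) + "\n").encode())
    t.join()
    listener.close()
    return received


if __name__ == "__main__":
    for r in filter_by_program(run_exchange()):
        print(f"{r['HOST']} {r['PROGRAM']} {r['MSG']}")
```

Both filters pick out the same three strace records and drop the sshd line, which is the property the original question is after; the facility route works only as long as nothing else on the network ever emits that facility, which is the conflict Chris mentions, whereas the PROGRAM route keeps the strace lines distinguishable even when they share a facility with other traffic.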
Re: Send strace output through syslog-ng

Well, I did not think about this, but it seems to be a great idea. Thanks a lot.

However, I decided to open a new port and to send syslog data through it so that it is really easy to administrate. It works great.

Thanks for your help,
Regards,