[rsyslog-notify] Forum Thread: Re: from host exclusion - (Mode 'reply')
noreply at adiscon.com
Thu Oct 2 13:41:49 CEST 2014
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24971#p24971
Message:
----------
Ok, so you do not want to suppress logs being sent to you from the machine
at 192.168.200.111 but rather ssh logs that are generated by the local
machine related to connections from 192.168.200.111. fromhost-ip is the IP
address of the machine that sent the log to you. If the log is generated
locally, then fromhost-ip is 127.0.0.1.
What you're trying to do is MUCH harder.
You can easily suppress the first and last of the logs
> chicago sshd[8575]: Invalid user toto from 192.168.200.111
and
> sshd[8575]: Failed password for invalid user toto from 192.168.200.111
port 37998 ssh2
because they include the IP address, so you can create regex matches for
"sshd.*from 192.168.200.111" and throw away all those logs
you can also filter out
> chicago sshd[8575]: pam_unix(sshd:auth): authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=inflin01.xxx.int
by looking for rhost=inflin01.xxx.int and throwing away anything that
matches it
but in both cases you run the risk of matching other logs that you don't
intend to throw away, so I would strongly suggest writing them to another
file first, at least for a while, so that you can check and see if any
other logs get caught.
But the other logs are much harder to deal with because they don't include
any information about what IP they are from. You end up having to infer
that they are related to that IP address based on their connection and PID.
This is the sort of thing that's easy for people to do and hard for
computers to do.
First off, it's possible for logs to get out of order, which makes analysis
of them _really_ hard
Secondly, you have multiple PIDs involved here, so you can't even match the
first message and try to throw away all logs with that PID (and it's not
clear if that PID is reused soon anyway, it could be)
You would have to have a program parse all the sshd log messages, notice
the first one has that IP address, and then look for the other logs that
are related to the userid of the first one. Since that userid is provided
by the remote, untrusted system, you have to be careful how you use it
because it could be a malicious string to fool your system into throwing
away other logs that you care about.
I would actually just let the logs get written and work on a tool that
would ignore these logs when you want to look at the output.
In rsyslog, it would be very hard to filter these. I think it could be done
with the global variables in 8.x, but it would be very messy. I would
probably look at writing a message modification module to detect and modify
these logs to something that would be easy to filter.
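As an added example (not code from the thread, from dlang, or from rsyslog), here is the kind of post-hoc tool the reply above suggests, written in Python: it reads sshd lines, drops the ones that name the IP or the rhost directly, correlates the rest by PID and by the reported username, and returns the dropped lines separately so they can be reviewed the way the reply recommends (write them somewhere else first and check what got caught). It uses two passes so out-of-order lines are still caught, a time window so a reused PID later in the day is not swept up, and re.escape on the username because that string comes from the untrusted remote client. The log lines are constructed for this example; the hostname chicago, PID 8575, user toto, the IP 192.168.200.111 and rhost inflin01.xxx.int mirror the thread, while PIDs 8576 and 8580, users bob and alice, the other IPs and the 30-second window are assumptions.

```python
"""Drop sshd log lines related to one remote host, with the dropped lines
kept for review. Added example; not from the thread, dlang, or rsyslog."""
import re
from datetime import datetime

# Constructed sample log. One attempt from the unwanted host (PID 8575, a
# privsep child assumed as 8576) is interleaved with an unrelated login
# (PID 8580) that must be kept, and PID 8575 is reused 90 minutes later.
SAMPLE_LOG = """\
Oct  2 13:40:01 chicago sshd[8575]: Invalid user toto from 192.168.200.111
Oct  2 13:40:01 chicago sshd[8576]: input_userauth_request: invalid user toto [preauth]
Oct  2 13:40:02 chicago sshd[8580]: Accepted publickey for bob from 10.0.0.5 port 41000 ssh2
Oct  2 13:40:02 chicago sshd[8575]: pam_unix(sshd:auth): check pass; user unknown
Oct  2 13:40:02 chicago sshd[8575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=inflin01.xxx.int
Oct  2 13:40:03 chicago sshd[8575]: Failed password for invalid user toto from 192.168.200.111 port 37998 ssh2
Oct  2 13:40:03 chicago sshd[8575]: Received disconnect from 192.168.200.111: 11: Bye Bye [preauth]
Oct  2 13:40:04 chicago sshd[8580]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Oct  2 15:10:00 chicago sshd[8575]: Accepted password for alice from 10.0.0.7 port 5000 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
INVALID_USER_RE = re.compile(r"^Invalid user (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, pid, message) for an sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # No year in the timestamp; strptime defaults to 1900, fine for deltas.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def user_pattern(user):
    """Regex for 'user <name>' as a whole token. The name is chosen by the
    remote client: without re.escape a name such as '.*' would turn this
    into a filter that drops every line mentioning any user."""
    return re.compile(r"\buser " + re.escape(user) + r"(?=\s|$)")


def direct_match(msg, ip, rhost):
    """The easy cases: the message itself names the IP or the rhost."""
    from_ip = re.search(r"\bfrom " + re.escape(ip) + r"(?=[\s:]|$)", msg)
    return bool(from_ip) or ("rhost=" + rhost) in msg.split()


def filter_sshd(log, ip, rhost, window_s=30):
    """Return (kept, dropped). Two passes, so line order does not matter."""
    lines = log.splitlines()
    parsed = [parse(line) for line in lines]

    # Pass 1: direct matches reveal which PIDs and usernames to correlate on.
    tainted = {}   # pid -> timestamps of its direct matches
    user_res = []
    for rec in parsed:
        if rec and direct_match(rec[2], ip, rhost):
            tainted.setdefault(rec[1], []).append(rec[0])
            m = INVALID_USER_RE.match(rec[2])
            if m:
                user_res.append(user_pattern(m.group(1)))

    # Pass 2: drop direct matches, lines on a tainted PID within the window
    # (PIDs get reused), and lines naming the reported user on any PID.
    kept, dropped = [], []
    for line, rec in zip(lines, parsed):
        if rec is None:
            kept.append(line)   # not an sshd line: never touched
            continue
        ts, pid, msg = rec
        near_pid = any(abs((ts - t0).total_seconds()) <= window_s
                       for t0 in tainted.get(pid, ()))
        by_user = any(r.search(msg) for r in user_res)
        target = dropped if direct_match(msg, ip, rhost) or near_pid or by_user else kept
        target.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_sshd(SAMPLE_LOG, "192.168.200.111", "inflin01.xxx.int")
    print("--- dropped (review these before trusting the filter) ---")
    print("\n".join(dropped))
    print("--- kept ---")
    print("\n".join(kept))
```

The username correlation is the part most likely to over-match: a later failed login for the same username from a different host would be dropped too, which is exactly why the dropped lines are returned rather than discarded.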