This shows the differences between two versions of the page.
Next revision | Previous revision | ||
admin_grundlagen:logging [2011/03/13 13:37] 127.0.0.1 external edit |
admin_grundlagen:logging [2018/07/05 14:23] (current) ingo_wichmann [Log Analyse Software] |
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Gängige Befehle ===== | ||
+ | ls -lrt /var/log | ||
+ | tail -F /var/log/messages | ||
+ | less /var/log/messages | ||
+ | grep Testmeldung /var/log/* | ||
+ | |||
+ | Falls vorhanden: | ||
+ | multitail /var/log/messages | ||
====== syslog ====== | ====== syslog ====== | ||
- | Beispiel: Logdaten von einem Rechner auf den nächsten übertragen | + | siehe [[syslog]] |
- | ===== Zielrechner: ===== | + | ====== logrotate ====== |
- | Zielrechner netzwerkfähig machen: | + | siehe [[logrotate]] |
- | ''/etc/sysconfig/syslog'' : ( Centos 5 ) | + | ====== logs auswerten ====== |
- | <file> | + | Debian: |
- | SYSLOGD_OPTIONS="-m 0 -r" | + | logcheck |
- | </file> | + | |
- | ''/etc/sysconfig/syslog'': ( openSuSE 11.1 ) | + | openSuSE (13.1): |
- | <code bash> | + | logdigest |
- | SYSLOGD_PARAMS="-r" | + | logwatch |
- | </code> | + | |
- | ''/etc/default/syslogd'': ( debian 4.0 ) | + | CentOS (ab 5): |
- | <code bash> | + | logwatch |
- | SYSLOGD="-r" | + | |
- | </code> | + | |
- | + | ||
- | Passende Nachrichten in Datei '/var/log/beispiel' schreiben: | + | |
- | ''/etc/syslog.conf'' : | + | ==== Log Analyse Software ==== |
+ | * http://logstash.net/ | ||
+ | * https://www.graylog.org/ | ||
+ | * https://www.fluentd.org/ | ||
+ | * http://loganalyzer.adiscon.com | ||
+ | * http://www.uberadmin.com/Projects/logtemplater/ | ||
+ | * http://www.splunk.com ( proprietär ) | ||
+ | * http://www.octopussy.pm | ||
+ | (( Für Centos 6 benötigte Perl-Pakete: | ||
<file> | <file> | ||
- | local5.info -/var/log/beispiel | + | perl-Apache-ASP |
+ | perl-App-Info | ||
+ | perl-Cache-Cache | ||
+ | perl-Crypt-PasswdMD5 | ||
+ | perl-Date-Manip | ||
+ | perl-JSON | ||
+ | perl-List-MoreUtils | ||
+ | perl-Locale-Maketext-Lexicon | ||
+ | perl-Locale-Maketext-Simple | ||
+ | perl-Mail-Sender | ||
+ | perl-LDAP | ||
+ | perl-Net-SCP | ||
+ | perl-Net-Telnet | ||
+ | perl-Net-XMPP | ||
+ | perl-Proc-PID_File | ||
+ | perl-Proc-ProcessTable | ||
+ | perl-Readonly | ||
+ | perl-Regexp-Assemble | ||
+ | perl-Term-ProgressBar | ||
+ | perl-Unix-Syslog | ||
+ | perl-URI | ||
+ | perl-version | ||
+ | perl-XML-Simple | ||
</file> | </file> | ||
- | Syslog neu starten: | + | xargs yum install -y |
- | /etc/init.d/sysklogd restart | + | |
- | ===== Absender-Rechner: ===== | + | while Schleife: |
- | /etc/syslog.conf: | + | cat datei | while read line; do yum install -y $line; done |
- | local5.info @zielrechner | + | )) |
- | + | ||
- | Syslog neu einlesen: | + | |
- | /etc/init.d/sysklogd restart | + | |
- | + | ||
- | Testen: Meldung abschicken: | + | |
- | logger -p local5.info "Testmeldung" | + | |
- | + | ||
- | ====== rsyslog ====== | + | |
- | Beispiel: Logdaten von einem Rechner auf den nächsten übertragen | + | |
- | + | ||
- | + | ||
- | ===== Zielrechner: ===== | + | |
- | Zielrechner netzwerkfähig machen: | + | |
- | Passende Nachrichten in Datei '/var/log/beispiel' schreiben: | + | |
- | + | ||
- | === Debian === | + | |
- | ''/etc/rsyslog.conf'': ( debian 5.0 ) | + | |
- | <file> | + | |
- | $ModLoad imudp | + | |
- | $UDPServerRun 514 | + | |
- | local5.info -/var/log/beispiel | + | |
- | </file> | + | |
- | + | ||
- | Syslog neu starten: | + | |
- | /etc/init.d/rsyslog restart | + | |
- | + | ||
- | === SuSE === | + | |
- | ''/etc/rsyslog.d/remote.conf'': ( sles 11 SP 1 ) | + | |
- | <file> | + | |
- | $ModLoad imudp | + | |
- | $UDPServerRun 514 | + | |
- | </file> | + | |
- | ''/etc/rsyslog.conf'': ( debian 5.0 ) | + | |
- | + | ||
- | <file> | + | |
- | local5.info -/var/log/beispiel | + | |
- | </file> | + | |
- | + | ||
- | Syslog neu starten: | + | |
- | /etc/init.d/syslog restart | + | |
- | + | ||
- | ===== Absender-Rechner: ===== | + | |
- | /etc/rsyslog.conf: | + | |
- | local5.info @zielrechner | + | |
- | + | ||
- | Syslog neu einlesen: | + | |
- | /etc/init.d/rsyslog restart | + | |
- | + | ||
- | Testen: Meldung abschicken: | + | |
- | logger -p local5.info "Testmeldung" | + | |
- | + | ||
- | ====== syslog-ng ====== | + | |
- | Beispiel: Eine eigene log-Regel schreiben: | + | |
- | + | ||
- | ''/etc/syslog-ng/syslog-ng.conf.in'': (SuSE bis 10.1) | + | |
- | + | ||
- | ''/etc/syslog-ng/syslog-ng.conf'': (SuSE ab 10.2) | + | |
- | <file> | + | |
- | filter f_ingo { | + | |
- | level(warn) and program(logger); | + | |
- | }; | + | |
- | destination ingo_log { | + | |
- | file("/var/log/ingo.log"); | + | |
- | }; | + | |
- | log { | + | |
- | source(src); | + | |
- | filter(f_ingo); | + | |
- | destination(ingo_log); | + | |
- | }; | + | |
- | </file> | + | |
- | Configdatei überprüfen: | + | |
- | syslog-ng -s | + | |
- | + | ||
- | Dienst neu starten und evtl. SuSEconfig glücklich machen | + | |
- | /sbin/conf.d/SuSEconfig.syslog-ng | + | |
- | /etc/init.d/syslog restart | + | |
- | + | ||
- | Testen: | + | |
- | logger -p local1.warn -t logger "Dies ist eine Testmeldung" | + | |
- | + | ||
- | Beispiel: Logdaten von einem Rechner auf den nächsten übertragen | + | |
- | + | ||
- | ===== Zielrechner: ===== | + | |
- | Zielrechner netzwerkfähig machen : | + | |
- | + | ||
- | ''/etc/syslog-ng/syslog-ng.conf.in'': (SuSE bis 10.1) | + | |
- | + | ||
- | ''/etc/syslog-ng/syslog-ng.conf'': (SuSE ab 10.2) | + | |
- | + | ||
- | <file> | + | |
- | source src{ | + | |
- | + | ||
- | ... | + | |
- | + | ||
- | udp(ip("0.0.0.0") port(514)); | + | |
- | + | ||
- | }; | + | |
- | </file> | + | |
- | + | ||
- | Meldungen bestimmter Log-Facilities und Log-Priorities werden durch Filter und Destination definiert | + | |
- | + | ||
- | <file> | + | |
- | filter f_local5 { | + | |
- | level(info) and facility(local5); | + | |
- | }; | + | |
- | + | ||
- | destination d_local5 { | + | |
- | file("/var/log/beispiel"); | + | |
- | }; | + | |
- | + | ||
- | log { | + | |
- | source(src) ; | + | |
- | filter(f_local5) ; | + | |
- | destination(d_local5); | + | |
- | }; | + | |
- | </file> | + | |
- | + | ||
- | Danach ''SuSEconfig'' oder ''/sbin/conf.d/SuSEconfig.syslog-ng'' aufrufen um die Änderungen permanent zu übertragen und syslog-ng reloaden. | + | |
- | + | ||
- | rcsyslog reload | + | |
- | + | ||
- | ===== Absender-Rechner ===== | + | |
- | ''/etc/syslog-ng/syslog-ng.conf.in'': (SuSE bis 10.1) | + | |
- | + | ||
- | ''/etc/syslog-ng/syslog-ng.conf'': (SuSE ab 10.2) | + | |
- | + | ||
- | <file> | + | |
- | destination d_ziel { udp( "Zielrechner" port(514) ); }; | + | |
- | + | ||
- | log { source(src); destination(d_ziel); }; | + | |
- | </file> | + | |
- | + | ||
- | ''SuSEconfig'' aufrufen zum Ändern der Konfigdatei und syslog reloaden | + | |
- | + | ||
- | rcsyslog reload | + | |
+ | ==== Log Analyse Konzepte ==== | ||
+ | * Artificial Ignorance [[http://www.ranum.com/security/computer_security/papers/ai/index.html]] | ||
====== User Logging ====== | ====== User Logging ====== | ||
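Review bot: the rsyslog and syslog-ng sections (remote logging with `$ModLoad imudp` / `$UDPServerRun 514` and the `udp(ip("0.0.0.0") port(514))` source) are deleted, but the only replacement is `siehe [[syslog]]` under the syslog heading; confirm that the [[syslog]] page actually carries the rsyslog and syslog-ng receiver/sender examples, or add `siehe [[rsyslog]]` / `siehe [[syslog-ng]]` lines, otherwise the documentation of the network listener configuration is lost. Two smaller points in the same hunk: the new heading `====== Gängige Befehle =====` has six `=` on the left and five on the right, and DokuWiki derives the heading level from the marker count, so use `======` on both sides like `====== syslog ======`; and the footnote `(( Für Centos 6 benötigte Perl-Pakete: ... ))` opens on its own line after the list, so it is attached to no list item, while the install hint inside it, `xargs yum install -y`, names no input. Put the hint as normal text under the octopussy entry and give it its input, e.g. `xargs yum install -y < datei`, matching the `cat datei | while read line; do yum install -y $line; done` variant next to it.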
Line 192: | Line 90: | ||
</code> | </code> | ||
- | ====== logrotate ====== | ||
- | siehe [[logrotate]] | ||
- | ====== logs auswerten ====== | ||
- | Debian: | ||
- | logcheck | ||
- | |||
- | SuSE: | ||
- | logdigest | ||
- | logwatch | ||
- | |||
- | CentOS 5: | ||
- | logwatch | ||
- | |||
- | ====== Doku ====== | ||
- | * Level: | ||
- | ''debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)'' | ||
- | * Facility: | ||
- | ''auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7'' | ||
- | |||
- | ====== Links ====== | ||
- | |||
- | ===== Allgemein ===== | ||
- | * http://www.loganalysis.org/ | ||
- | * Tools: http://www.splunk.com ( proprietär ) | ||
- | |||
- | |||
- | ===== Syslog ===== | ||
- | * http://de.linwiki.org/wiki/Linuxfibel_-_System-Administration_-_Protokollierung | ||
- | |||
- | ===== Syslog-NG ===== | ||
- | * http://www.linux-magazin.de/Artikel/ausgabe/2003/11/tagebuch/tagebuch.html | ||
- | * http://www.wikidorf.de/reintechnisch/Inhalt/SyslogNGEinfuehrung | ||
- | * http://www.balabit.com/products/syslog_ng/reference-1.6/syslog-ng.html/book1.html | ||
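Review bot: the removed "Doku" section is the only place on the page that lists the syslog levels (`debug, info, notice, warning, ...`) and facilities (`auth, authpriv, cron, ... local0 through local7`), and nothing added in the first hunk replaces it, although the page's `logger -p local5.info` and filter examples depend on exactly those names; either keep that section or verify that the [[syslog]] page now documents them. The "logrotate" and "logs auswerten" sections removed here only move up (they reappear in the first hunk with the version labels updated to `openSuSE (13.1)` and `CentOS (ab 5)`), and the splunk link from the removed "Links" section is kept under "Log Analyse Software", so the rest of the removal is a pure relocation.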