The Samhain Host Integrity Monitoring System
Chapter 5. Configuring samhain, the host integrity monitor
This option is available with samhain version 2.5.0 and higher. To compile with support for this option, use the configure option
./configure --enable-logfile-monitor
Note: PCRE library required
This option requires the PCRE (Perl compatible regular expressions) library. Many Linux distributions split library packages into a runtime package (required to run a dependent executable) and a development package (required to compile an executable). At least on the build host where samhain is compiled, the development package is required if you use this option.
This module enables samhain to monitor/analyze logfiles of other applications. Currently (samhain 2.5.0) the following logfile formats are supported:
Syslog
Apache (access and error log)
Samba
'pacct' BSD-style process accounting (also available on Linux)
Logfile analysis will always start from the point the last one ended; the pointer into the file is stored persistently on disk. Logfile rotation is handled automatically as long as the rotated logfile remains in the same directory and is not compressed (usually log rotation tools can be configured to compress only after the second rotation, which is advisable for unrelated reasons - the logging application may still have an open file pointer after logfile rotation).
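The two behaviours just described, resuming from a file pointer that was stored persistently and following an uncompressed rotation that stays in the same directory, can be illustrated with a small reader. The following is an added example, not samhain's own code: the ".offset" sidecar file next to the log and the inode-based rotation detection are assumptions made for this illustration, and the log contents are constructed.

```python
import json
import os
import tempfile

# Added illustration (not samhain's code) of resuming from a persisted file pointer
# and following an uncompressed rename-style rotation in the same directory.
# The ".offset" sidecar file and the inode-based rotation detection are assumptions.

def _state_path(logfile):
    return logfile + ".offset"

def load_state(logfile):
    try:
        with open(_state_path(logfile)) as f:
            return json.load(f)
    except FileNotFoundError:
        return {"inode": None, "offset": 0}

def save_state(logfile, inode, offset):
    with open(_state_path(logfile), "w") as f:
        json.dump({"inode": inode, "offset": offset}, f)

def _read_from(path, offset):
    """Return the complete lines after `offset` and the offset just past them.
    A partial trailing line (the writer is mid-record) is left for the next pass."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    cut = data.rfind(b"\n") + 1
    return data[:cut].decode("utf-8", "replace").splitlines(), offset + cut

def _find_rotated(logfile, inode):
    """Locate the renamed (rotated) file: it keeps its inode as long as it was
    only renamed, not compressed, and is still in the same directory."""
    d = os.path.dirname(logfile) or "."
    for name in os.listdir(d):
        p = os.path.join(d, name)
        if p != logfile and not name.endswith(".offset") and os.path.isfile(p) \
                and os.stat(p).st_ino == inode:
            return p
    return None

def read_new_records(logfile):
    """One monitoring pass: return the records appended since the last pass."""
    state = load_state(logfile)
    st = os.stat(logfile)
    offset, records = state["offset"], []
    if state["inode"] is not None and state["inode"] != st.st_ino:
        # Rotated: drain what the application wrote to the old file after the
        # last pass (it may still hold an open descriptor), then start the new file.
        old = _find_rotated(logfile, state["inode"])
        if old is not None:
            tail, _ = _read_from(old, offset)
            records.extend(tail)
        offset = 0
    elif offset > st.st_size:
        offset = 0   # same inode but truncated in place: start over
    new, offset = _read_from(logfile, offset)
    records.extend(new)
    save_state(logfile, st.st_ino, offset)
    return records

def demo():
    """Constructed scenario: append, partial line, rename rotation, late write by
    the old descriptor, fresh file. Returns the records seen on each of four passes."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "app.log")
    seen = []
    with open(log, "w") as f:
        f.write("a\nb\n")
    seen.append(read_new_records(log))            # ['a', 'b']
    with open(log, "a") as f:
        f.write("c\nd")                           # 'd' is still incomplete
    seen.append(read_new_records(log))            # ['c']
    os.rename(log, log + ".1")                    # logrotate-style rename
    with open(log + ".1", "a") as f:
        f.write("\n")                             # old descriptor finishes the line
    with open(log, "w") as f:
        f.write("e\n")                            # fresh logfile
    seen.append(read_new_records(log))            # ['d', 'e']
    seen.append(read_new_records(log))            # []
    return seen

if __name__ == "__main__":
    print(demo())
```

The third pass is the interesting one: the stored inode no longer matches the file at the watched path, so the reader first drains the tail of the renamed file (which it can still find because it was not compressed) and only then starts at offset 0 in the new file. Had the rotated file been compressed immediately, the record 'd' would have been lost, which is the reason the text advises compressing only after the second rotation.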
Logfile entries can be filtered with Perl-style regular expressions (filter rules). Regular expressions must match the whole logfile record. For efficiency, regular expressions can be grouped under a common regular expression, i.e. if the group expression fails to match, no RE in the group is tried. Furthermore, (groups of) regular expressions can be grouped by host, if the logfile(s) contain host information (such as host information in centralized syslog server logfiles, or virtual host information in Apache logfiles). Note that host->group->rule is supported (just as host->rule or group->rule), while group->host->rule isn't.
Each filtering rule (regular expression) is assigned to an output queue. Currently (samhain 2.5.0) queues only differ in the assigned severity of an event, but more options (per-queue mail addresses for alerts) are under development.
Filtering rules are processed in the order given in the configuration file, i.e. the first match wins.
Note: Blacklisting vs. whitelisting, and the 'trash' output queue
Output queues are labelled. The label 'trash' is reserved and refers to the trash bin (no output; log entries are thrown away if the matching rule is assigned to the 'trash' queue). If a logfile entry does not match any rule, it is reported (i.e. the default is whitelisting known-good entries). To turn this into a blacklisting policy, simply add a catch-all rule at the end and assign it to the 'trash' queue.
LogmonActive=boolean switches this module on or off.
LogmonInterval=seconds sets the interval for logfile checking.
LogmonWatch=TYPE:path[:format] advises the module to monitor the logfile with the specified path, which is of type 'TYPE' (logfile types are uppercase). Some logfile types (e.g. Apache access logs) can be customized, and hence some format information must be provided. Currently (samhain 2.5.0) the following logfile types are supported:
SYSLOG: Standard UNIX style syslog files. Matching starts at the command (i.e. after the hostname). To select certain hostnames, place the rule under a LogmonHost directive (see below). If the LogmonHidePID option is used, the RE should not account for the process PID.
APACHE: Apache (or compatible) webserver access and/or error logs. Required format information: either one of combined, common, or error (error log), or the Apache custom log format specification used. The whole log line is matched. If there are virtual hosts (%v), then the LogmonHost directive will match the virtual host.
SAMBA: Samba logfile format (multiline, timestamp and origin within samba source code on first line, log message on continuation lines). The RE will match the continuation line (with the log message) only.
PACCT: BSD style process accounting (also available on Linux). This is a binary logfile. The module will build a text line like the 'last' command does, and match it against the RE.
What is pacct good for? Note that pacct records contain only the executable name, not the arguments. This may look somewhat useless for shell accounts, but is quite useful for servers: how many different commands can e.g. postfix legitimately execute? Just a handful, indeed, and certainly none of them is /bin/sh! So if pacct says that the 'postfix' user has executed a shell, then this would be rather alarming...
LogmonHidePID=boolean is an option that only affects logfiles of type SYSLOG. It causes the PID to be stripped from the log line (before matching against the RE).
LogmonQueue=label:[interval]:(sum|report):severity defines an output queue. Here, label is an arbitrary name which is used to assign rules to this queue; interval is the timespan over which messages are summarized if the queue is of type 'sum'; sum (summarize over some interval) or report (report each event separately and immediately) are the two queue types supported, and severity is the severity assigned to an event.
LogmonHost=(perl)regex causes the following rules to be applied only to entries for the host(s) matched by this regex. It is ended implicitly by another LogmonHost directive, or explicitly by a LogmonEndHost directive.
LogmonEndHost explicitly ends a preceding LogmonHost directive.
LogmonGroup=(perl)regex causes the following rules to be applied only if the group regex matches (i.e. rules within the group are skipped if the group regex doesn't match). This can be used to improve speed/efficiency of matching. A group is ended implicitly by another LogmonGroup directive, or explicitly by a LogmonEndGroup directive.
LogmonEndGroup explicitly ends a preceding LogmonGroup directive.
LogmonRule=queue_label:(perl)regex matches a logfile entry against the provided regular expression. If the expression matches, then captured subexpressions are replaced by '___', and the logfile entry is reported as specified for the queue referenced by queue_label.
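The matching semantics spelled out above (whole-record match, first match wins, host->group->rule nesting, the reserved 'trash' queue, replacement of captured subexpressions by '___', and PID stripping for SYSLOG files) can be exercised with a small model of the directives. The following is an added example and not samhain's own code: Python's re module stands in for PCRE, the directive parser accepts the label:regex form of LogmonGroup used in the example configuration, and the configuration and syslog lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration of the Logmon matching semantics; not samhain's own code.
# Python's re module stands in for PCRE; CONFIG and LINES below are constructed.

TRASH = "trash"   # built-in queue: matching entries are discarded

@dataclass
class Rule:
    queue: str
    regex: str
    host: Optional[str]    # LogmonHost regex in force when the rule was defined
    group: Optional[str]   # LogmonGroup regex in force when the rule was defined

@dataclass
class Event:
    queue: str
    severity: str
    record: str

def load_logmon(text):
    """Parse LogmonQueue/Host/Group/Rule directives into (queues, rules)."""
    queues, rules, host, group = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "logmonqueue":             # label:interval:(sum|report):severity
            label, _interval, _kind, severity = value.split(":")
            queues[label] = severity
        elif key == "logmonhost":
            host = value
        elif key == "logmonendhost":
            host = None
        elif key == "logmongroup":           # label:regex, as in the page's example
            group = value.partition(":")[2]
        elif key == "logmonendgroup":
            group = None
        elif key == "logmonrule":            # queue_label:regex
            label, _, regex = value.partition(":")
            rules.append(Rule(label, regex, host, group))
    return queues, rules

def syslog_record(line, hide_pid=False):
    """Split 'Mon DD HH:MM:SS host command...' into (host, record); the record
    starts after the hostname, optionally with 'cmd[PID]:' reduced to 'cmd:'."""
    m = re.match(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$", line)
    if m is None:
        return None, line
    host, record = m.group(1), m.group(2)
    if hide_pid:
        record = re.sub(r"^([^\s\[:]+)\[\d+\]:", r"\1:", record)
    return host, record

def redact_captures(m):
    """Replace each captured subexpression with '___' (a group nested inside
    another is covered by the outer replacement)."""
    spans = sorted((m.span(i) for i in range(1, m.re.groups + 1) if m.start(i) >= 0),
                   key=lambda s: (s[0], -s[1]))
    kept = []
    for s, e in spans:
        if not (kept and s < kept[-1][1]):
            kept.append((s, e))
    out = m.string
    for s, e in reversed(kept):
        out = out[:s] + "___" + out[e:]
    return out

def classify(host, record, queues, rules, default_severity="warn"):
    """Apply the rules in configuration order; return an Event, or None if the
    record went to the trash queue. Unmatched records are reported (whitelisting)."""
    for rule in rules:
        if rule.host is not None and not re.fullmatch(rule.host, host or ""):
            continue                               # outside this LogmonHost block
        if rule.group is not None and not re.fullmatch(rule.group, record):
            continue                               # group regex failed: skip the rule
        m = re.fullmatch(rule.regex, record)       # the RE must match the whole record
        if m is None:
            continue
        if rule.queue == TRASH:
            return None
        return Event(rule.queue, queues[rule.queue], redact_captures(m))
    return Event("unmatched", default_severity, record)

CONFIG = r"""
[Logmon]
LogmonQueue = q1:10:report:crit
LogmonQueue = q2:10:report:alert
LogmonGroup = g1:pppd.*
LogmonRule = q1:pppd:\s+primary.*
LogmonRule = q1:pppd:\s+secondary.*
LogmonEndGroup
LogmonHost = web\d+
LogmonRule = q2:sshd:\s+Accepted publickey for (\S+) from (\S+) port \d+ ssh2
LogmonEndHost
LogmonRule = trash:cron:\s+.*
"""
LINES = [   # constructed syslog lines
    "Mar  1 10:00:01 web1 pppd[812]: primary DNS address 192.0.2.1",
    "Mar  1 10:00:02 web1 sshd[900]: Accepted publickey for alice from 198.51.100.7 port 5022 ssh2",
    "Mar  1 10:00:03 db1 sshd[901]: Accepted publickey for bob from 198.51.100.8 port 5023 ssh2",
    "Mar  1 10:00:04 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  1 10:00:05 web1 kernel: unexpected thing happened",
]

def run_demo():
    queues, rules = load_logmon(CONFIG)
    events = []
    for line in LINES:
        host, record = syslog_record(line, hide_pid=True)
        ev = classify(host, record, queues, rules)
        if ev is not None:
            events.append(ev)
    return events

if __name__ == "__main__":
    for ev in run_demo():
        print(f"[{ev.queue}/{ev.severity}] {ev.record}")
```

Walking the five constructed lines through run_demo shows each rule in action: the pppd line passes the g1 group and lands on q1; the web1 sshd login is inside the LogmonHost block, matches whole-record, and is reported on q2 with the user and source address replaced by '___'; the same login on db1 falls outside the host block and, matching no rule, is still reported (the whitelisting default); the cron line is dropped by the trash rule; the kernel line is reported as unmatched. Because matching is whole-record, a record such as 'xpppd: primary link up' does not even enter the g1 group.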
[Logmon]
#
# Switch on the module
#
LogmonActive = yes
# Check every second
#
LogmonInterval = 1
# Strip PIDs from syslog messages
#
Logmonhidepid = true
# Define a queue with severity 'crit'.
# This is a 'report' queue, hence 'interval' (10)
# will be ignored.
#
LogmonQueue = q1:10:report:crit
# Define a second queue with severity 'alert'
#
LogmonQueue = q2:10:report:alert
# Monitor /var/log/messages, which is a syslog file
#
LogmonWatch = SYSLOG:/var/log/messages
# Monitor /var/log/samba/log.nmbd, which is a samba
# logfile
#
LogmonWatch = SAMBA:/var/log/samba/log.nmbd
# Monitor /var/log/apache2/access.log, which is
# an Apache logfile in 'combined' format
#
LogmonWatch = APACHE:/var/log/apache2/access.log:combined
# Syslog messages for the pppd daemon
#
LogmonGroup = g1:pppd.*
#
# Rules in this group
#
LogmonRule = q1:pppd:\s+primary.*
LogmonRule = q1:pppd:\s+secondary.*
#
LogmonEndGroup
# Messages starting with WARNING (some samba stuff)
#
LogmonGroup = g2:WARNING.*
LogmonRule = q2:.*interfaces.*
LogmonEndGroup
# Throw away all non-matching entries. This amounts
# to a blacklist policy (only report known bad).
#
# Usually considered bad practice!!! Use whitelisting!
#
# 'trash' is a built in queue, no definition needed.
#
LogmonRule = trash:.*