Solved Syslog server

I would like to create a syslog server for my computers.
I would like to display this data via HTTP in a DMZ to the internet.
What do you recommend? Anything in ports that works?
I don't want to expose Munin to the outside. That is my internal system.
Some Arm based device with lighttpd serving syslogs is my thought.

What says ye?
 
This site called to my attention the security implications of showing the log to the WWW.
Services running on your network are exposed.
 
What I wonder is how versatile syslog-ng is.
Can it collect Linux logs too? I don't need long-term remote log storage, just display.

Is syslogd still in use? This is from 2014. Which is preferred?
 
I would like to create a syslog server for my computers.
I would like to display this data via HTTP in a DMZ to the internet.
What do you recommend? Anything in ports that works?
I don't want to expose Munin to the outside. That is my internal system.
Some Arm based device with lighttpd serving syslogs is my thought.

What says ye?
Making your logs available for everyone to see is a terrible idea!
Logs contain tons of valuable information about your system.

I'd recommend keeping it local and making it accessible via a VPN.
 
The syslogs I am really interested in displaying are associated with the Web Power Switch.
They don't contain anything harmful.

Code:
Jun 23 12:10:15 ps7[1960959]: Scripting:[0] .USER thread #1. .44 OFF 3.
Jun 23 12:10:15 ps7[1960959]: Outlet 3 [Pump 1] is turned OFF
Jun 23 15:00:15 ps7[1960959]: Scripting:[0] .USER thread #1. .47 ON 3.
Jun 23 15:00:15 ps7[1960959]: Outlet 3 [Pump 1] is turned ON
Jun 23 15:10:15 ps7[1960959]: Scripting:[0] .USER thread #1. .50 OFF 3.
Jun 23 15:10:15 ps7[1960959]: Outlet 3 [Pump 1] is turned OFF
Jun 23 15:28:06 ps7[1960959]: Successful challenge-response authentication for .admin. from 192.168.1.135
Jun 23 15:29:03 ps7[1960959]: .admin. has changed the User Defined Links
Jun 23 16:51:45 ps7[1960959]: Session for admin from 192.168.1.135 is timed out
Jun 23 16:58:21 ps7[1960959]: Successful challenge-response authentication for .admin. from 192.168.1.135
Jun 23 17:04:27 ps7[1960959]: .admin. has set the Date/Time
Jun 23 17:34:28 ps7[1960959]: Session for admin from 192.168.1.135 is timed out
Jun 23 18:00:15 ps7[1960959]: Scripting:[0] .USER thread #1. .53 ON 3.
Jun 23 18:00:15 ps7[1960959]: Outlet 3 [Pump 1] is turned ON
Jun 23 18:10:14 ps7[1960959]: Scripting:[0] .USER thread #1. .56 OFF 3.
Jun 23 18:10:14 ps7[1960959]: Outlet 3 [Pump 1] is turned OFF
Jun 23 18:17:40 ps7[1960959]: Successful challenge-response authentication for .admin. from 192.168.1.135
 
They don't contain anything harmful.
Until they do.
No but seriously, SKull makes a very valid point here. System log files can contain sensitive information - either directly or indirectly. It also wouldn't be the first time that an application (or device firmware) gets updated and then suddenly leaks information like authentication tokens into the logs.
 
In apache24 you can use htpasswd to require a user login before site access. This will add some layer of filtering even if your website requires another login itself, like webmail. It can be a simple user/password shared among your users even if they have another personal user/password for the site. This way it will remove all faulty bot logins/accesses to your site, and combining this with fail2ban you can provide reasonably good protection against brute-force password guessing.

Example:
data dir: /usr/local/www/log1/

/usr/local/etc/apache24/Include/log1.conf

Alias /log1 "/usr/local/www/log1/"

<Directory "/usr/local/www/log1">
    AllowOverride AuthConfig
    Options None
    # Two Require lines at the same level are an implicit RequireAny:
    # localhost gets in without a password, everyone else must authenticate.
    Require ip 127.0.0.1
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile "/usr/local/etc/apache24/passwords"
    Require valid-user
</Directory>

Create passwords file and add user:

htpasswd -c /usr/local/etc/apache24/passwords phishfry

To add another user to existing passwords file:

htpasswd /usr/local/etc/apache24/passwords user2
 
What I wonder is how versatile syslog-ng is.
Extremely.
Can it collect Linux logs too?
Yes, of course.

Just keep in mind that syslog is UDP and clear-text, so it is not the best way to transfer 'critical' data like system logging. Syslog-ng should support TCP and even SSL/TLS though, but FreeBSD's syslogd(8) won't. So you will need to replace it. That's actually quite easy: just stop syslogd(8) and enable syslog-ng(8); the default configuration should work fine as a drop-in replacement.
 
I was showing raw output of the Web Power Switch logs.
Using syslog-ng I should be able to refine what fields are shown.

I want to add that this is not a server that will be up daily.
It is something I would use while on a roadtrip. Maybe 10 days a year.

My feeling is that it is safer to have the logs up on a webpage than having the Web Power Switch itself on the internet. It is a black box appliance and I have no control over it. No SSH. No Telnet. Only curl and a web server.
 
My feeling is that it is safer to have the logs up on a webpage than having the Web Power Switch itself on the internet. It is a black box appliance and I have no control over it. No SSH. No Telnet. Only curl and a web server.
Then how will you teach it to send logs to a remote machine? :-/

Anyways, just make sure to restrict access to the logs. HTTP authentication, VPN have both been mentioned as options ;)
 
how will you teach it to send logs
It can't. There is just an option in the Web Power Switch HTML configuration page for a syslog IP.
So I will send Web Power Switch log to a syslog-ng machine in DMZ and parse for inet.

That is the plan for now. syslog-ng has a webserver built in so I need to explore that option.
 
Thanks everyone for your inputs. I respect your strict security posture.

I have not even set up a DMZ machine yet. So I was just trying to get opinions.

Personally it seems minor exposing a user name and network address. Obviously I misjudged.
I am sure syslog-ng can restrict output fields.

If I restricted down to log fields showing 'Outlet 1 ON' and 'Outlet 2 OFF' and times only;
Do you think I still need authentication?
 
I guess the worry here is that machine name [ps7] is exposed.

Code:
Jun 23 15:00:15 ps7[1960959]: Outlet 3 [Pump 1] is turned ON
Jun 23 15:10:15 ps7[1960959]: Scripting:[0] .USER thread #1. .50 OFF 3.
Jun 23 15:10:15 ps7[1960959]: Outlet 3 [Pump 1] is turned OFF
 
I see the hostname is the same on these boxes. Here is a second box I am using for programming.

Code:
Jun 24 00:24:14 ps7[1973671]: Scripting:[0] .USER thread #11. .13 WAIT 39.
Jun 24 00:24:24 ps7[1973671]: Scripting:[1] .USER thread #14. .14 DISPLAY 5.
Jun 24 00:24:25 ps7[1973671]: Scripting:[1] .USER thread #14. .15 OFF 1.
Jun 24 00:24:25 ps7[1973671]: Outlet 1 [Outlet 1] is turned OFF
Jun 24 00:24:25 ps7[1973671]: Scripting:[1] .USER thread #14. .16 END.
So it seems hostname=ps7 and [1973671] is a unit identifier or serial number.
 
IMHO, filtering isn't the best approach. On the one hand, the filter might miss something (that's e.g. added later and you don't notice it). On the other hand, an admin should see unfiltered logs for the best chance to analyze things. Restricting who can see logs is a better match I'd say...
 
Thanks everyone for your inputs. I respect your strict security posture.

I have not even set up a DMZ machine yet. So I was just trying to get opinions.

Personally it seems minor exposing a user name and network address. Obviously I misjudged.
I am sure syslog-ng can restrict output fields.

If I restricted down to log fields showing 'Outlet 1 ON' and 'Outlet 2 OFF' and times only;
Do you think I still need authentication?
I think the point is, why would anybody except you (or your designated coworkers) need to see this data?

It's simple enough to set up basic auth, so why not?
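As an added example that is not part of the thread or of syslog-ng itself, here is the "outlet state and time only" filter discussed above, written in Python as an allow-list over lines in the format the Web Power Switch posts: only "Outlet N [...] is turned ON/OFF" events are published, stripped of hostname, unit id and outlet label, and every other line (auth events, admin actions, script traces, and any message type a later firmware update might add) is withheld for the admin rather than passed through. The sample lines are constructed from the format shown in the thread.

```python
import re

# Constructed sample, in the Web Power Switch syslog format shown in the thread.
SAMPLE_LOG = """\
Jun 23 15:00:15 ps7[1960959]: Scripting:[0] .USER thread #1. .47 ON 3.
Jun 23 15:00:15 ps7[1960959]: Outlet 3 [Pump 1] is turned ON
Jun 23 15:28:06 ps7[1960959]: Successful challenge-response authentication for .admin. from 192.168.1.135
Jun 23 15:29:03 ps7[1960959]: .admin. has changed the User Defined Links
Jun 24 00:24:25 ps7[1973671]: Outlet 1 [Outlet 1] is turned OFF
Jun 24 00:24:25 ps7[1973671]: Scripting:[1] .USER thread #14. .16 END.
"""

# Envelope: "<Mon DD HH:MM:SS> <host>[<unit>]: <message>"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+?)\[(?P<unit>\d+)\]: (?P<msg>.*)$"
)
# The only message type on the allow-list.
OUTLET_EVENT = re.compile(r"^Outlet (?P<n>\d+) \[[^\]]*\] is turned (?P<state>ON|OFF)$")

# Tokens that must never appear in the public view: IPv4 addresses, the
# admin account name, and the bracketed unit id.
PRIVATE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|admin|\[\d+\]")


def filter_log(raw_log):
    """Split raw syslog text into (published, withheld).

    published: 'timestamp outlet N STATE' strings for the public page.
    withheld:  every other raw line, unchanged, for the admin's own view.
    A line that does not parse or is not on the allow-list is withheld,
    so the filter fails closed when the device starts logging something new.
    """
    published, withheld = [], []
    for line in raw_log.splitlines():
        m = SYSLOG_LINE.match(line)
        e = OUTLET_EVENT.match(m["msg"]) if m else None
        if e is None:
            withheld.append(line)
        else:
            published.append(f"{m['ts']} outlet {e['n']} {e['state']}")
    return published, withheld


def leaks(lines):
    """Independent second check: published lines that still carry a private token."""
    return [line for line in lines if PRIVATE.search(line)]


if __name__ == "__main__":
    public, private = filter_log(SAMPLE_LOG)
    print("\n".join(public))
    print(f"withheld {len(private)} line(s); leaks in public view: {leaks(public)}")
```

Run it against the device's real syslog output before publishing anything and confirm `leaks()` returns an empty list for the public half.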
 
I have syslog-ng collecting from many sources now. This is going to complement munin nicely.

I have decided to keep it on the local net for now and work out what I really want for a web interface.
 