Sending web logs to Computer Security

Sending our web logs to lab Computer Security is a Good Thing, because then they can do intrusion detection, analysis, etc. on them.

This is done in two steps:

  1. sending web logs to syslog
  2. sending syslog data to security
We'll discuss both of these, below.

Sending our web logs to syslog

We can send our web logs to syslog by putting a pipe-to-command entry in the webserver's log directives. We'll also keep saving the logs to disk as usual, so that we can still run our log-processing commands, etc. This means we take entries like:
ErrorLog "/var/log/www/error.log"
CustomLog "/var/log/www/access.log" extended_ncsa
(assuming our logs go in /var/log/www) and replace them with:
ErrorLog  "|/bin/sh -c '/usr/bin/tee -a /var/log/www/error.log  | /usr/bin/logger -thttpd -plocal6.err'"
CustomLog "|/bin/sh -c '/usr/bin/tee -a /var/log/www/access.log | /usr/bin/logger -thttpd -plocal6.notice'" extended_ncsa
for apache 2.0.x or
ErrorLog  "|/usr/bin/tee -a /var/log/www/error.log  | /usr/bin/logger -thttpd -plocal6.err"
CustomLog "|/usr/bin/tee -a /var/log/www/access.log | /usr/bin/logger -thttpd -plocal6.notice" extended_ncsa
for apache 2.2.x.

This uses the Unix "tee" utility to keep writing the log file where it was being written, while also piping each entry on to "logger" (the command-line utility that submits messages to syslog). The -t option tags the syslog messages as httpd, and -p sets the facility and priority (local6.err for the error log, local6.notice for the access log); the local6 facility is what the syslog configuration below keys on.

Log Format

Some installations of Apache will not define the extended_ncsa log format. The result is that nothing will be logged by Apache.
If this is the case for your installation, you can instead use the combined format, which is typically defined in default Apache installations.

In the above example for apache 2.2.x, this would change the configuration entry for your access log to look like the following:

CustomLog "|/usr/bin/tee -a /var/log/www/access.log | /usr/bin/logger -thttpd -plocal6.notice" combined

Sending syslog data to CST

The syslog config file needs to be modified to handle these messages appropriately. There are two changes you probably want to make here:
  1. Don't log web messages to /var/adm/messages
  2. Send all syslog stuff to CST via clogger.fnal.gov
This generally means editing your /etc/syslog.conf and changing:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

to
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local6.none     /var/log/messages

# send anything remotely interesting to clogger
# for intrusion detection, etc.
*.info							 @clogger.fnal.gov

Adding "local6.none" to the /var/log/messages line keeps the webserver messages out of your /var/log/messages (since they're already being written to the web log area...).

Adding the @clogger.fnal.gov line forwards everything of level info or higher to clogger.fnal.gov.
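To confirm that both syslog.conf edits actually took, here is a small checker added as an example (it is not part of the original page or of any Fermilab tooling). It parses the selector/action lines of a syslog.conf fragment and reports whether local6 is kept out of /var/log/messages and whether *.info is forwarded to clogger.fnal.gov; the before/after fragments are constructed from the snippets above, and the parser assumes the classic ";"-separated facility.priority selector syntax only.

```python
# Constructed samples: the relevant /etc/syslog.conf lines before and after the edit.
BEFORE = """\
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
"""

AFTER = """\
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local6.none     /var/log/messages

# send anything remotely interesting to clogger
# for intrusion detection, etc.
*.info\t\t\t@clogger.fnal.gov
"""


def parse_syslog_conf(text):
    """Return [(selectors, action)], where selectors is a list of (facility, priority).
    Simplification: only ';'-separated facility.priority selectors are understood
    (no ',' facility lists, no '=' / '!' priority modifiers)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)                 # selector list, then the action
        if len(fields) != 2:
            continue
        selectors = [tuple(item.partition(".")[::2]) for item in fields[0].split(";")]
        rules.append((selectors, fields[1].strip()))
    return rules


def local6_excluded_from(rules, path="/var/log/messages"):
    """True if no rule writing to `path` still routes the local6 (web log) facility there."""
    for selectors, action in rules:
        if action != path:
            continue
        facilities = {fac for fac, pri in selectors if pri != "none"}
        if ("*" in facilities or "local6" in facilities) and ("local6", "none") not in selectors:
            return False
    return True


def forwards_to(rules, host):
    """True if some rule sends a real (non-'none') selection to the remote host."""
    return any(action == "@" + host and any(pri != "none" for _, pri in selectors)
               for selectors, action in rules)


def check_syslog_conf(text, host="clogger.fnal.gov"):
    """Summarise the two edits the page asks for as a dict of booleans."""
    rules = parse_syslog_conf(text)
    return {"local6_excluded": local6_excluded_from(rules), "forwarded": forwards_to(rules, host)}
```

Run it against the real file with `check_syslog_conf(open("/etc/syslog.conf").read())`; both values should come back True once the edits are in place.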