D1.1 to D1.4: Data rerouter for the online capture of multi-source data (from AVs, HIDS, NIDS, ...) into a unified LTTng trace
Rsyslog + Snort CTF experiment
==============================
This document guides you through using LTTng-UST to gather a trace from an application
that generates syslog entries, such as Snort, without modifying the original application.
Requirements
============
- LTTng-UST (including the LD_PRELOAD "fd protection" patch if you intend to run rsyslog as a daemon)
- LTTng-tools, for trace control
- The omlttngust output module for rsyslog (available as an rsyslog patch)
- rsyslog
- A syslog-writing application (we use Snort as an example)
LTTng-UST
=========
You'll need the fd protection patch to run rsyslog as a daemon.
It's available from the mailing list:
http://lists.lttng.org/pipermail/lttng-dev/2013-October/021533.html
Or as a git branch (the fd branch):
http://git.dorsal.polymtl.ca/~ybrosseau?p=lttng-ust.git;a=shortlog;h=ref...
git clone -b fdprotection git://git.dorsal.polymtl.ca/~ybrosseau/lttng-ust.git
Once you have that, you can launch the daemon with the following LD_PRELOAD environment variable (the escaped space separates the two library paths):
LD_PRELOAD=/usr/local/lib/liblttng-ust-fork.so\ /usr/local/lib/liblttng-ust-fd.so
(You need both the -fork and the -fd preload.)
LTTng-Tools
===========
No particular change is necessary.
Just enable the proper userspace events, either all of them (-u -a) or by the specific event name (rsyslog:*).
omlttngust module for RSyslog
=============================
omlttngust is a new output module for rsyslog. It takes the data from a syslog entry
and writes it to an LTTng-UST tracepoint, in one of several formats depending on the configuration.
You can get it here:
http://git.dorsal.polymtl.ca/~ybrosseau?p=rsyslog.git
git clone -b lttngust git://git.dorsal.polymtl.ca/~ybrosseau/rsyslog.git
(It will be posted on a mailing list soon.)
Currently, 3 tracepoints are available:
- rsyslog:msg_string
- rsyslog:msg_detailled
- rsyslog:msg_detailled_time
msg_string: a simple tracepoint which only contains one string, a copy of the
line written to the syslog file.
msg_detailled: a tracepoint where each element of a syslog entry (facility, level, etc.) is written into a separate field.
msg_detailled_time: same as msg_detailled, but adds 2 string fields containing the syslog timestamp values.
msg_detailled is the default.
The selection is done with the following configuration variables:
actionomlttngustmsgdetailled = on
actionomlttngustlogsyslogtime = off
(Default values shown.)
The first one selects whether we want the simple string or the detailed entries.
The second one selects whether we want to add the time fields to the detailed entries.
You'll need to specify that you want the lttng-ust module at rsyslog configure time:
./configure --enable-omlttngust
Make sure you see the following entry in the configure output to confirm that the module will be built:
omlttngust module will be compiled: yes
Starting/Configuring rsyslog
============================
To write to an LTTng trace, you need to activate the module.
You can do that by adding the following line to your /etc/rsyslog.conf:
*.* :omlttngust:
You can also configure just one facility, such as AUTH, by writing this:
auth.* :omlttngust:
Then launch rsyslog the way you usually do, or with one of the following commands.
As a daemon, with the LTTng-UST preload (note that sudo strips LD_* variables from the environment by default; if it refuses the LD_PRELOAD assignment, run the command from a root shell instead):
sudo LD_PRELOAD=/usr/local/lib/liblttng-ust-fork.so\ /usr/local/lib/liblttng-ust-fd.so /usr/local/sbin/rsyslogd
Or without daemonisation:
sudo /usr/local/sbin/rsyslogd -n
Running Snort
=============
When you run Snort, you need to configure it to send its output to syslog.
To do so, add (or uncomment) the following line in /etc/snort/snort.conf:
output alert_syslog: LOG_AUTH LOG_ALERT
You'll then see Snort entries among your syslog entries, probably in /var/log/auth.log, since Snort is configured to send to the LOG_AUTH facility.
When you activate tracing, you'll see entries like this (one line per event):
[17:39:19.993170249] (+0.000003942) atwood rsyslog:msg_detailled_time: { cpu_id = 1 }, { message = " [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 132.207.72.10 -> 132.207.72.30", severity = 1, facility = 4, hostname = "atwood", progname = "snort", pid = "-", time_str = "Oct 7 17:39:19", time_gen_str = "Oct 7 17:39:19" }
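To show what a consumer of this trace gets to work with, here is an added example (not part of the original document or of the omlttngust module) that parses the text output above, decodes the tracepoint fields, and pulls the Snort alert structure (generator/signature ids, classification, priority, protocol, source and destination) out of the message field. It assumes the field names shown in the sample line, assumes that msg_detailled carries the same fields minus time_str and time_gen_str, and assumes Snort's alert_syslog message layout as seen in the sample; the first sample line is the one from the document, the other lines are constructed here. Note that severity 1 / facility 4 in the sample decode to alert / auth, which is exactly the LOG_AUTH LOG_ALERT pair configured in snort.conf, a quick consistency check when validating the pipeline.

```python
"""Added example: decode `lttng view` text lines for rsyslog:msg_detailled* events
and extract Snort alerts from the message field."""
import re
from dataclasses import dataclass
from typing import Optional

# One event line: [time] (+delta) tracehost rsyslog:event: { cpu_id = N }, { key = value, ... }
EVENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \((?P<delta>[^)]+)\) (?P<tracehost>\S+) "
    r"(?P<event>rsyslog:\w+): \{ cpu_id = (?P<cpu>\d+) \}, \{ (?P<fields>.*) \}$"
)
# `key = value` pairs; a value is a double-quoted string or an integer.
FIELD_RE = re.compile(r'(\w+) = ("(?:[^"\\]|\\.)*"|-?\d+)')
# Snort alert_syslog body (assumed layout, classification is optional):
# [gid:sid:rev] description [Classification: ...] [Priority: n] {PROTO} src -> dst
SNORT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<desc>.*?)"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}"
    r"\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Standard syslog numeric codes (RFC 5424, section 6.2.1).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            **{16 + i: f"local{i}" for i in range(8)}}

@dataclass
class SyslogEvent:
    timestamp: str   # trace timestamp between the leading brackets
    event: str       # e.g. rsyslog:msg_detailled_time
    fields: dict     # decoded tracepoint fields (message, severity, facility, ...)

@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    description: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str

def parse_event_line(line: str) -> Optional[SyslogEvent]:
    """Decode one text-output line; None for lines that are not rsyslog events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else int(raw)
    return SyslogEvent(m.group("ts"), m.group("event"), fields)

def parse_snort_alert(message: str) -> Optional[SnortAlert]:
    """Split a Snort alert_syslog message into its components; None if it does not match."""
    m = SNORT_RE.search(message)
    if not m:
        return None
    return SnortAlert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["desc"],
                      m["cls"], int(m["prio"]), m["proto"], m["src"], m["dst"])

def severity_name(code: int) -> str:
    return SEVERITY[code] if 0 <= code < len(SEVERITY) else str(code)

def facility_name(code: int) -> str:
    return FACILITY.get(code, str(code))

def extract_snort_alerts(lines):
    """Keep only events emitted by snort whose message parses as an alert."""
    out = []
    for line in lines:
        ev = parse_event_line(line)
        if ev is None or ev.fields.get("progname") != "snort":
            continue
        alert = parse_snort_alert(str(ev.fields.get("message", "")))
        if alert is not None:
            out.append((ev, alert))
    return out

def count_by_priority(pairs):
    counts = {}
    for _, alert in pairs:
        counts[alert.priority] = counts.get(alert.priority, 0) + 1
    return counts

# Constructed sample: line 1 is the document's own trace line; lines 2-4 are made up here
# (a msg_detailled event without time fields, an sshd event, and a non-event line).
SAMPLE_LINES = [
    '[17:39:19.993170249] (+0.000003942) atwood rsyslog:msg_detailled_time: { cpu_id = 1 }, '
    '{ message = " [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} '
    '132.207.72.10 -> 132.207.72.30", severity = 1, facility = 4, hostname = "atwood", '
    'progname = "snort", pid = "-", time_str = "Oct 7 17:39:19", time_gen_str = "Oct 7 17:39:19" }',
    '[17:39:20.100000000] (+0.106829751) atwood rsyslog:msg_detailled: { cpu_id = 0 }, '
    '{ message = " [1:1000001:1] CONSTRUCTED test rule [Priority: 2] {TCP} '
    '10.0.0.5:43122 -> 10.0.0.9:22", severity = 1, facility = 4, hostname = "atwood", '
    'progname = "snort", pid = "-" }',
    '[17:39:21.000000000] (+0.900000000) atwood rsyslog:msg_detailled: { cpu_id = 0 }, '
    '{ message = "Accepted publickey for alice from 10.0.0.5 port 43122 ssh2", severity = 6, '
    'facility = 10, hostname = "atwood", progname = "sshd", pid = "4242" }',
    'this line is not a trace event',
]

if __name__ == "__main__":
    pairs = extract_snort_alerts(SAMPLE_LINES)
    for ev, alert in pairs:
        print(f"{ev.timestamp} {facility_name(ev.fields['facility'])}.{severity_name(ev.fields['severity'])}"
              f" sid={alert.sid} prio={alert.priority} {alert.proto} {alert.src} -> {alert.dst}: {alert.description}")
    print(count_by_priority(pairs))
```

The envelope and field regexes are independent of the Snort-specific one, so the same parse_event_line works for any program writing through omlttngust; only extract_snort_alerts filters on progname.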