...

  1. The Fedora App runs on the standard messages/syslog, auth/secure, mail, kern, cron and audit logs.
    When adding or editing these logs in XpoLog it is mandatory to apply the correct log type(s) to each log:
    1. fedora - all logs that the application will analyze must have fedora as a log type.
    2. linux - all logs that the application will analyze must have linux as a log type.
    3. messages/syslog - only the messages/syslog logs must also be configured to have messages/syslog as a log type.
    4. secure - only the auth/secure logs must also be configured to have secure as a log type.
    5. auth - only the auth/secure logs must also be configured to have auth/secure as a log type.
    6. cron - only the cron log must also be configured to have cron as a log type.
    7. mail/maillog - only the mail log must also be configured to have mail as a log type.
    8. kernel - only the kern log must also be configured to have kernel as a log type.
    9. audit - only the kern log must also be configured to have audit as a log type.

  2. Once the required information is set, click Next on each log and edit the log pattern; this step is crucial to the accuracy of the Fedora App deployment. Use the following patterns for each of the logs:
    1. fedora messages/syslog log:
      First Pattern:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}: [{text:time-taken,ftype=time-taken;,}] {text:Message,ftype=message}
      Second Pattern:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |password for invalid user |password for |USER=|user )[XPLG_PARAM([^\s\.\u005D]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*} {text:Message,ftype=message;,}

    2. fedora auth/secure log:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |password for invalid user |password for |USER=|user )[XPLG_PARAM([^\s\.\u005D]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*} {text:Message,ftype=message;,}

    3. fedora cron log:
      {date:Date,MMM dd HH:mm:ss} {text:Server,ftype=server} {text:Process,ftype=process}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}: {text:Message,ftype=message}

    4. fedora mail log:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{number:process id}]{block,end,emptiness=true}: {regexp:session,refName=Message;ftype=session,^(\w+):}{regexp:From,refName=Message;ftype=from,\s+from=([^,]+)}{regexp:To,refName=Message;ftype=to,\s+to=([^,]+)}{regexp:Size,refName=Message;ftype=size,size=([^\s,]+).*}{regexp:Class,refName=Message;ftype=class,class=([^\s,]+).*}{regexp:nrcpts,refName=Message;ftype=nrcpts,nrcpts=([^\s,]+).*}{regexp:msgID,refName=Message;ftype=msgid,msgid=<([^>]+).*}{regexp:Proto,refName=Message;ftype=protocol,proto=([^\s,]+).*}{regexp:Stat,refName=Message;ftype=status,stat=([^\s,]+).*}{regexp:Relay,refName=Message;ftype=relay,relay=([^\s,]+).*}{string:Message,ftype=message;,}

    5. fedora kernel log:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}:{block,start,emptiness=true} [{text:time-taken,ftype=time-taken;,}]{block,end,emptiness=true} {text:Message,ftype=message}

    6. fedora audit log:
      type={text:type,ftype=eventid} msg=audit({timestamp:Date,yyyy-MM-dd HH:mm:ss.SSS}:{text:ID}):{regexp:pid,refName=Message,\spid=([0-9]*)}{regexp:uid,ftype=uid;refName=Message,[^a,s]uid=([0-9]*)[^:]}{regexp:auid,ftype=auid;refName=Message,(new auid=|[^old] auid=)[XPLG_PARAM([0-9]*)]}{regexp:old auid,refName=Message,old auid=([0-9]*)}{regexp:ses,ftype=sessionid;refName=Message,(new ses=|[^old] ses=)[XPLG_PARAM([0-9]*)]}{regexp:old ses,refName=Message,old ses=([0-9]*)}{regexp:subj,refName=Message,subj=([^ ]*)}{regexp:kind,refName=Message,kind=([^\s]+).*}{regexp:fp,refName=Message,fp=([^\s]*)}{regexp:direction,ftype=direction;refName=Message,direction=([^\s]*)}{regexp:spid,refName=Message,spid=([0-9]*)}{regexp:suid,ftype=suid;refName=Message,suid=([0-9]*)}{regexp:acct,ftype=accountid;refName=Message,acct="([^"]*)}{regexp:rport,ftype=rport;refName=Message,rport=([0-9]*)}{regexp:lport,ftype=lport;refName=Message,lport=([0-9]*)}{regexp:port,ftype=port;refName=Message,\sport=([0-9]*)}{regexp:exe,ftype=exe;refName=Message,exe="([^"]*)}{regexp:New Name,ftype=newname;refName=Message,new name:\s+([^\s]+).*}{regexp:New GID,ftype=newgid;refName=Message,new gid:\s+([^\s]+).*}{regexp:UID,ftype=uid;refName=Message,msg=\u0027op.*id=([^\s]+).*}{regexp:OP,ftype=operation;refName=Message,\u0027op=([^\u003B]+).*(id|acct)}{regexp:hostname,ftype=machine;refName=Message,hostname=([^,\s]*)}{regexp:addr,ftype=sourceip;refName=Message,[^l]addr=([^\s]*)}{regexp:terminal,ftype=terminal;refName=Message,terminal=([^\s ]*)}{regexp:res,ftype=status;refName=Message,res=(.*)\u0027}{string:Message,ftype=message}
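The following is an added Python example, not XpoLog's own code, showing what the auth/secure pattern (item 2) and the audit pattern (item 6) extract when the same rules are written as standard `re` expressions and run over constructed sample lines. The function names, the `assumed_year` parameter (syslog timestamps carry no year) and the negative lookbehinds used in place of the page's `[^a,s]uid=` and `[^l]addr=` character classes are my choices; the sample lines are constructed, not captured from a host.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape the auth/secure pattern expects
# (syslog header, process[pid], message). Not captured from a real host.
SECURE_LINES = [
    "Mar  4 10:15:22 fedora-host sshd[2123]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  4 10:15:25 fedora-host sshd[2125]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar  4 10:15:30 fedora-host sshd[2130]: Accepted password for alice from 198.51.100.3 port 51240 ssh2",
    "Mar  4 10:16:01 fedora-host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
]

# Constructed auditd record; raw auditd writes an epoch timestamp inside audit(...).
AUDIT_LINES = [
    "type=USER_LOGIN msg=audit(1709547322.123:456): pid=2123 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=\"admin\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=203.0.113.7 terminal=ssh res=failed'",
]

# {date} {source} {process name}[pid]: {Message} -- the pid block is optional.
SYSLOG_HEAD = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+) "
    r"(?P<process>[^\[:]+)"
    r"(?:\[(?P<pid>\d+)\])?"
    r":\s*(?P<message>.*)$"
)

# Same alternatives as the page's User rule, written as an explicit group;
# the pattern's [^\s\.\u005D]+ is [^\s.\]]+ here (\u005D is ']').
USER_RE = re.compile(
    r"(?:(?:passed|failed|closed|opened) for user |password for invalid user |password for |USER=|user )"
    r"(?P<user>[^\s.\]]+)"
)
IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)")  # first dotted quad in the message, as in the Sourceip rule

AUDIT_HEAD = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^:)]+):(?P<id>\d+)\):\s*(?P<message>.*)$")

# One expression per audit field. The keys share suffixes (uid/auid/suid, addr/laddr,
# ses/old ses), so each rule anchors on what must NOT precede the key.
AUDIT_FIELDS = {
    "pid": re.compile(r"\spid=(\d*)"),           # leading \s keeps "spid=" out
    "uid": re.compile(r"(?<![a-z])uid=(\d*)"),   # not auid, suid, euid, fsuid
    "auid": re.compile(r"(?<!old )auid=(\d*)"),
    "ses": re.compile(r"(?<!old )ses=(\d*)"),
    "acct": re.compile(r'acct="([^"]*)"'),
    "exe": re.compile(r'exe="([^"]*)"'),
    "op": re.compile(r"'op=([^;']+?)\s+\w+="),   # value runs up to the next key=
    "hostname": re.compile(r"hostname=([^,\s]*)"),
    "addr": re.compile(r"(?<!l)addr=(\S*)"),     # not laddr
    "terminal": re.compile(r"terminal=(\S*)"),
    "res": re.compile(r"res=([^']*)'"),
}


def parse_secure_line(line, assumed_year=2024):
    """Return the fields the auth/secure pattern extracts, or None if the header does not match."""
    head = SYSLOG_HEAD.match(line)
    if head is None:
        return None
    fields = head.groupdict()
    # Syslog timestamps carry no year; the caller supplies one (assumption).
    fields["timestamp"] = datetime.strptime(f"{assumed_year} {fields.pop('date')}", "%Y %b %d %H:%M:%S")
    user = USER_RE.search(fields["message"])
    ip = IP_RE.search(fields["message"])
    fields["user"] = user.group("user") if user else None
    fields["source_ip"] = ip.group(1) if ip else None
    return fields


def parse_audit_line(line):
    """Return the fields the audit pattern extracts, or None if the record header does not match."""
    head = AUDIT_HEAD.match(line)
    if head is None:
        return None
    fields = {"type": head.group("type"), "timestamp": head.group("ts"), "id": head.group("id")}
    for name, rx in AUDIT_FIELDS.items():
        m = rx.search(line)  # whole line: the \s in the pid rule needs the space before "pid="
        if m:
            fields[name] = m.group(1)
    return fields


def failed_logins_by_ip(lines):
    """Count sshd 'Failed password' events per source IP: the roll-up a brute-force detection rule builds."""
    counts = {}
    for line in lines:
        rec = parse_secure_line(line)
        if rec and rec["process"] == "sshd" and rec["message"].startswith("Failed password") and rec["source_ip"]:
            counts[rec["source_ip"]] = counts.get(rec["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SECURE_LINES:
        print(parse_secure_line(line))
    print(parse_audit_line(AUDIT_LINES[0]))
    print(failed_logins_by_ip(SECURE_LINES))
```

The sudo line shows why the User rule lists `USER=` as an alternative: the account of interest is the target account, not the invoking one, and the rule's first alternative wins at the leftmost position, so the ordering of alternatives matters when a message contains more than one of them.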