Versions Compared

Old Version 16

changes.mady.by.user Eran

Saved on

compared with

New Version Current

changes.mady.by.user Eran

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Background

The Linux Servers logs analysis App for Ubuntu automatically Collect - Read - Parse - Analyzes - Reports all machine generated log data of the server and presents a comprehensive set of graphs and reports to analyze machine generated data. Use a predefined set of dashboards and widgets to visualize and address the system software, code written, and infrastructure during development, testing, and production.  This Linux for Ubuntu logs analysis App helps measure, troubleshoot, and optimize your servers integrity, stability and quality with the several visualization and investigation dashboards.

Steps:

  1. The Ubuntu App is running on messages/syslog, auth/secure, mail, kern, cron and audit standard logs.
    When adding/editing the logs to XpoLog it is mandatory to apply the correct log type(s) to each of the logs:
    1. Ubuntu - all logs that the application will analyze must have Ubuntu as a log type.
    2. linux - all logs that the application will analyze must have linux as a log type.
    3. syslog - only the syslog logs must also be configured to have messages as a log type.
    4. auth - only the auth logs must also be configured to have auth as a log type.
    5. cron - only the cron log must also be configured to have cron as a log type.
    6. maillog - only the mail log must also be configured to have mail as a log type.
    7. kernel - only the kern log must also be configured to have kernel as a log type.
    8. audit - only the audit log must also be configured to have audit as a log type.
    9. dnf - only the dnf log must also be configured to have dnf as a log type.
    10. ufw - only the ufw log must also be configured to have ufw as a log type.

  2. Once the required information is set, on each log click next and edit the log pattern, this step is crucial to the accuracy and deployment of the Ubuntu App. Use the following patterns for each of the logs:
    1. Ubuntu syslog log:
      First Pattern:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}: [{text:time-taken,ftype=time-taken;,}] {text:Message,ftype=message}
      Second Pattern:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |password for invalid user |password for |USER=| user \u0027| user )[XPLG_PARAM([^\s\.\u005D\u0027]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*} {text:Message,ftype=message;,}

    2. Ubuntu auth log:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |changed password expiry for\s|password for invalid user |password for |password changed for\s|USER=|User unknown:\s|unknown user:\s|user \u0027|user=|user | user:\sname=)[XPLG_PARAM([^\s\.\u005D\u0027\,\u003A\u0028]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*}{regexp:Group,ftype=group;refName=Message,(group\s'|group:\sname=|group added.*name=)[XPLG_PARAM([^'\s,]+)].*} {regexp:uid,ftype=uid;refName=Message,uid=([^\s\u0029]+).*}{regexp:rhost,ftype=rhost;refName=Message,rhost=([^\s]+),*}{text:Message,ftype=message;,}

    3. Ubuntu cron log:
      {date:Date,MMM dd HH:mm:ss} {text:Server,ftype=server} {text:Process,ftype=process}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}: {text:Message,ftype=message}

    4. Ubuntu mail log:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{number:process id}]{block,end,emptiness=true}: {regexp:session,refName=Message;ftype=session,^(\w+):}{regexp:From,refName=Message;ftype=from,\s+from=\u003C?([^\u003E,]+)}{regexp:To,refName=Message;ftype=to,\s+to=\u003C?([^\u003E,]+)}{regexp:Size,refName=Message;ftype=size,size=([^\s,]+).*}{regexp:Class,refName=Message;ftype=class,class=([^\s,]+).*}{regexp:nrcpts,refName=Message;ftype=nrcpts,nrcpts=([^\s,]+).*}{regexp:msgID,refName=Message;ftype=msgid,msgid=<([^>]+).*}{regexp:Proto,refName=Message;ftype=protocol,proto=([^\s,]+).*}{regexp:Stat,refName=Message;ftype=status,stat=([^\s,]+).*}{regexp:Relay,refName=Message;ftype=relay,relay=([^\s,]+).*}{string:Message,ftype=message;,}


    5. Ubuntu kernel log:
      {date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}:{block,start,emptiness=true} [{text:time-taken,ftype=time-taken;,}]{block,end,emptiness=true} {text:Message,ftype=message}

    6. Ubuntu audit log:
      First Pattern:
      type={text:Type,ftype=eventid}{map:Event Description,ftype=eventdescription;refIndex=0,file:knowledge/repository/system/linux/map/linux-audit.prop}{map:Category,ftype=category;refIndex=0,file:knowledge/repository/system/linux/map/linux-audit-categories.prop} msg=audit({timestamp:Date,yyyy-MM-dd HH:mm:ss.SSS}:{text:Message ID}): {properties:values,keysSep==;propSep=space;,pid#_#ftype=pid#_#name=PID;uid#_#name=UID;auid#_#ftype=auid;old-auid#_#ftype=oldauid#_#name=Old auid;ses#_#ftype=sessionid#_#name=Sessionid;sub;tty;old-ses;res;proctitle;arch;syscall;success;exit;items}msg=''{properties:msg,keysSep==;propSep=space;,op#_#ftype=op#_#name=OP;exe#_#ftype=exe;hostname#_#ftype=machine#_#name=Hostname;addr#_#ftype=sourceip;terminal#_#ftype=terminal#_#name=Terminal;res#_#ftype=status#_#name=Status;acct#_#ftype=accountid;fp#_#ftype=fp;kind#_#ftype=kind;direction#_#ftype=direction;spid#_#ftype=spid;suid#_#ftype=suid;rport#_#ftype=rport#_#name=Rport;port#_#ftyperport#_#name=Port;comm#_#ftype=comm;unit#_#ftype=unit;id#_#ftype=uid#_#name=ID}''{regexp:New Name,ftype=newname;refName=OP,new name:\s+([^\s]+).*}{regexp:New GID,ftype=newgid;refName=OP,new gid:\s+(\d+)}{regexp:Operation,ftype=operation;refName=OP,([^\u003B]+).*}
      Second Pattern:
      type={text:Type,ftype=eventid}{map:Event Description,ftype=eventdescription;refIndex=0,file:knowledge/repository/system/linux/map/linux-audit.prop}{map:Category,ftype=category;refIndex=0,file:knowledge/repository/system/linux/map/linux-audit-categories.prop} msg=audit({timestamp:Date,yyyy-MM-dd HH:mm:ss.SSS}:{text:Message ID}): {properties:values,keysSep==;propSep=space;,pid#_#ftype=pid#_#name=PID;uid#_#name=UID;auid#_#ftype=auid;old-auid#_#ftype=oldauid#_#name=Old auid;ses#_#ftype=sessionid#_#name=Sessionid;sub;tty;old-ses;res;proctitle;arch;syscall;success;exit;items;acct#_#ftype=accountid;exe#_#ftype=exe;hostname#_#ftype=machine#_#name=Hostname;addr#_#ftype=sourceip;terminal#_#ftype=terminal#_#name=Terminal;subj;msg;grantors;op#_#ftype=op#_#name=OP;fp#_#ftype=fp;kind#_#ftype=kind;direction#_#ftype=direction;spid#_#ftype=spid;suid#_#ftype=suid;rport#_#ftype=rport#_#name=Rport;port#_#ftyperport#_#name=Port;comm#_#ftype=comm;unit#_#ftype=unit}{regexp:New Name,ftype=newname;refName=OP,new name:\s+([^\s]+).*}{regexp:New GID,ftype=newgid;refName=OP,new gid:\s+(\d+)}{regexp:Operation,ftype=operation;refName=OP,([^\u003B]+).*}{regexp:Status,ftype=status;refName=res,(\w+).*} 

    7. Ubuntu dnf log:
      {date:Date,yyyy-MM-dd'T'HH:mm:ssZ} {priority:Priority,ftype=priority,INFO;NOTICE;WARN;WARNING;DEBUG;DDEBUG;SUBDEBUG;CRITICAL} {string:Message,ftype=message}

    8. Ubuntu ufw log:
      {date:Date,MMM dd HH:mm:ss} {text:Hostname.ftype=hostname} {text:Process,ftype=process}: [{text:Kernel Time,ftype=kerneltime}] [{text:LogPrefix,ftype=logprefix}] {properties:Message,keysSep==;propSep=space;,IN#_#ftype=interfacein;OUT#_#ftype=interfaceout;MAC#_#ftype-mac;SRC#_#ftype=sourceip;DST#_#ftype=targetip;LEN#_#ftype=length#_#name=Payload Length;TOS#_#ftype=servicetype#_#name=Type Of Service;PREC#_#ftype=precedence#_#name=Precedence;TTL#_#ftype=ttl;ID#_#ftype=id#_#name=Identification;PROTO#_#ftype=protocol;SPT#_#ftype=sourceport#_#name=SourcePort;DPT#_#ftype=targetport#_#name=TargetPort;WINDOW#_#name=windowssize;RES#_#ftype=flags#_#name=TCP Flags;URGP}