Here’s another entry in our series of examples on how to use the new string presence check in Halo: how to make sure remote logging is enabled. For an introduction to this new feature, please see our previous Introduction to Search Expressions post.
The classic syslog daemon, and its newer descendants rsyslog and syslog-ng, can all send a second copy of every system log entry to a central syslog server. If an attacker breaks in and erases the local logs, you can still go to the central log server for clues about how the break-in happened, and from where.
The /etc/syslog.conf line to make this happen looks like:
*.* @220.127.116.11
where 220.127.116.11 is the IP address of your remote syslog server and the "@" marks it as a remote host rather than a local file. Since both the asterisk and the period have special meaning in Search Expressions, we need to put a backslash in front of each to match the literal characters (for reference, the asterisk is like the plus sign from the introduction post, except that an asterisk matches 0 or more of the preceding item). We'll use "\s+" to require at least one whitespace character (a space or a tab), then the "@", which needs no escaping, and then the syslog server IP address with "\." in place of each period. Finally, we'll place a "$" at the end to match the end of the line (the end-of-line equivalent of "^" matching at the beginning). That catches typos that would otherwise slip past a prefix match: if someone mistakenly enters "220.127.116.110", the expression still matches up through "220.127.116.11", but the "$" fails because the line doesn't end there. Here's the final check:
/etc/syslog.conf Contains ^\*\.\*\s+@220\.127\.116\.11$
You’ll need to substitute your own syslog server IP address, of course. If you have two or more central log servers, add a check for each one. If you’re using rsyslog, use “/etc/rsyslog.conf” in the check instead, and keep two things in mind: rsyslog also accepts “@@” in front of the address for TCP forwarding, so a host forwarding over TCP won’t match a check that expects a single “@”, and many distributions include /etc/rsyslog.d/*.conf from rsyslog.conf, so the forwarding line may live in one of those files rather than in rsyslog.conf itself. For syslog-ng, the default config file is /etc/syslog-ng/syslog-ng.conf, but the format of that file is completely different, so you’ll need to rewrite the check too.
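To see what the check above does and does not catch before rolling it out, here is an added Python example (not CloudPassage's or Halo's code) that builds the same expression, escaping and anchors included, and runs it line by line over a few constructed syslog.conf files: the correct forwarding line, a commented-out copy, an address with an extra trailing digit, a narrower selector, and rsyslog's "@@" TCP form. It assumes that Halo's "Contains" check behaves like a per-line regular-expression search, and the server address 220.127.116.11 is the example from the post, not anything you should keep.

```python
import re

# Example server address from the post; substitute your own. The sample
# config files below are constructed for this example.
SYSLOG_SERVER = "220.127.116.11"


def forwarding_expression(server_ip, allow_tcp=False, anchor_end=True):
    """Build the Search Expression the post describes.

    '^' anchors at the start of the line (so a commented-out '#*.* ...' line
    does not count), '*' and '.' are escaped to match literally, '\\s+' requires
    at least one space or tab, '@' is syslog.conf's marker for a remote host,
    and '$' anchors at the end so a longer address such as ...11 vs ...110
    is rejected. allow_tcp=True also accepts rsyslog's '@@' (TCP) form;
    anchor_end=False drops the '$' to show why it matters.
    """
    remote_marker = r"@@?" if allow_tcp else r"@"
    expression = r"^\*\.\*\s+" + remote_marker + re.escape(server_ip)
    return expression + "$" if anchor_end else expression


def file_contains(config_text, expression):
    """Emulate 'file Contains <expression>': true if any line matches."""
    pattern = re.compile(expression)
    return any(pattern.search(line) for line in config_text.splitlines())


def remote_logging_enabled(config_text, server_ip=SYSLOG_SERVER, **kwargs):
    """The whole check: does this syslog.conf forward everything to server_ip?"""
    return file_contains(config_text, forwarding_expression(server_ip, **kwargs))


# Constructed sample /etc/syslog.conf contents, one per case the check must handle.
SAMPLES = {
    # Correct: forwards everything, tab-separated like most real syslog.conf files.
    "forwarding": "*.info;mail.none\t/var/log/messages\n*.*\t@220.127.116.11\n",
    # Forwarding line present but commented out: '^' keeps this from matching.
    "commented_out": "#*.* @220.127.116.11\n*.info /var/log/messages\n",
    # Typo with an extra trailing digit: only '$' catches this.
    "extra_digit": "*.* @220.127.116.110\n",
    # Only mail logs are forwarded, not '*.*'.
    "wrong_selector": "mail.* @220.127.116.11\n",
    # rsyslog TCP forwarding: needs allow_tcp=True.
    "tcp": "*.* @@220.127.116.11\n",
}


def run_samples():
    """Return {sample name: result} for the strict check, plus two variants."""
    results = {name: remote_logging_enabled(text) for name, text in SAMPLES.items()}
    results["tcp_allowed"] = remote_logging_enabled(SAMPLES["tcp"], allow_tcp=True)
    results["extra_digit_unanchored"] = remote_logging_enabled(
        SAMPLES["extra_digit"], anchor_end=False)
    return results


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}")
```

Only the "forwarding" sample passes the strict check; "extra_digit" passes again once the "$" is dropped, which is the whole reason the anchor is there. One caveat the anchors introduce: a forwarding line with trailing spaces after the address will fail a "$"-anchored check even though syslog accepts it, so if a host unexpectedly fails, look at the raw line before assuming forwarding is off.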