as_logger – Audit series logger
For background on replicated audit series, please read “Replicated named audit series”.
Note
The as_logger module is an eccmgr (cluster manager) module, not an ecelerity module. For this reason, you cannot add this module using the web UI. You must manually change the eccluster.conf
file. For instructions on doing this see “Best Practices for Manually Changing Configuration Files”.
This module is designed for use on a cluster manager (eccmgr) instance. It journals replicated audit series to disk at a configurable, periodic interval. Audit series can be included or excluded from being journalled by specifying regular expressions in an inclusion or exclusion list. The files are stored in a configurable directory. The name of each file is formed from the series name followed by a timestamp. The content of each file is a serialized "snapshot" of the audit series at that moment (reflecting the interval ending at the moment the file is written). The audit series is reset at each interval so that each file represents only one data period.
Post-analysis of these data files can be performed using the cluster web console or via custom scripts. These data files can also be inspected from the cidr_server command line using the cidr_cli command. For more information see “The cidr_server
”.
as_logger { log_interval = 60 base_dir = "/var/log/eccluster/aslogger" # We can log *everything* by default, and # then list exclusions that should not be logged. series_include_default = "all" series_exclude = ( "spam$" "^other" ) ################################################# # Alternatively, we can log *nothing* by default, # and specify only the series we want to log. # series_include_default = none # series_include = ( "^keep-" "^myseries$ ) ################################################# }
**Configuration Change. ** As of version 3.1 this module is a singleton. In version 3.0 add an instance name when defining this module.
Valid configuration parameters are:
- base_dir
-
The directory where the serialized files should be created.
- log_interval
-
The interval in seconds at which the replicated audit_series should be serialized to disk. At this interval, files will be created in the directory specified by
base_dir
, named from the series name suffixed with a timestamp. - series_exclude
-
A list of regular expressions specifying series names which should be excluded from serialization. This option is only applicable when
series_include_default
is set toall
. Remember to use regular expression syntax; e.g., "series" performs a substring match; "^myseries$" is an exact match, etc. - series_include
-
A list of regular expressions specifying series names which should be included in serialization. This option is only applicable when
series_include_default
is set tonone
. Remember to use regular expression syntax; e.g., "series" performs a substring match; "^myseries$" is an exact match, etc. - series_include_default
-
This can have the value
all
ornone
. This controls whether all series are serialized, or not, by default. If left unspecified,none
is assumed.
The files created by the as_logger module are maintained by the cidr_maintain command. On Linux this command is run from the cron job, /etc/cron.d/msys-ecelerity-cidr-server
and on Solaris it's run from root's crontab, /var/spool/cron/crontabs/root
. In either case the entry looks like the following:
0 0 * * * /opt/msys/ecelerity/bin/cidr_maintain -c \ /opt/msys/ecelerity/etc/cidr_maintain.conf 2>&1 > /dev/null
The cidr_maintain command is invoked with the -c
option which points to the configuration file. In this case, the configuration options used with the cidr_maintain command are found in the /opt/msys/ecelerity/etc/cidr_maintain.conf
configuration file. Typical settings are shown below.
# Auto-Discover series cidr databases to maintain
# auto = true
auto = true
# Manually list series to maintain, as an alternative to 'auto' mode
# series = rbl zombie
# retain 30 days of data
retention = 30
# condense data one day or older
condense = 0
# Where to look for cidr database files
basedir = "/var/log/eccluster/aslogger"
The retention
setting determines when data is purged, condense
turns file compression off and on while basedir
sets the base directory for log files.
The auto
and series
options are useful if you wish to apply different settings to different audit series. For example, you could create a file with the following settings:
auto = "false"
series = "rbl"
condense = 30
retention = 60