I have a Cisco FTD sending logs tagged with local3 (19); however, I am still seeing some messages ending up in my user.log instead of where I have them configured to be sent. Is that where they would end up if untagged? Or is there a way to verify they are being tagged with 'user' or facility code 1? I do not have user commented out in my rsyslog.conf. (Debian wheezy, rsyslog v5)

root@PHOENILOGOP2:/etc# more rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


########################
### TROUBLESHOOTING ####
########################

$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat


#################
#### MODULES #### 
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514



###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
# NOTE: this second $ActionFileDefaultTemplate replaces the myFormat default set
# in the TROUBLESHOOTING block above for every file action that follows; only
# actions that name ";myFormat" explicitly (user.* below) still get the raw message.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############
$template Firewall,"/var/log/prd/fwlog-%$YEAR%-%$MONTH%-%$DAY%"
$template Switch,"/var/log/prd/rslog-%$YEAR%-%$MONTH%-%$DAY%"
$template Ironport,"/var/log/prd/iplog-%$YEAR%-%$MONTH%-%$DAY%"
# $template ACS,"/var/log/prd/acslog-%$YEAR%-%$MONTH%-%$DAY%"
$template FTD,"/var/log/prd/ftdlog-%$YEAR%-%$MONTH%-%$DAY%"
$template ISE,"/var/log/prd/iselog-%$YEAR%-%$MONTH%-%$DAY%"
$template Meraki,"/var/log/prd/merakilog-%$YEAR%-%$MONTH%-%$DAY%"
# $template Umbrella,"/var/log/prd/umbrellalog-%$YEAR%-%$MONTH%-%$DAY%"

#
# First some standard log files.  Log by facility.
#
Local7.* -?Firewall
# Local6.* -?Ironport
Local5.* -?Meraki
Local4.* -?Switch
Local3.* -?FTD
Local2.* -?ISE
# Local1.* -?Umbrella

auth,authpriv.*                 /var/log/auth.log
#*.*;auth,authpriv.none         -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
#mail.*                         -/var/log/mail.log
user.*                          -/var/log/user.log;myFormat

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
#mail.err                       /var/log/mail.err

#
# Logging for INN news system.
#
#news.crit                      /var/log/news/news.crit
#news.err                       /var/log/news/news.err
#news.notice                    -/var/log/news/news.notice
#
#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages
#
#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*
#
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8
#
# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole



root@PHOENILOGOP2:/etc# service --status-all
 [ + ]  acpid
 [ + ]  atd
 [ - ]  bootlogs
 [ ? ]  bootmisc.sh
 [ ? ]  checkfs.sh
 [ ? ]  checkroot-bootclean.sh
 [ - ]  checkroot.sh
 [ - ]  console-setup
 [ + ]  cron
 [ - ]  exim4
 [ - ]  hostname.sh
 [ ? ]  hwclock.sh
 [ - ]  kbd
 [ - ]  keyboard-setup
 [ ? ]  killprocs
 [ ? ]  kmod
 [ - ]  lvm2
 [ - ]  motd
 [ ? ]  mountall-bootclean.sh
 [ ? ]  mountall.sh
 [ ? ]  mountdevsubfs.sh
 [ ? ]  mountkernfs.sh
 [ ? ]  mountnfs-bootclean.sh
 [ ? ]  mountnfs.sh
 [ ? ]  mpt-statusd
 [ ? ]  mtab.sh
 [ ? ]  networking
 [ + ]  nfs-common
 [ ? ]  open-vm-tools
 [ - ]  procps
 [ ? ]  rc.local
 [ - ]  rmnologin
 [ + ]  rpcbind
 [ + ]  rsyslog
 [ ? ]  sendsigs
 [ + ]  ssh
 [ - ]  sudo
 [ + ]  tftpd-hpa
 [ + ]  udev
 [ ? ]  udev-mtab
 [ ? ]  umountfs
 [ ? ]  umountnfs.sh
 [ ? ]  umountroot
 [ - ]  urandom


user.log example (should be tagged Local3 (facility 19) but is actually being tagged Local7 (facility 23), which doesn't explain why it is in user.log (facility 1)):
Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01  %FTD-6-430003: EventPriority: Low, DeviceUUID: <DeviceUUID obfuscated>, InstanceID: 3, FirstPacketSecond: 2020-08-13T13:21:23Z, ConnectionID: 6910, AccessControlRuleAction: Allow, SrcIP: 192.168.91.252, DstIP: 208.67.220.220, SrcPort: 40311, DstPort: 53, Protocol: udp, IngressInterface: TPK-COMCAST-INSIDE, EgressInterface: TPK-COMCAST-OUTSIDE, IngressZone: TPK-COMCAST-INSIDE, EgressZone: TPK-COMCAST-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: TPK-COMCAST-FTD-ACCESS-POLICY, AccessControlRuleName: Umbrella VA DNS Outbound, Prefilter Policy: Default Prefilter Policy, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 127, ResponderBytes: 101, NAPPolicy: Balanced Security and Connectivity, DNSQuery: kdp.amazon.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 24
Security_Pete
  • Can you add an example of a line that bothers you? – Gerard H. Pille Aug 11 '20 at 12:04
  • What is the meaning of "?" in "Local7.* -?Firewall" ? – Gerard H. Pille Aug 12 '20 at 14:41
  • This code was supplied to me with the help of @AaronCopley, but I believe they are calling the template referenced earlier. That's how I understood it. I found [this](https://www.rsyslog.com/article60/) – Security_Pete Aug 12 '20 at 16:32
  • the line that bothers me is `user.* -/var/log/user.log;myFormat` Why would messages be ending up here tagged with 'Local7.'? – Security_Pete Aug 12 '20 at 16:36
  • I'd like to see a line from user.log that shouldn't be there. – Gerard H. Pille Aug 12 '20 at 18:15
  • added to the end of the question. – Security_Pete Aug 13 '20 at 13:30
  • Do you recognize this message? Is it some kind of firewall using a log format rsyslog doesn't recognize? – Gerard H. Pille Aug 13 '20 at 13:55
  • Yes, I do recognize it. It's one of my Cisco FTDs. So, I probably should have brought this up previously: this is v5 of rsyslog on a Debian wheezy box from 2014/5. I recall finding out that this was very old, but it was working. – Security_Pete Aug 13 '20 at 13:59
  • Check the FTD's config. – Gerard H. Pille Aug 13 '20 at 14:24
  • I have done that; I can confirm it is set to Local3, but there must be something in there that is sending it to Local7. I need to upgrade the server to a more recent OS and rsyslog version. – Security_Pete Aug 13 '20 at 14:33
  • "is actually being tagged Local7(Facility 23)" How so? Where do you see this tagging? And if it was, it would be in fwlog, not in user.log. – Gerard H. Pille Aug 13 '20 at 17:27
  • I stood up a Kiwi syslog server on another IP and had it send logs there as well. I see the facility code on those logs. I just got off the phone with the Cisco TAC; they reported that those connection events are hard coded to Local7 and can't be modified. @GerardH.Pille I thank you for putting up with my questions, and I appreciate you taking the time to help. – Security_Pete Aug 13 '20 at 21:01

1 Answer

If you add these at the top of your rsyslog configuration, you may find the information you seek:

$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat

rsyslog.com

Gerard H. Pille
  • I have added that to my config, but I have not found the information. I am watching the directory which contains the incoming messages, and only 2 files are actively being written to: user.log and lastlog. When I tail them I do not see any additional information other than what I have seen previously. No facility information. Do I need to look elsewhere? – Security_Pete Aug 09 '20 at 02:41
  • Never mind; after reading your link I see I need to add 'myFormat' to the end. – Security_Pete Aug 09 '20 at 14:00
  • 1
    "Cut and Paste", it's not all that bad. ;-) – Gerard H. Pille Aug 09 '20 at 14:08
  • I am missing something. I have tried to add the 'myFormat' to the end of my user rule `user.* -/var/log/user.log;myFormat` However when I tail the messages I see no additional components contained in the messages. Have I not utilized the format correctly? – Security_Pete Aug 10 '20 at 12:19
  • Looks good. Is rsyslog running with the new configuration? – Gerard H. Pille Aug 10 '20 at 13:28
  • Yes, and I restarted the service after each modification. – Security_Pete Aug 10 '20 at 13:57
  • Then I suppose another line in your configuration precedes the one using myFormat, or the messages you see are not "user.*". – Gerard H. Pille Aug 10 '20 at 15:02
  • I added the config to the question. Does it need to be above the commented-out stuff at the top? It's the first uncommented line. I thought that would be good. It's Debian 7.9 wheezy and the corresponding rsyslog version; I didn't notice the release. – Security_Pete Aug 10 '20 at 17:57
  • Anything here: # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf ?? – Gerard H. Pille Aug 10 '20 at 18:09
  • What if another process is writing to user.log? Try fuser to check. – Gerard H. Pille Aug 10 '20 at 18:34
  • There is nothing in rsyslog.d; I have not installed anything on this box, but our IS team may have put an agent on the device at install. I have also added the processes to the question. – Security_Pete Aug 11 '20 at 12:00
  • I pushed the logs to another device that captures the logs with the facility code. It was as I had feared: some messages tagged info were marked local 3, and the ones I wanted are marked debug and are tagged with local 7. Now local 7 I have ending up in my 'Firewall' rule. Now I'm scratching my head because they should end up there and not in 'user.log'. – Security_Pete Aug 12 '20 at 12:12
  • Does rsyslog make a distinction between "Local7" and "local 7"/"local7" ? – Gerard H. Pille Aug 12 '20 at 14:44
  • They are being received as 'Local7.Debug' which matches my template that has 'Local7.*' I see the messages 'Local3.Info' from the same source being filtered properly. I'm not sure if that's what you meant. – Security_Pete Aug 12 '20 at 15:42
  • I've added a couple of questions under your OP. – Gerard H. Pille Aug 12 '20 at 15:52
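An added worked example (not from the question, the answer, or Cisco), in Python, showing the check both the question ("is there a way to verify they are being tagged with 'user' or facility code 1?") and the answer's `%rawmsg%` template are circling: decode the `<PRI>` that sits at the very start of the raw line and work out which of the posted selectors fires. The sample lines are constructed for this example: `<158>` is 19*8+6 (local3.info) and `<191>` is 23*8+7 (local7.debug), matching the facilities reported in the comments, and the third line carries no `<PRI>` at all. Per RFC 3164 section 4.3.3 a message without a valid PRI is treated as `<13>`, which is user.notice, and rsyslog applies the same default, so such a line lands in user.log although no sender ever tagged it `user`. The `6` in `%FTD-6-430003` is Cisco's own level for that message ID and plays no part in routing; only the `<PRI>` does. On the rsyslog side the equivalent check is a template that prints the decoded fields alongside the raw message, e.g. `$template priCheck,"%pri% %syslogfacility-text%.%syslogseverity-text% %rawmsg%\n"`, used on a rule the same way `;myFormat` is used above.

```python
"""Decode the syslog PRI of raw lines (what rsyslog's %rawmsg% shows) and
work out which of the posted rsyslog selectors would file each one."""
import re
from typing import List, NamedTuple

# Facility (PRI // 8) and severity (PRI % 8) names, RFC 3164 / RFC 5424 numbering.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 section 4.3.3: no PRI, or an invalid one, means the receiver
# assumes <13> = user.notice. rsyslog uses the same default.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")


class Decoded(NamedTuple):
    tagged: bool          # False when the line carried no usable <PRI>
    pri: int
    facility: int
    facility_name: str
    severity: int
    severity_name: str


def decode_pri(raw: str) -> Decoded:
    """Return the facility/severity a syslog receiver would assign to `raw`."""
    m = PRI_RE.match(raw)
    tagged = m is not None and int(m.group(1)) <= 191   # 23*8+7 is the maximum
    pri = int(m.group(1)) if tagged else DEFAULT_PRI
    fac, sev = divmod(pri, 8)
    return Decoded(tagged, pri, fac, FACILITIES[fac], sev, SEVERITIES[sev])


# The uncommented selectors from the posted rsyslog.conf, in file order.
# rsyslog evaluates every rule, so one message can be written to several places.
RULES = [
    ("local7.*", "Firewall template (/var/log/prd/fwlog-YYYY-MM-DD)"),
    ("local5.*", "Meraki template"),
    ("local4.*", "Switch template"),
    ("local3.*", "FTD template (/var/log/prd/ftdlog-YYYY-MM-DD)"),
    ("local2.*", "ISE template"),
    ("auth.*", "/var/log/auth.log"),
    ("authpriv.*", "/var/log/auth.log"),
    ("kern.*", "/var/log/kern.log"),
    ("user.*", "/var/log/user.log"),
    ("*.emerg", ":omusrmsg:*"),
]


def selector_matches(selector: str, d: Decoded) -> bool:
    """Classic syslog selector: `fac.level` matches that level and anything
    more severe (lower number); `*` on either side matches everything."""
    fac, level = selector.lower().split(".")
    if fac != "*" and fac != d.facility_name:
        return False
    return level == "*" or d.severity <= SEVERITIES.index(level)


def route(raw: str) -> List[str]:
    """Destinations the posted rules would write this raw line to."""
    d = decode_pri(raw)
    return [dest for sel, dest in RULES if selector_matches(sel, d)]


# Constructed sample lines modelled on the one quoted in the question.
# 158 = 19*8+6 (local3.info), 191 = 23*8+7 (local7.debug); the third has no PRI.
SAMPLE_LINES = [
    "<158>Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: EventPriority: Low, ConnectionID: 6910",
    "<191>Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: EventPriority: Low, ConnectionID: 6911",
    "Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: EventPriority: Low, ConnectionID: 6912",
]


def report(lines: List[str]) -> List[str]:
    """One human-readable verdict per line: PRI seen, decoded name, destinations."""
    rows = []
    for raw in lines:
        d = decode_pri(raw)
        seen = f"<{d.pri}>" if d.tagged else "no PRI (assumed <13>)"
        rows.append(f"{seen:>22}  {d.facility_name}.{d.severity_name:<8} -> {', '.join(route(raw))}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Run it as-is to see the three verdicts, or feed it `user.log` written with the `%rawmsg%` template: any line that reports "no PRI (assumed <13>)" was never tagged by the sender, which is the "untagged" case the question asks about, whereas a line that decodes to local7.debug is headed for the Firewall template and will not appear in user.log at all.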