AIX consists of a large number of software elements that can be grouped by, for example, a common function or a provided service.
One such group is the AIX error-handling system known as syslog, which works along the following principle: when a predefined condition of some severity is noticed and requires attention, syslog acknowledges the situation by sending a message to another machine, to a user or users, and/or by writing it to one or more local files of a chosen name.
By default syslog does nothing. You have to define what type of messages you want to look for and where to send the acknowledgment of their existence. These definitions are kept in /etc/syslog.conf. Any change to the content of this file requires a refresh of the syslog daemon.
Each entry line in syslog.conf consists of two mandatory parts (selector and action) and one optional part (rotation). The fields of a line must be separated by one or more tabs or spaces.
f1.p1;f2.p2;fN.pN destination rotation/size/time/compress/archive
where f1, f2, fN are different AIX facilities and p1, p2, pN are priorities, as shown next.
From the syslog point of view the AIX environment is divided into the following facilities:
Facility | Description
kern     | Kernel
user     | User level
mail     | Mail subsystem
daemon   | System daemons
auth     | Security or authorization
syslog   | syslogd daemon
lpr      | Line-printer subsystem
news     | News subsystem
uucp     | uucp subsystem
*        | All facilities
Priorities (as listed in the syslog.conf man page):
emerg - Specifies emergency messages (LOG_EMERG). These messages are not distributed to all users. LOG_EMERG priority messages can be logged into a separate file for reviewing.
alert - Specifies important messages (LOG_ALERT), such as a serious hardware error. These messages are distributed to all users.
crit - Specifies critical messages not classified as errors (LOG_CRIT), such as improper login attempts. LOG_CRIT and higher-priority messages are sent to the system console.
err - Specifies messages that represent error conditions (LOG_ERR), such as an unsuccessful disk write.
warning - Specifies messages for abnormal, but recoverable, conditions (LOG_WARNING).
notice - Specifies important informational messages (LOG_NOTICE). Messages without a priority designation are mapped into this priority.
info - Specifies informational messages (LOG_INFO). These messages can be discarded, but are useful in analyzing the system.
debug - Specifies debugging messages (LOG_DEBUG). These messages may be discarded.
none - Excludes the selected facility. This priority level is useful only if preceded by an entry with an * (asterisk) in the same selector field.
Priority order (high to low): emerg/panic, alert, crit, err(or), warn(ing), notice, info, debug
Selecting a particular priority matches all messages at that level and at every higher (more severe) level.
Destination:
The next line shows how to send syslog messages to two users, root and operator:
kern.notice;*.alert root,operator
The following line shows how to redirect syslog messages to the file sysmsg in the directory /var/adm/:
*.err;kern.notice;auth.notice /var/adm/sysmsg
The last three lines show how to redirect the same messages to two files in different directories while simultaneously sending them to a remote machine (a syslog server):
auth,authpriv.info /var/adm/autho.wmd rotate size 100k files 4
auth,authpriv.info /tmp/autho.tmp rotate time 1d
auth,authpriv.info @wsm.edu
To start syslogd in the debug mode:
Why this post? Today we were busy deploying third-party security software and were asked to redirect AIX syslog messages to an external syslog server. Unfortunately we hit a “wall”: the security vendor's computer and software were not able to “receive” our syslog messages. As often happens, the burden of proving that the fault does not lie with AIX was ours. So here it is: how to prove that an AIX host sends out information on a specific port (syslog uses port 514). For this post, let's agree that the host sending the information is called “AixClient” and the host acting as the syslog server is called “SysSrv”.
AixClient in its /etc/syslog.conf has the following entry identifying the SysSrv server:
auth,authpriv.info @SysServer
Now, as the root user, I start iptrace, instructing it not to include ARP packets and to intercept any traffic on port 514 (the default port used by syslog). The output will land in /tmp/iptrace.bin.
AixClient:/etc>startsrc -s iptrace -a "-a -p 514 /tmp/iptrace.bin"
0513-059 The iptrace Subsystem has been started. Subsystem PID is 1474736.
Now, I abandon root authority:
AixClient:/etc>exit
and acquire it again, which triggers the authorization event that syslog will intercept and send to SysServer:
AixClient:/home/duszyk>su -
root's Password:
It is time to stop iptrace and examine the contents of its output file.
AixClient:/root>stopsrc -s iptrace
0513-044 The iptrace Subsystem was requested to stop.
Before the output can be analyzed, it has to be converted to ASCII format.
AixClient:/root>cd /tmp
AixClient:/tmp>ipreport -nrs /tmp/iptrace.bin >> iptrace.txt
Finally, let us see what we got!
AixClient:/tmp>cat iptrace.txt
IPTRACE version: 2.0
Packet Number 1
ETH: ====( 132 bytes transmitted on interface en0 )==== 10:23:30.412249261
ETH: [ 00:14:5e:d1:0e:4e -> 00:00:5e:00:01:17 ] type 800 (IP)
IP: < SRC = 159.14.245.62 > (AixClient)
IP: < DST = 10.21.22.1 > (SysSrv)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=118, ip_id=37961, ip_off=0
IP: ip_ttl=30, ip_sum=53cb, ip_p = 17 (UDP)
UDP:
UDP: [ udp length = 98 | udp checksum = 979d ]
UDP: 00000000 3c33373e 4d617220 31302031 303a3233 |<37>Mar 10 10:23|
UDP: 00000010 3a333020 4d657373 61676520 666f7277 |:30 Message forw|
UDP: 00000020 61726465 64206672 6f6d2062 69656e74 |arded from bient|
UDP: 00000030 7473743a 2073753a 2066726f 6d206475 |tst: su: from du|
UDP: 00000040 737a796b 20746f20 726f6f74 20617420 |szyk to root at |
UDP: 00000050 2f646576 2f707473 2f30 |/dev/pts/0 |
Packet Number 2
ETH: ====( 132 bytes transmitted on interface en0 )==== 10:23:30.412309535
ETH: [ 00:14:5e:d1:0e:4e -> 00:0d:60:de:04:e4 ] type 800 (IP)
IP: < SRC = 159.14.245.62 > (AixClient)
IP: < DST = 159.14.245.155 > (nimprdp1.chop.edu)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=118, ip_id=37964, ip_off=0
IP: ip_ttl=30, ip_sum=df33, ip_p = 17 (UDP)
UDP:
UDP: [ udp length = 98 | udp checksum = 2306 ]
UDP: 00000000 3c33373e 4d617220 31302031 303a3233 |<37>Mar 10 10:23|
UDP: 00000010 3a333020 4d657373 61676520 666f7277 |:30 Message forw|
UDP: 00000020 61726465 64206672 6f6d2062 69656e74 |arded from bient|
UDP: 00000030 7473743a 2073753a 2066726f 6d206475 |tst: su: from du|
UDP: 00000040 737a796b 20746f20 726f6f74 20617420 |szyk to root at |
UDP: 00000050 2f646576 2f707473 2f30 |/dev/pts/0 |
++++++ END OF REPORT ++++++
processed 2 packets
Summary of RPC CALL packets
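The following Python script is an added example and not code from the original post: it rebuilds the UDP payload from the ipreport hex dump of Packet Number 1, decodes the leading <37> PRI field into facility auth and priority notice (37 = 4 * 8 + 5), and then applies the syslog.conf selector rules explained earlier (a priority matches that level and higher, * selects every facility, none excludes one) to confirm that the auth,authpriv.info entry forwards this message. The function names and the facility/priority tables are assumptions of this example; the facility codes follow the BSD syslog convention.

```python
import re

# syslog.conf priority keywords, highest first; list index == numeric severity 0..7.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# Facility codes carried in the BSD syslog PRI field: <facility * 8 + severity>.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 10: "authpriv"}

def decode_pri(payload: bytes):
    """Split the leading <N> of a syslog datagram into (facility, priority)."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if not m:
        raise ValueError("no PRI field at start of payload")
    pri = int(m.group(1))
    return FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3)), PRIORITIES[pri & 7]

def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """Apply a syslog.conf selector such as 'auth,authpriv.info;kern.none': a priority
    means that level and higher, 'none' drops the facility, the last matching part wins."""
    level = PRIORITIES.index(ALIASES.get(priority, priority))
    result = False
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        prio = ALIASES.get(prio, prio)
        if "*" in facs.split(",") or facility in facs.split(","):
            result = prio != "none" and level <= PRIORITIES.index(prio)
    return result

def payload_from_ipreport(report: str) -> bytes:
    """Rebuild the UDP payload from ipreport 'UDP: <offset> <hex words> |ascii|' lines."""
    out = bytearray()
    for line in report.splitlines():
        m = re.match(r"UDP: [0-9a-f]{8} ((?:[0-9a-f]{2,8} ?)+)\|", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

# Constructed sample: the hex-dump lines of Packet Number 1 from the trace above.
SAMPLE = """UDP: 00000000 3c33373e 4d617220 31302031 303a3233 |<37>Mar 10 10:23|
UDP: 00000010 3a333020 4d657373 61676520 666f7277 |:30 Message forw|
UDP: 00000020 61726465 64206672 6f6d2062 69656e74 |arded from bient|
UDP: 00000030 7473743a 2073753a 2066726f 6d206475 |tst: su: from du|
UDP: 00000040 737a796b 20746f20 726f6f74 20617420 |szyk to root at |
UDP: 00000050 2f646576 2f707473 2f30 |/dev/pts/0 |"""

if __name__ == "__main__":
    fac, prio = decode_pri(payload_from_ipreport(SAMPLE))
    print(fac, prio, selector_matches("auth,authpriv.info", fac, prio))  # auth notice True
```

The same selector_matches function can be pointed at any of the syslog.conf lines shown earlier in the post to check which entries a given facility/priority pair would hit.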
10:08 PM