Tutorial: Syslog
Contents
This tutorial discusses the plugin syslogDecode. It extracts relevant information from the Syslog protocol, which is used to convey any sort of message logging.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First, I recommend putting T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case you still have old plugins or files there. If you want to keep them, copy them somewhere else first.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$
Then compile the following plugins:
$ t2build tranalyzer2 basicFlow syslogDecode txtSink
...
BUILD SUCCESSFUL
$
If you have not created separate data and results directories yet, please do so now in another terminal window; it makes the workflow easier:
$ mkdir ~/data ~/results
$
Download the sample pcap here: syslog.pcap. Now you’re all set.
syslogDecode
Let’s look at the plugin configuration first:
$ syslogDecode
$ vi src/syslogDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define SYSL_FSN 0 // Format for Syslog severity/facility messages:
// 0: Numbers
// 1: Names
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Let's configure human readable names in the output, recompile, and run t2 on the supplied pcap:
$ t2conf syslogDecode -D SYSL_FSN=1 && t2build syslogDecode
...
$ t2 -r ~/data/syslog.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 98533
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.14
02: syslogDecode, 0.8.14
03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/syslog.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1049480704.380000 sec (Fri 04 Apr 2003 18:25:04 GMT)
[WRN] snapL2Length: 126 - snapL3Length: 112 - IP length in header: 116
Dump stop : 1049480709.437000 sec (Fri 04 Apr 2003 18:25:09 GMT)
Total dump duration: 5.057000 sec
Finished processing. Elapsed time: 0.000606 sec
Finished unloading flow memory. Time: 0.000707 sec
Percentage completed: 100.00%
Number of processed packets: 32
Number of processed bytes: 4324 (4.32 K)
Number of raw bytes: 4452 (4.45 K)
Number of pcap bytes: 4860 (4.86 K)
Number of IPv4 packets: 32 [100.00%]
Number of A packets: 32 [100.00%]
Number of A bytes: 4324 (4.32 K) [100.00%]
Average A packet load: 135.12
Average B packet load: 0.00
--------------------------------------------------------------------------------
syslogDecode: Aggregated syslogStat=0x01
syslogDecode: Number of Syslog packets: 32 [100.00%]
syslogDecode: Number of Syslog message types: 10
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 32 [100.00%]
Number of UDP bytes: 4324 (4.32 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 7
Number of processed A flows: 7 [100.00%]
Number of request flows: 7 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 4.57
Number of processed A packets/flows: 4.57
Number of processed total packets/s: 6.33
Number of processed A+B packets/s: 6.33
Number of processed A packets/s: 6.33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 1.38
Average full raw bandwidth: 7043 b/s (7.04 Kb/s)
Average snapped bandwidth : 6840 b/s (6.84 Kb/s)
Average full bandwidth : 7043 b/s (7.04 Kb/s)
Max number of flows in memory: 7 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0408000200004000
[WRN] L3 SnapLength < Length in IP header
[WRN] Timestamp jump, probably due to multi-path packet delay or NTP operation
[INF] IPv4 flows
$
So the aggregated syslogStat currently has only one bit set, which states that Syslog was detected:
$ tawk -V syslogStat=0x01
The syslogStat column with value 0x01 is to be interpreted as follows:
bit | syslogStat | Description
=============================================================================
0 | 0x01 | Syslog detected
If you look into the flow file, you will see the severity and facility counts (syslogSev_Fac_Cnt) and the number of distinct severity/facility pairs (syslogMCnt). Note that the severity and facility are human readable.
$ cd ~/results
$ tcol syslog_flow.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto syslogStat syslogMCnt syslogSev_Fac_Cnt
A 4 0x0400000200004000 1049480707.053999 1049480707.053999 0.000000 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 198.209.154.254 us "University of Missouri - dba t" 7636 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 1 Debug_local7_2
A 5 0x0400000200004000 1049480707.685000 1049480707.685000 0.000000 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 204.184.55.252 us "University of Missouri - dba t" 4657 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 1 Notice_local7_2
A 3 0x0408000200004000 1049480704.761000 1049480708.256000 3.495000 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us "University of Missouri - dba t" 52553 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 1 Notice_local7_14
A 6 0x0400000200004000 1049480708.476000 1049480708.476000 0.000000 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.67.254 us "University of Missouri - dba t" 52553 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 1 Notice_local7_2
A 1 0x0408000200004000 1049480704.380000 1049480709.386999 5.006999 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 150.199.14.10 us "University of Missouri-Columbi" 49392 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 2 Error_local7_2;Notice_local7_2
A 2 0x0408000200004000 1049480704.390000 1049480709.416999 5.026999 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.203.50 us "University of Missouri - dba t" 50654 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 3 Error_local7_2;Warning_local7_2;Notice_local7_2
A 7 0x0400000200004000 1049480709.437000 1049480709.437000 0.000000 1 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.203.249 us "University of Missouri - dba t" 6638 207.160.133.205 us "University of Missouri - dba t" 514 17 0x01 1 Warning_local7_2
And the same for the packet mode, including the whole message in the l7Content column:
$ tcol syslog_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto syslogStat syslogSev syslogFac syslogMsg l7Content
1 1 0x0400000200004000 1049480704.380000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 150.199.14.10 us University of Missouri-Columbi 49392 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>127487: Apr 4 11:25:03: %LINK-5-CHANGED: Interface Async44, changed state to r
2 2 0x0400000200004000 1049480704.390000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.203.50 us University of Missouri - dba t 50654 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>186456: Apr 4 11:25:03: %LINK-5-CHANGED: Interface Async75, changed state to r
3 3 0x0400000200004000 1049480704.761000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432551: *May 11 00:38:12: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
4 3 0x0400000200004000 1049480704.761000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432552: *May 11 00:38:12: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
5 3 0x0400000200004000 1049480706.083000 1.322000 1.322000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432553: *May 11 00:38:13: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
6 3 0x0400000200004000 1049480706.092999 0.009999 1.331999 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432554: *May 11 00:38:14: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
7 3 0x0400000200004000 1049480706.103000 0.010001 1.342000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432555: *May 11 00:38:14: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
8 4 0x0400000200004000 1049480707.053999 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 198.209.154.254 us University of Missouri - dba t 7636 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Debug local7 <191>1284891: 9w5d: IP-EIGRP: Neighbor 198.209.154.1 not on common subnet for Etherne
9 3 0x0400000200004000 1049480707.204000 1.101000 2.443000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432556: *May 11 00:38:15: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
10 5 0x0400000200004000 1049480707.685000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 204.184.55.252 us University of Missouri - dba t 4657 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>310583: Apr 4 11:25:06: %LINK-5-CHANGED: Interface Async14, changed state to r
11 3 0x0400000200004000 1049480708.256000 1.052000 3.495000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.218.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>432557: *May 11 00:38:16: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
12 2 0x0400000200004000 1049480708.426000 4.036000 4.036000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.203.50 us University of Missouri - dba t 50654 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Error local7 <187>186457: Apr 4 11:25:08: %LINK-3-UPDOWN: Interface Async75, changed state to
13 6 0x0400000200004000 1049480708.476000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.67.254 us University of Missouri - dba t 52553 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Notice local7 <189>73830: *Mar 9 18:05:26: %QUICC_ETHER-5-LATECOLL: Unit 0, late collision e
14 1 0x0400000200004000 1049480709.386999 5.006999 5.006999 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 150.199.14.10 us University of Missouri-Columbi 49392 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Error local7 <187>127488: Apr 4 11:25:08: %LINK-3-UPDOWN: Interface Async44, changed state to
15 2 0x0400000200004000 1049480709.416999 0.990999 5.026999 3 eth:ipv4:udp 00:0b:bf:cb:ec:ca 08:00:20:d2:22:51 0x0800 207.160.203.50 us University of Missouri - dba t 50654 207.160.133.205 us University of Missouri - dba t 514 17 0x01 Warning local7 <188>186458: Apr 4 11:25:08: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/0 (not full duplex), with Houston-AS3.tain.barkingd.abc FastEthernet0/0 (full dupl
...
If you reset SYSL_FSN=0, the severity and facility are printed as numbers. This is the default, which is easier to interpret in post-processing.
$ t2conf syslogDecode --reset && t2build syslogDecode
...
$
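To see what syslogDecode does with the PRI field, here is an added Python example (not part of this tutorial or the Tranalyzer code base) that decodes the <PRI> prefix of messages like those in the l7Content column above into severity and facility, in either the SYSL_FSN=1 (names) or SYSL_FSN=0 (numbers) style, and aggregates the distinct severity/facility pairs per flow the way syslogMCnt and syslogSev_Fac_Cnt do. The sample messages are constructed after the ones in the packet file, the name tables follow RFC 5424, and the per-pair counts are simple message counts in this example.

```python
import re
from collections import Counter

# RFC 5424 severity/facility names; the page's Error/Warning/Notice/Debug and local7 match these.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITY += [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(msg, fsn=1):
    """Return (severity, facility) for a syslog message, or None.
    PRI = facility * 8 + severity and must be in 0..191.
    fsn=1 gives names (SYSL_FSN=1), fsn=0 gives numbers (SYSL_FSN=0)."""
    m = PRI_RE.match(msg)
    if not m:
        return None          # no <PRI> prefix: not a valid syslog header
    pri = int(m.group(1))
    if pri > 191:
        return None          # out of range: facility would exceed 23
    fac, sev = divmod(pri, 8)
    return (SEVERITY[sev], FACILITY[fac]) if fsn else (sev, fac)

def sev_fac_counts(flow_msgs, fsn=1):
    """Aggregate (flowInd, msg) pairs per flow, modelled on the syslogMCnt and
    syslogSev_Fac_Cnt columns: {flowInd: (distinct pairs, "Sev_Fac_Count;...")}."""
    per_flow = {}
    for flow, msg in flow_msgs:
        pair = decode_pri(msg, fsn)
        if pair is not None:
            per_flow.setdefault(flow, Counter())[pair] += 1
    return {flow: (len(cnt), ";".join(f"{s}_{f}_{n}" for (s, f), n in cnt.items()))
            for flow, cnt in per_flow.items()}

# Constructed sample (flowInd, message), modelled on the l7Content column above.
SAMPLE = [
    (1, "<189>127487: Apr 4 11:25:03: %LINK-5-CHANGED: Interface Async44, changed state"),
    (2, "<189>186456: Apr 4 11:25:03: %LINK-5-CHANGED: Interface Async75, changed state"),
    (4, "<191>1284891: 9w5d: IP-EIGRP: Neighbor 198.209.154.1 not on common subnet"),
    (2, "<187>186457: Apr 4 11:25:08: %LINK-3-UPDOWN: Interface Async75, changed state"),
    (1, "<187>127488: Apr 4 11:25:08: %LINK-3-UPDOWN: Interface Async44, changed state"),
    (2, "<188>186458: Apr 4 11:25:08: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered"),
    (9, "<999>bogus priority value, ignored by decode_pri"),
]

if __name__ == "__main__":
    for flow, (mcnt, col) in sorted(sev_fac_counts(SAMPLE).items()):
        print(flow, mcnt, col)
```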
Run t2 on the pcap again and look at the files.
Have fun analyzing.