duosecurity / duo_log_sync

MIT License

Add program in log #35

Open minikenshin opened 1 year ago

minikenshin commented 1 year ago

Hello team,

Today the log sent looks like this: 2023-04-18T17:21:32+02:00 {"epkey": null, "hostname": null, "ip": "xx.xx.xx.xx", "location": END OF THE JSON.........}

It's not RFC compliant; you must have the machine name and program name after the timestamp and before the message, like this:

2023-04-18T17:21:32+02:00 myserver duo {"epkey": null, "hostname": null, "ip": "xx.xx.xx.xx", END OF THE JSON.........}

Could you please make the change to be compliant? :) Thanks

MarkTripod-Duo commented 11 months ago

Which RFC are you basing the message format compliance against?

minikenshin commented 10 months ago

RFC 5414

In the tcpdump we can see the log sent by your program to the syslog concentrator:

17:36:36.054273 IP (tos 0x0, ttl 64, id 47721, offset 0, flags [DF], proto UDP (17), length 923)
    10.16.2.72.36109 > 10.16.2.14.syslog: [bad udp cksum 0x1c0e -> 0x7cf5!] [|syslog]
        0x0000:  4500 039b ba69 4000 4011 6473 0a10 0248  E....i@.@.ds...H
        0x0010:  0a10 020e 8d0d 0202 0387 1c0e 7b22 6163  ............{"ac
        0x0020:  6365 7373 5f64 6576 6963 6522 3a20 7b22  cess_device":.{"
        0x0030:  6570 6b65 7922 3a20 6e75 6c6c 2c20 2268  epkey":.null,."h
        0x0040:  6f73 746e 616d 6522 3a20 6e75 6c6c 2c20  ostname":.null,.

Here is a log sent by the Linux system (here bash):

17:41:48.021363 IP (tos 0x0, ttl 64, id 17635, offset 0, flags [DF], proto UDP (17), length 123)
    10.16.2.72.34570 > 10.16.2.14.syslog: [bad udp cksum 0x18ee -> 0x4dee!] SYSLOG, length: 95
        Facility local0 (16), Severity info (6)
        Msg: Dec 19 17:41:47 coreauth002 bash[1640285]: (root:) tcpdump -ni ens160 udp port 514 -vv -X
        0x0000:  3c31 3334 3e44 6563 2031 3920 3137 3a34
        0x0010:  313a 3437 2063 6f72 6561 7574 6830 3032
        0x0020:  2062 6173 685b 3136 3430 3238 355d 3a20
        0x0030:  2872 6f6f 743a 2920 7463 7064 756d 7020
        0x0040:  2d6e 6920 656e 7331 3630 2075 6470 2070
        0x0050:  6f72 7420 3531 3420 2d76 7620 2d58 76
        0x0000:  4500 007b 44e3 4000 4011 dd19 0a10 0248  E..{D.@.@......H
        0x0010:  0a10 020e 870a 0202 0067 18ee 3c31 3334  .........g..<134
        0x0020:  3e44 6563 2031 3920 3137 3a34 313a 3437  >Dec.19.17:41:47
        0x0030:  2063 6f72 6561 7574 6830 3032 2062 6173  .coreauth002.bas
        0x0040:  685b 3136 3430 3238 355d 3a20 2872 6f6f  h[1640285]:.(roo

You can see the name and the program at the beginning of the line, as RFC 5414 describes.
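The two captures differ in one structural way: tcpdump decodes the bash datagram as SYSLOG (it starts with the `<134>` PRI, then timestamp, hostname and `bash[pid]:` tag), while the duo_log_sync datagram starts directly with `{"access_device"` and is shown only as `[|syslog]`, because there is no header for tcpdump to parse. The following is an added example, not duo_log_sync's code: it frames a Duo JSON event as a syslog message carrying a hostname and program name in the RFC 5424 header form, and it classifies incoming datagrams as RFC 5424, the older BSD/RFC 3164 form used by the bash line, or bare (no header). The function names (`build_pri`, `rfc5424_frame`, `classify`), the hostname `myserver` and app name `duo` (taken from the first comment's desired output), and the two sample datagrams are assumptions constructed for the example, modelled on the captures in this thread.

```python
"""Added example (not duo_log_sync's code): frame a Duo JSON event as a
syslog message with hostname and program name, and classify captured
datagrams by whether they carry a syslog header at all."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# PRI = facility * 8 + severity. local0 (16) + info (6) = 134, i.e. the
# "<134>" that opens the bash datagram in the capture above.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def build_pri(facility: int, severity: int) -> int:
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def _header_field(value: Optional[str], max_len: int) -> str:
    """RFC 5424 header fields are printable ASCII without spaces; an
    empty or unknown value is sent as the NILVALUE '-'."""
    if not value:
        return "-"
    if len(value) > max_len or any(c <= " " or c > "~" for c in value):
        raise ValueError(f"invalid syslog header field: {value!r}")
    return value


def rfc5424_frame(event: dict, hostname: str, app_name: str,
                  procid: Optional[str] = None, msgid: Optional[str] = None,
                  timestamp: Optional[datetime] = None,
                  facility: int = FACILITY_LOCAL0,
                  severity: int = SEVERITY_INFO) -> bytes:
    """Build '<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID - MSG', with
    the event serialised as compact JSON in MSG."""
    ts = timestamp or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    header = " ".join([
        f"<{build_pri(facility, severity)}>1",
        ts.isoformat(timespec="milliseconds"),
        _header_field(hostname, 255),
        _header_field(app_name, 48),
        _header_field(procid, 128),
        _header_field(msgid, 32),
        "-",  # no structured data
    ])
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return f"{header} {msg}".encode("utf-8")


# Header shapes: RFC 5424 ("<PRI>1 ...") and the BSD/RFC 3164 form used by
# the bash line in the capture ("<PRI>Mmm dd hh:mm:ss host tag[pid]: msg").
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<app_name>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$", re.DOTALL)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<app_name>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$", re.DOTALL)


def classify(datagram: bytes) -> dict:
    """Return parsed header fields plus a 'format' key: 'rfc5424',
    'rfc3164', or 'bare' when the datagram has no syslog header."""
    text = datagram.decode("utf-8", errors="replace")
    for fmt, pattern in (("rfc5424", _RFC5424), ("rfc3164", _RFC3164)):
        m = pattern.match(text)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["format"] = fmt
            fields["pri"] = int(fields["pri"])
            return fields
    return {"format": "bare", "msg": text}


# Constructed samples modelled on the two captures in the thread.
BARE_DUO_DATAGRAM = (b'{"access_device": {"epkey": null, "hostname": null, '
                     b'"ip": "xx.xx.xx.xx"}}')
BASH_DATAGRAM = (b"<134>Dec 19 17:41:47 coreauth002 bash[1640285]: "
                 b"(root:) tcpdump -ni ens160 udp port 514 -vv -X")


def example_frame() -> bytes:
    """Frame the constructed Duo event with the timestamp and the
    hostname/app name from the first comment (assumed values)."""
    ts = datetime(2023, 4, 18, 17, 21, 32, tzinfo=timezone(timedelta(hours=2)))
    return rfc5424_frame(json.loads(BARE_DUO_DATAGRAM), "myserver", "duo", timestamp=ts)


if __name__ == "__main__":
    print(classify(BARE_DUO_DATAGRAM)["format"])
    print(classify(BASH_DATAGRAM))
    print(example_frame().decode())
    print(classify(example_frame())["format"])
```

Run stand-alone, the script classifies the JSON-only datagram as `bare` and the bash line as `rfc3164` with hostname `coreauth002` and program `bash`, then emits the framed Duo event as `<134>1 2023-04-18T17:21:32.000+02:00 myserver duo - - - {...}`. The field checks in `_header_field` matter on the sending side: a hostname or app name containing a space would shift every later header field when the collector splits on whitespace, so it is rejected rather than silently corrupting the frame.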