jensvoid / lorg

Apache Logfile Security Analyzer
GNU General Public License v2.0

Problems with allowed input formats #10

Open valentina9214 opened 7 years ago

valentina9214 commented 7 years ago

Hi @jensvoid, I have an Access Log with these fields: date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes. I inserted an allowed input format in the lorg file: `'namext' => '%{%Y-%m-%d %H:%M:%S}t %h %<u %A %v %m %U \"%r\" %>s %O %I %O %T \"%{User-agent}i\" \"%{Cookie}i\" \"%{Referer}i\" \"%a\" \"%{x-forward-for}i\" \"%{BALANCER_WORKER_IP}e\" %I'`. When I create the HTML output file, I notice that the time is assigned to the client IP. So %{%Y-%m-%d %H:%M:%S}t is considered as a single field and it doesn't separate the 'date' and the 'time' fields. What can I do? Thanks! Valentina

jensvoid commented 7 years ago

Unfortunately, lorg does not understand mod_log_config {format}t style syntax yet.

You may try to simply replace

'namext' => '%{%Y-%m-%d %H:%M:%S}t ...'

with

'namext' => '%t ...'

If that does not work, can you provide an (anonymized) sample line of your access log?

valentina9214 commented 7 years ago

Hi @jensvoid, I tried to insert %t but it doesn't work.

An anonymized sample line of my Access Log can be:

```
# Fields: date time c-ip cs-username s-ip s-sitename cs-method cs-uri cs-uri-stem c-version sc-status sc(Content-Length) sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer) sc(CACHE_STATUS) sc(BALANCER_WORKER_IP) cs(X-Forwarded-For) x-origin-ip rs-bytes

2017-02-28 00:00:06 127.x.x.x public 10.x.x.x sitename.it GET /apache_... "GET /apache_pb.gif HTTP/1.0" 200 2658 8247 705 927 "Mozilla/4.08 [en] (Win98; I ;Nav)" "-" "-" "127.x.x.x" "0" "10.x.x.x:port" 277
```

So, I would expect to use: `'namext' => '%{%Y-%m-%d %H:%M:%S}t %h %<u %A %v %m %U "%r" %>s %O %I %O %T "%{User-agent}i" "%{Cookie}i" "%{Referer}i" "%a" "%{x-forward-for}i" "%{BALANCER_WORKER_IP}e" %B'`

The date 2017-02-28 00:00:06 cannot be changed because it is directly derived from the systems and follows "Zulu time". Is there a method, using lorg, to analyze my access log, respecting the strftime(3) format and without directly changing the log file?

Thanks for helping me. Valentina

jensvoid commented 7 years ago

Short answer: no. lorg cannot parse custom %{format}t timestamps yet. What you can do of course is to simply ignore timestamps and use dummy variables like %v %V instead:

'namext'     => '%v %V %h %u %A %v %m %U \"%r\" %s %O %I %O %T \"%{User-agent}i\" \"%{Cookie}i\" \"%{Referer}i\" \"%a\" \"%{x-forward-for}i\" \"%{BALANCER_WORKER_IP}e\" %B'

...which should list suspicious requests without their timestamps, which you can then manually grep for in the access logs. Sorry, no better solution right now.
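A way to keep the timestamps without touching the original log, as an added example that is not part of this thread or of the lorg project: a streaming filter that folds the leading `date time` pair into Apache's bracketed `%t` form (`[28/Feb/2017:00:00:06 +0000]`), so the filtered copy can be fed to lorg with the format from the reply above, with the `%v %V` dummy placeholders replaced by a single `%t`. It assumes lorg's `%t` parser accepts that standard bracketed timestamp (assumption) and that the log is in UTC, as stated above.

```python
import sys
from datetime import datetime

# Constructed sample line in the layout quoted in this issue: date and time are two
# space-separated UTC fields, followed by the remaining fields.
SAMPLE_LINE = ('2017-02-28 00:00:06 127.x.x.x public 10.x.x.x sitename.it GET /apache_... '
               '"GET /apache_pb.gif HTTP/1.0" 200 2658 8247 705 927 '
               '"Mozilla/4.08 [en] (Win98; I ;Nav)" "-" "-" "127.x.x.x" "0" "10.x.x.x:port" 277')

# Explicit English month names, so the output does not depend on the process locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def rewrite_timestamp(line: str) -> str:
    """Turn 'YYYY-MM-DD HH:MM:SS rest...' into '[DD/Mon/YYYY:HH:MM:SS +0000] rest...'.

    Lines that do not begin with such a pair (e.g. the '# Fields:' header or a
    truncated line) are returned unchanged, so nothing from the log is dropped
    silently and the line count of input and output stays identical.
    """
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return line
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return line
    # The log is stated to be in Zulu time, hence the fixed +0000 offset.
    apache_ts = f"[{ts.day:02d}/{MONTHS[ts.month - 1]}/{ts.year}:{ts:%H:%M:%S} +0000]"
    return f"{apache_ts} {parts[2]}"


def main() -> None:
    # Usage (hypothetical file names): python3 rewrite_ts.py < access.log > access_t.log
    # The original access.log is only read, never modified.
    for raw in sys.stdin:
        print(rewrite_timestamp(raw.rstrip("\n")))


if __name__ == "__main__":
    main()
```

The rewritten copy is then analysed with `'namext' => '%t %h %u %A %v %m %U \"%r\" %s %O %I %O %T \"%{User-agent}i\" \"%{Cookie}i\" \"%{Referer}i\" \"%a\" \"%{x-forward-for}i\" \"%{BALANCER_WORKER_IP}e\" %B'`, i.e. the workaround format with its first two placeholders merged into `%t`.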