thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

syslog utc timestamp data fields #258

Closed wr-sit closed 1 year ago

wr-sit commented 1 year ago

Hi team,

when I turn on logging to file and to syslog I see the following:

opencanary.log: {"dst_host": "172.26.0.2", "dst_port": 22, "honeycred": false, "local_time": "2023-06-28 15:51:47.199237", "local_time_adjusted": "2023-06-28 15:51:47.199255", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "ideoteeee", "REMOTEVERSION": "SSH-2.0-OpenSSH_for_Windows_8.1", "USERNAME": "remotepenetrator"}, "logtype": 4002, "node_id": "opencanary-01", "src_host": "10.10.88.61", "src_port": 1906, "utc_time": "2023-06-28 15:51:47.199250"}

syslog message: <12>opencanaryd[9 :140261098514240]: opencanary-01 WARNING {"dst_host": "172.26.0.2", "dst_port": 22, "honeycred": false, "local_time": "2023-06-28 15:51:47.199237", "local_time_adjusted": "2023-06-28 15:51:47.199255", "logdata": {"LOCALVERSION": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "PASSWORD": "ideoteeee", "REMOTEVERSION": "SSH-2.0-OpenSSH_for_Windows_8.1", "USERNAME": "remotepenetrator"}, "logtype": 4002, "node_id": "opencanary-01", "src_host": "10.10.88.61", "src_port": 1906, "utc_time": "2023-06-28 15:51:47.199250"}

Config file (logger part):

"logger": {
    "class": "PyLogger",
    "kwargs": {
        "formatters": {
            "plain": {
                "format": "%(message)s"
            },
            "syslog_rfc": {
                "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
            }
        },
        "handlers": {
            "console": {
                "class": "logging.StreamHandler",
                "stream": "ext://sys.stdout"
            },
            "file": {
                "class": "logging.FileHandler",
                "filename": "/var/tmp/opencanary.log"
            },
            "syslog-unix": {
                "class": "logging.handlers.SysLogHandler",
                "formatter": "syslog_rfc",
                "address": [
                    "syslog.lab.local",
                    514
                ],
                "socktype": "ext://socket.SOCK_DGRAM"
            }
        }
    }
},

Can you tell why there are 3 data fields containing a utc timestamp? Is it possible to change this behavior? In the config docs the syslog rfc is mentioned; can you tell me which rfc you used?

We have provided you with two different formatters. One is the plain message with incident information; the other is the Syslog RFC format. We have already added it to the syslog-unix handler for your convenience. Source: https://opencanary.readthedocs.io/en/latest/starting/configuration.html#

Many thanks!

quinn-thinkst commented 1 year ago

Hi @wr-sit,

Thanks for writing in!

Can you tell why there are 3 data fields containing a utc timestamp? Is it possible to change this behavior?

As you point out, there is some data redundancy here. The utc_time and local_time fields are equivalent for historical reasons (they were initially intended to be different, but due to a bug were both outputting UTC timestamps). In order to keep up compatibility for folks that had built around these outputs, both fields were left as they were and the third field, local_time_adjusted was added.

This field returns a localized timestamp matching the time zone of the system running the OpenCanary code. If the system time is set to UTC, you'll end up with matching timestamps in the output. At this time the behaviour can't be changed.

In the config docs the syslog rfc is mentioned, can you tell me which rfc you used?

The syslog output is built following the RFC5424 specification, as implemented by Python's logging.handlers.SysLogHandler class.

Please do let me know if this sufficiently covers your question or if there's anything else I can help you with.
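For anyone ingesting these events on the collector side, the following is an added example (not OpenCanary code and not part of this thread) that splits a line produced by the `syslog_rfc` formatter above into its syslog header and JSON event, keys on `utc_time` as the authoritative timestamp, and checks whether `local_time_adjusted` agrees with it, which tells you whether the sensor host runs on UTC. The sample line and the parser are constructed here for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the line the issue's "syslog_rfc" formatter
# ("opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s")
# emits once SysLogHandler prepends the <PRI> value.
SAMPLE_LINE = (
    '<12>opencanaryd[9    :140261098514240]: opencanary-01 WARNING '
    '{"dst_host": "172.26.0.2", "dst_port": 22, "honeycred": false, '
    '"local_time": "2023-06-28 15:51:47.199237", '
    '"local_time_adjusted": "2023-06-28 15:51:47.199255", '
    '"logdata": {"USERNAME": "remotepenetrator", "PASSWORD": "ideoteeee"}, '
    '"logtype": 4002, "node_id": "opencanary-01", "src_host": "10.10.88.61", '
    '"src_port": 1906, "utc_time": "2023-06-28 15:51:47.199250"}'
)
# Hypothetical parser for that prefix layout; not part of OpenCanary itself.
PREFIX_RE = re.compile(
    r"^<(?P<pri>\d+)>opencanaryd\[(?P<pid>\d+)\s*:(?P<tid>\d+)\]: "
    r"(?P<node>\S+)\s+(?P<level>[A-Z]+)\s+(?P<payload>\{.*\})$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_line(line):
    """Split the syslog header from the JSON event; PRI = facility*8 + severity."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        raise ValueError("not an opencanaryd syslog line")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,  # <12> -> user (1)
        "severity": pri % 8,   # <12> -> warning (4)
        "pid": int(m.group("pid")),
        "node": m.group("node"),
        "event": json.loads(m.group("payload")),
    }


def event_time_utc(event):
    """utc_time is the field to key on: local_time duplicates it (see the reply)."""
    return datetime.strptime(event["utc_time"], TS_FMT).replace(tzinfo=timezone.utc)


def host_clock_is_utc(event, tolerance_s=1.0):
    """True when local_time_adjusted matches utc_time, i.e. the sensor runs on UTC.
    The two are stamped microseconds apart, so compare within a tolerance."""
    adjusted = datetime.strptime(event["local_time_adjusted"], TS_FMT)
    delta = adjusted - datetime.strptime(event["utc_time"], TS_FMT)
    return abs(delta.total_seconds()) < tolerance_s
```

A sensor in a non-UTC zone shows up as `host_clock_is_utc` returning False while `event_time_utc` still yields the correct instant, so normalise on `utc_time` rather than on either local field.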