Hi,

first let me thank Hannes for releasing aide 0.18 which makes it
possible to handle logs in a way that avoids false reports while still
providing some security for the logs. I really appreciate that.

The aide.conf(5) manual page has grown a number of examples to handle a
normal log that gets rotated like this:

logname => daemon writes to it
logname.1 => rotated log first generation
logname.2.gz => rotated log compressed to next generation
logname.x.gz => logs being rotated until the number of rotations is reached
logname.xmax.gz => file vanishes after rotation

On my test systems this is working reasonably well. Now on to more
challenging things.

On my webservers, there is an anonymizing step included where a filter
resets the low bits of the IP address to de-personalize the data.
Additionally, some web server logs can go for days without a single
entry. This is done with the following logrotate configuration:

/var/log/apache/access.log {
    missingok
    daily
    rotate 14
    compress
    compresscmd /usr/local/bin/compress-and-anonymize-log
    compressext .gz
    delaycompress
    create 640 root adm
    sharedscripts
    postrotate
        <systemctl reload apache2, scaffolding see Debian package>
        for file in $1; do printf "::1 - - log %s was rotated on %s\n" \
            "${file}" "$(date +"%Y-%m-%d %H:%M:%S")" > "${file}"; done
    endscript
}

Let's give a short explanation for the less obvious parts of the
configuration. /usr/local/bin/compress-and-anonymize-log is a shell
script that basically is

python3 /usr/local/bin/anonip.py --ipv4mask 8 --ipv6mask 72 \
    --column 1 --replace 0.0.0.0 | gzip -9

So when logrotate works, apache.log.1 is first passed through anonip.py
(which is from https://github.com/DigitaleGesellschaft/Anonip.git), then
compressed with gzip -9 and finally written to apache.log.2.gz. All
other log rotation generations are handled identically to the normal
case. However, since the contents of the file are changed during the
anonymizing process, aide's "compressed" file attribute cannot do its
work.

Another necessary trick is the forced generation of a first log line
with valid timestamp in the postrotate script. This is necessary for
a server that may go without a single log entry between two rotations
(such as for error.log or some fallback catch-all log files) to force
all generations of the log to be different. Aide's "ignored change
filename" attribute will choke on a row of identical, empty files.

Here is my suggestion to handle this kind of log rotation:

Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H
/var/log/apache$ d p+u+g+ftype+n+i+X
/var/log/apache/access\\.log$ f Full+growing+ANF+I
/var/log/apache/access\\.log\\.1$ f Full+ARF
/var/log/apache/access\\.log\\.2\\.gz$ f Full+I+ANF
/var/log/apache/access\\.log\\.([3-9]|1[0-3])\\.gz$ f Full+I
/var/log/apache/access\\.log\\.14\\.gz$ f Full+ARF

This seems to work reasonably well for a few days, but I am not fully
sure whether those rules can be improved. May I ask for your comments?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
_______________________________________________
Aide mailing list
Aide@ipi.fi
https://www.ipi.fi/mailman/listinfo/aide
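As an added example (not part of Marc's post, and not code from anonip or AIDE), here is a small Python model of the two tricks the post relies on: the anonymizing step that zeroes the low 8 bits of IPv4 and the low 72 bits of IPv6 addresses in the first column, and the forced "was rotated on" stamp that keeps otherwise empty generations from hashing identically. The masking semantics are assumed from anonip's documented flags (`--ipv4mask`, `--ipv6mask`, `--column`, `--replace`), not copied from it; the log lines are constructed, and `generations_distinct` is a hypothetical check that stands in for what AIDE would see when it compares hashes of successive rotations.

```python
import hashlib
import ipaddress
from datetime import datetime

# Constructed sample: three access-log lines as a web server might write them
# (one IPv4 client, one IPv6 client, one garbage first column).
SAMPLE_LOG = [
    '192.0.2.77 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/Oct/2023:13:55:37 +0000] "GET /x HTTP/1.1" 404 196',
    'not-an-ip - - [10/Oct/2023:13:55:38 +0000] "GET /y HTTP/1.1" 200 12',
]


def mask_ip(addr, ipv4mask=8, ipv6mask=72, replace="0.0.0.0"):
    """Zero the low `ipv4mask` / `ipv6mask` bits of one address.

    Assumed semantics of anonip's --ipv4mask/--ipv6mask (low bits cleared),
    not anonip's own code.  A column that is not an IP address at all is
    replaced wholesale, like --replace.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return replace
    bits = ipv4mask if ip.version == 4 else ipv6mask
    prefix = ip.max_prefixlen - bits
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_line(line, column=1, **mask_args):
    """Apply mask_ip to one space-separated column (1-based, like --column 1)."""
    parts = line.rstrip("\n").split(" ")
    parts[column - 1] = mask_ip(parts[column - 1], **mask_args)
    return " ".join(parts)


def rotation_stamp(filename, when):
    """The line the postrotate script plants in the freshly created log so
    that a generation with no real entries still differs from its neighbours."""
    return f"::1 - - log {filename} was rotated on {when:%Y-%m-%d %H:%M:%S}"


def generations_distinct(contents):
    """True if no two rotated generations hash to the same digest, which is
    what a rule relying on 'ignored change filename' handling needs to hold.
    Hypothetical check; AIDE itself compares the hashes it records."""
    digests = [hashlib.sha256(c.encode()).hexdigest() for c in contents]
    return len(set(digests)) == len(digests)


def demo():
    """Run the anonymizer over the sample and compare an idle log with and
    without the forced stamp over three daily rotations."""
    anonymized = [anonymize_line(line) for line in SAMPLE_LOG]
    empty_days = ["", "", ""]  # a quiet error.log, rotated three times
    stamped_days = [
        rotation_stamp("/var/log/apache/error.log", datetime(2023, 10, day, 6, 25, 1))
        for day in (10, 11, 12)
    ]
    return anonymized, generations_distinct(empty_days), generations_distinct(stamped_days)


if __name__ == "__main__":
    lines, empty_ok, stamped_ok = demo()
    for line in lines:
        print(line)
    print("empty generations distinct:", empty_ok)
    print("stamped generations distinct:", stamped_ok)
```

Note that the stamp line itself passes through the anonymizer on the next rotation, so `::1` becomes `::` in the compressed generations; the timestamp is what keeps them distinct, not the address.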