logsentinel-agent

Client-side agent that watches files, directories and databases for changes and forwards the resulting audit entries to the LogSentinel API.

Running:

java -jar logsentinel-agent-{version}.jar --spring.config.location=/var/conf/logsentinel-agent.yaml

The path given in --spring.config.location is the YAML configuration file. The API credentials (applicationId, organizationId, secret) must be specified there, as well as the details of the watched resources (files, directories, databases). Because this file holds the API secret, the keystore password and any database credentials in plain text, keep it readable only by the account the agent runs under (for example, chmod 600 on Linux).

Multiple target types can be specified in one configuration, e.g.

targetTypes:
    - RELATIONAL_DATABASE
    - ACCESS_LOG

The following properties must be supplied in the YAML configuration file for each watch type (the key names follow the sample configuration below):

  • FILE, DATABASE_LOG, ACCESS_LOG - watchIntervalMillis and watchFilePaths (a YAML list of files to watch)
  • ACCESS_LOG - additionally accessLogFormat and accessLogIgnoredPaths (a YAML list of request paths whose entries are not forwarded)
  • DIRECTORY - watchDirPath
  • MSSQL_AUDIT_LOG - mssqlLogsPath, jdbcConnectionString, jdbcUsername, jdbcPassword (see MS_SQL_README.md)
  • LINUX_AUDIT_LOG - extends the FILE watch type, so the same properties must be configured. It applies only to Linux. watchFilePaths should point to the Linux audit log, which by default is /var/log/audit/audit.log. From each record the uid field is sent as the Actor Id and the type field as the Action type; all other key=value elements of the record are sent as key-value pairs. Note that auditd writes this file readable by root only, so the agent must either run as root or be granted read access to it.
  • RELATIONAL_DATABASE - jdbcConnectionString, jdbcUsername and jdbcPassword for the connection, and watchSqlQueries, a list of queries executed to fetch new entries. The last clause of each query must be FROM or WHERE, because the agent appends the condition 'where criteriaColumn > ?' to fetch only entries inserted after the last run; if you need a more complex query (GROUP BY, ORDER BY, joins with trailing clauses), wrap it as a subquery: select * from (...). Use a monotonically increasing criteriaColumn (an auto-increment id or an insert timestamp): rows that later arrive with a value equal to or lower than the last one seen are never fetched. Each list entry is a nested structure with the query (sql), criteriaColumn and the columns that are mapped to entry metadata: actorDisplayNameColumn, actorIdColumns (comma separated), actionColumn, entityIdColumn, entityTypeColumn
  • WINDOWS_EVENT_LOG - sourceTypes (list of event logs: Application, Security, etc.), sources (optional filter for included sources) and excludedSources (optional filter for excluded sources)
  • AXON_DB - trackingToken, action, batchEnabled and batchInterval (see the axonDBAgent section of the sample below)
  • ALL of the above - sendLogsRate, keystorePath, keystorePassword and keystoreAlias
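
The following is an added illustration, not code from logsentinel-agent, of the mapping described above for LINUX_AUDIT_LOG: each audit record is split into key=value fields, uid becomes the actor id, type becomes the action, and everything else is kept as key-value pairs. The sample records are constructed for the example; the function names, the flattening of the nested msg='...' payload and the event_id helper are choices made here, not the agent's.

```python
"""Turn Linux audit records into actor/action/key-value entries.

Added example for the LINUX_AUDIT_LOG watch type described above; it is not
the agent's own parser. The records below are constructed for the example
(the format is the one auditd writes to /var/log/audit/audit.log).
"""
import re
import shlex

SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1525423002.222:345): pid=1201 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=SYSCALL msg=audit(1525423010.101:346): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c items=1 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="watch-shadow"
type=PATH msg=audit(1525423010.101:346): item=0 name="/etc/shadow" inode=1311 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

# msg=audit(<epoch seconds>:<serial>): identifies the event a record belongs to.
AUDIT_MSG = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?$")


def parse_audit_record(line: str) -> dict:
    """Split one audit record into a key -> value dict.

    shlex.split handles the quoted values (exe="/usr/bin/cat",
    msg='op=login ...'). The inner msg='...' payload of USER_* records is
    flattened into the same dict so that op, addr, res, ... are available
    as key-value pairs as well (a choice made for this example).
    """
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep:
            continue
        if key == "msg" and not value.startswith("audit("):
            fields.update(parse_audit_record(value))
        else:
            fields[key] = value
    return fields


def event_id(fields: dict):
    """(timestamp, serial) of the record, shared by all records of one event."""
    m = AUDIT_MSG.match(fields.get("msg", ""))
    return (float(m["ts"]), int(m["serial"])) if m else None


def to_entry(fields: dict) -> dict:
    """Map a parsed record to the layout described in the README:
    uid -> actorId, type -> action, every other field -> key-value details."""
    details = {k: v for k, v in fields.items() if k not in ("uid", "type")}
    return {
        "actorId": fields.get("uid"),   # None for records without uid (PATH, CWD, ...)
        "action": fields.get("type"),
        "details": details,
    }


def entries_from_log(text: str) -> list:
    """Parse every non-empty line of an audit log excerpt."""
    return [to_entry(parse_audit_record(line))
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for entry in entries_from_log(SAMPLE_AUDIT_LOG):
        print(entry["actorId"], entry["action"], sorted(entry["details"]))
```

Records such as PATH carry no uid, so their actor id is empty; they belong to the same event as the preceding SYSCALL record, which event_id() exposes via the shared audit(timestamp:serial) value, and a consumer that needs the actor for such records has to join them on that id.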

Below is a sample YAML configuration file:

applicationId: ba2f0680-5424-11e8-b88d-6f2c1b6625e8
organizationId: ba2cbc90-5424-11e8-b88d-6f2c1b6625e8
secret: d8b63c3d82a6deb56b005a3b8617bf376b6aa6c181021abd0d37e5c5ac9911a1

# BUSINESS_LOGIC_ENTRY, DATABASE_QUERY, SYSTEM_EVENT
entryType: BUSINESS_LOGIC_ENTRY

# FILE, RELATIONAL_DATABASE, DATABASE_LOG, DIRECTORY, ACCESS_LOG, MSSQL_AUDIT_LOG, LINUX_AUDIT_LOG, AXON_DB, WINDOWS_EVENT_LOG
targetTypes:
  - FILE
  - WINDOWS_EVENT_LOG
  - DIRECTORY
  - RELATIONAL_DATABASE

logsentinelBaseUrl: https://api.logsentinel.com

keystorePath: path
keystorePassword: pass
keystoreAlias: alias

includeMacAddress: false
includeLocalIp: false
timestampInitialUseCurrent: true

fileAgent:
  watchIntervalMillis: 30000
  watchFilePaths:
    - /var/logs/system.log
  sendLogsRate: 30000

accessLogFileAgent:
  accessLogFormat: format
  accessLogIgnoredPaths:
    - path1
    - path2

directoryAgent:
  watchDirPath: /var/logs
  sendLogsRate: 30000

databaseAgent:
  jdbcConnectionString: jdbc:mysql://192.168.1.101/db
  jdbcUsername: root
  jdbcPassword: pass
  sendLogsRate: 30000
  watchSqlQueries:
    - sql: select * from logs
      criteriaColumn: timestamp
      actorDisplayNameColumn: actorDisplayName
      actorIdColumns: actorId #comma separated
      actionColumn: action
      entityIdColumn: entityId
      entityTypeColumn: entityType
      entityTypeValue: entityType
      actionValue: action
    - sql: select * from events
      criteriaColumn: timestamp2
      actorDisplayNameColumn: actorDisplayName2
      actorIdColumns: actorId2 #comma separated
      actionColumn: action2
      entityIdColumn: entityId2
      entityTypeColumn: entityType2
      entityTypeValue: entityType2
      actionValue: action2

windowsEventLogAgent:
  sourceTypes:
    - Application
    - Security
  sources:
  excludedSources:

axonDBAgent:
  trackingToken: 0
  action: LOG_AXON
  batchEnabled: false
  batchInterval: 10000
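
As an added illustration (not logsentinel-agent code) of what the databaseAgent section above does at run time, the example below takes the first watchSqlQueries entry of the sample, appends the incremental condition on criteriaColumn, polls a constructed SQLite table twice and maps each row through the configured *Column names. The WHERE/AND joining, the handling of a wrapped subquery, the ',' used to join several actorIdColumns and the function names are assumptions made for this example; the agent's actual implementation may differ.

```python
"""Incremental fetch for a RELATIONAL_DATABASE watch, as described above.

Added example, not the agent's own code. It shows why the README requires
the query to end in FROM or WHERE: the agent appends 'criteriaColumn > ?'
bound to the highest value seen on the previous run, so only rows inserted
since then are returned. SQLite stands in for the JDBC database here.
"""
import re
import sqlite3

# Mirrors the first watchSqlQueries entry of the sample configuration.
WATCH = {
    "sql": "select * from logs",
    "criteriaColumn": "timestamp",
    "actorDisplayNameColumn": "actorDisplayName",
    "actorIdColumns": "actorId",   # comma separated
    "actionColumn": "action",
    "entityIdColumn": "entityId",
    "entityTypeColumn": "entityType",
}


def _top_level(sql: str) -> str:
    """Blank out parenthesised subqueries so only the outer clauses remain."""
    prev = None
    while prev != sql:
        prev, sql = sql, re.sub(r"\([^()]*\)", "()", sql)
    return sql


def with_criteria(sql: str, criteria_column: str) -> str:
    """Append the incremental condition. If the outer query already ends in a
    WHERE clause the condition is joined with 'and', otherwise a 'where' is
    added (assumption for the example; the README only states the condition)."""
    joiner = "and" if re.search(r"\bwhere\b", _top_level(sql), re.IGNORECASE) else "where"
    return f"{sql} {joiner} {criteria_column} > ?"


def map_row(row: dict, watch: dict) -> dict:
    """Pick the configured metadata columns out of a row; all remaining
    columns travel as key-value details. Several actorIdColumns are joined
    with ',' (join character chosen for this example)."""
    id_cols = [c.strip() for c in watch["actorIdColumns"].split(",")]
    mapped = set(id_cols) | {watch[k] for k in (
        "actorDisplayNameColumn", "actionColumn", "entityIdColumn", "entityTypeColumn")}
    return {
        "actorId": ",".join(str(row[c]) for c in id_cols),
        "actorDisplayName": row[watch["actorDisplayNameColumn"]],
        "action": row[watch["actionColumn"]],
        "entityId": row[watch["entityIdColumn"]],
        "entityType": row[watch["entityTypeColumn"]],
        "details": {k: v for k, v in row.items() if k not in mapped},
    }


def fetch_new_rows(conn, watch: dict, last_seen):
    """Return (entries, new_last_seen) for rows with criteriaColumn > last_seen.

    Only strictly greater values are fetched, so criteriaColumn must increase
    monotonically; a row committed later with an equal or lower value is
    skipped for good, which makes an auto-increment id safer than a timestamp."""
    conn.row_factory = sqlite3.Row
    rows = conn.execute(with_criteria(watch["sql"], watch["criteriaColumn"]),
                        (last_seen,)).fetchall()
    entries = [map_row(dict(r), watch) for r in rows]
    if rows:
        last_seen = max(r[watch["criteriaColumn"]] for r in rows)
    return entries, last_seen


def demo():
    """Poll a constructed 'logs' table twice; the second poll returns only
    the row inserted in between."""
    conn = sqlite3.connect(":memory:")
    conn.execute('create table logs ("timestamp" integer, actorId text, '
                 'actorDisplayName text, "action" text, entityId text, entityType text)')
    conn.executemany("insert into logs values (?,?,?,?,?,?)", [
        (1000, "u1", "Alice", "UPDATE", "42", "INVOICE"),   # constructed data
        (1005, "u2", "Bob", "DELETE", "43", "INVOICE"),
    ])
    first, last = fetch_new_rows(conn, WATCH, 0)
    conn.execute("insert into logs values (?,?,?,?,?,?)",
                 (1010, "u1", "Alice", "VIEW", "44", "INVOICE"))
    second, last = fetch_new_rows(conn, WATCH, last)
    return first, second, last


if __name__ == "__main__":
    first, second, last = demo()
    print(len(first), "rows on first poll,", len(second), "on second; last seen", last)
```

The subquery handling is what the README's "select * from (...)" advice relies on: a query such as select * from (select * from events where id > 5 order by id) t ends in FROM at the top level, so the condition is added with 'where' even though the inner query contains one.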