ironsyslog is a highly experimental integration of diverse Log-Messages Systems into a MAP-Infrastructure. The integration aims to share security related informations, given by many systems, with other network components in the TNC architecture via IF-MAP. ironsyslog was developed within the SIMU research project.
Java Other
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
src
.checkstyle
.gitignore
CHANGELOG.txt
NOTICE.txt
README.md
pom.xml

README.md

ironsyslog

ironsyslog is a highly experimental integration of diverse Log-Messages Systems into a MAP-Infrastructure. The integration aims to share security related informations, given by many systems, with other network components in the [TNC architecture] 1 via IF-MAP.

ironsyslog consists of three components:

  • The "syslog server" - gets the information from the logging clients (they need to be configured to use this syslog server as the - where necessary additional - logging point)

  • An Event Processing Engine processes the different log messages as a handler for syslog events and fetches the latest information.

  • The Publisher consumes the high-level events, where the information are transformed into IF-MAP Metadata and published to a MAP server.

    The metadata that ironsyslog publishes depends on the mapping defined by the rules in the event processing step.

The binary package (ironsyslog-x.x.x-bundle.zip) of ironsyslog is ready to run, all you need is to configure it to your needs. If you like to build ironsyslog by your own you can use the latest code from the GitHub repository.

Requirements

To use the binary package of ironsyslog you need the following components:

  • OpenJDK Version 1.7 or higher
  • MAP server implementation (e.g. [irond] 3)
  • Clients logging toward the syslog server
  • optionally ironGui to see whats going on

To build and comile source code by yourself Maven 3 is also needed.

Configuration

To setup the binary package you need to import the ironsyslog and MAP server certificates into ironsyslog.jks. If you want to use ironsyslog with irond the keystores of both are configured with ready-to-use testing certificates.

The remaining configuration parameters can be done through the ironsyslog.properties file in the ironsyslog package. In general you have to specify:

  • the syslog server ip, port and protocol where ironsyslog is supposed to be listening on,
  • the MAP-Server URL and credentials.

Secondly you have to setup the rules:

  • Some example rules are provided in the rules folder.
  • Configure the enabled rules in the config.yml

For example here is a rule to extract the information if a dhcpcd event (ip-mac assertions):

rule "dhcpd DHCPACK"
when
	$ise:IronSyslogServerEvent(message.contains("dhcpd"), message.contains("DHCPACK"))
then
	debug("Rule \"" + drools.getRule().getName() + "\" fired.");
	String message = $ise.getMessage();
	Pattern p = Pattern.compile("dhcpd: DHCPACK on (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) to (..:..:..:..:..:..) via (.*)");
	Matcher m = p.matcher(message);
	if (m.find()) {
		String networkInterface = m.group(3);
		String ipAddress = m.group(1);
		String macAddress = m.group(2);
		insert ( new DhcpAckEvent(ipAddress, macAddress, $ise.getHost(), networkInterface) );
	}
end

The according configuration file:

 # All rule files have to end with the ".drl" extension and follow the following folder structure:
\# - rules/drools/
\#   - service/ : Syslog service rule for event transformation
\#   - publish/ : ifmap rule for event publishing
\#   - other/* : all remaining rules
\# Inside the "other" folder an arbitrary folder structure can be used
\# Services in the service/ folder to be included
serviceInclude:
  - dnsmasq-dhcp
\# Publish rules in the publish/ folder to be excluded
publishExclude:

Building

You can build ironsyslog by executing:

$ mvn package

in the root directory of the ironsyslog project. Maven should download all further needed dependencies for you. After a successful build you should find the ironsyslog-x.x.x-bundle.zip in the target sub-directory.

Running

To run the binary package of ironsyslog simply execute:

$ ./start.sh

Feedback

If you have any questions, problems or comments, please contact trust@f4-i.fh-hannover.de

LICENSE

ironsyslog is licensed under the [Apache License, Version 2.0] 4.

Note

ironsyslog is an experimental prototype and is not suitable for actual use.

Feel free to fork/contribute.