Loading...
 
Skip to main content

Watcher modules

 Error
Unable to retrieve information for structure id "4020"
 


Overview

Watcher modules are processes that run autonomously if once started - usualy by the Watcher master when it is started as a 'one-shot' service.

 

Installing a module

Modules reside in a sub directory 'modules/' of the Watcher $MASTER_PATH

Watcher revision 1.3 comes as a 'complete package' and modules are included in the package: i.e. there is no need to install modules separately as it was in revision 1.2
 

Configure the module

After unpacking the delivery file you should scan the .conf file and change variables to values that fit your situation.

 

Configure the system logger

For the 'realtime intrusion detection' feature the system logger needs to be configured to match the "PIPE=" value from the .conf file.

Depending on the system logger that your system is using ('rsyslog' or 'syslog-ng' you have to configure the /etc/rsyslog.conf or /etc/syslog-ng/syslog-ng.conf file appropriately

Example: /etc/rsyslog.conf (Debian, Ubuntu,...)
Copy to clipboard
... auth,authpriv.* /var/log/auth.log |/var/log/.pipes/WatchLG ... mail.* -/var/log/mail.log |/var/log/.pipes/WatchMX

 

Example: /etc/syslog-ng/syslog-ng.conf (RHEL style)
Copy to clipboard
... destination d_auth { file("/var/log/secure"); pipe("/var/log/.pipes/WatchLG"); }; destination d_mail { file("/var/log/maillog"); pipe("/var/log/.pipes/WatchMX"); }; ...

 

For the WEB module (WatchWB) the system logger uses one of the spare 'localX' facilities. For Watcher the 'local2' facility was chosen. Since the WEB server writes it own log files the Watcher WEB module only needs a FIFO (named pipe) to feed the module.

Example: /etc/rsyslog.conf - WEB module
Copy to clipboard
Add this line to your /etc/rsyslog.conf ... local2.* |/var/log/.pipes/WatchWB ...

As an alternative you may create a file /etc/rsyslog.d/apache2.conf and put above configuration line into this file.

Example: /etc/syslog-ng/syslog-ng.conf - WEB Module
Copy to clipboard
To be done ...

 

Configure logrotate

Log files grow with time and should be subject of 'logrotate' so that old logs are expired and replaced by new and empty log files.

The Watcher master only writes to the standard facility of the system and the system logger writes these log to standard log file (/var/log/messages and others) which is already treated by the system; i.e. you don't have to care for this. The same applies for the logging of the dynloaders in Watcher, as these are treated as part of the Watcher master.

But the modules -as being autonomous- write their log and trace files to autonomous places and so need a separate 'logrotate file' in '/etc/logrotate.d/...' .

Create a separate logrotate file (e.g. with name 'Watcher')  in /etc/logrotate.d

  • The 'log' files are written to a common place defined by $LOG_DIR (in $MASTER_PATH/common.conf; default: /var/log)
  • The 'trace' file go into the module path so that they are at hand when viewing them; e.g. when testing/debugging rules.

 

Example: /etc/logrotate.d/Watcher
Copy to clipboard
# # Module log files ... # /var/log/Watch??.log { monthly } # # Module trace files ... in $MASTER_PATH #|..MASTER_PATH..| #vvvvvvvvvvvvvvvvv /root/bin/Watcher/modules/Watch??/Watch??.trace { weekly }