长期以来,大家在收集华为交换机日志是往往通过syslog协议转发的方式,将华为交换机日志转发到日志收集器上,简单存储,但这样并没有将日志标准化,也就是OSSIM中对日志的归一化处理,在《开源安全运维平台-OSSIM最佳实践》一书的第七章专门讲解了日志收集与插件的自定义,本文将继续本书内容,为大家分享华为交换机插件,根据书中讲解,我们在OSSIM Agent插件目录中建立插件名称,huawei.cfg,编写插件大致格式可按书里面内容编写,不过还需要注意插件的导入过程,下面举个华为插件的实际例子。
[DEFAULT]
plugin_id=1728
[config]
type=detector
enable=yes
source=log
location=/var/log/huawei.log
create_file=yes
process=
start=no
stop=no
startup=
shutdown=
[translation]
SESSION_TEARDOWN=1
BOTNET=2
DETECT=3
CMDRECORD=4
DISPLAY_CMDRECORD=5
LOAD_OK=6
UPDATESUCCESS=7
LOAD_FAIL=8
PASS=9
OUT=10
TRAPLOG=11
LOGIN_SUCCED=9
LOGIN_SUCCEED=9
FIREWALLATCK=12
USER_ACCESSRESULT=13
USER_OFFLINERESULT=14
DATASYNC_CFGCHANGE=15
CMDCONFIRM_UNIFORMRECORD=16
SAVE=17
STREAM=18
LOGIN=9
LOADSUCC=19
LINK_STATE=20
STATUSUP=21
IF_ENABLE=22
ONLINESUCC=23
HOT_INSERT=24
BOARD_ENABLE=25
CMDCONFIRM_UNIFORMRECORD=26
ACTIVATION=27
DEV_REG=28
GETSERVERR=29
VIRUS=30
BOARD_ABSENT=31
REMOVABLE=32
REBOOT=33
WARMSTART=34
NLOGINIT=35
TRAP=11
RECOVERSUCCESS=37
UPDATE_SUCCESS=38
ENGINE_OK=39
这里是正则表达式的例子,需要有一定基础哦
[0001 - Huawei]
event_type=event
precheck="Application"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:\s+(?P.*?)\(.*?Policy="(?P[^"]*)",\s+SrcIp=(?P[^,]*),\s+DstIp=(?P[^,]*),\s+SrcPort=(?P[^,]*),\s+DstPort=(?P[^,]*),\s+SrcZone=(?P[^,]*),\s+DstZone=(?P[^,]*),\s+User="(?P[^"]*)",\s+Protocol=(?P[^,]*),\s+Application="(?P[^,]*)",\s+Profile="(?P[^"]*)",\s+.*?(?:SignName|VirusName)="(?P[^"]*)",\s(?:DetectionType="(?P[^,]*)",)?.*?Action=(?P[^\)]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
protocol={$proto}
src_ip={$src_ip}
dst_ip={$dst_ip}
src_port={$src_port}
dst_port={$dst_port}
username={$user}
userdata1={$description}
userdata2={translate($severity)}
userdata3={$policy}
userdata4={$action}
userdata5={$det_type}
userdata6={$profile}
userdata7={$sig_name}
userdata8={$app}
userdata9={$dst_zone}
[0002 - Huawei Attack]
event_type=event
precheck="AttackType"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?P\S+)\/(?P\d)\/(?P[^\(]*).*?AttackType="(?P[^"]*)",\s+.*?interface="(?P[^"]*)",\s+proto="(?P[^"]*)",\s+src="(?P[^:]*):(?P\d+)\s+",\s+dst="(?P[^:]*):(?P\d+)\s+",\s+begin\s+time="(?P[^"]*)",\s+end\s+time="(?P[^"]*)",\s+total\s+packets="(?P[^"]*)",\s+max\s+speed="(?P[^"]*)",\s+User="(?P[^"]*)",\s+Action="(?P[^"]*)""
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($src_ip)}
dst_ip={resolv($dst_ip)}
src_port={$src_port}
dst_port={$dst_port}
username={$user}
protocol={$proto}
userdata1={$action}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$begin_time}
userdata5={$end_time}
userdata6={$total_pkt}
userdata7={$speed}
userdata8={$interface}
userdata9={$attack}
[0003 - Huawei]
event_type=event
precheck="SourceVpnID"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?:\d{4}-\d{2}-\d{2}\s+\d+\d+:\d+:\d+)\s+(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\):IPVer=(?P[^,]*),Protocol=(?P[^,]*),SourceIP=(?P[^,]*),DestinationIP=(?P[^,]*),SourcePort=(?P[^,]*),DestinationPort=(?P[^,]*),BeginTime=(?P[^,]*),EndTime=(?P[^,]*),SendPkts=(?P[^,]*),SendBytes=(?P[^,]*),RcvPkts=(?P[^,]*),RcvBytes=(?P[^,]*),SourceVpnID=(?P[^,]*),DestinationVpnID=(?P[^,]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
protocol={$proto}
src_ip={$src_ip}
dst_ip={$dst_ip}
src_port={$src_port}
dst_port={$dst_port}
userdata1={$module}
userdata2={translate($severity)}
userdata3={$send_pkt}
userdata4={$send_b}
userdata5={$rcv_pkt}
userdata6={$rcv_b}
userdata7={$src_vpn_id}
userdata8={$dst_vpn_id}
userdata9={$module}
[0004 - Huawei]
event_type=event
precheck="AuthenticationMethod"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:(?P.*?)\(Task=(?P[^,]*),\s+Ip=(?P[^,]*),\s+VpnName=(?P[^,]*),\s+User=(?P[^,]*),\s+AuthenticationMethod="(?P[^,]*)",\s+Command="(?P[^,]*)""
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($ip)}
username={$user}
userdata1={$identifier}
userdata2={translate($severity)}
userdata3={$task}
userdata5={$vpn_name}
userdata6={$method}
userdata7={$command}
userdata8={$module}
userdata9={$description}
[0005 - Huawei updates]
event_type=event
precheck="Version"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:(?P.*?)\(SyslogId=(?P[^,]*),\s+(User=(?P[^,]*),\s+IP=(?P[^,]*),\s+)?Module=(?P[^,]*),.*?Version=(?P[^,]*),\s+(UpdateVersion=(?P[^,]*),\s+Status=(?P[^,]*),\s+)?Duration\(s\)=(?P[^,|\)]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($ip)}
username={$user}
userdata1={$version}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$module1}
userdata5={$version1}
userdata6={$duration}
userdata7={$status}
userdata8={$module}
userdata9={$description}
[0006 - Huawei login logout]
event_type=event
precheck="IP"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:User\s+(?P\S+)\(IP:(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+ID:(?P\d+)\)\s+(?Plogin|logout)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($user_address)}
username={$username}
userdata1={$version}
userdata2={translate($severity)}
userdata3={$module}
userdata5={$id}
userdata6={$action}
userdata7={$module}
userdata8={$identifier}
[0007 - Huawei config]
event_type=event
precheck="ConfigSource"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?configure changed.*?EventIndex=(?P\d),\s+CommandSource=(?P\d+),\s+ConfigSource=(?P\d+),\s+ConfigDestination=(?P\d+)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($hostname)}
userdata1={$version}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$config_dst}
userdata5={$config_src}
userdata6={$command_index}
userdata7={$index}
userdata8={$identifier}
[0008 - Huawei access]
event_type=event
precheck="DEVICEMAC"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)(?P\d\d)(?P\S+)\/(?P\d)\/(?P.*?)\((?P\w)\).*?:.*?DEVICEMAC:(?P[^;]*);DEVICENAME:(?P[^;]*);USER:(?P[^;]*);MAC:(?P[^;]*);IPADDRESS:(?P[^;]*);TIME:(?P[^;]*);ZONE:(?P[^;]*);DAYLIGHT:(?P[^;]*);ERRCODE:(?P[^;]*);RESULT:(?P[^;]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($ip)}
username={$user}
userdata1={$result}
userdata2={translate($severity)}
userdata3={$module}
userdata4={$dec_mac}
userdata5={$dev_name}
userdata6={$errcode}
userdata7={$identifier}
userdata8={$daylight}
userdata9={$zone}
[0009 - Huawei login]
event_type=event
precheck="User login succeed"
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?P\S+)\/(?P\d)\/(?P.*?):.*?User login succeed.*?username\s+=\s+(?P[^,]*),\s+loginIP\s+=\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\s+loginTime\s+=\s+(?P[^,]*),\s+loginType\s=\s(?P[^,]*),\s+userLevel\s+=\s+(?P[^,|)]*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($ip)}
username={$user}
userdata1={translate($severity)}
userdata2={$module}
userdata3={$login_time}
userdata4={$login_type}
userdata5={$level}
[0030 - Huawei generic]
event_type=event
regexp="(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*?(?P\S+)\s+(?:%%)?(?P\d\d)?(?P\S+)\/(?P\d)\/(?P[^:|\(]*)(?:\((?P\w)\))?.*?:(?P.*)"
date={normalize_date($syslog_date)}
device={resolv($hostname)}
plugin_sid={translate($brief)}
src_ip={resolv($hostname)}
userdata1={translate($severity)}
userdata2={$module}
userdata3={$identifier}
userdata4={$msg}
userdata5={$version}
完成插件编写之后就要进行反复测试与修改,待测试通过后就要进行插件导入工作,最后是插件启用,如下图所示。
以上是华为交换机插件的一个例子,还有其他华为设备的日志也是照此编写,如果有不明白指出大家参阅《开源安全运维平台OSSIM最佳实践》一书或与该书作者联系。