The demo is hosted by Collax a op5 partner in Germany.

If you want to attend, register at:

http://www.collax.com/de/ueber-collax/events-collax-live/webcast-collax-monitoring-solution.html

• Code refactoring and bug fixes
• Possibility to turn on and off full text indexing
• Speed and robustness improvements to the query logic

Code refactoring and bug fixes

Over time as a project grows there comes need for refactoring. In this release we have refactored parts of the code to improve stability and maintainability. For example front-end controller design pattern was introduced in this release, which gave us the possibility to both improve security and simplify code. We fixed a possible message sorting issue and merged a couple of packages to simplify maintenance.

Possibility to turn on and off full text indexing

In op5 LogServer a user has 2 options for search in logs: one is the ‘host=test-host’ kind of search and the other is the full-text search – the ‘test-host’ kind of search, i.e. it just searches the whole log message for whatever you type. By default we create an index for full text search, that makes the full text search queries speedier. In some environments full text indexing of log messages are not really a good thing. For example if you have a lot of log messages from a firewall consisting messages that contains a lot of “non words”, binary data dumps and such. Log messages like that can hog your CPU
and affect the responsiveness of the op5 LogServer system.

You can now chose if you want to use full text indexing or not by a configurable setting in the GUI.

Note: If you turn off the full text index, searches using full text search will be slower.

Speed and robustness improvements to the query logic

Every search traverses the database by hour and ask it to return log messages up to the requested amount of matches, i.e. depending on how many messages you have chosen to view on the page. When the result of one hour is returned the query logic determines if it should query the database for another hour and also how many more matches that are required. This
gives us a more precise result.

This also leads us to a number of changes:

• “Unlimited search” mode as a special case is deprecated – now all the searches are done across all the DB
• The green line in the timeline now shows the time frame where the search was done to find the present results, even covering multiple days.
• The user can now stop the search (system will finish the search in current hour still – and then will stop)
• The interaction with the database is more clean and a number of possible deadlocks are eliminated.

Installation and Upgrade Notes

Upgrading requires op5 LogServer 3.0 or later. Upgrade is possible either by using yum or by using the .tar.gz install file available at http://www.op5.com/support/.

Documentation

Documentation for version 3.4 of op5 LogServer is available at http://www.op5.com/support/

Screenshots

This is a minor upgrade.

Whats new?

• Summary Reports
• Bidirectional editing of filters
• Hierarchical filters
• Configurable deafult filter per user
• Bugfixes

Read more about it in the release-notes and changelog

Background

I would like to have an alert if root has logged into my firewall. I think this is very important to know fast and where ever I am so I want a SMS sent to my cellphone. I have op5 Monitor with a GSM modem.

Theory

When root login a message will show up in the syslog i.e. /var/log/authlog

Nov 19 15:55:58 pedro sshd[12180]: Accepted password for root from 192.168.0.153 port 35896 ssh2

So I want op5 Monitor to detect this message in syslog and send a SMS if it occours.

The steps are:

• Send the message to op5 Logserver
• Create a filter that filter out that message
• Make op5 Monitor run this filter and send an alarm if it gets a hit.

Implementation

1-First step is to have a working op5 Logserver that get this message. I assume that a op5 Logserver is installed and configured in this guide.

In /etc/syslogd.conf I have the following line:

*.*                                                     @op5

It tells syslog to send every message to host op5, in this case it is my op5 Logserver, op5 Monitor and op5 Statistics machine. This is not recommended but my environment is very small.

2-Log in to op5 Logserver and verify that your login has been stored.

“Query builder”, enter in Host box, enter “Accepted password for root” in message.

3-Save the filter with a good name i.e. root_login_fw

4-Test that op5 Monitor can and detect the message

[root@op5 plugins]# ./check_ls_log -f root_login_fw -i 60 -c 0
CRITICAL - 1 matches for general filter 'root_login_fw':Accepted password for root from 192.168.0.153 port 35896 ssh2|query_time=0.05ms nr_matches=1;5;0

-f is filtername

-i is minutes back it should query the database

It works!

5-Create the op5 Monitor Service check on your firewall

Login to op5 Monitor

Click Configure

Pick the firewall in the list of hosts

Click Go

Click “Services for fw”

Pick “Add new service”, Click Go

Enter “Root Login” in Service Description

check_ls_log in check_command

check_command_args -f root_login_fw -i 60 -c 0

Enter the contact information.

Press Apply

Press “Test this service” to verify that it works

Press Save and you are done.

6-If you have logged in recently it should look something like this when looking att you service:

Links:

• op5
• op5 Monitor
• op5 Logserver
• op5 How-To integrate to logserver integration