Archive for January, 2012
Howto install Zorp 3.9.2 on Debian Squeeze 64 bit
This will guide you through the installation of the latest stable version of Zorp GPL (currently version 3.9.2) and get it to work with minimal configuration. This guide should work for most current Ubuntu Linux (as well as Debian Squeeze) distributions but may differ on some parts.
The sort way to download the zorpgpl-install-squeezefile, then extract zorp.sh script
[codesyntax lang="php"]
tar xvf zorpgpl-install-squeeze.tgz zorp.sh
[/codesyntax]
then run it
[codesyntax lang="php"]
./zorp.sh
[/codesyntax]
The detailed steps from the script see below:
Install required packages For Zorp GPL 3.9.2 compilation
First we update our package database, then we install all needed Debian packages: [codesyntax lang="php"]
apt-get update apt-get -y install git-core python2.6-dev gperf python-dns python-support dpkg-dev debhelper libssl-dev libglib2.0-dev libcap-dev zlib1g-dev python-openssl python-dev
[/codesyntax]
Install the kzorp
To get really working Zorp you need kzorp in the linux kernel. Let’s install:
[codesyntax lang="php"]
wget http://www.balabit.com/downloads/files?path=/kzorp/binaries/20110804/linux-image-2.6.32_kzorp.1.2_amd64.deb -O - > linux-image-2.6.32_kzorp.1.2_amd64.deb dpkg -i linux-image-2.6.32_kzorp.1.2_amd64.deb
[/codesyntax]
Download and build the Zorp GPL libraries
[codesyntax lang="php"]
mkdir -p /etc/zorp wget -O /usr/src/libzorpll_3.9.1.0.tar.gz http://www.balabit.com/downloads/files?path=/zorp/3.9.2/source/libzorpll_3.9.1.0.tar.gz tar xzf /usr/src/libzorpll_3.9.1.0.tar.gz -C /usr/src/ cd /usr/src/dist-libzorpll/ dpkg-buildpackage -b dpkg -i /usr/src/libzorpll3.9-1_3.9.1.0_amd64.deb /usr/src/libzorpll-dev_3.9.1.0_amd64.deb
[/codesyntax]
Download and build the Zorp GPL
[codesyntax lang="php"]
wget -O /usr/src/zorp_3.9.2.tar.gz http://www.balabit.com/downloads/files?path=/zorp/3.9.2/source/zorp_3.9.2.tar.gz tar xzf /usr/src/zorp_3.9.2.tar.gz -C /usr/src/ cd /usr/src/zorp-3.9.2/ dpkg-buildpackage -b
[/codesyntax]
Install the Zorp GPL package
[codesyntax lang="php"]
dpkg -i /usr/src/*.deb
[/codesyntax]
Copy a minimal config for Zorp GPL
[codesyntax lang="php"]
tar xvf $pwd/zorpgpl-install-squeeze.tgz -C /etc/zorp/ policy.py instances.conf zorpctl.conf
[/codesyntax]
This minimal config need for start Zorp successfully without errors.
Start the Zorp GPL instances
[codesyntax lang="php"]
zorpctl start
[/codesyntax]
Verify running Zorp instances
[codesyntax lang="php"]
zorpctl status [/codesyntax] You see the running Zorp instances per row (Only one instance with minimal config). Example: [codesyntax lang="php"]
Instance inter: running, 4 threads active, pid 5735
[/codesyntax]
You can verify the Zorp GPL version with zorpctl command:
[codesyntax lang="php"]
zorpctl version
[/codesyntax]
And verify the Zorp log in the messages file:
[codesyntax lang="php"]
tail -f /var/log/messages
[/codesyntax]
What is Zorp
Briefly Zorp is an open source proxy firewall with deep protocol analysis. It sounds very sophisticated at first, however, the explanation below will make it easy to understand.
Protocol analysis
Resulting from their functionality firewalls can analyze the network traffic to a certain extent, since without it, it would not be possible for the administrators to control the traffic. This is not different with Zorp. The difference between the firewall applications result from the depth of the analysis. For instance when administrators use Netfilter traffic can only be controlled up until layer 4 (traffic) of the ISO/OSI model. In contrast to that Zorp allows analyzation of even the topmost (application) layer, and can make decisions based on data originating from that layer. Decisions can be applied a certain traffic type, for example full access can be set to an FTP server for a group of users, or only a subset of commands can be granted to implement a read-only access.
Proxy firewall
Almost anything that comes to your mind can be applied on Zorp. First of all the fact that a proxy server makes independent connections with the participants of the network communication and relays messages between them separating the clients and the servers from each other. In this regard Zorp is better than its competitors as the analysis can take place at the application level, either firewall is used as a forward or a reverse proxy. To perform that Zorp implements application level protocol analyzers. These analyzers, called proxy in Zorp terminology, are written in C, extendable and configurable in Python. Nine of twenty five proxies of the commercial version of Zorp are available in the open source edition.
Modularity
One of the key features of the Zorp is customization. It would not be possible without the modular structure of the software. During everyday use it does not require any extra effort to get the benefits of the application level analysis of the network protocols, if we do not have any special requirements. To keep the application level traffic under control we do not have to care about neither the lower layers of the protocol, nor the details of the application level. We only have to concentrate on our goal (for example replacing the value of a specific HTTP header), everything else is done by the proxy. If the proxy to our favourite protocol is not given, Zorp can handle the connection in lower layers and we have the possibility to perform application level analysis manually.
Transport layer security is an independent subsystem in Zorp as far as it possible, so the SSL/TLS parameters can be set independently from the applied application level protocol (for example HTTP,SMTP, …). Consequently each proxy can work within an SSL connection, including the case when we perform the protocol analysis. Zorp is a proxy firewall, neither more nor less, but can be adapted to tasks other than protocol analysis, such as virus scanning or spam filtering by integrating it with external applications.
Open source
Zorp is not only an open source product, but also a free software as it is licensed under GPL and LGPL. The reason of the two licenses is the fact that Zorp is released in two parts. The application level proxy firewall itself (Zorp), under the terms of GPL and a related library (libzorpll), under LGPL. Both of them are approved by the Free Software Foundation as copyleft licences. It must be noted that the Zorp is dual-licensed, where Zorp/Zorp GPL is the open source version and Zorp Professional is the proprietary one with some extra features and proxies.
Official Zorp GPL support page can be found here.
Ready-to-use virtual machines sporting Zorp GPL can be downloaded here.
The content of blog post can be used freely under the terms of Creative Commons Attribution-ShareAlike 2.5 license.
Reading e-books
For many years, I was looking for a good and affordable e-book reader. I read a lot on the computer, as many text I read are not available in a printed form. Some of them would be even obsolete before I could print them 
But being environmentally cautious, I try to avoid printing anyway whenever it is possible. Reading from the screen has many disadvantages: it’s not so friendly to the eyes and also one can easily be disturbed by incoming e-mail, instant messages, etc. But this Christmas finally brought me an e-book reader!
syslog-ng git repo moved to github
I’ve been playing with github the last couple of months for git hosting, and since I like what I see and users seem to have found this out on their own, I figured this should be official.
The git repository is being moved from their old git.balabit.hu location to:
syslog-ng 3.3
http://github.com/bazsi/syslog-ng-3.3.git
syslog-ng 3.4
http://github.com/bazsi/syslog-ng-3.4.git
Older releases (like 3.2) will remain on git.balabit.hu for now. Please update your git clones with the new URL.
The syslog-ng webpages will be updated shortly.
syslog-ng Insider – January 2012
Dear syslog-ng users,
This is the 10th issue of the syslog-ng Insider, a monthly newsletter that brings you syslog-ng related news.
Your feedback and news tips about the next issue is welcome at
documentation(at)balabit.com
POLL
We would like to know, which features of syslog-ng do you regard as most important. Please check our survey.
FEATURED NEWS
syslog-ng 3.3.4 is being prepared
The release of 3.3.3 brought many new users to the latest syslog-ng version, which helped to uncover some more bugs in advanced configurations. Until a new release arrives, please check the git tree ( git://git.balabit.hu/bazsi/syslog-ng-3.3 ) and the mailing list archives, if your problem is addressed by a patch.
If working directly from git is problematic in your environment, a daily shapshot of 3.3 development is available at http://packages.madhouse-project.org/syslog-ng/3.3/syslog-ng-3.3-HEAD.tar.gz.
Meet us at FOSDEM 2012 in Brussels!
There will be one or two presentations held by BalaBit guys this year. As schedule and rooms are not yet final, please check http://www.fosdem.org/ if you want to meet us or drop me an e-mail!
Junction
Version 3.4 of syslog-ng is under intensive development. One of the new features, the “junction”, which makes syslog-ng.conf even more flexible, was just introduced on the syslog-ng mailing list: https://lists.balabit.hu/pipermail/syslog-ng/2012-January/018074.html.
OTHER SHORT NEWS
WHITE PAPERS
- SIEM solutions are the core of enterprise security. But they are not much use without data integrity and high performance centralized log collection. Learn how to enhance your SIEM with syslog-ng from our latest white paper.
ARCHIVE
syslog-ng flexibility improvements
Update: The syntax of this feature has slightly changed due to discussions on the mailing list (e.g. change the log keyword to channel), and I’ve updated it to use the current syntax.
syslog-ng is often referred as a very flexible application when it comes to processing logs. Over the years however, I began to feel that some things are a bit more difficult to achieve in the configuration language than it should be. For instance it is sometimes too rigid when you need a combination of parsers (patterndb with db-parser) and rewrite rules to achieve the goal you wanted. Parsers and rewrite rules are distinct part of the configuration, it is not possible to combine them into a single functionality. Also, declaring objects first and then referencing them later, makes the configuration easy to read, however sometimes it is quite cumbersome, when you only need to invert the result of an already existing filter.
To solve this situation, I’ve set out to implement an idea I had on mind for some time now. It is quite difficult to describe the feature in clear and concise words, as it is a combination of various changes that together makes syslog-ng configuration more flexible and easier to use, without sacrificing readability. Curious? Please read on.
In-line objects
Perhaps the simplest of all features is that you can now define the contents of a given object right on the spot, without having to use a separate statement. For example, earlier you had to write:
log {
source(s_local);
filter(f_postfix);
destination(d_postfix);
};
Sometimes, f_postfix filter is only used once and is trivial. This can now be written as:
log {
source(s_local);
filter { program("^postfix/"); };
destination(d_postfix);
};
Furthermore both the source() and destination() options can be written in-line, you simply use braces instead of parentheses. The same functionality applies to everything: sources, destinations, filters, parsers and rewrite rules.
Junctions
A limited form of junctions has been supported since syslog-ng 3.0 in the form of “embedded log statements”, which has been generalized now. Within syslog-ng, when a message is received it is dispatched to a log processing path or pipeline, which carries out the task at hand. A junction is a point in the log processing path where the processing is performed on multiple independent branches, each doing its own specific thing with the message.
The limited functionality in 3.0 only allowed the processing tree to split (or fork) into independent branches, each of the branches was a “sink”, where processing also ended. Configuration example:
log {
source(s_all); filter(f);
log { filter(f1); destination(d1); };
log { filter(f2); destination(d2); };
};
This sample forks the processing path into two branches starting with the “log” keyword within the top-level log statement. The first branch evaluates the filter f1 and the writes matching messages to the d1 destination, effectively sending all messages that match (f AND f1) to d1. Likewise, d2 receives all messages that match (f AND f2).
The limitation of the embedded log statement concept was simple: it could only be listed at the very end of a log statement, and the end-result of the branches couldn’t be processed further. Effectively the message at the end of each branch “fell off”. Junctions on the other hand makes it possible to do things to messages once the branches converge to the same point again. Repeating the sample above, it is now possible to write:
log {
source(s_all); filter(f);
junction {
channel { filter(f1); destination(d1); };
channel { filter(f2); destination(d2); };
};
destination(d_all);
};
The new thing is that you can now add processing after the branches finish their processing. A bit more useful example would be:
log {
source(s_apache_files);
source(s_syslog);
junction {
channel { filter(f_apache_files); rewrite(r_apache_remove_file_header); parser(p_apache); flags(final); };
channel { filter(f_apache_syslog); parser(p_apache); flags(final); };
};
destination(d_files);
};
This example does an alternative processing of incoming logs based on where the message came from.
Everything is a log expression
This feature is probably the most complicated, however provides very nice properties and expressiveness to the configuration. From now on, not just the well known log statement allows the specification of log processing rules, but all the objects in the syslog-ng configuration file can use the same expressive power.
It is now possible to use embedded log statements, junctions and in-line object definitions within source, destination, filter, rewrite and parser definitions. Huh, you could ask: what does it bring to me as a benefit? Well, until now, objects of different types were separate entities, connected using log statements, with this change a source can also specify a rewrite rule and that combination used as a log source in a log statement.
For instance, a usual source definition looked like this:
source s_apache {
file("/var/log/apache/error.log");
};
If you wanted to process this log file in a specific way, you needed to define the accompanying processing rules (parsers and rewrite expressions) and combine them in a log statement. But how about this:
source s_apache {
channel {
source { file("/var/log/apache/error.log"); };
parser(p_apache_parser); };
};
};
log { source(s_apache); ... };
Can you see? The s_apache source used a file source and the reference of a specific parser and all messages read from the apache error log file would be processed by that parser. The log statement is just as simple as if s_apache would be a “normal” source definition. This feature allows pairing the essential log preprocessing functionality very close to the source itself, making it very easy to write and read the log statements. As an added bonus, it becomes very easy to distribute application specific source & parser definitions as an SCL configuration snippet.
Where?
This stuff is available in the syslog-ng 3.4 git tree, on master. It passes the included regression test, so it is at least dogfoodable. The nice thing about the implementation is that it only slightly increased the code size, but brought a lot of new features. If you have trouble getting the code from git, let me know, I’m willing to create an alpha release, so that it becomes easier to play with it.
Feedback
I see a lot of potential in this functionality, however my examples may have not been the best ones. I would really appreciate any kind of feedback, please be sure to send those to the syslog-ng mailing list or post me as a private email.
Rsyslog vs. syslog-ng
Every few days I find references to an rsyslog vs. syslog-ng comparison on the rsyslog site, which has not been updated for more than three years. Since it contains some outdated information about syslog-ng (some of which was incorrect at the time of publishing), I want to make some corrections and updates. Here is a short summary.
RECENT POST
The turn-key appliance for log management helps meet compliance requirements ... [Read More]
Hi, We have published the latest edition of The Shell Control Box ... [Read More]
You may remember the Lumberjack project I wrote ... [Read More]
Twitter
LinkedIn
