Logging Configuration
Please refer to the Waratek Proposed Directory Structure document for the proposed location of the log configuration files.
Overview
The Waratek Agent records a security event each time a security rule is triggered in the protected Java application. Every trigger writes one entry to the log file (unless logging has been turned off for that rule).
For example (each entry is an RFC 5424 syslog line whose message part is a CEF:0 record):
<10>1 2020-06-10T12:27:19.198+01:00 l-qa02 java 17097 - - CEF:0|ARMR:ARMR|ARMR|2.2|Protect against relative and absolute path traversal attacks|Execute Rule|High|rt=Jun 10 2020 12:27:19.196 +0100 dvchost=l-qa02 procid=17097 outcome=success act=protect msg=Path Traversal attack blocked path={"Path":"/home/spiracle/pathTraversal/testFilesParent/testFilesChild/../TestFile"} metadata="HeaderInfo":{"remoteAddr":"0:0:0:0:0:0:0:1","requestURI":"/spiracle/FileServlet01","sessionId":"3767AF331E581A52923E6A274332EF72","cookieNames":{"JSESSIONID":"3767AF331E581A52923E6A274332EF72","CUSTOMER_UUID":"05b7b9d7-2046-4014-b8c9-bc53c79790c5"}}
<13>1 2020-06-17T15:42:50.264+01:00 l-qa02 java 12190 - - CEF:0|ARMR:ARMR|ARMR|2.2|forced TLS on every connection|Execute Rule|Unknown|rt=Jun 17 2020 15:42:50.263 +0100 dvchost=l-qa02 procid=12190 outcome=success act=protect msg=TLS connection upgraded dst=0 SocketInfo={"port":0,"upgraded":true,"SupportedProtocols":"[SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]"}
In parallel with sending security events to Elasticsearch (from which the Portal consumes them), the Waratek agent can also log to other locations:
- locally, to a log file or a series of rolled-over log files;
- to a remote Syslog server over UDP or TCP.
Setting Up Logging
- Open the <absolute path to waratek agent>/conf_*/waratek.properties file.
- Add the Waratek properties listed below, adjusting the values to your environment.
List of Waratek properties for logging configuration
- com.waratek.log.mode: OPTIONAL PROPERTY. The type of location for logging security events. Can be one of local, remote or both, indicating where the Waratek agent will write its log.
  - The default value is local.
- com.waratek.log.host: MANDATORY PROPERTY when com.waratek.log.mode is set to remote or both. The value should adhere to the following syntax:
  [tcp:]<ip_address|hostname>:<port>
  The default protocol is UDP. Use the tcp: prefix to connect to the remote server over TCP. UDP delivery is best-effort, so events can be dropped silently under load or network loss; use tcp: when the remote collector is the copy of record.
- com.waratek.log.DomainNameHost: OPTIONAL PROPERTY. Specifies the fully qualified domain name (FQDN) to report as the host name. The value can be either a hostname or an IP address.
  - If the provided hostname cannot be resolved (for example, there is no DNS server to query on the network), the IP address of the selected interface is used.
  - If the configured domain name host is not available, the hostname from the local configuration (/etc/hostname) is used.
- com.waratek.log.file: MANDATORY PROPERTY. The security log file location. If this property is not provided, security logging is turned off.
  - The value may be an absolute or a relative path.
  - A relative path is resolved relative to where the property is defined: the directory of the waratek.properties file, or the application startup directory if the property is passed as a startup parameter. Prefer an absolute path in production so that the log location does not depend on how the JVM was launched.
  - For example, either of the following values may be used to specify the log file:
    com.waratek.log.file=/opt/waratek/conf_1/security.log
    com.waratek.log.file=security.log
- com.waratek.log.file.maxsize: OPTIONAL PROPERTY. Specifies the maximum size (with a margin of some KB) of a security log file. Do not define this property when com.waratek.log.file.rotatedaily is set to true.
  - The allowed formats are:
    <number>KB
    <number>MB
    <number>GB
  - A value without a KB/MB/GB suffix is interpreted as bytes.
  - The default value is 10MB. Once the file reaches the limit it is rolled over as described under com.waratek.log.file.maxindex; with rotation disabled, the file is truncated.
- com.waratek.log.file.maxindex: OPTIONAL PROPERTY. Defines the maximum number of backed-up security log files. For N=3 the following files are created: events.log, events.log.1, events.log.2 and events.log.3. Files are selected in a round-robin fashion.
  - The default value is 1, meaning a single backup file is kept: when the log file size exceeds the limit, the existing backup is removed, the log file is moved to <filename>.1 and a new log file is created.
  - To disable rotation, set the value to 0.
- com.waratek.log.file.rotatedaily: OPTIONAL PROPERTY. Specifies whether the log file is rotated every 24 hours; accepted values are true or false.
- com.waratek.log.file.redaction: OPTIONAL PROPERTY. A comma-separated list of CEF extension names that are never included in the CEF event messages produced by the agent; see the example below.
Here is a typical log message with no CEF extensions redacted:
<10>1 2021-01-22T12:22:45.181Z l-dev java 5041 - - CEF:0|ARMR:ARMR|ARMR|2.2|xss_detect|Execute Rule|High|rt=Jan 22 2021 12:22:45.181 +0000 dvchost=l-dev procid=5041 appVersion=1 act=protect msg=XSSTest payload=<img foo error='100'='100' /> httpSessionId=A7E2E39171952A19199E407DC1090746 taintSource=HTTP_SERVLET httpRequestUri=/spiracle/xssContextMatrix.jsp httpRequestMethod=GET httpCookies=JSESSIONID=A7E2E39171952A19199E407DC1090746 remoteIpAddress=127.0.0.1
With com.waratek.log.cef.redaction=payload,httpSessionId,remoteIpAddress,httpCookies, the same event is written with those extensions removed:
<10>1 2021-01-22T12:22:45.181Z l-dev java 5041 - - CEF:0|ARMR:ARMR|ARMR|2.2|xss_detect|Execute Rule|High|rt=Jan 22 2021 12:22:45.181 +0000 dvchost=l-dev procid=5041 appVersion=1 act=protect msg=XSSTest taintSource=HTTP_SERVLET httpRequestUri=/spiracle/xssContextMatrix.jsp httpRequestMethod=GET
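The entries above and the redaction example are easiest to reason about with a parser in hand. The following is an added example written for this page (not agent code or a Waratek tool): it splits the RFC 5424 syslog framing from the CEF header, parses the extension block, decodes the JSON-valued extensions, and applies the page's redaction list to the unredacted xss_detect event to reproduce the redacted line. The sample lines are copied from this page; the XSS_KEYS set (the extension names that rule emits) is an assumption read off the sample, not a documented schema. It also shows a caveat worth knowing: CEF expects `=` inside a value to be escaped as `\=`, and the page's samples do not escape it, so a payload containing ` error=` is indistinguishable from a real extension to a naive consumer, which is one more reason to redact attacker-controlled fields such as payload at the source.

```python
"""Parse Waratek/ARMR security events and apply extension redaction.

Added example for this page. Each entry is an RFC 5424 syslog line whose MSG
part is a CEF:0 record. Sample lines are copied from the page, not captured.
"""
import json
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# The agent writes '-' for MSGID and STRUCTURED-DATA.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# An extension key is an identifier followed by '=' at the start of the block or
# right after whitespace. 'JSESSIONID=' inside httpCookies follows '=', not a
# space, so it is correctly left inside the httpCookies value.
EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.]*)=")


def parse_event(line):
    """Return {'syslog': {...}, 'cef': {...}} for one log line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    syslog = m.groupdict()
    pri = int(syslog.pop("pri"))
    syslog["facility"], syslog["syslog_severity"] = divmod(pri, 8)
    msg = syslog.pop("msg")
    if not msg.startswith("CEF:"):
        raise ValueError("syslog MSG is not a CEF record")
    # Split only on unescaped pipes: a literal '|' in a header field is '\|'.
    parts = re.split(r"(?<!\\)\|", msg[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    cef = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    cef["extension"] = parts[7]
    return {"syslog": syslog, "cef": cef}


def parse_extensions(extension, known_keys=None):
    """Split 'key=value key=value ...' into an ordered dict.

    With known_keys=None any identifier before '=' starts a new field, so the
    unescaped payload "<img foo error='100'='100' />" yields a spurious 'error'
    field. Passing the names the rule actually emits avoids that split.
    """
    matches = [m for m in EXT_KEY_RE.finditer(extension)
               if known_keys is None or m.group(1) in known_keys]
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        fields[m.group(1)] = extension[m.end():end].rstrip()
    return fields


def json_extension(fields, name):
    """Decode an extension whose value is a JSON object (path, SocketInfo)."""
    return json.loads(fields[name])


def redact(fields, names):
    """Drop the named extensions, as the agent's redaction list does at source."""
    return {k: v for k, v in fields.items() if k not in set(names)}


def rebuild_line(event, fields):
    """Re-serialise a parsed event with a (possibly redacted) extension dict."""
    s = event["syslog"]
    pri = s["facility"] * 8 + s["syslog_severity"]
    header = (f"<{pri}>{s['version']} {s['timestamp']} {s['hostname']} "
              f"{s['appname']} {s['procid']} {s['msgid']} {s['sd']}")
    cef = "CEF:" + "|".join(event["cef"][f] for f in CEF_HEADER_FIELDS)
    ext = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"{header} {cef}|{ext}"


# Sample lines copied from this page.
PATH_TRAVERSAL_LINE = '<10>1 2020-06-10T12:27:19.198+01:00 l-qa02 java 17097 - - CEF:0|ARMR:ARMR|ARMR|2.2|Protect against relative and absolute path traversal attacks|Execute Rule|High|rt=Jun 10 2020 12:27:19.196 +0100 dvchost=l-qa02 procid=17097 outcome=success act=protect msg=Path Traversal attack blocked path={"Path":"/home/spiracle/pathTraversal/testFilesParent/testFilesChild/../TestFile"} metadata="HeaderInfo":{"remoteAddr":"0:0:0:0:0:0:0:1","requestURI":"/spiracle/FileServlet01","sessionId":"3767AF331E581A52923E6A274332EF72","cookieNames":{"JSESSIONID":"3767AF331E581A52923E6A274332EF72","CUSTOMER_UUID":"05b7b9d7-2046-4014-b8c9-bc53c79790c5"}}'
XSS_LINE = "<10>1 2021-01-22T12:22:45.181Z l-dev java 5041 - - CEF:0|ARMR:ARMR|ARMR|2.2|xss_detect|Execute Rule|High|rt=Jan 22 2021 12:22:45.181 +0000 dvchost=l-dev procid=5041 appVersion=1 act=protect msg=XSSTest payload=<img foo error='100'='100' /> httpSessionId=A7E2E39171952A19199E407DC1090746 taintSource=HTTP_SERVLET httpRequestUri=/spiracle/xssContextMatrix.jsp httpRequestMethod=GET httpCookies=JSESSIONID=A7E2E39171952A19199E407DC1090746 remoteIpAddress=127.0.0.1"
XSS_REDACTED_LINE = "<10>1 2021-01-22T12:22:45.181Z l-dev java 5041 - - CEF:0|ARMR:ARMR|ARMR|2.2|xss_detect|Execute Rule|High|rt=Jan 22 2021 12:22:45.181 +0000 dvchost=l-dev procid=5041 appVersion=1 act=protect msg=XSSTest taintSource=HTTP_SERVLET httpRequestUri=/spiracle/xssContextMatrix.jsp httpRequestMethod=GET"

# Assumed schema: the extension names the xss_detect rule emits, read off the
# unredacted sample above (not a documented list).
XSS_KEYS = {"rt", "dvchost", "procid", "appVersion", "act", "msg", "payload",
            "httpSessionId", "taintSource", "httpRequestUri",
            "httpRequestMethod", "httpCookies", "remoteIpAddress"}
REDACTED = ("payload", "httpSessionId", "remoteIpAddress", "httpCookies")


def redacted_xss_line():
    """Apply the page's redaction list to the unredacted sample; equals XSS_REDACTED_LINE."""
    event = parse_event(XSS_LINE)
    fields = parse_extensions(event["cef"]["extension"], known_keys=XSS_KEYS)
    return rebuild_line(event, redact(fields, REDACTED))
```

Run `redacted_xss_line()` to confirm the round trip reproduces the redacted line byte for byte. The facility/severity split of the PRI (`<10>` is facility 1 user, severity 2 critical) is what a syslog collector uses for routing, while the CEF Severity column (High, Unknown) is the rule's own rating; filter on whichever your SIEM keys on, and do not trust extension values that arrive unescaped from user input.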
In previous versions of the Waratek products, com.waratek.rules.log was used instead of com.waratek.log.file. That flag is now deprecated and will be removed in a future release.
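The properties above combined into one logging section of waratek.properties, as an added example constructed for this page (not a file shipped with the agent); the collector address, sizes and backup count are placeholders. The list above names the redaction property com.waratek.log.file.redaction while the worked example uses com.waratek.log.cef.redaction; this fragment uses the former, so check which name your agent version accepts.

```properties
# waratek.properties, logging section (constructed example).

# Write locally and to a remote syslog collector.
com.waratek.log.mode=both

# The tcp: prefix selects TCP; without it the agent uses UDP, which gives no
# delivery guarantee. Placeholder collector address and port.
com.waratek.log.host=tcp:syslog.example.internal:514

# Absolute path so the log location does not depend on where the JVM started.
com.waratek.log.file=/opt/waratek/conf_1/security.log

# Size-based rotation: roll over at 50MB and keep five backups
# (security.log.1 to security.log.5, reused round-robin).
com.waratek.log.file.maxsize=50MB
com.waratek.log.file.maxindex=5

# Mutually exclusive with maxsize: to rotate every 24 hours instead, remove the
# maxsize line above and enable this one.
#com.waratek.log.file.rotatedaily=true

# Never emit session identifiers, cookies, the client address or the raw
# attacker payload into the event stream.
com.waratek.log.file.redaction=payload,httpSessionId,remoteIpAddress,httpCookies
```

After a restart, confirm the local file is being written and that the collector receives the same events; if com.waratek.log.mode=remote is used without a working com.waratek.log.host, the events have no local copy to fall back on.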
XML logging configuration
XML logging configuration has been removed. Everything previously configured via XML can be configured with the Waratek properties listed above.