Shulou(Shulou.com)06/01 Report--

This upgrade does not add new alarms, but adds business log analysis. The protocol uses port udp 514 and shares a port with syslog. Since there are a variety of business logs to adapt and analyze, you must first determine the format. The format of the log is described in detail below. The key content is distinguished by spaces, and the attributes and values are separated by the equal sign. The three letters secisland business log in the whole log are necessary, and other fields can be absent. However, for the accuracy of audit and analysis, it is recommended to add everything that can be added. Examples of formats are as follows:

Secisland business log time= "2015-04-26 15:42:34" user= "zhang san" type=loginin biz= "oa" model= "web" srcip=192.168.1.1 srcport=442 srcprocess= "ie" host=oa1 hostip=192.168.1.1 hostport=80 result=success protocol=http httpurl= "http://aaa/login" desc=" test aa "

Field content remarks

The fixed value of secisland business log represents the business log flag that seci-log can recognize.

Time time format is fixed year-month-day hours: minutes: seconds, requiring double quotation marks at both ends

User user name needs to be in double quotation marks

The type time type can be arbitrary. Loginin and loginout are built into the system. When these two are used, the login alarm can be generated.

Biz business system name, with double quotation marks

Model module name in double quotation marks

Srcip source ip

Srcport source port

Srcprocess source process name in double quotation marks

Host Hostnam

Hostip Service ip

Hostport service port

Result result

Protocol protocol

Httpurl httpurl with double quotation marks

Desc description with double quotation marks

Code example

Lists two examples of udp client code for the most mainstream java and c #, and other languages are similar:

Java

Public static void sendSyslog (String address, int port, String message) throws UnknownHostException,IOException {DatagramSocket socket = new DatagramSocket (); InetAddress client = InetAddress.getByName (address); byte [] buffer = message.getBytes (); DatagramPacket packet = new DatagramPacket (buffer, buffer.length, client, port); socket.send (packet); socket.close ();}

C#

Public static void sendSyslog (string address, int port, string message) {byte [] data = new byte [1024]; IPEndPoint ipep = new IPEndPoint (IPAddress.Parse (address), port); Socket server = new Socket (AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp); data = Encoding.ASCII.GetBytes (message); server.SendTo (data, data.Length, SocketFlags.None, ipep); server.Close ();}

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.