9.2. syslog-ng

The remaining system logs, which pass through the syslog service (the mail log, IMAP logs, ssh access logs, and so on), are filtered directly by the syslog daemon, which deletes email addresses and IP addresses from the messages.

To implement this, we use a syslog-ng patch, already included in the default Debian package, that allows log messages to be filtered with a regexp. The filters are declared in /etc/syslog-ng/syslog-ng.conf:

filter f_strip { strip(ips); };
filter f_stripemail { strip("([0-9a-zA-Z]+[-._=+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,4}"); };
filter f_stripdomain { strip("([-0-9a-zA-Z]+[.]){2,}+([a-zA-Z]{2,4})"); };

Once this is done, we just need to insert the filter into each log path definition, for example the one for proftpd:

filter f_proftpd { program("proftpd"); };
destination d_proftpd { file("/var/log/proftpd.log"); };
log {
        source(s_all);
        filter(f_proftpd);
        filter(f_strip);
        destination(d_proftpd);
        flags(final);
        };


This kind of log rewriting does not prevent the use of statistics tools; the only loss is that connections coming from the same IP address can no longer be aggregated, since the address is gone before the line is written to disk.
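To see what these filters actually remove, the three strip() patterns can be replayed over a few log lines. The script below is an added example, not code from the original document or from the syslog-ng patch. It makes two assumptions: the page does not show what strip(ips) matches, so a plain dotted-quad IPv4 regex stands in for it, and the replacement text is taken to be empty, matching the "deletion" described above. The f_stripdomain pattern uses a possessive "{2,}+" that Python's re module rejects, so the trailing "+" is dropped; for the inputs below that does not change what matches. The sample log lines are constructed, not real logs.

```python
import re

# Patterns copied from the syslog-ng.conf excerpt above. The possessive
# "{2,}+" of f_stripdomain is not accepted by Python's re module, so the
# trailing "+" is dropped (an assumption; same matches on the lines below).
EMAIL_RE = re.compile(
    r"([0-9a-zA-Z]+[-._=+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,4}"
)
DOMAIN_RE = re.compile(r"([-0-9a-zA-Z]+[.]){2,}([a-zA-Z]{2,4})")

# Assumption: the page does not show what strip(ips) matches, so a
# dotted-quad IPv4 pattern stands in for it. IPv6 addresses are NOT covered.
IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")


def strip_line(line, placeholder=""):
    """Apply the strip filters in the order ips, email, domain.

    The page describes the result as deletion, so the replacement defaults
    to the empty string; pass a placeholder such as "x" to keep lines readable.
    """
    line = IPV4_RE.sub(placeholder, line)
    line = EMAIL_RE.sub(placeholder, line)
    line = DOMAIN_RE.sub(placeholder, line)
    return line


def strip_lines(lines, placeholder=""):
    """Filter a whole batch of log lines, returning the rewritten lines."""
    return [strip_line(line, placeholder) for line in lines]


# Constructed sample lines shaped like postfix and sshd output (not real logs).
SAMPLE_LOG = [
    "Jan 10 12:00:01 mx postfix/smtpd[1234]: connect from mail.example.org[203.0.113.7]",
    "Jan 10 12:00:02 mx postfix/qmgr[1235]: 4F2A1: from=<alice.smith@example.org>, size=1024",
    "Jan 10 12:00:03 mx sshd[2000]: Accepted publickey for bob from 198.51.100.23 port 51234 ssh2",
    # A top-level domain longer than four letters falls outside the {2,4}
    # bound of f_stripemail, so part of it survives the filter.
    "Jan 10 12:00:04 mx postfix/qmgr[1235]: 5B3C2: from=<carol@example.engineering>, size=2048",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, strip_lines(SAMPLE_LOG)):
        print(before)
        print("  ->", after)
```

Running it shows the mail client's IP, the sender address and the client's reverse-DNS name all disappear, which is exactly why per-client aggregation is no longer possible. It also shows two things worth checking in a live configuration: the domain pattern strips any hostname with at least two labels, including names you may want to keep, and the {2,4} bound on the top-level domain leaves a fragment ("neering") of an address under a longer TLD. Note that upstream syslog-ng does not ship the strip() filter; on a version without the Debian patch the same substitutions are expressed with a rewrite rule using subst() with value("MESSAGE") and flags("global").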