misp-docker Change for rsyslog

References https://github.com/MISP/misp-docker/pull/211#issuecomment-2593188623

Issue to track change proposal. @ostefano which config file is best to use to store the default settings (item 3 & 4)?

In Dockerfile: Add COPY rsyslog file /etc/rsyslog.d/40-misp.conf

# Enable slash in program names
global(parser.PermitSlashInProgramname="on")

if ($programname == '/var/www/MISP/app/tmp/logs/' or $programname == 'mispsyslog') then {
    action(type="omfile" file="/var/www/MISP/app/tmp/logs/mispsyslog.log" fileOwner="root" fileGroup="root" fileCreateMode="0644")
    & stop
}

In Dockerfile: Add COPY logrotate file /etc/logrotate.d/misp

/var/www/MISP/app/tmp/logs/mispsyslog.log 
{
    su root root
    rotate 8
    dateext
    missingok
    notifempty
    compress
    weekly
    size 50M
    maxsize 500M
    copytruncate
}

Set MISP syslog identifier (Security.syslog_ident=mispsyslog)
- In core/files/etc/misp-docker/critical.defaults.json or core/files/etc/misp-docker/minimum_config.envars.json?
Enable MISP syslog (Security.syslog_ident=true)
- In core/files/etc/misp-docker/critical.defaults.json or core/files/etc/misp-docker/minimum_config.envars.json?
Add a paragraph in README.md

Jan 16 '25 08:01 cudeso

Re (3) and (4) I would add them to initialisation.

Would renaming the log file to misp-syslog.log be an option?

Could you explain what is the end result? What would misp-syslog.log were this changeset merged?

Jan 16 '25 09:01 ostefano

An example of MISP logging via syslog:

Those prepended with "mispsyslog" have the MISP syslog identifier. But in order to catch everything, you also need to check for the programname "/var/www/MISP/app/tmp/logs/"

2025-01-16T08:20:01.261962+00:00 f8253ec82f47 mispsyslog[2515]: login -- User (1): [email protected] -- {"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","ip":"192.168.42.248","accept_lang":"en-US,en;q=0.9","geoip":"None","ua_pattern":"mozilla/5.0 (*mac os x*) applewebkit* (*khtml*like*gecko*) *chrome/* safari/*","ua_platform":"MacOSX","ua_browser":"Chrome"}
2025-01-16T08:20:01.262503+00:00 f8253ec82f47 /var/www/MISP/app/tmp/logs/[2515]: User (1): [email protected] -- login -- {"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","ip":"192.168.42.248","accept_lang":"en-US,en;q=0.9","geoip":"None","ua_pattern":"mozilla/5.0 (*mac os x*) applewebkit* (*khtml*like*gecko*) *chrome/* safari/*","ua_platform":"MacOSX","ua_browser":"Chrome"}
2025-01-16T08:20:06.520407+00:00 f8253ec82f47 mispsyslog[2515]: logout -- User (1): [email protected] --
2025-01-16T08:20:06.522230+00:00 f8253ec82f47 /var/www/MISP/app/tmp/logs/[2515]: User (1): [email protected] -- logout
2025-01-16T08:20:19.711430+00:00 f8253ec82f47 mispsyslog[2514]: login -- User (1): [email protected] -- {"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","ip":"192.168.42.248","accept_lang":"en-US,en;q=0.9","geoip":"None","ua_pattern":"mozilla/5.0 (*mac os x*) applewebkit* (*khtml*like*gecko*) *chrome/* safari/*","ua_platform":"MacOSX","ua_browser":"Chrome"}
2025-01-16T08:20:19.713315+00:00 f8253ec82f47 /var/www/MISP/app/tmp/logs/[2514]: User (1): [email protected] -- login -- {"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","ip":"192.168.42.248","accept_lang":"en-US,en;q=0.9","geoip":"None","ua_pattern":"mozilla/5.0 (*mac os x*) applewebkit* (*khtml*like*gecko*) *chrome/* safari/*","ua_platform":"MacOSX","ua_browser":"Chrome"}
2025-01-16T08:20:31.730241+00:00 f8253ec82f47 mispsyslog[2515]: add -- Syslog event
2025-01-16T08:20:31.736215+00:00 f8253ec82f47 mispsyslog[2515]: tag -- Attached global tag "tlp:red" to event #565
2025-01-16T08:20:40.241195+00:00 f8253ec82f47 mispsyslog[2515]: tag_local -- Attached local tag "workflow:state="incomplete"" to event #565
2025-01-16T08:20:51.134871+00:00 f8253ec82f47 mispsyslog[2515]: add -- Attribute from Event #565: Network activity/hostname www.circl.lu
2025-01-16T08:20:56.214168+00:00 f8253ec82f47 mispsyslog[2515]: add -- Attribute from Event #565: Network activity/ip-src 185.194.93.14

Jan 16 '25 10:01 cudeso