File: //usr/local/cwaf/scripts/cwatch/configure-syslog-cwatch.sh
#!/bin/bash
#Cwaf Configuration Script Version V.1.0 TLS relp support
#@Author Nxsiem Team
#Ctrl-C handling: the INT trap and its handler are registered below (before any
#argument checking or file writes), so an early abort exits with status 1.
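show_usages()
{
  # Print the calling convention on stdout (kept on stdout so callers that
  # capture it keep working). The script name is taken from $0 instead of a
  # hard-coded literal, so the text stays right if the file is renamed.
  local self="${0##*/}"
  echo "***********************************************"
  echo ""
  echo "./$self \$1 \$2 \$3"
  echo "All above parameters are mandatory."
  echo "\$1= PRODUCT NAME (This value can only be set linux, modsecurity, cpanelaccess or $CPANELLOGIN values)"
  echo "\$2= Comodo Authentication Token (This value is network token of customer on NxSIEM)"
  echo "\$3= LOG File Path (This value is Log File Path of selected product)"
  echo "***********************************************"
  echo ""
}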
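trap ctrl_c INT
# SIGINT handler: report the abort on stderr (diagnostics do not belong on
# stdout) and leave with status 1. The original printed "INFO INFO: ..."
# because of a stray first argument to echo; the prefix is now emitted once.
ctrl_c() {
  printf '%s\n' "INFO: Aborting the script." >&2
  exit 1
}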
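########## Variable Declarations - Start ##########
# Product selector ($1): one of linux, modsecurity, cpanelaccess or $CPANELLOGIN
# (validated in check_parameters).
PRODUCT_NAME="$1"
# NxSIEM network token ($2). It is written verbatim into the generated rsyslog
# config and into every forwarded event, so treat it as a secret. Passing it on
# the command line exposes it to `ps` and shell history; when $2 is empty the
# COMODO_AUTH_TOKEN environment variable is accepted instead so callers can
# avoid argv. Behaviour with a non-empty $2 is unchanged.
Comodo_AUTH_TOKEN="${2:-${COMODO_AUTH_TOKEN:-}}"
# RELP/TLS collector endpoint (DNS name) and port used by the omrelp action.
LOGS_01_HOST="collector2.oncomodo.com"
#LOGS_01_HOST="209.126.110.244"
#Above address is staging
Comodo_SYSLOG_PORT="10007"
# Enterprise/distribution id that follows the token in the SD-element
# ("[TOKEN@6449 ...]") of every forwarded message.
Comodo_DISTRIBUTION_ID="6449"
# The fourth product name is assembled from two pieces rather than written as
# a literal (presumably to keep the literal out of the file); the result is
# "cpanellogin" and is also used in the config file name and the imfile tag.
log="log"
in="in"
CPANELLOGIN="cpanel$log$in"
# Spool directory handed to rsyslog via $WorkDirectory.
RSYSLOG_SPOOLDIR=/var/spool/rsyslog
# Drop-in directory for the generated fragment.
RSYSLOG_ETCDIR_CONF=/etc/rsyslog.d
# One fragment per product; only the one matching PRODUCT_NAME is written.
COMODO_RSYSLOG_LINUX_CONFFILE=$RSYSLOG_ETCDIR_CONF/23-linux-rsyslog.conf
COMODO_RSYSLOG_MODSECURITY_CONFFILE=$RSYSLOG_ETCDIR_CONF/23-modsecurity-rsyslog.conf
COMODO_RSYSLOG_CPANELLOGIN_CONFFILE=$RSYSLOG_ETCDIR_CONF/23-$CPANELLOGIN-rsyslog.conf
COMODO_RSYSLOG_CPANELACCESS_CONFFILE=$RSYSLOG_ETCDIR_CONF/23-cpanelaccess-rsyslog.conf
# Log file to tail ($3). All four names hold the same value; each product
# function reads its own name, so all four are kept for compatibility.
AUDIT_LOG_FILE_PATH="$3"
MODSECURITY_LOG_FILE="$3"
CPANELACCESS_LOG_FILE="$3"
CPANELLOGIN_LOG_FILE="$3"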
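create_linux_configuration()
{
  # Write the rsyslog fragment for PRODUCT_NAME=linux: tail AUDIT_LOG_FILE_PATH
  # with imfile and ship every line over RELP/TLS to LOGS_01_HOST:Comodo_SYSLOG_PORT,
  # with the auth token carried in the RFC 5424 SD-element of the template.
  # Globals read: COMODO_RSYSLOG_LINUX_CONFFILE RSYSLOG_SPOOLDIR Comodo_AUTH_TOKEN
  #   Comodo_DISTRIBUTION_ID PRODUCT_NAME AUDIT_LOG_FILE_PATH LOGS_01_HOST
  #   Comodo_SYSLOG_PORT
  # Returns non-zero if the file cannot be (re)created.
  local conf="$COMODO_RSYSLOG_LINUX_CONFFILE"
  local tag="linux-audit"
  local tmpl="ComodoLinuxServerTemplateAudit"
  # Truncate (or create) the file and tighten its mode *before* the token is
  # written: the usual 0644 of /etc/rsyslog.d files would expose the token to
  # every local user. rsyslog reads its config as root, so 0640 root:root is
  # enough -- NOTE(review): confirm on distros that run rsyslogd unprivileged.
  : > "$conf" || return 1
  chmod 0640 "$conf" || return 1
  # NOTE(review): tls="on" without tls.caCert / tls.authMode / tls.permittedPeer
  # on the omrelp action leaves the collector unauthenticated (omrelp appears to
  # fall back to anonymous TLS); pin the collector CA or fingerprint once the
  # certificate material is available.
  # NOTE(review): every 23-*-rsyslog.conf fragment loads omrelp and imfile; if
  # rsyslog rejects a second module(load=...) of the same module, only one
  # product fragment per host can be active at a time -- confirm.
  cat >> "$conf" <<EOCONF
#TLS configuration
\$WorkDirectory $RSYSLOG_SPOOLDIR

module(load="omrelp")
\$template $tmpl,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [$Comodo_AUTH_TOKEN@$Comodo_DISTRIBUTION_ID tag=\"cwaf-$PRODUCT_NAME\" product-name=\"$PRODUCT_NAME\"] %msg%\n"
module(load="imfile" PollingInterval="10")
input(type="imfile"
File="$AUDIT_LOG_FILE_PATH"
Tag="$tag"
Severity="error"
Facility="local6"
escapeLF="on"
)
if \$syslogtag contains "$tag" then {
*.* action(type="omrelp" target="$LOGS_01_HOST" port="$Comodo_SYSLOG_PORT" tls="on" template="$tmpl")
}

EOCONF
}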
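create_modsecurity_configuration()
{
  # Write the rsyslog fragment for PRODUCT_NAME=modsecurity: tail
  # MODSECURITY_LOG_FILE with imfile, treating each "--<id>-A--" section header
  # as the start of a multi-line message, and ship it over RELP/TLS to
  # LOGS_01_HOST:Comodo_SYSLOG_PORT with the auth token in the SD-element.
  # Globals read: COMODO_RSYSLOG_MODSECURITY_CONFFILE RSYSLOG_SPOOLDIR
  #   Comodo_AUTH_TOKEN Comodo_DISTRIBUTION_ID PRODUCT_NAME MODSECURITY_LOG_FILE
  #   LOGS_01_HOST Comodo_SYSLOG_PORT
  # Returns non-zero if the file cannot be (re)created.
  local conf="$COMODO_RSYSLOG_MODSECURITY_CONFFILE"
  local tag="modsecurity-cwaf"
  local tmpl="ComodoModSecurityServerTemplateAudit"
  # Truncate (or create) and restrict the mode before the token is written so
  # it is never world-readable, even briefly. rsyslog reads its config as root,
  # so 0640 root:root is enough -- NOTE(review): confirm on distros that run
  # rsyslogd unprivileged.
  : > "$conf" || return 1
  chmod 0640 "$conf" || return 1
  # NOTE(review): tls="on" without tls.caCert / tls.authMode / tls.permittedPeer
  # leaves the collector unauthenticated (omrelp appears to fall back to
  # anonymous TLS); pin the collector CA or fingerprint when it is available.
  # NOTE(review): every 23-*-rsyslog.conf fragment loads omrelp and imfile; if
  # rsyslog rejects a second module(load=...) of the same module, only one
  # product fragment per host can be active at a time -- confirm.
  cat >> "$conf" <<EOCONF
#TLS configuration
\$WorkDirectory $RSYSLOG_SPOOLDIR

module(load="omrelp")
\$template $tmpl,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [$Comodo_AUTH_TOKEN@$Comodo_DISTRIBUTION_ID tag=\"cwaf-$PRODUCT_NAME\" product-name=\"$PRODUCT_NAME\"] %msg%\n"
module(load="imfile" PollingInterval="10")
input(type="imfile"
File="$MODSECURITY_LOG_FILE"
Tag="$tag"
Severity="error"
Facility="local6"
startmsg.regex="--.*-A--"
escapeLF="on"
)
if \$syslogtag contains "$tag" then {
*.* action(type="omrelp" target="$LOGS_01_HOST" port="$Comodo_SYSLOG_PORT" tls="on" template="$tmpl")
}

EOCONF
}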
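create_cpanelaccess_configuration()
{
  # Write the rsyslog fragment for PRODUCT_NAME=cpanelaccess: tail
  # CPANELACCESS_LOG_FILE with imfile and ship every line over RELP/TLS to
  # LOGS_01_HOST:Comodo_SYSLOG_PORT with the auth token in the SD-element.
  # Globals read: COMODO_RSYSLOG_CPANELACCESS_CONFFILE RSYSLOG_SPOOLDIR
  #   Comodo_AUTH_TOKEN Comodo_DISTRIBUTION_ID PRODUCT_NAME CPANELACCESS_LOG_FILE
  #   LOGS_01_HOST Comodo_SYSLOG_PORT
  # Returns non-zero if the file cannot be (re)created.
  local conf="$COMODO_RSYSLOG_CPANELACCESS_CONFFILE"
  local tag="cpanel-access"
  local tmpl="ComodoCpanelAccessServerTemplateAudit"
  # Truncate (or create) and restrict the mode before the token is written so
  # it is never world-readable, even briefly. rsyslog reads its config as root,
  # so 0640 root:root is enough -- NOTE(review): confirm on distros that run
  # rsyslogd unprivileged.
  : > "$conf" || return 1
  chmod 0640 "$conf" || return 1
  # NOTE(review): tls="on" without tls.caCert / tls.authMode / tls.permittedPeer
  # leaves the collector unauthenticated (omrelp appears to fall back to
  # anonymous TLS); pin the collector CA or fingerprint when it is available.
  # NOTE(review): every 23-*-rsyslog.conf fragment loads omrelp and imfile; if
  # rsyslog rejects a second module(load=...) of the same module, only one
  # product fragment per host can be active at a time -- confirm.
  cat >> "$conf" <<EOCONF
#TLS configuration
\$WorkDirectory $RSYSLOG_SPOOLDIR

module(load="omrelp")
\$template $tmpl,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [$Comodo_AUTH_TOKEN@$Comodo_DISTRIBUTION_ID tag=\"cwaf-$PRODUCT_NAME\" product-name=\"$PRODUCT_NAME\"] %msg%\n"
module(load="imfile" PollingInterval="10")
input(type="imfile"
File="$CPANELACCESS_LOG_FILE"
Tag="$tag"
Severity="error"
Facility="local6"
escapeLF="on"
)
if \$syslogtag contains "$tag" then {
*.* action(type="omrelp" target="$LOGS_01_HOST" port="$Comodo_SYSLOG_PORT" tls="on" template="$tmpl")
}

EOCONF
}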
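create_cpanelLogin_configuration()
{
  # Write the rsyslog fragment for PRODUCT_NAME=$CPANELLOGIN: tail
  # CPANELLOGIN_LOG_FILE with imfile and ship every line over RELP/TLS to
  # LOGS_01_HOST:Comodo_SYSLOG_PORT with the auth token in the SD-element.
  # The imfile tag is assembled from $log/$in (giving "cpanel-login"), matching
  # how CPANELLOGIN itself is built in the declarations.
  # Globals read: COMODO_RSYSLOG_CPANELLOGIN_CONFFILE RSYSLOG_SPOOLDIR
  #   Comodo_AUTH_TOKEN Comodo_DISTRIBUTION_ID PRODUCT_NAME CPANELLOGIN_LOG_FILE
  #   LOGS_01_HOST Comodo_SYSLOG_PORT log in
  # Returns non-zero if the file cannot be (re)created.
  local conf="$COMODO_RSYSLOG_CPANELLOGIN_CONFFILE"
  local tag="cpanel-${log}${in}"
  local tmpl="ComodoCpanelLoginServerTemplateAudit"
  # Truncate (or create) and restrict the mode before the token is written so
  # it is never world-readable, even briefly. rsyslog reads its config as root,
  # so 0640 root:root is enough -- NOTE(review): confirm on distros that run
  # rsyslogd unprivileged.
  : > "$conf" || return 1
  chmod 0640 "$conf" || return 1
  # NOTE(review): tls="on" without tls.caCert / tls.authMode / tls.permittedPeer
  # leaves the collector unauthenticated (omrelp appears to fall back to
  # anonymous TLS); pin the collector CA or fingerprint when it is available.
  # NOTE(review): every 23-*-rsyslog.conf fragment loads omrelp and imfile; if
  # rsyslog rejects a second module(load=...) of the same module, only one
  # product fragment per host can be active at a time -- confirm.
  cat >> "$conf" <<EOCONF
#TLS configuration
\$WorkDirectory $RSYSLOG_SPOOLDIR

module(load="omrelp")
\$template $tmpl,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [$Comodo_AUTH_TOKEN@$Comodo_DISTRIBUTION_ID tag=\"cwaf-$PRODUCT_NAME\" product-name=\"$PRODUCT_NAME\"] %msg%\n"
module(load="imfile" PollingInterval="10")
input(type="imfile"
File="$CPANELLOGIN_LOG_FILE"
Tag="$tag"
Severity="error"
Facility="local6"
escapeLF="on"
)
if \$syslogtag contains "$tag" then {
*.* action(type="omrelp" target="$LOGS_01_HOST" port="$Comodo_SYSLOG_PORT" tls="on" template="$tmpl")
}

EOCONF
}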
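check_parameters()
{
  # Validate the three positional inputs before anything is written to /etc.
  # Prints usage and exits 1 on any failure; on success echoes the accepted
  # values (token masked) as the original did.
  # Globals read: PRODUCT_NAME CPANELLOGIN Comodo_AUTH_TOKEN
  #   MODSECURITY_LOG_FILE AUDIT_LOG_FILE_PATH CPANELACCESS_LOG_FILE
  #   CPANELLOGIN_LOG_FILE
  local v path
  # All expansions are quoted: the original's bare "[ -z $VAR ]" mis-parsed
  # (or silently passed) values containing whitespace.
  if [[ -z "$PRODUCT_NAME" ]]; then
    echo "Product Name Cannot be null!! Exiting..."
    show_usages
    exit 1
  fi
  case "$PRODUCT_NAME" in
    linux)          echo "Product Name Linux" ;;
    modsecurity)    echo "Product Name Modsecurity" ;;
    cpanelaccess)   echo "Product Name Cpanel Access" ;;
    "$CPANELLOGIN") echo "Product Name Cpanel Login" ;;
    *)
      echo "Product Name Can only be \"linux\" , \"modsecurity\" , \"cpanelaccess\" or $CPANELLOGIN !! Exiting..."
      show_usages
      exit 1
      ;;
  esac
  if [[ -z "$Comodo_AUTH_TOKEN" ]]; then
    echo "Network Token Cannot be null!! Exiting..."
    show_usages
    exit 1
  fi
  # The token is interpolated unescaped into a double-quoted rsyslog template
  # and into the "[TOKEN@ID ...]" SD-element. A quote, backslash, ']' or
  # whitespace would break out of that context and corrupt the generated
  # config (or the forwarded events), so refuse such values up front.
  case "$Comodo_AUTH_TOKEN" in
    *[]\"\\]*|*[[:space:]]*)
      echo "Network Token must not contain quotes, backslashes, ']' or whitespace!! Exiting..."
      show_usages
      exit 1
      ;;
  esac
  # The four log-file variables are separate globals (each product function
  # reads its own), so each one is checked even though they share a value.
  for v in MODSECURITY_LOG_FILE AUDIT_LOG_FILE_PATH CPANELACCESS_LOG_FILE CPANELLOGIN_LOG_FILE; do
    path="${!v}"
    if [[ -z "$path" ]]; then
      echo "LogFile Path Cannot be null!! Exiting..."
      show_usages
      exit 1
    fi
    # Same injection concern: the path lands inside File="..." in the config.
    case "$path" in
      *[\"\\]*|*$'\n'*)
        echo "LogFile Path must not contain quotes, backslashes or newlines!! Exiting..."
        show_usages
        exit 1
        ;;
    esac
    if [[ "$path" != /* ]]; then
      # Not fatal: kept as a warning so existing invocations are not broken,
      # but imfile is expected to want an absolute path here.
      echo "WARNING: LogFile Path '$path' is not absolute; rsyslog imfile may reject it." >&2
    fi
  done
  # Echo the accepted inputs as before, but never the full token: it is a
  # credential and this output tends to end up in terminal scrollback and
  # provisioning logs.
  echo "$PRODUCT_NAME"
  echo "${Comodo_AUTH_TOKEN:0:4}**** (token masked)"
  echo "$MODSECURITY_LOG_FILE"
  echo "$AUDIT_LOG_FILE_PATH"
  echo "$CPANELACCESS_LOG_FILE"
  echo "$CPANELLOGIN_LOG_FILE"
}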
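check_parameters
# Everything below writes under /etc and /var/spool and restarts a service;
# fail early with a clear message instead of half-way through with EACCES.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "This script must run as root (it writes to $RSYSLOG_ETCDIR_CONF and restarts rsyslog). Exiting..." >&2
  exit 1
fi
# mkdir -p is a no-op when the spool directory already exists.
if ! mkdir -p "$RSYSLOG_SPOOLDIR"; then
  echo "Cannot create $RSYSLOG_SPOOLDIR. Exiting..." >&2
  exit 1
fi
# check_parameters has already rejected anything outside these four names.
case "$PRODUCT_NAME" in
  linux)          create_linux_configuration ;;
  modsecurity)    create_modsecurity_configuration ;;
  cpanelaccess)   create_cpanelaccess_configuration ;;
  "$CPANELLOGIN") create_cpanelLogin_configuration ;;
esac
# Restart rsyslog so it picks up the new fragment, and surface a failure:
# a silently failed restart means nothing is being forwarded.
if ! service rsyslog restart; then
  echo "rsyslog restart failed; run 'rsyslogd -N1' to check the generated config. Exiting..." >&2
  exit 1
fi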
########## Get Inputs from User - Start ##########
########## Get Inputs from User - End ##########