
Hack 58. Tune Up Your Asterisk Logs

How much log detail is too much? That depends on whom you ask. Asterisk's log output can be pretty granular, which is bad for disk utilization and good for troubleshooting.

Log analysis should be the core of your daily system monitoring and security activities. Like other softPBX servers, Asterisk supports flexible logging, providing several levels of logging detail in several different files. It also supports using syslog.

By default, Asterisk stores its logs in /var/log/asterisk.

You configure Asterisk logging in the /etc/asterisk/logger.conf file, which Asterisk reads at startup. The first section of the file is [general], where you can set the dateformat option to specify the date format used in Asterisk's logs. The format syntax is that of strftime(); run man strftime for the details.

The next section, [logfiles], describes which files should be used for logging output and how detailed each should be. The syntax for this section is:

    filename => level,level,level...

Consider the following logging configuration:

    [general]

    [logfiles]
    messages.log => notice,warning,error
    debug.log => notice,warning,error,debug,verbose

In this example, messages.log will contain a digest version of Asterisk's logging output, and debug.log will get everything in minute detail. Be careful with logs, though: Asterisk won't start once a logfile reaches 2 GB in size. On a busy system, a file like the preceding debug.log would hit that size pretty quickly, so make sure your logfile rotation includes Asterisk.
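The following shell script is an added example, not from the book: it reads the [logfiles] section of a logger.conf, resolves each entry against the log directory, and reports any file that has reached a size limit (defaulting to the 2 GB figure above), so it can run from cron as a guard against the startup failure described. It assumes that relative filenames in logger.conf live under astlogdir and that console and syslog.* entries are not files; both helper names and the sample configuration used are the example's own.

```bash
#!/bin/sh
# Added example (not from the book). Report Asterisk logfiles that have
# reached a size limit, based on what logger.conf declares.
#
# Usage: check_asterisk_logs /etc/asterisk/logger.conf /var/log/asterisk [limit_bytes]
# Assumption: relative filenames in [logfiles] are rooted at astlogdir.

# Print the filenames configured in the [logfiles] section, one per line.
# Lines beginning with ';' are Asterisk config comments; "console" and
# "syslog.*" name devices rather than files, so they are skipped.
logger_conf_files() {
    conf="$1"
    awk '
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[logfiles\]/); next }
        insec && /=>/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]*=>.*/, "")
            if ($0 != "console" && $0 !~ /^syslog\./) print
        }' "$conf"
}

# Check every configured file against the limit (default 2 GB).
# Returns 1 if at least one file is at or over the limit, 0 otherwise.
check_asterisk_logs() {
    conf="$1"; logdir="$2"; limit="${3:-2147483648}"
    over=0
    for f in $(logger_conf_files "$conf"); do
        case "$f" in
            /*) path="$f" ;;            # absolute path given in logger.conf
            *)  path="$logdir/$f" ;;    # relative to astlogdir (assumption)
        esac
        [ -f "$path" ] || continue      # not created yet: nothing to check
        size=$(wc -c < "$path" | tr -d ' ')
        if [ "$size" -ge "$limit" ]; then
            echo "WARNING: $path is $size bytes (limit $limit)"
            over=1
        fi
    done
    return $over
}

# Run the check when invoked with arguments; harmless when sourced.
if [ "$#" -ge 2 ]; then
    check_asterisk_logs "$@"
fi
```

The non-zero exit status makes the script usable directly from a cron job or a monitoring check; a warning from it is the cue to verify that logrotate (or whatever rotation you use) actually covers the files logger.conf declares.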

If you use console as a logfile name, Asterisk will assume you mean the console device, not an actual logfile. So, if you add this to the [logfiles] section, the desired level of logging will be output to the console session where Asterisk is launched:

    [logfiles]
    console => warning,error

Some attackers cover their tracks by removing commonly used logfiles that could contain evidence of their tampering with the system. So it's generally a good idea to keep logfiles in a nondefault place. That way, if an attacker uses an automated program to remove logfiles, the program will be less likely to find and destroy Asterisk's logfiles.

If you were an intruder and wanted to control Asterisk, you might start by attacking the Asterisk Manager, the remote API that allows users who've provided the right password to control certain aspects of Asterisk's operations via a TCP connection. If your Asterisk server is open to the Internet, pay special attention to Asterisk Manager log entries.
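As an added example of watching those entries (not from the book), the shell functions below summarize Asterisk Manager authentication failures per source address from messages.log-style lines and list the addresses that cross a threshold. The line format they match, "manager.c: <addr> failed to authenticate as '<user>'", is assumed here and the sample lines are constructed; adjust the pattern to the NOTICE lines your Asterisk version actually writes.

```bash
#!/bin/sh
# Added example (not from the book). Summarize Asterisk Manager (AMI)
# authentication failures by source address from an Asterisk messages log.
#
# Assumed line format (constructed, check against your own log):
#   [Jan  2 10:15:30] NOTICE[4321] manager.c: 203.0.113.5 failed to authenticate as 'admin'

# Print "<count> <addr>" for each source address, most failures first.
ami_auth_failures() {
    grep 'manager.c: .* failed to authenticate as ' "$1" \
      | sed -n 's/.*manager\.c: \([^ ]*\) failed to authenticate as .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Print the addresses with at least $2 failures (default 5), one per line.
ami_auth_offenders() {
    ami_auth_failures "$1" | awk -v min="${2:-5}" '$1 >= min { print $2 }'
}

# Usage: ami_auth_offenders /var/log/asterisk/messages.log 5
if [ "$#" -ge 1 ]; then
    ami_auth_offenders "$@"
fi
```

Feeding the output of ami_auth_offenders to your firewall or alerting is the obvious next step; the threshold is the only tuning knob, and it should reflect how many failed AMI logins a legitimate operator on your network would plausibly produce.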

To change Asterisk's default log location, edit /etc/asterisk/asterisk.conf and change the astlogdir directive to a path of your choosing. (Then make sure the permissions on that path allow Asterisk to write files there.) A sample asterisk.conf follows:

    [directories]
    astetcdir => /etc/asterisk
    astmoddir => /usr/lib/asterisk/modules
    astvarlibdir => /var/lib/asterisk
    astlogdir => /var/log/asterisk
    astagidir => /var/lib/asterisk/agi-bin
    astspooldir => /var/spool/asterisk
    astrundir => /var/run/asterisk

Syslog can be a target for Asterisk logging output, too. To enable it, use a syslog keyword in the [logfiles] section, similar to the console keyword:

    syslog.local0 => warning,error

VoIP Hacks: Tips & Tools for Internet Telephony
ISBN: 0596101333
Year: 2005
Pages: 156
