[asterisk-dev] Non-universalized log messages render security tools useless in Asterisk SVN-branch-1.8-r354348 or maybe other versions as well !!!

Matthew Jordan mjordan at digium.com
Mon Feb 13 09:47:18 CST 2012



> Matthew, thanks for the input. The module res_security_log is
> registered and loaded just like you showed. The line security_log =>
> security is also inserted and uncommented in logger.conf. Yet, when
> any SIP calls come in, there are no logs generated. I think the
> assumption that res_security_log is working in Asterisk 10.x is not
> right. Or at least it may only work with AMI, not be complete,
> etc...

> Do you have any logs generated in the security_log file?

I set up a quick test by having some Polycom phones attempt to register
with no matching device defined in sip.conf.  Below is a snippet from the
resulting security log file:

[Feb 13 09:09:19] SECURITY[17362] res_security_log.c: SecurityEvent=
"InvalidAccountID",EventTV="1329145759-441311",Severity="Error",
Service="SIP",EventVersion="1",AccountID="7001",
SessionID="0x7f824c014c60",LocalAddress="IPV4/UDP/x.x.x.x/5060",
RemoteAddress="IPV4/UDP/y.y.y.y/5060"

This was done using Asterisk 10.  No major changes have been made to
the security event log framework since Asterisk 10 was released, so I
would expect this to work in any released version.  In my particular
case, this would be with Asterisk 10.2.0-rc2.

If no log file is being created, you most likely have some form of
permissions problem or other local configuration issue that is preventing
the file from being written.

> I am making a call from another Asterisk server and I have
> allowguest=no and no logs generate in the security_log file.

> Best,

> On Mon, Feb 13, 2012 at 10:06 AM, Matthew Jordan < mjordan at digium.com > wrote:

> > Sorry about that - hit the wrong button and sent too soon :-)
> >
> > Anyway - with security_log => security in my logger.conf, a security_log
> > file was created on Asterisk start up. Verify that the res_security_log
> > module is being loaded - in a DEBUG log, you should see something similar
> > to the following:
> >
> > [Feb 13 09:01:25] DEBUG[17253] logger.c: Registered dynamic logger level 'SECURITY' with index 18.
> > [Feb 13 09:01:25] VERBOSE[17253] res_security_log.c: -- Security Logging Enabled
> > [Feb 13 09:01:25] VERBOSE[17253] loader.c: res_security_log.so => (Security Event Logging)

> > > > From: "Bruce B" < bruceb444 at gmail.com >
> > > > To: "Asterisk Developers Mailing List" < asterisk-dev at lists.digium.com >
> > > > Sent: Monday, February 13, 2012 8:49:34 AM
> > > > Subject: Re: [asterisk-dev] Non-universalized log messages render
> > > > security tools useless in Asterisk SVN-branch-1.8-r354348 or maybe
> > > > other versions as well !!!
> > > >
> > > > > > I also checked res_security_log and the module is loaded but it
> > > > > > doesn't add ANY whatsoever logs in Asterisk 1.8. Is that an
> > > > > > incomplete module?
> > > > >
> > > > > Like Paul stated, support for logging security events in chan_sip
> > > > > was added in Asterisk 10. In Asterisk 1.8, I think only AMI security
> > > > > events are logged. Also, make sure that you enable it in
> > > > > logger.conf. The security events will be contained in a separate
> > > > > log file.
> > > >
> > > > Thanks Michael. For the sake of testing I installed Asterisk 10.1.2
> > > > and I have res_security_log.so loaded and I have this line in
> > > > logger.conf as per directions:
> > > >
> > > > security => security
> > > >
> > > > However, there are NO LOGS generated in this file. The best I can see
> > > > from Asterisk is this:
> > > > [Feb 13 09:46:21] NOTICE[14762]: chan_sip.c:22906
> > > > handle_request_invite: Sending fake auth rejection for device
> > > > "Anonymous" <sip:Anonymous at anonymous.invalid>;tag=as55ac8bb5
> > >
> > > A NOTICE log message is not a security message. The wiki pages linked
> > > previously specify what you should see in the security log file.
> > >
> > > https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
> > >
> > > If it is configured correctly, you should see the log file specified
> > > in logger.conf created on Asterisk start up. For example, when using
> > > the following in logger.conf:
> > >
> > > > To conclude, res_security_log does NOT log anything so far. CDRs do
> > > > not include the source IP address and Asterisk doesn't mention the
> > > > source IP anywhere in Asterisk 1.8 or 10.x. Am I missing something?
> > > > Have you tested this yourself?
> > > >
> > > > Regards,
> > > >
> > > > --
> > > > _____________________________________________________________________
> > > > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > > >
> > > > asterisk-dev mailing list
> > > > To UNSUBSCRIBE or update options visit:
> > > > http://lists.digium.com/mailman/listinfo/asterisk-dev
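Added example, not part of the original message and not Asterisk code: a Python sketch of how a log-watching tool could consume the security log format shown in the reply above, pulling the source host out of RemoteAddress and counting InvalidAccountID events per host. The sample lines are constructed (documentation address ranges), one event per line is assumed, and the threshold of 3 is an arbitrary policy choice.

```python
import re
from collections import Counter

# Constructed sample input in the layout of the snippet in the message;
# hosts are documentation addresses, not values from the thread.
_EVENT = ('[Feb 13 09:09:{sec}] SECURITY[17362] res_security_log.c: SecurityEvent="InvalidAccountID",'
          'EventTV="1329145759-441311",Severity="Error",Service="SIP",EventVersion="1",'
          'AccountID="{acct}",SessionID="0x7f824c014c60",'
          'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{host}/5060"')
SAMPLE_LINES = [
    _EVENT.format(sec=19, acct=7001, host="198.51.100.7"),
    _EVENT.format(sec=20, acct=7002, host="198.51.100.7"),
    _EVENT.format(sec=21, acct=7003, host="198.51.100.7"),
    _EVENT.format(sec=22, acct=7001, host="203.0.113.5"),
    # A NOTICE line like the one quoted in the thread carries no source address.
    '[Feb 13 09:46:21] NOTICE[14762]: chan_sip.c:22906 handle_request_invite: '
    'Sending fake auth rejection for device "Anonymous" <sip:Anonymous@anonymous.invalid>',
]

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: (?P<body>.*)$')
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return a dict of event fields, or None for non-SECURITY lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(PAIR_RE.findall(m.group("body")))
    if "SecurityEvent" not in event:
        return None
    event["Timestamp"] = m.group("ts")
    # RemoteAddress is family/transport/host/port; keep only the host.
    parts = event.get("RemoteAddress", "").split("/")
    event["RemoteHost"] = parts[2] if len(parts) == 4 else None
    return event

def offenders(lines, threshold=3, events=("InvalidAccountID",)):
    """Hosts with at least `threshold` matching events (assumed policy)."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["SecurityEvent"] in events and ev["RemoteHost"]:
            hits[ev["RemoteHost"]] += 1
    return {host: n for host, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for host, n in sorted(offenders(SAMPLE_LINES).items()):
        print(f"{host}: {n} InvalidAccountID events")
```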


