Identical records in IIS logs

I am not very knowledgeable about IIS 7, so I thought this was the right place to ask.

While inspecting the web server logs, I came across several instances of separate records that look just the same. For example:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453

The question is – do those records correspond to two actual separate requests, or perhaps it was just one that for some reason got duplicated? This is not an isolated occurrence (there are hundreds more). Just for the record, these are all GET requests coming from the same source (an Apache Tomcat-based application that resides in the same web server and is invoking APIs in different application pools).

Thanks in advance,

Gabriel
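One way to pull such pairs out of a log file for closer inspection, as an added example that is not part of the question: a small parser for the W3C extended format (it reads the `#Fields:` directive rather than assuming a layout) and two groupings, one for records identical in every field and a looser one for records that share only the second, client and URI. The sample log is constructed from the two records above (query string shortened) plus one distinct record for contrast.

```python
"""Group identical records in an IIS W3C extended log (added example, not from the question)."""
from collections import Counter

# Constructed sample: the #Fields line and the two records quoted in the question
# (query string shortened), plus one distinct record added here for contrast.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&FLId=null&status=null 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&FLId=null&status=null 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:11 ABC.128.138.15 GET /MY/API/OTHER - 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 87
"""


def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A file can carry several #Fields lines (e.g. after an IIS restart);
                # each one redefines the layout of the records that follow it.
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        rec = dict(zip(fields, values))
        # The W3C format writes spaces inside a value as '+'; undo that for the user agent.
        if "cs(User-Agent)" in rec:
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        records.append(rec)
    return records


def find_identical(records):
    """Records that agree in every field (time-taken included), with their count."""
    counts = Counter(tuple(sorted(r.items())) for r in records)
    return [(dict(k), n) for k, n in counts.items() if n > 1]


def find_same_second(records):
    """Looser grouping: same second, client, method and URI, whatever the other fields say."""
    def key(r):
        return (r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
    counts = Counter(key(r) for r in records)
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for rec, n in find_identical(recs):
        print(f"{n}x {rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} "
              f"{rec['cs-uri-stem']} time-taken={rec['time-taken']}")
```

The script only isolates the candidates; the log file by itself cannot say whether a pair is two requests or one request written twice, so the output is what you would line up against the calling application's own records for the same second.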

Microsoft-Windows-SmbClient/Connectivity logs [closed]

When I’m investigating systems, the SMB client logs are a good place to tell me if a baddie tried mapping/navigating network shares and they often outlive the security logs.

Does anyone know a good reference to find out what exactly the codes mean? Such as event IDs? I tried Google and have not had much luck.

30805 30808 30800 30811 etc. 

Rsyslog not saving logs from another servers into custom directories [migrated]

I am receiving logs on UDP 514 from another server and I have configured rsyslog.conf to save the logs to a custom directory, but I am unable to do so. I confirmed through tcpdump that the logs are arriving on 514, but they are not getting saved. Anything I've missed?

Here's the config I've made in rsyslog.conf

$umask 0000

# ownership and permissions
$FileOwner punk
$FileGroup punk
$FileCreateMode 0640
$DirCreateMode 0755

# save that when possible
$PreserveFQDN on

# local ruleset (to control local syslogging)
$RuleSet local

$template CustomFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate CustomFormat

$template prod1,"/ab/cs/edl/172.x.x.x/%$now%.log"
if $fromhost-ip == '172.x.x.x' then ?prod1
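What the two templates in that config actually produce for an incoming packet, as an added example that is not part of the question: a minimal model of rsyslog's property replacer covering only the pieces used above (`date-rfc3339`, `sp-if-no-1st-sp`, `drop-last-lf`, `$now`, and the `if $fromhost-ip == ... then ?template` routing). Assumptions: the packet and the source address 172.16.0.10 (standing in for the anonymised 172.x.x.x) are constructed, and because RFC 3164 timestamps carry no year the caller supplies one.

```python
"""Expand the rsyslog templates from the config above (added example, not from the question)."""
import re
from datetime import datetime, timezone

# Templates as written in the question; 172.x.x.x is replaced by a constructed 172.16.0.10.
CUSTOM_FORMAT = r"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
PROD1_PATH = r"/ab/cs/edl/172.16.0.10/%$now%.log"
PROD1_SOURCE = "172.16.0.10"

# Constructed RFC 3164 packet, as it would arrive on UDP 514, and a fixed "now" for $now.
SAMPLE_PACKET = "<34>Apr 21 10:15:02 webhost sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2"
SAMPLE_NOW = datetime(2020, 4, 21, 10, 15, 30, tzinfo=timezone.utc)

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?:?)"   # rsyslog's syslogtag keeps the trailing colon
    r"(?P<msg>.*)$", re.S)
# %property:fromChar:toChar:options%
PROP_RE = re.compile(r"%(?P<name>[^%:]+)(?::(?P<from>[^:%]*):(?P<to>[^:%]*):(?P<opts>[^%]*))?%")


def parse_rfc3164(packet, fromhost_ip, received_year):
    """Split a packet into the rsyslog properties the templates refer to."""
    m = SYSLOG_RE.match(packet)
    if not m:
        raise ValueError(f"not an RFC 3164 packet: {packet!r}")
    # RFC 3164 timestamps carry no year; rsyslog infers one, here the caller supplies it.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=received_year, tzinfo=timezone.utc)
    return {"TIMESTAMP": ts, "HOSTNAME": m["host"], "syslogtag": m["tag"],
            "msg": m["msg"], "fromhost-ip": fromhost_ip}


def _render(name, value, opts):
    if isinstance(value, datetime):       # date properties pick their format by option
        value = value.isoformat() if "date-rfc3339" in opts else value.strftime("%b %d %H:%M:%S")
        opts = [o for o in opts if o != "date-rfc3339"]
    for opt in opts:
        if opt == "sp-if-no-1st-sp":      # a single space unless the value already starts with one
            value = "" if value.startswith(" ") else " "
        elif opt == "drop-last-lf":       # strip one trailing line feed
            value = value[:-1] if value.endswith("\n") else value
        else:
            raise NotImplementedError(f"option {opt!r} on %{name}% is not modelled here")
    return value


def expand(template, props, now):
    """Substitute every %...% reference in a template string."""
    def repl(m):
        if m["from"]:
            raise NotImplementedError("substring selection (fromChar:toChar) is not modelled here")
        name = m["name"]
        value = now.strftime("%Y-%m-%d") if name == "$now" else props[name]
        opts = [o for o in (m["opts"] or "").split(",") if o]
        return _render(name, value, opts)
    return PROP_RE.sub(repl, template.replace(r"\n", "\n"))


def route(props, now):
    """The rule `if $fromhost-ip == '<ip>' then ?prod1`: returns (file path, line) or None."""
    if props["fromhost-ip"] != PROD1_SOURCE:
        return None
    return expand(PROD1_PATH, props, now), expand(CUSTOM_FORMAT, props, now)


if __name__ == "__main__":
    props = parse_rfc3164(SAMPLE_PACKET, PROD1_SOURCE, SAMPLE_NOW.year)
    path, line = route(props, SAMPLE_NOW)
    print(path)
    print(line, end="")
```

Running it shows why the template references `%msg%` twice: rsyslog's `msg` property keeps the leading space that follows the tag, so `sp-if-no-1st-sp` contributes nothing for a normal message and a single space for one that lacks it, giving exactly one separator either way. The `$now` reference resolves to the receiving host's date, which is why the file name changes at midnight rather than following the sender's timestamp.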

Strange ufw logs

When securing my device (ubuntu) I noticed strange ufw logs. I am behind a router which should be blocking these kinds of requests? I realise these are using port 443 but I was under the impression that my outgoing connections to a website shouldn’t produce incoming connections to me.

[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=151.101.64.133 DST=<my ip> LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=0 RES=0x00 RST URGP=0 

Other info:

  • There was only one other device connected to the network.
  • This router was recently reset. UPnP is disabled.
  • Recently plugged a USB stick into the PC.
  • I have all incoming connections blocked and only allow http, https and dns out.
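The log line above, parsed and triaged, as an added example that is not part of the question. It reads the netfilter `key=value` fields and the bare flag tokens (`DF`, `SYN`, `RST`, ...) and then applies a heuristic of my own: a TCP segment without `SYN` arriving from a well-known service port at one of this host's ephemeral ports is reply-shaped, not a new connection attempt. Assumptions: the anonymised `DST=<my ip>` is replaced by the documentation address 192.0.2.10, the second and third lines are constructed for contrast, and 32768 is taken as the start of the ephemeral range (the lower end of Linux's default ip_local_port_range).

```python
"""Parse and triage ufw/netfilter block lines (added example, not from the question)."""
import re
from collections import Counter

PREFIX_RE = re.compile(r"^\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}
EPHEMERAL_MIN = 32768   # lower end of Linux's default ip_local_port_range (assumption)

# Constructed samples: the first is the question's line with the anonymised
# destination replaced by 192.0.2.10; the other two are made up for contrast.
SAMPLE_LINES = [
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=151.101.64.133 "
    "DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 "
    "WINDOW=0 RES=0x00 RST URGP=0",
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=198.51.100.7 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=198.51.100.7 "
    "DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53413 DPT=5353 LEN=58",
]


def parse_ufw(line):
    """Turn one kernel log line into a dict; bare tokens (DF, SYN, RST, ...) land in 'flags'."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ufw log line: {line!r}")
    entry = {"action": m["action"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" gives an empty string, which is fine
            entry[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
        else:
            entry["flags"].add(tok)
    return entry


def triage(entry):
    """Coarse classification of a blocked packet for a first pass over the log."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound-connection"     # someone is trying to open a connection to us
    if ("RST" in flags or "ACK" in flags) and entry["SPT"] < 1024 and entry["DPT"] >= EPHEMERAL_MIN:
        # Service port -> our ephemeral port, and not a SYN: the shape of a reply to a
        # connection this host opened itself, arriving after the firewall stopped tracking it.
        return "late-reply-to-outbound"
    return "other-tcp"


def summarize(lines):
    """Count each triage class across a batch of lines."""
    return Counter(triage(parse_ufw(line)) for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_ufw(line)
        print(f"{triage(e):24} {e['SRC']}:{e.get('SPT')} -> {e['DST']}:{e.get('DPT')} {sorted(e['flags'])}")
```

Under that reading the line in the question is not an inbound connection attempt: it is a bare `RST` from port 443 to a high port, the kind of segment a stateful firewall accepts while the connection is still tracked and logs as a block once the connection has been closed. The `SYN`-class lines are the ones worth looking at first when reviewing what the router let through.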

After change to 13306, Galera logs error: Slave I/O: error connecting to master ‘repuser@:3306’

Working with Galera 25.3.23 on RHEL 7.3

Galera worked fine before. After changing the MySQL server port from 3306 to 13306, one of the nodes reports an error after restart:

Slave I/O: error connecting to master 'repuser@<IP>:3306' - retry-time: 60  maximum-retries: 86400  message: Can't connect to MySQL server on '<IP>' (111 "Connection refused"), Internal MariaDB error code: 2003 

The other 2 nodes work fine after the restart.

Googled the web, but can't find the way to specify the port number.

Also, if possible, please share the usage of the “repuser” ID.

Securing SMTP server and its logs

Looking for general mail server security best practices here.

I did some research and it’s really hard to find the information out there.

  1. How do you safeguard an SMTP server log? Are there any encryption tools out there? Our reason is that if the server is compromised, at least the logs are not in plain text format for attackers to see without obtaining our tool/keys.

  2. It seems like most SMTP servers out there store recipient information in the log files. How can we ensure this information is not stored, or at a minimum is scrambled? Is that possible?

Thank you, and I'm still researching the subject.
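One way to do the "scrambled" variant from point 2, as an added example that is not part of the question: replace every address in a log line with a keyed hash (HMAC-SHA256) before the line is written or shipped. A plain hash would not do, because addresses are guessable and a dictionary of likely addresses could be hashed and matched; with a secret key, someone who reads the logs but not the key gets nothing, while an operator who holds the key can still compute the token for a known address and search for it. The log line is a constructed Postfix-style sample, not captured from a real server, and the key is a placeholder.

```python
"""Pseudonymise mail addresses in SMTP log lines with a keyed hash (added example, not from the question)."""
import hashlib
import hmac
import re

# Matches the <local@domain> form that Postfix-style logs use for to=, from=, orig_to= fields.
ADDR_RE = re.compile(r"<(?P<local>[^<>@\s]+)@(?P<domain>[^<>\s]+)>")

# Constructed sample line, not captured from a real server; the key is a placeholder.
SAMPLE_LINE = ("Apr 21 00:00:10 mx1 postfix/smtp[2211]: 4F2A1B: to=<Alice.Smith@example.com>, "
               "orig_to=<alice@example.com>, relay=mail.example.com[203.0.113.7]:25, "
               "delay=0.5, status=sent (250 OK)")
DEMO_KEY = b"constructed-demo-key-replace-me"


def pseudonymize_address(address, key, keep_domain=True):
    """Map an address to a stable token. Case is normalised so variants collapse to one token."""
    local, _, domain = address.lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    token = hmac.new(key, f"{local}@{domain}".encode(), hashlib.sha256).hexdigest()[:16]
    # Keeping the domain preserves per-domain delivery troubleshooting; drop it for stricter output.
    return f"{token}@{domain}" if keep_domain else token


def pseudonymize_line(line, key, keep_domain=True):
    """Rewrite every <local@domain> in a log line, leaving all other fields untouched."""
    def repl(m):
        return "<" + pseudonymize_address(f"{m['local']}@{m['domain']}", key, keep_domain) + ">"
    return ADDR_RE.sub(repl, line)


def search_token(address, key, keep_domain=True):
    """What an operator holding the key would grep for to find a known recipient."""
    return "<" + pseudonymize_address(address, key, keep_domain) + ">"


if __name__ == "__main__":
    print(pseudonymize_line(SAMPLE_LINE, DEMO_KEY))
    print("search for:", search_token("alice@example.com", DEMO_KEY))
```

Two points matter in practice. The key must live somewhere a compromise of the mail host does not also expose, for example supplied to the log shipper at start-up rather than stored next to the log files, otherwise it adds nothing over a plain hash. And because the mapping is deterministic, the tokens still let you count and correlate messages per recipient; if even that is too much, the `keep_domain=False` form and a key that is rotated per retention period reduce what can be learned from the logs alone.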

Custom message logs

We could really use custom message logs, in 2 formats, failed and success, for example:

[STEP1]

custom failed1=Cannot register on this page
custom failed1 condition=You cannot register

custom success1=Already logged in
custom success1 condition=>Logout<

How to show user’s liked posts and collections when the user logs in?

I want to create a plugin which enables a user to like and collect things(posts, links, qoutes, pictures etc) while he/she is logged in and the user would be able to see all his or her liked & collected times on his front-end profile page. What I know is how to create a user and assign roles programmatically. But I don’t know how to get posts “marked” as liked and enable them to add items in his collection ( my be with a button option which says “add to my collection”) and then save it to the users collection and show it on the front-end profile page. It would be really helpful if I could get directions that what should I search for ? i-e keywords to search. Any suggestion idea whould be appreciated. Thanks