IMCAFS

Research on a log audit system based on PHP

Posted by barello at 2020-03-16

Introduction

Once a computer's protective mechanisms are in place, the operation of the protected system still has to be monitored and audited. Log files are an important part of a security system: they are the historical record of the system's running state. As the Internet has grown, tracking network behaviour has become more and more important. Traditional log audit systems offer standardized functions and can be deployed on a single server to meet the common needs of enterprise applications; by collecting the directory listing and the contents of web log files, a summary of server access can be obtained. However, most audit tools are neither flexible nor adaptable: they can only handle standardized log files, and it is difficult to manage related information across different kinds of log file in a unified way. In addition, traditional tools rely on the file system, so once the number of audited files grows past a certain point, processing speed and performance drop sharply. More importantly, such a single system cannot audit the behaviour of multiple integrated services across a given scope. A log audit system is mainly used in the infrastructure of today's information publishing systems. It comprehensively monitors and records the dynamic information and structural changes of the information system, provides real-time alerting, outputs comprehensive analysis logs and data, and offers a security event management platform with a wide monitoring range, rapid response and strong analytical capability.

Functional design

Log information is dumped into an initial database on the log processing workstation. The data in the initial database serves two purposes: it is used for statistical queries, and the log audit module examines it for signs of intrusion. If a suspicious intrusion is detected, a warning is sent and the warning information is inserted into the warning log database. The system administrator can retrieve the warning log through the front-end user interface. The various log functions and the basic configuration are presented in the log settings module. PHP and MySQL together provide fast log search and accurate log queries, and offer a network security solution for enterprises.

Main modules

Collect various OS logs, web server logs, database logs and FTP server logs, and process them in a unified format.

In the audit system, the collected logs are processed and analyzed in real time; the corresponding warning is then generated according to the rule base, and the warning information is sent by email and SMS.

Process and analyze the logs collected by the post-audit system, and generate reports.

Regularly back up the logs collected by the audit system, and support importing the various kinds of log.

Provide a user management interface. Because the audit system uses a B/S (browser/server) structure, users can manage the system through a browser, enabling efficient combined status queries of the logs.

vsftpd logs track the detailed operations of FTP users on Linux, including the login time, the upload or download time, the login IP, and the size of the file downloaded or uploaded. All of these logs are stored in MySQL with a powerful search function (records can be found by querying date, IP or user name), providing an audit management platform with a wide monitoring range, rapid response and strong analytical capability. Apache logs the various events that occur each day; through these logs administrators can record the cause of errors or trace attackers. When users access the database, their operations are managed through the MySQL log records. The administrator can check the log records for malicious tampering or deletion, so as to ensure the security of the system.

Implementation of main modules

Read the log files and store them in the database. Part of the code is as follows:

    ......
    $page = file('xferlog');                       // one array element per line of the FTP transfer log
    $table_count = $db_news->fn_row_table('log');  // number of rows already stored in table `log`
    if (count($page) > $table_count) {             // only the lines not yet in the table are added
        for ($insert_id = $table_count; $insert_id < count($page); $insert_id++) {
            $hang = explode(' ', $page[$insert_id]);   // split the record into its space-separated fields
            $insert_content = "'',";                   // empty first value for the auto-increment id column
            if (count($hang) == 18) {                  // a complete xferlog record has 18 fields
                // each field is quoted by string interpolation rather than bound as a parameter,
                // so a field value containing a quote character reaches the SQL statement unescaped
                for ($ae_i = 0; $ae_i < count($hang) - 1; $ae_i++) {
                    $insert_content .= "'$hang[$ae_i]',";
                }
                $insert_content .= "'$hang[$ae_i]'";   // last field without the trailing comma
            } else {
    ......
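As an added example (not the article's code), the same import written as a parser for the 18-field xferlog record with the values bound through a prepared statement, so that a filename containing a space or a quote is stored rather than breaking the INSERT; the table and column names, the XFERLOG_RE pattern and the sample lines are constructed for the demo.

```php
<?php
// Added example, not code from the article: parse vsftpd xferlog records into named
// fields and insert them with prepared statements, so a crafted filename in the log
// cannot alter the INSERT that string interpolation builds. Table/column names and
// the sample lines are constructed for this demo.
// 18 space-separated fields: 5 date tokens, then 13 transfer fields. The filename may
// contain spaces, so the record is anchored on the fixed fields instead of split on ' '.
const XFERLOG_RE = '/^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (\d+) (\S+) (\d+) (.+) '
    . '([ab]) ([CUT_]) ([oid]) ([agr]) (\S+) (\S+) ([01]) (\S+) ([ci])$/';
const XFERLOG_COLS = ['log_time', 'xfer_secs', 'remote_host', 'file_size', 'filename', 'xfer_type',
    'action', 'direction', 'access_mode', 'username', 'service', 'auth_method', 'auth_uid', 'status'];

function parse_xferlog_line(string $line): ?array
{
    if (!preg_match(XFERLOG_RE, rtrim($line), $m)) {
        return null;                                     // malformed record
    }
    $rec = array_combine(XFERLOG_COLS, array_slice($m, 1));
    foreach (['xfer_secs', 'file_size', 'auth_method'] as $num) {
        $rec[$num] = (int) $rec[$num];
    }
    return $rec;
}

// Inserts every well-formed line and returns how many were stored.
function import_xferlog(PDO $db, array $lines): int
{
    $stmt = $db->prepare('INSERT INTO log (' . implode(', ', XFERLOG_COLS) . ') VALUES (:'
        . implode(', :', XFERLOG_COLS) . ')');
    $imported = 0;
    foreach ($lines as $line) {
        $rec = parse_xferlog_line($line);
        if ($rec !== null && $stmt->execute($rec)) {     // values are bound, never interpolated
            $imported++;
        }
    }
    return $imported;
}

// Constructed sample: a download, an upload whose name contains a space and a quote
// character, and a truncated line that must be rejected.
$sample = [
    "Mon Mar 16 10:01:02 2020 3 192.0.2.10 5120 /pub/readme.txt a _ o r alice ftp 1 * c",
    "Mon Mar 16 10:05:44 2020 1 192.0.2.11 2048 /upload/q1 report'.csv b _ i r bob ftp 1 * c",
    "Mon Mar 16 10:06:00 2020 1 192.0.2.12",
];
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE log (id INTEGER PRIMARY KEY, ' . implode(', ', XFERLOG_COLS) . ')');
echo import_xferlog($db, $sample), ' of ', count($sample), " lines imported\n";
```

The in-memory SQLite database stands in for the MySQL table only so the script runs offline; the prepared statement is the same with a MySQL DSN.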

Real-time service monitoring is done with shell scripts combined with PHP. The system checks the service at a fixed interval to determine whether it is running normally. If an exception is raised, the administrator is notified by SMS or email so that it can be handled immediately, avoiding the unnecessary and serious loss that a failed service would cause. There are two monitoring methods: one monitors the network interface traffic, and if the traffic is too high a warning is sent to the administrator; the other monitors whether the service process is currently running, and if the service process has been killed an alarm is sent to the administrator automatically. The user can configure the mobile number, the warning threshold and the email address in the warning system. Part of the code is as follows:

    ......
    function alarm($file_name_alarm) {
        $arr = file($file_name_alarm);   // the alarm shell script, one line per element
        // default settings
        $tel = '13000000000';
        $totel = "13000000000";
        $tpass = "0000000";
        $allowdata = "104857600";        // traffic threshold in bytes
        $email = '[email protected]';
        $arr_count = count($arr);
        if ($_POST['submit']) {          // form submitted: replace the defaults with the posted values
            if ($_POST['tel']) $tel = $_POST['tel'];
            if ($_POST['totel'])
    ......
            // the key=value lines of the script are rewritten with the posted values;
            // nothing checks their shape before they are written into a shell script
            if (preg_match("/^(email)/", $arr[$i])) {
                $arr[$i] = "email=$email \n";
            }
        }
        $str = implode("", $arr);
        $fpTo = fopen($file_name_alarm, "w");    // write the updated script back
        fwrite($fpTo, $str);
        fclose($fpTo);
        $fpFrom = fopen($file_name_alarm, "r");  // read it again to show it in the form
        $str = fread($fpFrom, filesize($file_name_alarm));
        fclose($fpFrom);
        return $str;
    }
    $str1 = alarm('alarm_shell/a.sh');   // NIC traffic warning script
    $str2 = alarm('alarm_shell/1.sh');   // vsftpd state warning script
    echo "<table align=\"center\"><tr><td class=\"ziti14\">Set your nic flow warning!</td>";
    echo "<td class=\"ziti14\">Set your VSFTP state warning</td><tr>";
    echo "<tr><td class=\"ziti14\">" . wordscut(nl2br($str1), 260) . "</td>";
    ......
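An added example, not from the article, of the same settings update with each posted value validated against a fixed shape before it is written into the script that the monitor runs; the ALARM_RULES table, the temporary file name and the sample script are assumptions made for the demo.

```php
<?php
// Added example, not the article's code: alarm() above copies $_POST values straight
// into a shell script that the monitor later runs. This version accepts a value only
// when it matches a strict shape for its key before rewriting the key=value lines, so
// the script can only ever receive a digit string, an integer threshold or a plain
// email address. The file name and the sample script are constructed for the demo.
// Allowed shape per setting; a key not listed here is rejected too. The D modifier
// stops $ from matching before a trailing newline in a submitted value.
const ALARM_RULES = [
    'tel'       => '/^\d{11}$/D',                      // mobile number that receives the SMS
    'totel'     => '/^\d{11}$/D',
    'allowdata' => '/^\d{1,12}$/D',                    // traffic threshold in bytes
    'email'     => '/^[\w.+-]+@[\w-]+(\.[\w-]+)+$/D',
];

// Returns the keys whose values failed validation (empty array means all accepted).
function validate_alarm_settings(array $input): array
{
    $bad = [];
    foreach ($input as $key => $value) {
        if (!array_key_exists($key, ALARM_RULES) || !preg_match(ALARM_RULES[$key], (string) $value)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

// Rewrites the matching key=value lines of $file; returns false and leaves the file
// untouched if any submitted value was rejected.
function update_alarm_script(string $file, array $input): bool
{
    if (validate_alarm_settings($input) !== []) {
        return false;
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES);
    foreach ($lines as $i => $line) {
        // only lines of the form key=value are touched; the rest of the script stays as is
        if (preg_match('/^(\w+)=/', $line, $m) && isset($input[$m[1]])) {
            $lines[$i] = $m[1] . '=' . $input[$m[1]];
        }
    }
    return file_put_contents($file, implode("\n", $lines) . "\n") !== false;
}

// Constructed demo: a valid update, then a value that is not a bare email address.
$script = tempnam(sys_get_temp_dir(), 'alarm');
file_put_contents($script, "#!/bin/sh\ntel=13000000000\nallowdata=104857600\nemail=admin@example.com\n");
var_dump(update_alarm_script($script, ['tel' => '13912345678', 'allowdata' => '52428800']));
var_dump(update_alarm_script($script, ['email' => 'admin@example.com; x']));
echo file_get_contents($script);
unlink($script);
```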

A common header file opens the class files and the session; each page only needs to include this one file. Part of the code is as follows:

    ......
    include_once("mysql.class.php");
    include_once("config.php");
    include_once("page.class.php");
    include_once("action.class.php");
    // database connection object; the credentials come from config.php
    $db = new action($mydbhost, $mydbuser, $mydbpw, $mydbname, ALL_PS, $mydbcharset);
    // identity of the logged-in user, read from the session (keys quoted: bare keys are
    // treated as undefined constants by PHP)
    $uid   = $_SESSION['uid'];
    $shell = $_SESSION['shell'];   // login token checked by Get_user_shell()
    $name  = $_SESSION['name'];
    ......

Verify users when they log in to the system, and check that they have an account, a password and permission to log in. Part of the code is as follows:

    ......
    public function Get_user_shell($uid, $shell)
    {
        // look up the admin record; the id is concatenated straight into the WHERE clause
        $query = $this->select('dotcom_user', '*', '`log_admin_id` = \'' . $uid . '\'');
        $us = is_array($row = $this->fetch_array($query));
        // the session token must equal md5(name . password . "TKBK") for that record
        $shell = $us ? $shell == md5($row['log_admin_name'] . $row['log_admin_passwd'] . "TKBK") : FALSE;
        return $shell ? $row : NULL;
    }

    public function Get_user_shell_check($mulu, $uid, $shell, $qx = '', $power = 20)
    {
        if ($row = $this->Get_user_shell($uid, $shell)) {
            if ($row['log_admin_power'] < $power) {                      // power below the threshold passes
                return $row;
            } elseif ($row['log_admin_power'] >= $power && $qx == 1) {   // page explicitly allowed
                return $row;
            } elseif ($row['log_admin_power'] >= $power && $qx == '') {
                $this->Get_admin_msg('../main.php', 'Permission denied, you have no right operation');
                exit();
            }
        } else {
            // not logged in: send the user to the login page (path depends on directory depth)
            if ($mulu == 1) {
                $this->Get_admin_msg('../index.php', 'Login');
            } else {
                $this->Get_admin_msg('index.php', 'Login');
            }
        }
    }
    ......
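Added example (not the article's own code): the same lookup and permission check with the id bound as a query parameter and the token compared with hash_equals instead of a loose ==; the token construction follows the article, while the SQLite table, the user rows and the get_user_shell / get_user_shell_check function names are constructed for the demo.

```php
<?php
// Added example, not the article's code: the lookup and permission logic of
// Get_user_shell / Get_user_shell_check above, with a prepared statement for the id
// lookup and a constant-time comparison of the session token. The column names follow
// the article; the SQLite database and the user rows are constructed for the demo.

function get_user_shell(PDO $db, string $uid, string $shell): ?array
{
    $stmt = $db->prepare('SELECT * FROM dotcom_user WHERE log_admin_id = :id');
    $stmt->execute([':id' => $uid]);                 // $uid is bound, not concatenated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                 // unknown id
    }
    // same token construction as the article, compared strictly and without early exit
    $expected = md5($row['log_admin_name'] . $row['log_admin_passwd'] . 'TKBK');
    return hash_equals($expected, $shell) ? $row : null;
}

// Mirrors Get_user_shell_check: a power value below $power passes, a value at or above
// it passes only when $qx == 1. Returns the row, or null when the caller must redirect.
function get_user_shell_check(PDO $db, string $uid, string $shell, $qx = '', int $power = 20): ?array
{
    $row = get_user_shell($db, $uid, $shell);
    if ($row === null) {
        return null;                                 // not logged in
    }
    if ((int) $row['log_admin_power'] < $power || $qx == 1) {
        return $row;
    }
    return null;                                     // permission denied
}

// Constructed demo data: one administrator (power 10) and one viewer (power 30).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE dotcom_user (log_admin_id, log_admin_name, log_admin_passwd, log_admin_power)');
$db->exec("INSERT INTO dotcom_user VALUES ('1', 'root', '" . md5('secret') . "', 10)");
$db->exec("INSERT INTO dotcom_user VALUES ('2', 'viewer', '" . md5('guest') . "', 30)");
$rootToken   = md5('root' . md5('secret') . 'TKBK');
$viewerToken = md5('viewer' . md5('guest') . 'TKBK');
var_dump(get_user_shell_check($db, '1', $rootToken) !== null);       // administrator
var_dump(get_user_shell_check($db, '2', $viewerToken) !== null);     // viewer on a restricted page
var_dump(get_user_shell_check($db, '2', $viewerToken, 1) !== null);  // viewer on an allowed page
var_dump(get_user_shell_check($db, '1', 'not-the-token') !== null);  // wrong session token
```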

Summary

With the development of the Internet, tracking online behaviour has become very important in some fields, and it is an indispensable tool for distance education and e-commerce. In view of the current state of the network environment, a cross-platform, all-round log audit system design is proposed, which enables network administrators to find network security risks in complex log data. However, the current solution does not consider data mining related to log audit, and this needs to be improved. Saving the work of network personnel through a log audit system will be a necessary and effective method. The main feature of the system is that it can not only carry out normal log audit, but also build a framework that supports user operation audit in an open environment. The system can collect and audit logs from various remote servers, and uses a database for log maintenance and information configuration, so that far more logs can be held while query speed and performance remain better than with the file system. After further improvement, we believe there will be more discoveries in large-scale user behaviour analysis and in support for non-repudiable log audit.

Note: This article was translated by REST members.