LogAgent™

LogAgent is a Java class designed to continuously read and scan syslog messages for lines that may indicate security violations or exception conditions. LogAgent receives messages directly from syslogd through a FIFO created at setup time. As messages arrive from the system logger facility, each one is checked against a set of pre-configured regular expressions. If a match is found, the matching message is sent to a reporter module together with the integer priority assigned to the regular expression that matched.

With LogAgent, log files are not processed after the fact; messages are processed immediately, as the system generates them. If a message that could indicate a security violation is sent to the system logger, LogAgent receives and processes it at once and can take action.
LogAgent can be configured with any number of regular expressions to scan for. A pattern may match an incoming message exactly, letter for letter, or loosely, matching on a single word anywhere in the message. This makes for a highly configurable setup in which LogAgent can scan for specific security violation messages as well as for non-specific system exception messages. The system is easy to extend and customize: an operator adds regular expressions to the list to tailor LogAgent to a particular installation. Because every pattern carries a priority, specific actions can be associated with the detection of specific messages. Some log messages require immediate attention from the operator, so LogAgent can be set up to act according to the priority of the matched message; for example, it can page the operator when a high-priority message is detected.
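The following is an added illustration of the approach described above, written for this page in Python; it is not LogAgent's own code, and the rule table, priority thresholds, action names and sample syslog lines are all constructed for the example. It shows the three pieces the text describes: a list of (regular expression, priority) rules ranging from an exact, anchored message to a single loose keyword, a scanner that reports the highest-priority match for each incoming line, and a dispatcher that chooses an action from the priority. In deployment the line source would be the FIFO that syslogd writes to; here it is an in-memory list so the example runs offline.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical rule table: (compiled pattern, priority). Higher is more urgent.
# Patterns are kept anchored and tight where possible, because parts of a
# syslog message (for example a user name) can be chosen by whoever triggered it.
RULES: List[Tuple[re.Pattern, int]] = [
    # exact, fully anchored message shape
    (re.compile(r"^.*sshd\[\d+\]: Failed password for (invalid user )?\S+ from \S+ port \d+ ssh2$"), 5),
    (re.compile(r"^.*su\[\d+\]: FAILED SU \(to root\) \S+ on \S+$"), 7),
    # loose keyword match: anywhere in the message
    (re.compile(r"Accepted password for root"), 9),
    # non-security exception conditions
    (re.compile(r"Out of memory"), 3),
    (re.compile(r"segfault"), 2),
]

# Constructed sample syslog lines (not real captures).
SAMPLE_LINES = [
    "Jan  1 00:00:00 host sshd[123]: Failed password for invalid user bob from 10.0.0.5 port 4242 ssh2",
    "Jan  1 00:00:01 host sshd[124]: Accepted password for root from 10.0.0.5 port 4243 ssh2",
    "Jan  1 00:00:02 host kernel: Out of memory: Kill process 321 (java)",
    "Jan  1 00:00:03 host cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  1 00:00:04 host su[55]: FAILED SU (to root) alice on /dev/pts/0",
]


@dataclass
class Match:
    priority: int
    pattern: str
    message: str


def scan_line(line: str, rules=RULES) -> Optional[Match]:
    """Return the highest-priority rule matching the line, or None if no rule matches."""
    best: Optional[Match] = None
    for pattern, priority in rules:
        if pattern.search(line) and (best is None or priority > best.priority):
            best = Match(priority, pattern.pattern, line.rstrip("\n"))
    return best


def dispatch(match: Match, page_threshold: int = 8, notify_threshold: int = 5) -> str:
    """Map a match's priority to an action name (thresholds are hypothetical).

    A real reporter module would page, mail or log here; this returns the
    action name so the decision can be inspected and tested.
    """
    if match.priority >= page_threshold:
        return "page"
    if match.priority >= notify_threshold:
        return "notify"
    return "log"


def run(lines: Iterable[str], rules=RULES) -> List[Tuple[str, int, str]]:
    """Scan lines as they arrive and return (action, priority, message) per hit.

    With a FIFO, `lines` would be `open("/path/to/fifo")`; note that the open
    blocks until syslogd has the write end open, and the loop ends at EOF when
    the writer closes, so a long-running agent reopens the FIFO in an outer loop.
    """
    results = []
    for line in lines:
        m = scan_line(line, rules)
        if m is not None:
            results.append((dispatch(m), m.priority, m.message))
    return results


def demo() -> List[Tuple[str, int, str]]:
    """Run the scanner over the constructed sample lines."""
    return run(SAMPLE_LINES)


if __name__ == "__main__":
    for action, priority, message in demo():
        print(f"{action:6} p={priority} {message}")
```

Of the five sample lines, the cron entry matches nothing; the failed SSH password and failed su reach the notify threshold, the root login by password is paged, and the kernel out-of-memory message is merely logged. The `scan_line` function keeps only the highest priority when several rules match one message, which is the property that lets an operator add a loose catch-all pattern at low priority without it masking a specific high-priority rule.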


For more information or purchase, please contact info@iselab.com.


© Information Security Engineering Lab, Inc. 2003.