SunScreen EFS Release 3.0 Reference Manual

Log Macro Usage

A log macro is utilized by expanding its value and by causing that expansion to be presented as a filter expression to a log get* or logdump command.

The following example shows what you type to perform log macro expansion using logmacro as a sub-command of ssadm, while logged in to Screen:


admin% ssadm -r Screen logmacro print
NAME="probed-ports" ENABLED VALUE="icmp or dstport telnet or dstport rlogin or dstport rsh or dstport ftp or srcport X11 or port adminweb"
admin% ssadm -r Screen logmacro print sys=
SYS="Screen" NAME="suspicious" ENABLED VALUE="logwhy 256 logiface le0 ( not from trusted or to hidden ) macro probed-ports"

The output above shows two macros. The first, probed-ports, is not specific to any Screen and ostensibly defines services that are thought to be targets for initial probes leading to security attacks. The second, suspicious, is specific to Screen and contains a more complete macro for filtering potential probes; it restricts itself to packets logged because no rule was found for them or because their source addresses were illegal on their interface ("logwhy 256"), further to packets arriving on a specific (presumably outside) interface ("logiface le0"), yet further to packets originating from non-trusted hosts or targeted at non-published hosts ("not from trusted or to hidden"), and yet further to the restrictions imposed by the macro "probed-ports".


Tip -

As a brief aside, the verb names,flat produces a list of names that are available for macro expansion on a particular Screen.


For example, while logged in to Screen, type:


admin% ssadm -r Screen logmacro names,flat
"probed-ports"
"suspicious"


Note -

Screen-specific issues of macros have been hidden, listing macro names as they are used by embedded macro references.


Assuming the following definitions have been created and activated for registry items:


edit> list Address
"abraham" HOST 1.2.3.4
"hidden" RANGE 129.9.9.0 129.9.9.255
"john" HOST 2.3.4.5
"martin" HOST 3.4.5.6
"trusted" GROUP { "abraham" "martin" "john" } { }
edit> list Service
"rlogin" SIMPLE FORWARD "tcp" PORT 513
"rsh" SIMPLE FORWARD "tcp" PORT 514
"telnet" SIMPLE FORWARD "tcp" PORT 23
"X11" SIMPLE FORWARD "tcp" PORT 6000-6063

The following is an example of what you type to expand the given macro, while logged in to Screen:


admin% ssadm -r Screen logmacro expand suspicious
logwhy 256 logiface le0 ( not ( from 1.2.3.4 or from 2.3.4.5 or from 3.4.5.6 ) or to 129.9.9.0..129.9.9.255 ) ( icmp or dstport 23 or dstport 513 or dstport 514 or ( srcport 20 or dstport 21 ) or srcport 6000..6063 or port adminweb )

This usage illustrates the various expansion and resolution operations performed by expand. The clause "from trusted" has been replaced by the registry values for the GROUP "trusted". The clause "to hidden" has likewise been resolved to a registry RANGE, using the logdump syntax for IP address ranges, "a.b.c.d..e.f.g.h".

The embedded macro reference "macro probed-ports" has been expanded. The clauses that can be resolved from the registry ("dstport telnet", "dstport rlogin", "dstport rsh", "dstport ftp", and "srcport X11"), have been expanded using registry values whereas clauses that were not found in the registry ("icmp" and "port adminweb") were left to be resolved by logdump itself. The "dstport ftp" clause further illustrates some special processing employed for that protocol, and the expansion of the "srcport X11" clause shows the logdump syntax for port ranges "x..y".
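The resolution rules described above (group and range substitution, embedded macro expansion, service-name-to-port mapping with the "x..y" range syntax, and pass-through of clauses the registry cannot resolve) are easy to misread from a single transcript. The following Python model is an added example, not SunScreen code: it reimplements those rules over a copy of the registry and macro definitions shown on this page and reproduces the manual's expand output. The ordering of GROUP members in the output and the handling of "dstport ftp" as "( srcport 20 or dstport 21 )" are assumptions chosen to match the transcript, not documented SunScreen behaviour.

```python
"""Toy model of `logmacro expand` resolution (added example, not SunScreen code)."""

# Constructed registry, copied from the manual's `edit> list Address` / `list Service` output.
ADDRESSES = {
    "abraham": ("HOST", "1.2.3.4"),
    "hidden":  ("RANGE", "129.9.9.0", "129.9.9.255"),
    "john":    ("HOST", "2.3.4.5"),
    "martin":  ("HOST", "3.4.5.6"),
    "trusted": ("GROUP", ["abraham", "martin", "john"], []),   # members, exclusions
}
SERVICES = {            # service name -> port or "lo-hi" range, as listed in the manual
    "rlogin": "513",
    "rsh":    "514",
    "telnet": "23",
    "X11":    "6000-6063",
}
MACROS = {              # macro NAME -> VALUE, as shown by `logmacro print`
    "probed-ports": "icmp or dstport telnet or dstport rlogin or dstport rsh "
                    "or dstport ftp or srcport X11 or port adminweb",
    "suspicious":   "logwhy 256 logiface le0 ( not from trusted or to hidden ) "
                    "macro probed-ports",
}

ADDRESS_VERBS = {"from", "to"}
PORT_VERBS = {"srcport", "dstport", "port"}


def _ip_key(term):
    """Sort key: numeric value of the first address in a resolved '<verb> <addr>' term."""
    first = term.split()[1].split("..")[0]
    return tuple(int(octet) for octet in first.split("."))


def address_terms(verb, name):
    """Resolve a registry address name into a list of '<verb> <value>' terms."""
    kind, *rest = ADDRESSES[name]
    if kind == "HOST":
        return [f"{verb} {rest[0]}"]
    if kind == "RANGE":
        return [f"{verb} {rest[0]}..{rest[1]}"]      # logdump range syntax a.b.c.d..e.f.g.h
    members, exclusions = rest                        # GROUP: flatten members recursively
    terms = []
    for member in members:
        if member not in exclusions:
            terms.extend(address_terms(verb, member))
    # Assumption: order by address so the output matches the manual's transcript.
    return sorted(terms, key=_ip_key)


def port_term(verb, name):
    """Resolve a service name; None means 'leave it for logdump'."""
    if verb == "dstport" and name == "ftp":
        # Assumption: approximates the special FTP processing the manual mentions
        # (control channel to port 21, data channel from port 20).
        return "( srcport 20 or dstport 21 )"
    spec = SERVICES.get(name)
    if spec is None:
        return None
    return f"{verb} {spec.replace('-', '..')}"       # logdump port range syntax x..y


def expand(expr, _seen=()):
    """Expand a macro VALUE string the way the page describes `logmacro expand`."""
    tokens = expr.split()
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        resolved = port_term(tok, nxt) if tok in PORT_VERBS and nxt else None
        if tok == "macro" and nxt is not None:
            if nxt in _seen:
                raise ValueError(f"macro reference cycle at {nxt!r}")
            out.append("( " + expand(MACROS[nxt], _seen + (nxt,)) + " )")
            i += 2
        elif tok in ADDRESS_VERBS and nxt in ADDRESSES:
            terms = address_terms(tok, nxt)
            out.append(terms[0] if len(terms) == 1 else "( " + " or ".join(terms) + " )")
            i += 2
        elif resolved is not None:
            out.append(resolved)
            i += 2
        else:
            out.append(tok)   # unresolved clauses ("icmp", "port adminweb") pass through
            i += 1
    return " ".join(out)


def expand_macro(name):
    """Expand a macro by name, as `logmacro expand <name>` would."""
    return expand(MACROS[name])


if __name__ == "__main__":
    print(expand_macro("suspicious"))
```

Running the block prints the same filter expression the manual shows for "logmacro expand suspicious". The cycle guard in expand is not something the page documents; it is there because a macro that references itself, directly or through another macro, would otherwise recurse without bound.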


Note -

Resolution of SunScreen registry items performed by expand is made using those of the currently activated policy and for the Screen whereon the expand operation is executed.


The logmacro expand mechanism has been designed to facilitate simple command-line usage in conjunction with the other log processing facilities of SunScreen.

The following is an example of what you type to employ the above macro to retrieve the suspicious items in the current log on the Screen and display them, while logged in to Screen:


admin% ssadm -r Screen log get `ssadm -r Screen logmacro expand suspicious` | ssadm logdump -V