Windows emergency response and system hardening (10) — log analysis of nginx and JBoss


Log analysis of nginx and JBoss

1、 Analyzing nginx logs with ELK

1. Introduction to nginx logs:

Nginx is a high-performance, lightweight web server, reverse proxy and e-mail proxy server, originally developed by the second most visited website in Russia;

Nginx is widely used in high-concurrency application systems because of its excellent performance and low resource consumption;

In the web server field it is widely deployed across the Internet, e-commerce, energy and transportation industries (Sina, NetEase, Tencent, etc.);

Its role is similar to that of Apache, so the characteristics of its log files are also similar.

2. Nginx log analysis:

The log rotation method of nginx is similar to that of Apache;

Nginx log files are divided into the access log (access.log) and the error log (error.log);

The default log directory is logs/ under the installation directory. Check the nginx.conf configuration file for the actual log directory, the log configuration fields and the log format (for example the nginx "combined" log format).

The principles of analysis are as follows:

<1>. Time of occurrence:

Based on timestamps: import the timestamped nginx logs into an analysis platform or program;

Determine the specific time window of the security event and locate the exact time point.

<2>. How it happened:

Focus on the HTTP request methods, such as GET, POST and PUT;

Look for the traces of webshells, SQL injection, XSS (cross-site scripting), deserialization vulnerabilities, remote command execution and directory traversal (e.g. repeated ../ sequences in the path), SQL fragments such as select *, etc.;

Server response status codes: 500, 501, 404, 200, 302, 401, etc.;

The number of bytes sent by the server (bytes field): useful for spotting Trojan downloads, CC and DDoS attacks.

<3>. The specific location of the attack:

Pay attention to the requested resource URI, both its depth (shell upload) and its breadth (sensitive directories and files);

Pay attention to the parameters passed to the requested resource (injection);

Pay attention to the user-agent (client) information (scripts and tools);

Pay attention to the IP address of the client requesting the resource (client IP);

If the server that responded turns out to have been planted with a Trojan, you can quickly go to that server for investigation, forensics and handling;

Referer: the referring or recommending site, relevant to XSS, CSRF and cross-domain attacks.
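As an added example (not part of the original article), the following Python script applies the three principles above to nginx combined-format access log lines: it parses each line, keeps only the entries inside a chosen time window, flags the request-method, URI, status-code, byte-count and user-agent indicators the text lists, and aggregates the flagged requests per client IP. The sample log lines, the indicator patterns, the scanner user-agent strings and the 5 MB response threshold are all constructed for this example and are not from the article.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote

# Regex for the nginx "combined" log format (the default access_log format):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # layout of $time_local

# Indicator checks derived from the principles above.  The pattern lists are
# constructed for this example and deliberately small; a real deployment keeps
# them as a separate, tuned ruleset.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
SQLI_RE = re.compile(r"(select\s.*\sfrom|union\s+select|information_schema)", re.I)
XSS_RE = re.compile(r"(<script|javascript:|onerror=)", re.I)
SCANNER_UA = ("sqlmap", "python-requests", "nikto")   # assumed tool signatures
UNUSUAL_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
LARGE_RESPONSE = 5_000_000   # bytes; assumed threshold for "unusually large"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], TIME_FMT)
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    e["status"] = int(e["status"])
    parts = e["request"].split(" ")
    # "$request" is "METHOD URI PROTOCOL"; malformed requests may have fewer parts
    e["method"] = parts[0] if parts else ""
    e["uri"] = unquote(parts[1]) if len(parts) > 1 else ""   # decode %2e%2e etc.
    return e


def indicators(e):
    """Return the list of indicator names that fire for one parsed entry."""
    hits = []
    if e["method"] in UNUSUAL_METHODS:
        hits.append("unusual-method")
    if TRAVERSAL_RE.search(e["uri"]):
        hits.append("directory-traversal")
    if SQLI_RE.search(e["uri"]):
        hits.append("sql-injection")
    if XSS_RE.search(e["uri"]) or XSS_RE.search(e["referer"]):
        hits.append("xss")
    if any(s in e["agent"].lower() for s in SCANNER_UA):
        hits.append("scanner-user-agent")
    if e["status"] >= 500:
        hits.append("server-error")
    if e["bytes"] >= LARGE_RESPONSE:
        hits.append("large-response")
    return hits


def triage(lines, start, end):
    """Keep entries inside [start, end], flag them, and aggregate per client IP."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or not (start <= e["time"] <= end):
            continue
        hits = indicators(e)
        if hits:
            per_ip[e["ip"]] += 1
            flagged.append((e["time"].isoformat(), e["ip"], e["method"],
                            e["uri"], e["status"], hits))
    return {"flagged": flagged, "per_ip": per_ip}


# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LINES = [
    '192.0.2.10 - - [12/Mar/2021:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2021:10:00:05 +0800] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.25"',
    '198.51.100.7 - - [12/Mar/2021:10:00:06 +0800] "GET /item?id=1%20union%20select%201,2,3 HTTP/1.1" 500 512 "-" "python-requests/2.25"',
    '192.0.2.11 - - [12/Mar/2021:10:00:09 +0800] "PUT /uploads/cmd.jsp HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [12/Mar/2021:10:30:00 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2021:13:00:00 +0800] "GET /../../etc/shadow HTTP/1.1" 404 153 "-" "curl/7.68"',
]


def run_sample():
    """Triage the sample lines within a two-hour window starting at 10:00 local time."""
    start = datetime.strptime("12/Mar/2021:10:00:00 +0800", TIME_FMT)
    return triage(SAMPLE_LINES, start, start + timedelta(hours=2))


if __name__ == "__main__":
    result = run_sample()
    for row in result["flagged"]:
        print(row)
    print("flagged requests per IP:", result["per_ip"].most_common())
```

The last sample line falls outside the time window and is dropped before any indicator runs, which is the point of fixing the window first: it keeps the noise of a busy access log out of the investigation. URIs are percent-decoded before matching so that encoded traversal sequences are not missed.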

3. Using ELK to analyze nginx logs

<1>. ELK introduction:

ELK is short for Elasticsearch, Logstash and Kibana, the core suite.

Elasticsearch is a real-time full-text search and analysis engine that provides data collection, analysis and storage. It exposes an open REST and Java API, provides efficient search and a scalable distributed system, and is built on the Apache Lucene search engine library;

Logstash is a tool for collecting, analyzing and filtering logs. It supports almost any type of log, including access logs, error logs and custom application logs. It can receive logs from a number of sources, including syslog, messaging systems (Redis, RabbitMQ) and JMX, and can output data in a variety of ways, including e-mail, WebSockets and Elasticsearch;

Kibana is a web-based graphical interface for searching, analyzing and visualizing the log data stored in Elasticsearch indices. It uses the Elasticsearch REST interface to retrieve data, and lets users create customized dashboard views of their own data as well as ad-hoc views that query and filter the data in different ways.

<2>. Elasticsearch related information:

Storage directory of Elasticsearch data: /data/es-data;

Elasticsearch configuration file: /etc/elasticsearch/elasticsearch.yml;

Start the Elasticsearch service: /etc/init.d/elasticsearch start;

Interact with Elasticsearch: curl -I -XGET 'IP:9200/_count?pretty' (9200 is the default port of Elasticsearch).

<3>. Logstash related information:

Application directory: /usr/share/logstash/;

Logstash configuration file location: /etc/logstash/conf.d;

Format patterns for the nginx log fields: /usr/share/logstash/patterns;

Start Logstash to process the nginx log: logstash -f /etc/logstash/conf.d/nginx3.conf

<4>. Kibana related information:

Application directory: /usr/local/kibana;

Kibana configuration file: /usr/local/kibana/config/kibana.yml;

Start Kibana: /usr/local/kibana/bin/kibana

<5>. Nginx log global usage distribution:



2、 JBoss log analysis and investigation

1. JBoss log introduction:

JBoss is an open-source J2EE application server, widely used in China and worldwide;

The JBoss code is licensed under the LGPL and can be used free of charge in any commercial application;

JBoss has several versions: JBoss AS4, AS5, AS6, AS7, etc.;

It is a middleware container and server for managing EJBs, and supports the EJB 1.1, EJB 2.0 and EJB 3 specifications;

JBoss AS is the upstream basis of the commercial JBoss Enterprise Application Platform. To differentiate the two products and avoid user confusion, JBoss AS was renamed WildFly in October 2016.

2. Log analysis:

    See the nginx log analysis principles above.

3. JBoss vulnerability introduction:

Compared with other well-known middleware (WebLogic, Jenkins, WebSphere, etc.), JBoss has relatively few vulnerabilities. However, in recent years Java deserialization vulnerabilities have been rampant, and JBoss suffers from them as well.

<1>. The main types of high-risk JBoss vulnerabilities are as follows:

Getshell: a vulnerability that uses unauthorized access to enter the JBoss management backend and upload files;

Java deserialization remote code execution vulnerabilities:

CVE-2015-4852, CVE-2015-7501, CVE-2017-7504, CVE-2017-12149, CVE-2013-4810;

JBoss Seam 2 template injection vulnerability (CVE-2010-1871).

<2>. Main JBoss vulnerabilities by product version:

      JBoss AS4:

JMX console weak password or password leakage leads to getshell;

Admin console weak password or password leakage leads to getshell.

      JBoss AS5:

JMX console weak password or password leakage leads to getshell;

Admin console weak password or password leakage leads to getshell;

CVE-2013-4810 (JMXInvokerServlet / EJBInvokerServlet remote command execution vulnerability);

JBoss Java deserialization vulnerability.

      JBoss AS6:

JBoss Java deserialization vulnerability (e.g. CVE-2017-12149);

JMX console weak password or password leakage leads to getshell, also known as RMI remote method invocation getshell;

Admin console weak password or password leakage leads to getshell.

      JBoss AS7:

Java deserialization vulnerability;

Management console weak password or password leakage leads to getshell.

4. JBoss log analysis:

<1>. JBoss 6.1.0 log configuration file (AS4 and AS5 are similar):

Location: C:\jboss-6.1.0.Final\server\default\deploy\jboss-logging.xml (access log recording is not enabled by default.)

<2>. Configuration field explanation:

Example of the configuration fields (the AccessLogValve element; the opening tag is reconstructed here from the className value described below):

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               prefix="localhost_access_log." suffix=".log"
               pattern="%h %l %u %t %r %s %b" directory="${jboss.server.home.dir}/log"
               resolveHosts="false" />


className: the Java class name of the implementation, set to org.apache.catalina.valves.AccessLogValve;

directory: the directory where the log files are stored;

pattern: the fields, format and layout of the log information to be recorded. The values "common" and "combined" select the standard record formats; user-defined formats are also possible;

prefix: the prefix of the log file name. If not specified, the default is "access_log." (note the trailing dot);

resolveHosts: if true, the IP address of the remote host is converted to a host name through a DNS lookup. If false, the DNS lookup is skipped and the IP address of the remote host is reported;

suffix: the suffix of the log file name (suffix=".log"; note the dot);

rotatable: defaults to true and determines whether the log is rotated. If false, the log is never rotated and fileDateFormat is ignored; use with caution;

condition: enables conditional logging;

fileDateFormat: allows a custom date format in the log file name. The date format also determines how often the log file is rotated.

%a: remote IP address

%A: local IP address

%b: bytes sent, excluding the HTTP headers; "-" if zero

%B: bytes sent, excluding the HTTP headers

%h: remote host name (or the remote IP address if resolveHosts="false")

%H: request protocol

%l: remote logical user name from identd (always returns "-")

%m: request method

%p: local port on which the request was received

%q: query string

%r: first line of the request (method, URI and protocol)

%s: HTTP status code of the response

%S: the user's session ID

%t: date and time, in common log format

%u: authenticated remote user (or "-" if none)

%U: URL path of the request

%v: name of the local server

%D: time taken to process the request, in milliseconds

%T: time taken to process the request, in seconds
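As an added example that is not part of the original article, the Python code below turns an AccessLogValve pattern string such as %h %l %u %t %r %s %b into a regular expression using the codes listed above, parses constructed JBoss access log lines with it, and then uses the parsed fields for the check a responder would want from section 3: successful (2xx) requests to the JMX console, admin console or invoker servlets, which on a properly restricted server should only ever come from administrators. The sample lines, the management path list and the helper names are assumptions made for this example.

```python
import re
from datetime import datetime

# Regex fragment for each AccessLogValve pattern code explained above.
# Codes whose value may contain spaces (%t, %r) get delimiters or a lazy match.
CODE_FRAGMENTS = {
    "a": r"(?P<remote_ip>\S+)",
    "A": r"(?P<local_ip>\S+)",
    "b": r"(?P<bytes>\d+|-)",          # "-" when zero bytes were sent
    "B": r"(?P<bytes_raw>\d+)",
    "h": r"(?P<remote_host>\S+)",      # host name, or IP when resolveHosts="false"
    "H": r"(?P<protocol>\S+)",
    "l": r"(?P<ident>\S+)",            # identd user, always "-"
    "m": r"(?P<method>\S+)",
    "p": r"(?P<local_port>\d+)",
    "q": r"(?P<query>\S*)",
    "r": r"(?P<request_line>.+?)",     # "METHOD URI PROTOCOL", contains spaces
    "s": r"(?P<status>\d{3})",
    "S": r"(?P<session_id>\S+)",
    "t": r"\[(?P<time>[^\]]+)\]",
    "u": r"(?P<user>\S+)",             # authenticated user, "-" if none
    "U": r"(?P<uri>\S+)",
    "v": r"(?P<server_name>\S+)",
    "D": r"(?P<millis>\d+)",
    "T": r"(?P<seconds>\d+)",
}
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # layout used inside the %t brackets

# Management paths whose successful use should be reviewed; derived from the
# console and invoker vulnerabilities listed in section 3 (assumed list).
MANAGEMENT_PATHS = ("/jmx-console", "/admin-console", "/invoker/")


def compile_pattern(pattern):
    """Turn an AccessLogValve pattern string into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%" and i + 1 < len(pattern) and pattern[i + 1] in CODE_FRAGMENTS:
            parts.append(CODE_FRAGMENTS[pattern[i + 1]])
            i += 2
        else:
            parts.append(re.escape(ch))   # literal text between the codes
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_access_line(pattern, line):
    """Parse one log line written with `pattern`; return a dict or None."""
    m = compile_pattern(pattern).match(line.rstrip("\r\n"))
    if not m:
        return None
    e = m.groupdict()
    if "time" in e:
        e["time"] = datetime.strptime(e["time"], TIME_FMT)
    if "bytes" in e:
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    if "status" in e:
        e["status"] = int(e["status"])
    if "request_line" in e:
        # split "METHOD URI PROTOCOL" so the URI can be inspected on its own
        fields = e["request_line"].split(" ")
        e["method"] = fields[0]
        e["uri"] = fields[1] if len(fields) > 1 else ""
    return e


def console_access(pattern, lines):
    """Return entries that reached a management path with a 2xx status."""
    hits = []
    for line in lines:
        e = parse_access_line(pattern, line)
        if e and e.get("uri", "").startswith(MANAGEMENT_PATHS) and 200 <= e["status"] < 300:
            hits.append((e["remote_host"], e["user"], e["method"], e["uri"], e["status"]))
    return hits


# Constructed sample lines in the default pattern shown in the configuration
# example above (RFC 5737 documentation addresses, not real clients).
SAMPLE_PATTERN = "%h %l %u %t %r %s %b"
SAMPLE_LINES = [
    "192.0.2.10 - - [12/Mar/2021:10:00:00 +0800] GET /app/index.jsp HTTP/1.1 200 5120",
    "198.51.100.7 - - [12/Mar/2021:10:00:03 +0800] GET /jmx-console/ HTTP/1.1 200 3456",
    "198.51.100.7 - admin [12/Mar/2021:10:00:09 +0800] POST /invoker/JMXInvokerServlet HTTP/1.1 200 -",
    "192.0.2.11 - - [12/Mar/2021:10:01:00 +0800] GET /admin-console/ HTTP/1.1 401 -",
]


def run_sample():
    """Report successful management-path requests in the sample lines."""
    return console_access(SAMPLE_PATTERN, SAMPLE_LINES)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Because the regex is built from the pattern attribute, the same parser handles any layout the valve is configured with; the 401 line for /admin-console/ is correctly left out, while the unauthenticated 200 on /jmx-console/ from an address that also later posts to the invoker servlet is exactly the sequence worth pulling the server for forensics over.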

5. Using ELK to analyze JBoss logs

    Refer to the nginx analysis above.