Encrypting Syslog-ng using PKCS7 envelope in C#

Created By Saddam Abu Ghaida and Nicolai Tufar

Hello There,

In this article I am going to share the code that makes your Windows application log encrypted messages to a remote Syslog server using a PKCS7 envelope. To understand the logging part of the code you need to read the Syslog RFC.

I hard-coded the public key for the sake of convenience, since this is educational code. Aside from the encryption part, the code opens a UDP connection to the syslog server, constructs the packet and sends it.

Before we jump to the code, we need to configure the Syslog-ng server to accept remote logging, which is done with the following procedure.

Edit “/etc/syslog-ng/syslog-ng.conf” and add the following:

1. Add a filter for the log messages, because it is much better not to mix system logs with your application logs; this is the reason the local facilities were created.

 # match only messages that arrive with facility local5
 filter f_cryptor    {facility(local5); };

2. Define Destination: where the log should be saved

# write the selected messages to their own log file
destination cryptor { file("/var/log/cryptor.log"); };

3. Put all the things together. We don’t need to create our own source, since the default one is network-enabled and accepts messages from anyone unless you disabled this intentionally, and it supports unix-dgram sockets for local logging, but I will include it for the sake of completeness.

source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();

        #
        # the default log socket for local logging:
        #
        unix-dgram("/dev/log");

        #
        # process log messages from the network: UDP port 514 on every
        # interface (0.0.0.0). Any host that can reach this port can submit
        # messages, so limit access with a firewall rule or bind ip() to a
        # specific interface address.
        #
        udp(ip("0.0.0.0") port(514));
};
# route messages from src that pass f_cryptor into the cryptor destination
log { source(src); filter(f_cryptor); destination(cryptor); };

Now we can move on to the code.


using System;
using System.Globalization;
using System.Net;
using System.Net.Sockets;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace Test.SysLog
{
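/// <summary>
/// Minimal syslog sender over UDP (RFC 3164 message layout), plus helpers that wrap a
/// message in a CMS/PKCS#7 enveloped-data structure for a single recipient certificate.
/// </summary>
/// <remarks>
/// <para>
/// <see cref="Send"/> transmits the body exactly as given; it does not encrypt. A caller that
/// wants confidentiality passes the output of <see cref="EncryptSyslog"/> as the body.
/// </para>
/// <para>
/// Enveloped data provides confidentiality only. The envelope is not signed and UDP syslog
/// does not authenticate the sender, so the collector cannot tell who produced an entry or
/// whether entries were dropped on the way.
/// </para>
/// <para>
/// NOTE(review): RFC 3164 limits a packet to 1024 bytes and a base64-encoded envelope can be
/// larger than that; confirm the size the collector accepts.
/// </para>
/// </remarks>
class SysLog
{
    /// <summary>Syslog severity levels; the numeric value is added to facility * 8.</summary>
    public enum Priority
    {
        Emergency = 0,
        Alert = 1,
        Critical = 2,
        Error = 3,
        Warning = 4,
        Notice = 5,
        Informational = 6,
        Debug = 7
    }

    /// <summary>Syslog facility codes.</summary>
    public enum Facility : int
    {
        /* ftp://ftp.rfc-editor.org/in-notes/rfc3164.txt */
        Kern = 0,
        User = 1,
        Mail = 2,
        Daemon = 3,
        Auth = 4,
        Syslog = 5,
        LPR = 6,
        News = 7,
        UUCP = 8,
        Cron = 9,
        AuthPriv = 10,
        FTP = 11,
        NTP = 12,
        Audit = 13,
        Audit2 = 14,
        CRON2 = 15,
        Local0 = 16,
        Local1 = 17,
        Local2 = 18,
        Local3 = 19,
        Local4 = 20,
        Local5 = 21,
        Local6 = 22,
        Local7 = 23
    }

    // Host name written into every packet.
    private readonly string machine = Dns.GetHostName();

    // Resolved in the constructor; nothing in this class reads it afterwards.
    private readonly string sysLogLocalHostIpAddress;

    private readonly int facilityId;
    private readonly string sysLogRemoteHostIpAddress;

    // Sample recipient certificate (public part only), hard-coded for demonstration.
    // Messages are encrypted to whoever holds the matching private key, so a real
    // deployment should load its own recipient certificate from configuration or a
    // certificate store. The field is public and writable: any code in the process can
    // replace it and so change who is able to read the encrypted log entries.
    // NOTE(review): the PEM text is concatenated without line breaks; confirm that the
    // certificate loader of the target runtime accepts this form.
    public static string testCertificate = "-----BEGIN CERTIFICATE-----" +
        "MIIHmzCCBYOgAwIBAgIKG/LjjwAAAAABPDANBgkqhkiG9w0BAQUFADBbMRMwEQYK" +
        "CZImiZPyLGQBGRYDY2NjMRIwEAYKCZImiZPyLGQBGRYCZ3IxEzARBgoJkiaJk/Is" +
        "ZAEZFgNtb2ExGzAZBgNVBAMTEk1hbmFnaW5nLU9mZmljZS1DQTAeFw0xMTAxMjUx" +
        "MjQyMTNaFw0xNTAxMjQxMjQyMTNaMIG4MRMwEQYKCZImiZPyLGQBGRYDY2NjMRIw" +
        "EAYKCZImiZPyLGQBGRYCZ3IxEzARBgoJkiaJk/IsZAEZFgNtb2ExHzAdBgNVBAsT" +
        "FkRlcGFydG1lbnRhbCBSZXNvdXJjZXMxDDAKBgNVBAsTA0lTRDEOMAwGA1UECxMF" +
        "VXNlcnMxGjAYBgNVBAMTEVNhZGRhbSBBYnUgR2hhaWRhMR0wGwYJKoZIhvcNAQkB" +
        "Fg5TR2hhaWRhQGNjYy5ncjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB" +
        "ALY6rK5KhJlO4fkh1ZunTM4LUisu+YvE/cxREYprbV4Af7GAb0v9UdiSih/gq+Ow" +
        "JYjEgh6q+fvQhoJyXDyxRkZfzVHeAH1ddz8LfTE6B/tYT2ZzJPcar2QLnmLD9tQV" +
        "ow4mY9vyOBCqJPe2OmD80y98/0MQrAU8DEYa/i12lBPdSeKJ3N80fSXElmyTJhQg" +
        "S5PMACZ2LKw7/+A8SUAECKEDvD4EHDHo5OVggKp0Ra+aYQkYizHkw8omA07MUD9k" +
        "jXsxmwMa7g1KPaAqapn70Xi4ep0YXmAq++gxnU+XCvBi051Uqsua0UzvoaK4cf4/" +
        "8sED838Rj7+K5ii/kWYvktsCAwEAAaOCAwEwggL9MD4GCSsGAQQBgjcVBwQxMC8G" +
        "JysGAQQBgjcVCIP+ih2C99k+hO2VLIXKrkyH9NxhgWqDzpFEgpbeBQIBZAIBAzAp" +
        "BgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQGCisGAQQBgjcKAwQwCwYDVR0P" +
        "BAQDAgWgMDUGCSsGAQQBgjcVCgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwQw" +
        "DAYKKwYBBAGCNwoDBDBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAO" +
        "BggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFDsO" +
        "8mot1uYAcRRJ3T90tysG24cQMB8GA1UdIwQYMBaAFI/oyI75Pahn9Ap+PYfFVFxy" +
        "dYzhMIHKBgNVHR8EgcIwgb8wgbyggbmggbaGgbNsZGFwOi8vL0NOPU1hbmFnaW5n" +
        "LU9mZmljZS1DQSxDTj1nci1tb2EtY2EtMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtl" +
        "eSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9Y2Nj" +
        "P2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxE" +
        "aXN0cmlidXRpb25Qb2ludDCBuQYIKwYBBQUHAQEEgawwgakwgaYGCCsGAQUFBzAC" +
        "hoGZbGRhcDovLy9DTj1NYW5hZ2luZy1PZmZpY2UtQ0EsQ049QUlBLENOPVB1Ymxp" +
        "YyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24s" +
        "REM9Y2NjP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0" +
        "aW9uQXV0aG9yaXR5MD0GA1UdEQQ2MDSgIgYKKwYBBAGCNxQCA6AUDBJzZ2hhaWRh" +
        "QG1vYS5nci5jY2OBDlNHaGFpZGFAY2NjLmdyMA0GCSqGSIb3DQEBBQUAA4ICAQCj" +
        "SOZrYgFBsZMF4jZ/M0JTp+7GejWsTM7emlBUSi75xJ5ZUAhOrxrT9fRwIskUe+fR" +
        "kY9wVaBQBs74eQHQnLGUXZTJyg89e2/LCbxlcLcCVLb6NziD87oemYS9tcFSlQUs" +
        "NNCzz9xacnEWTRQFZAPdvh049NhtoysHAU4Uu3L/GEuguamrmQaVMg3GXpePs+Sp" +
        "XXZswBfrU/AiDa3pGfYX3BvEMnagK/+bf73vstwQkGbMHQMFUn3RiT/JTtT4G3zf" +
        "Qdh/PMlKSoPOMA5fQM1TrjQrG09/wn0TYpXwLrrbEX1rvhG8duWAyE6IiAhB6r2M" +
        "Cz7pl5IYAltepNWNkv0aRUm56UNiIX0H80odgJXtYUyyc8mBlP7mz+keVkPD76zR" +
        "BDmWLa7TBqL/I0JCIZ6iskR2tVoBt15yOnsInsRFr1+RSZgufluaPdkQtmeTSP4F" +
        "6yPuurS/9nK+5hQdKXkvCU+mPLykeXGZMBRDP5H5wDviJhqrDcOqvs6jfM1qz/h3" +
        "XH4bRSqJnVKs1Px8wB7I5Yqvg+gHtSrTFgl5MHaVnG116rWOGh6DNd4OP9KY/CAc" +
        "NPVqGx8j6A4MeUddd/tjucIrI+TOqkD1DBLpuCffPNK3tWqglTybSTn1X6ejEx6X" +
        "G5NfXW2tQ0lCvz4hq3u7q04uDWaM2XFb/M6pMXl2qg==" +
        "-----END CERTIFICATE-----";

    /// <summary>
    /// Creates a sender for one syslog server and one facility.
    /// </summary>
    /// <param name="syslogserver">Host name or address of the syslog server; resolved through DNS here.</param>
    /// <param name="f">Facility used for every message sent by this instance.</param>
    public SysLog(string syslogserver, Facility f)
    {
        facilityId = (int)f;
        // Only the first address returned for each host is used.
        sysLogLocalHostIpAddress = Dns.GetHostEntry(Dns.GetHostName()).AddressList[0].ToString();
        sysLogRemoteHostIpAddress = Dns.GetHostEntry(syslogserver).AddressList[0].ToString();
    }

    //public void Send(string ipAddress, string body)
    //{
    // if (ipAddress == null || (ipAddress.Length < 5)) ipAddress = Dns.GetHostEntry(Dns.GetHostName()).AddressList[0].ToString();
    // this.Send(Sender.Priority.Warning, DateTime.Now, body);
    //}

    /// <summary>
    /// Builds one syslog packet and sends it to the server on UDP port 514.
    /// </summary>
    /// <param name="severity">Severity of the message.</param>
    /// <param name="time">Timestamp written into the packet header.</param>
    /// <param name="body">Message text. It is sent as given; pass the result of
    /// <see cref="EncryptSyslog"/> to send ciphertext.</param>
    public void Send(Priority severity, DateTime time, string body)
    {
        // facility * 8 + severity == the PRI value (RFC 3164 section 4.1.1).
        int priorityNumber = (facilityId * 8) + (int)severity;

        // RFC 3164 section 4.1.2 wants English month abbreviations and a space-padded day
        // of month. The invariant culture keeps the header independent of the regional
        // settings of the machine, which would otherwise localise the month name and the
        // time separator.
        string timestamp = string.Format(
            CultureInfo.InvariantCulture,
            "{0:MMM} {1,2} {0:HH:mm:ss}",
            time,
            time.Day);

        // TIMESTAMP, HOSTNAME and MSG are separated by single spaces; without the space
        // after the host name the collector reads the start of the body as part of it.
        string packet = string.Concat(
            "<", priorityNumber.ToString(CultureInfo.InvariantCulture), ">",
            timestamp, " ", machine, " ", body);

        // ASCII encoding replaces every non-ASCII character with '?'. Base64 output of
        // EncryptSyslog is pure ASCII and passes through unchanged.
        byte[] rawMsg = Encoding.ASCII.GetBytes(packet);

        // A per-call client released by using: the socket is closed even when Send throws,
        // and concurrent callers no longer share one static client.
        using (UdpClient udp = new UdpClient(sysLogRemoteHostIpAddress, 514))
        {
            udp.Send(rawMsg, rawMsg.Length);
        }
    }

    /// <summary>
    /// Encrypts a syslog message into a CMS enveloped-data structure addressed to
    /// <see cref="testCertificate"/>.
    /// </summary>
    /// <param name="syslogMessage">Plain-text message; encoded as UTF-8 before encryption.</param>
    /// <returns>The encoded envelope as a base64 string.</returns>
    public string EncryptSyslog(String syslogMessage)
    {
        UTF8Encoding encoder = new UTF8Encoding();

        // The recipient certificate is the testCertificate field; the listing referred to
        // a name "certificate" that is not declared anywhere in the class.
        X509Certificate2 cert = new X509Certificate2(encoder.GetBytes(testCertificate));

        // No AlgorithmIdentifier is passed, so the content-encryption algorithm is the
        // default of the runtime.
        // NOTE(review): confirm that default meets your policy, or pass one explicitly.
        ContentInfo contentInfo = new ContentInfo(encoder.GetBytes(syslogMessage));
        EnvelopedCms envelope = new EnvelopedCms(contentInfo);
        envelope.Encrypt(new CmsRecipient(cert));

        // Encode once; the listing encoded the envelope twice and discarded the first result.
        return Convert.ToBase64String(envelope.Encode());
    }

    /// <summary>
    /// Decrypts a base64 envelope produced by <see cref="EncryptSyslog"/>.
    /// </summary>
    /// <remarks>
    /// The parameterless Decrypt call looks for the recipient's certificate and private key
    /// in the My certificate stores of the current user and the computer, so this only works
    /// on a host where that key is installed. Keep the private key on the system that reads
    /// the logs, not on the hosts that send them.
    /// </remarks>
    /// <param name="syslogMessage">Base64 text of the encoded envelope.</param>
    /// <returns>The decrypted content decoded as UTF-8.</returns>
    public string DecryptSysLog(string syslogMessage)
    {
        UTF8Encoding encoder = new UTF8Encoding();

        EnvelopedCms envelope = new EnvelopedCms();
        envelope.Decode(Convert.FromBase64String(syslogMessage));
        //envelop.Decrypt(envelop.RecipientInfos[0]);
        envelope.Decrypt();

        byte[] syslogMessageInBytes = envelope.ContentInfo.Content;

        return encoder.GetString(syslogMessageInBytes);
    }
}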
}