In Seccubi terms, an asset is a logical entity that serves as a container for related log files. What counts as "related" is up to you: an asset can correspond to a single server you want to monitor, to a group of servers, or you can even set up several assets per server (this requires multiple log clients).
Routing of logs from a client to an asset is determined by the Asset Secret Key. When you create an asset, a secret key is generated automatically; you then provide this key to the log client. If several log clients are configured with the same secret key, they all send their logs to that single asset. Treat the key as a credential: anyone who holds it can write logs into the asset, so keep it out of container images, source repositories and shell history, and give each log client only the key of the asset it is meant to feed.
From the main menu, navigate to the Assets page and click the "Add Asset" button.
In the popup, you can give the asset any name; it serves only as a label for you.
After that, add one or more asset files to the asset:
Stdin - traces the output of your Docker containers.
If the Stdin option is checked, enter the Docker container name in the input field above it. This ensures the container's logs are forwarded to the correct asset file.
The container you are reading from must be started with the following options (the tag must match exactly the container name you entered in the asset file):
--log-driver=fluentd --log-opt tag=container_label_set_above
So your docker run command will look something like:
docker run --log-driver=fluentd --log-opt tag=container_label_set_above -it docker_image
Note that Docker's fluentd log driver sends to localhost:24224 by default; if the Seccubi log client listens elsewhere, add --log-opt fluentd-address=host:port. With the default driver settings the container will not start if that endpoint is unreachable, so start the log client first.
If you start your containers with docker compose, add the following section to the service in your docker compose YAML file (indentation matters in YAML):
    logging:
      driver: fluentd
      options:
        tag: container_label_set_above
Tail - for files you want to read from the Docker host machine. (You can also add files from inside a Docker container here if you expose them through a volume that is also mounted on the host.)
In this case, enter the absolute path of the file on your Docker host in the input field. To route the file's output to the correct asset file, add the following parameter when you start the Seccubi log client:
-v /var/log/test.multiline.log:/var/log/test.multiline.log:ro
This maps the log file from your Docker host into the Seccubi client container at the same path, so the path you entered in the asset file resolves inside the client. Keep the :ro (read-only) flag: the client only needs to read the file, and a read-only mount prevents it from modifying or truncating the log it is supposed to monitor.
Sometimes you need to parse multiline log entries, e.g. a programming language stack trace. In that case, check the multiline logs checkbox and specify a regular expression that matches the timestamp at the start of each log entry; a line matching the expression starts a new record, and following lines that do not match (the stack frames) are appended to that record until the next match. Anchor the expression to the start of the line and test it against a real entry: an expression that never matches leaves every line of the stack trace as a separate record, and one that is too loose merges unrelated entries.
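The following is an added illustration, not code from Seccubi or its log client, of how a "start of record" regular expression assembles multiline records: it replays the rule described above over a constructed Java-style log (the sample lines, the pattern names and the helper functions are all assumptions made for this example) and shows the symptom of a regex that does not match the timestamp format.

```python
import re
from typing import Iterator, List

# Constructed sample log: two single-line entries around an entry whose
# stack trace continues over three lines without a timestamp.
SAMPLE_LOG = """\
2024-03-01 12:00:00,123 INFO  Starting worker
2024-03-01 12:00:01,456 ERROR Request failed
java.lang.IllegalStateException: boom
    at com.example.Service.handle(Service.java:42)
    at com.example.Main.main(Main.java:10)
2024-03-01 12:00:02,789 INFO  Worker idle
"""

# Hypothetical pattern for the timestamp that opens every entry above.
# It is anchored to the line start, so "java.lang..." and "    at ..."
# never match and are appended to the entry they belong to.
TIMESTAMP_START = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} "

# Wrong pattern for this log (ISO "T" separator): it never matches, so
# no record is ever opened and every line is emitted on its own.
WRONG_TIMESTAMP_START = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"


def group_multiline(lines: List[str], start_re: re.Pattern) -> Iterator[str]:
    """Yield records from lines.

    A line matching start_re opens a new record; any other line is appended
    to the record currently open. A line seen before any record is open is
    emitted as its own record so that nothing is silently dropped.
    """
    current: List[str] = []
    for line in lines:
        if start_re.match(line):          # match() is anchored at the start
            if current:
                yield "\n".join(current)
            current = [line]
        elif current:
            current.append(line)
        else:
            yield line
    if current:
        yield "\n".join(current)


def records(text: str, pattern: str) -> List[str]:
    """Split a log text into records using pattern as the start-of-record regex."""
    return list(group_multiline(text.splitlines(), re.compile(pattern)))


def check_pattern(text: str, pattern: str) -> int:
    """Return how many lines of text open a record under pattern.

    Use this as a sanity check before saving the regex: 0 means the format
    does not match at all; a count equal to the number of lines means the
    expression is so loose that continuation lines are treated as entries.
    """
    start_re = re.compile(pattern)
    return sum(1 for line in text.splitlines() if start_re.match(line))


if __name__ == "__main__":
    for rec in records(SAMPLE_LOG, TIMESTAMP_START):
        print("--- record ---")
        print(rec)
    print("lines opening a record (correct regex):", check_pattern(SAMPLE_LOG, TIMESTAMP_START))
    print("lines opening a record (wrong regex):", check_pattern(SAMPLE_LOG, WRONG_TIMESTAMP_START))
```

With the correct pattern the six lines become three records, the middle one carrying the whole stack trace; with the wrong pattern the same input becomes six single-line records, which is exactly what you will see in the asset if the regex does not fit your log format.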
Fully functional example of the demo account setup:
Download the docker compose file and run:
docker compose up -d
You may want to override the generated config files with custom ones. To do so, simply mount your file as a read-only volume. As a reference, you can download the autogenerated setup from the asset's edit popup. Note that the file ids must be preserved for logging to work correctly.
-v ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro