tested in field,

CSGSYY/bin/fwknop.sh

+#!/bin/sh
+read ip
+#id >>  /tmp/fwknop.log
+echo "connect ${ip}" >> /tmp/fwknop.log
+/home/ossec/bin/fwknop -a ${ip} --no-save-args --rc-file /home/ossec/etc/.fwknoprc -n manager  >> /tmp/fwknop.log 2>&1

CSGSYY/etc/.fwknoprc

+[manager]
+#ALLOW_IP 192.168.66.213
+ACCESS tcp/1514,tcp/1515
+#TIME_OFFSET -28800
+SPA_SERVER 192.168.7.165
+KEY_BASE64  ODg4ODg4OAo= 
+HMAC_KEY_BASE64 OTk5OTk5OTk5Cg== 
+USE_HMAC Y

CSGSYY/etc/internal_options.conf

+# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
+#
+# DO NOT TOUCH THIS FILE. The default configuration
+# is at ossec.conf. More information at:
+# https://documentation.wazuh.com
+#
+# This file should be handled with care. It contain
+# run time modifications that can affect the use
+# of ossec. Only change it if you know what you
+# are doing. Again, look first at ossec.conf
+# for most of the things you want to change.
+
+
+# Analysisd default rule timeframe.
+analysisd.default_timeframe=360
+# Analysisd stats maximum diff.
+analysisd.stats_maxdiff=999000
+# Analysisd stats minimum diff.
+analysisd.stats_mindiff=1250
+# Analysisd stats percentage (how much to differ from average)
+analysisd.stats_percent_diff=150
+# Analysisd FTS list size.
+analysisd.fts_list_size=32
+# Analysisd FTS minimum string size.
+analysisd.fts_min_size_for_str=14
+# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
+# 1 to enable, 0 to disable.
+analysisd.log_fw=1
+# Maximum number of fields in a decoder (order tag) [32..1024]
+analysisd.decoder_order_size=256
+# Output GeoIP data at JSON alerts
+analysisd.geoip_jsonout=0
+# Maximum label cache age (margin seconds with no reloading) [0..60]
+analysisd.label_cache_maxage=10
+# Show hidden labels on alerts
+analysisd.show_hidden_labels=0
+# Maximum number of file descriptor that Analysisd can open [1024..1048576]
+analysisd.rlimit_nofile=458752
+# Minimum output rotate interval. This limits rotation by time and size. [10..86400]
+analysisd.min_rotate_interval=600
+# Number of event decoder threads
+analysisd.event_threads=0
+# Number of syscheck decoder threads
+analysisd.syscheck_threads=0
+# Number of syscollector decoder threads
+analysisd.syscollector_threads=0
+# Number of rootcheck decoder threads
+analysisd.rootcheck_threads=0
+# Number of security configuration assessment decoder threads
+analysisd.sca_threads=0
+# Number of hostinfo decoder threads
+analysisd.hostinfo_threads=0
+# Number of Windows event decoder threads
+analysisd.winevt_threads=0
+# Number of rule matching threads
+analysisd.rule_matching_threads=0
+# Number of database synchronization dispatcher threads [0..32]
+analysisd.dbsync_threads=0
+# Decoder event queue size
+analysisd.decode_event_queue_size=16384
+# Decode syscheck queue size
+analysisd.decode_syscheck_queue_size=16384
+# Decode syscollector queue size
+analysisd.decode_syscollector_queue_size=16384
+# Decode rootcheck queue size
+analysisd.decode_rootcheck_queue_size=16384
+# Decode security configuration assessment queue size
+analysisd.decode_sca_queue_size=16384
+# Decode hostinfo queue size
+analysisd.decode_hostinfo_queue_size=16384
+# Decode winevt queue size
+analysisd.decode_winevt_queue_size=16384
+# Decode Output queue
+analysisd.decode_output_queue_size=16384
+# Archives log queue size
+analysisd.archives_queue_size=16384
+# Statistical log queue size
+analysisd.statistical_queue_size=16384
+# Alerts log queue size
+analysisd.alerts_queue_size=16384
+# Firewall log queue size
+analysisd.firewall_queue_size=16384
+# FTS log queue size
+analysisd.fts_queue_size=16384
+# Database synchronization message queue size [0..2000000]
+analysisd.dbsync_queue_size=16384
+# Upgrade message queue size
+analysisd.upgrade_queue_size=16384
+# Interval for analysisd status file updating (seconds) [0..86400]
+# 0 means disabled
+analysisd.state_interval=5
+
+
+# Logcollector file loop timeout (check every 2 seconds for file changes)
+logcollector.loop_timeout=2
+
+# Logcollector number of attempts to open a log file [2..998]
+logcollector.open_attempts=8
+
+# Logcollector - If it should accept remote commands from the manager
+logcollector.remote_commands=0
+
+# Logcollector - File checking interval (seconds) [0..1024]
+logcollector.vcheck_files=64
+
+# Logcollector - Maximum number of lines to read from the same file [100..1000000]
+# 0. Disable line burst limitation
+logcollector.max_lines=10000
+
+# Logcollector - Maximum number of files to be monitored [1..100000]
+logcollector.max_files=1000
+
+# Time to reattempt a socket connection after a failure [1..3600]
+logcollector.sock_fail_time=300
+
+# Logcollector - Number of input threads for reading files
+logcollector.input_threads=4
+
+# Logcollector - Output queue size [128..220000]
+logcollector.queue_size=1024
+
+# Sample log length limit for errors about large message [1..4096]
+logcollector.sample_log_length=64
+
+# Maximum number of file descriptor that Logcollector can open [1024..1048576]
+# This value must be higher than logcollector.max_files
+logcollector.rlimit_nofile=1100
+
+# Force file handler reloading: close and reopen monitored files
+# 0: Disabled
+# 1: Enabled
+logcollector.force_reload=0
+
+# File reloading interval, in seconds, if force_reload=1 [1..86400]
+# This interval must be greater or equal than vcheck_files.
+logcollector.reload_interval=64
+
+# File reloading delay (between close and open), in milliseconds [0..30000]
+logcollector.reload_delay=1000
+
+# Excluded files refresh interval, in seconds [1..172800]
+logcollector.exclude_files_interval=86400
+
+# State generation updating interval, in seconds [0..3600]
+# 0 means state file creation and updating is disabled
+logcollector.state_interval=60
+
+# Logbuilder IP update interval [0..3600]
+logcollector.ip_update_interval=60
+
+# Remoted counter io flush.
+remoted.recv_counter_flush=128
+
+# Remoted compression averages printout.
+remoted.comp_average_printout=19999
+
+# Verify msg id (set to 0 to disable it)
+remoted.verify_msg_id=0
+
+# Don't exit when client.keys empty
+remoted.pass_empty_keyfile=1
+
+# Number of shared file sender threads
+remoted.sender_pool=8
+
+# Limit of parallel request dispatchers [1..4096]
+remoted.request_pool=1024
+
+# Timeout to reject a new request (seconds) [1..600]
+remoted.request_timeout=10
+
+# Timeout for request responses (seconds) [1..3600]
+remoted.response_timeout=60
+
+# Retransmission timeout seconds [0..60]
+remoted.request_rto_sec=1
+
+# Retransmission timeout milliseconds [0..999]
+remoted.request_rto_msec=0
+
+# Max. number of sending attempts [1..16]
+remoted.max_attempts=4
+
+# Shared files reloading interval (sec) [1..18000]
+remoted.shared_reload=10
+
+# Maximum number of file descriptor that Remoted can open [1024..1048576]
+remoted.rlimit_nofile=458752
+
+# Maximum time waiting for a client response in TCP (seconds) [1..60]
+remoted.recv_timeout=1
+
+# Merge shared configuration to be broadcasted to agents
+# 0. Disable
+# 1. Enable (default)
+remoted.merge_shared=1
+
+# Keys file reloading latency (seconds) [1..3600]
+remoted.keyupdate_interval=10
+
+# Number of parallel worker threads [1..16]
+remoted.worker_pool=4
+
+# Interval for remoted status file updating (seconds) [0..86400]
+# 0 means disabled
+remoted.state_interval=5
+
+# Guess the group to which the agent belongs
+# 0. No, do not guess (default)
+# 1. Yes, do guess
+remoted.guess_agent_group=0
+
+# Cleans residual data from unused groups/multigroups
+# Minimum number of seconds between cleanings [1..2592000]
+# 0 means never clean up residual data
+remoted.group_data_flush=86400
+
+# Receiving chunk size for TCP. We suggest using powers of two. [1024..16384]
+remoted.receive_chunk=4096
+
+# Sending chunk size for TCP. We suggest using powers of two. [512..16384]
+remoted.send_chunk=4096
+
+# Send buffer size for queue messages to send. We suggest using powers of two. [65536..1048576]
+remoted.send_buffer_size=131072
+
+# Sleep time to retry delivery to a client in TCP (seconds) [1..60]
+remoted.send_timeout_to_retry=1
+
+# Deallocate network buffers after usage.
+# 0. Do not deallocate memory.
+# 1. Shrink memory to the reception chunk.
+# 2. Full memory deallocation.
+remoted.buffer_relax=1
+
+# Keepalive options
+# Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes [1..7200]
+remoted.tcp_keepidle=30
+# The time (in seconds) between individual keepalive probes [1..100]
+remoted.tcp_keepintvl=10
+# Maximum number of keepalive probes TCP should send before dropping the connection [1..50]
+remoted.tcp_keepcnt=3
+
+# Timeout to execute remote requests [1..3600]
+execd.request_timeout=60
+
+# Max timeout to lock the restart [0..3600]
+execd.max_restart_lock=600
+
+# Maild strict checking (0=disabled, 1=enabled)
+maild.strict_checking=1
+
+# Maild grouping (0=disabled, 1=enabled)
+# Groups alerts within the same e-mail.
+maild.grouping=1
+
+# Maild full subject (0=disabled, 1=enabled)
+maild.full_subject=0
+
+# Maild display GeoIP data (0=disabled, 1=enabled)
+maild.geoip=1
+
+
+# Monitord day_wait. Amount of seconds to wait before rotating/compressing/signing [0..600]
+# the files.
+monitord.day_wait=10
+
+# Monitord compress. (0=do not compress, 1=compress)
+monitord.compress=1
+
+# Monitord sign. (0=do not sign, 1=sign)
+monitord.sign=1
+
+# Monitord monitor_agents. (0=do not monitor, 1=monitor)
+monitord.monitor_agents=1
+
+# Rotate plain and JSON logs daily. (0=no, 1=yes)
+monitord.rotate_log=1
+
+# Days to keep old ossec.log files [0..500]
+monitord.keep_log_days=31
+
+# Size of internal log files to rotate them (Megabytes) [0..4096]
+monitord.size_rotate=512
+
+# Maximum number of rotations per day for internal logs [1..256]
+monitord.daily_rotations=12
+
+# Number of minutes for deleting a disconnected agent [0..9600]. (0=disabled)
+monitord.delete_old_agents=0
+
+# Syscheck perform a delay when dispatching real-time notifications so it avoids
+# triggering on some temporary files like vim edits. (ms) [0..1000]
+syscheck.rt_delay=5
+
+# Maximum number of directories monitored for realtime on windows [1..1024]
+syscheck.max_fd_win_rt=256
+
+# Maximum number of directories monitored for who-data on Linux [1..4096]
+syscheck.max_audit_entries=256
+
+# Maximum level of recursivity allowed [1..320]
+syscheck.default_max_depth=256
+
+# Check interval of the symbolic links configured in the directories section [1..2592000]
+syscheck.symlink_scan_interval=600
+
+# Maximum file size for calcuting integrity hashes in MBytes [0..4095]
+# A value of 0 MB means to disable this filter
+syscheck.file_max_size=1024
+
+# Rootcheck checking/usage speed. The default is to sleep 50 milliseconds
+# per each PID or suspictious port.
+rootcheck.sleep=50
+
+# Time since the agent buffer is full to consider events flooding
+agent.tolerance=15
+# Level of occupied capacity in Agent buffer to trigger a warning message
+agent.warn_level=90
+# Level of occupied capacity in Agent buffer to come back to normal state
+agent.normal_level=70
+# Minimum events per second, configurable at XML settings [1..1000]
+agent.min_eps=50
+# Interval for agent status file updating (seconds) [0..86400]
+# 0 means disabled
+agent.state_interval=5
+
+# Maximum time waiting for a server response in TCP (seconds) [1..600]
+agent.recv_timeout=60
+
+# Apply remote configuration
+# 0. Disabled
+# 1. Enabled
+agent.remote_conf=1
+
+# Database - maximum number of reconnect attempts
+dbd.reconnect_attempts=10
+
+# Wazuh modules - nice value for tasks. Lower value means higher priority
+wazuh_modules.task_nice=10
+
+# Wazuh modules - maximum number of events per second sent by each module [1..1000]
+wazuh_modules.max_eps=100
+
+# Wazuh modules - time for a process to quit before killing it [0..3600]
+# 0: Kill immediately
+wazuh_modules.kill_timeout=10
+
+# Wazuh database module settings
+
+# Synchronize agent database with client.keys
+wazuh_database.sync_agents=1
+
+# Sync data in real time (supported on Linux only)
+# 0. Disabled
+# 1. Enabled (default)
+wazuh_database.real_time=1
+
+# Time interval between cycles (used only if real time disabled)
+# Default: 60 seconds (1 minute). Max: 86400 seconds (1 day)
+wazuh_database.interval=60
+
+# Maximum queued events (for inotify)
+# 0. Use system default
+wazuh_database.max_queued_events=0
+
+# Enable download module
+# 0. Disabled
+# 1. Enabled (default)
+wazuh_download.enabled=1
+
+# Maximum pending connections (1..1024)
+wazuh_db.sock_queue_size=128
+
+# Number of worker threads (1..32)
+wazuh_db.worker_pool_size=8
+
+# Minimum time margin before committing (1..3600)
+wazuh_db.commit_time_min=10
+
+# Maximum time margin before committing (1..3600)
+wazuh_db.commit_time_max=60
+
+# Number of allowed open databases before closing (1..4096)
+wazuh_db.open_db_limit=64
+
+# Maximum number of file descriptor that WazuhDB can open [1024..1048576]
+wazuh_db.rlimit_nofile=458752
+
+
+# Wazuh Command Module - If it should accept remote commands from the manager
+wazuh_command.remote_commands=0
+
+# Wazuh default stack size for child threads in KiB (2048..65536)
+wazuh.thread_stack_size=8192
+
+# Security Configuration Assessment DB request interval in minutes [0..60]
+# This option sets the maximum waiting time to resend a scan when the DB integrity check fails
+sca.request_db_interval=5
+
+# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
+# Local policies ignore this option
+sca.remote_commands=0
+
+# Default timeout for executed commands during a SCA scan in seconds [1..300]
+sca.commands_timeout=30
+
+# Network timeout for Authd clients
+auth.timeout_seconds=1
+auth.timeout_microseconds=0
+
+
+# Debug options.
+# Debug 0 -> no debug
+# Debug 1 -> first level of debug
+# Debug 2 -> full debugging
+
+# Windows debug (used by the Windows agent)
+windows.debug=0
+
+# Syscheck (local, server and Unix agent)
+syscheck.debug=0
+
+# Remoted (server debug)
+remoted.debug=0
+
+# Analysisd (server or local)
+analysisd.debug=0
+
+# Auth daemon debug (server)
+authd.debug=0
+
+# Exec daemon debug (server, local or Unix agent)
+execd.debug=0
+
+# Monitor daemon debug (server, local or Unix agent)
+monitord.debug=0
+
+# Log collector (server, local or Unix agent)
+logcollector.debug=0
+
+# Integrator daemon debug (server, local or Unix agent)
+integrator.debug=0
+
+# Unix agentd
+agent.debug=0
+
+# Wazuh DB debug level
+wazuh_db.debug=0
+
+wazuh_modules.debug=0
+
+# Wazuh Cluster debug level
+wazuh_clusterd.debug=0
+
+# EOF

CSGSYY/etc/local_internal_options.conf

+# local_internal_options.conf
+#
+# This file should be handled with care. It contains
+# run time modifications that can affect the use
+# of OSSEC. Only change it if you know what you
+# are doing. Look first at ossec.conf
+# for most of the things you want to change.
+#
+# This file will not be overwritten during upgrades.
+syslog-collector.debug=0

CSGSYY/etc/ossec.conf

+<!--
+  Wazuh - Agent - Default configuration for ubuntu 18.04
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <client>
+    <server>
+      <address>192.168.7.165</address>
+      <port>1514</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+</ossec_config>

CSGSYY/etc/rsyslog.conf

+#liuyawei V1.0
+module(load="imuxsock")
+module(load="imklog")
+#module(load="imudp")
+#input(type="imudp" port="514")
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+action(type="omfwd" Target="127.0.0.1" Port="9000" Protocol="udp")
+
+template(name="FileFormat" type="list") {
+    property(name="timestamp" dateFormat="rfc3339")
+    constant(value=" ")
+    property(name="hostname")
+    constant(value=" ")
+    property(name="syslogtag")
+    property(name="msg" spifno1stsp="on" )
+    property(name="msg" droplastlf="on" )
+    constant(value="\n")
+    }
+
+$ActionFileDefaultTemplate FileFormat
+#$ActionFileDefaultTemplate RSYSLOG_DebugFormat 
+
+#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+$EscapeControlCharactersOnReceive off
+
+include(file="/etc/rsyslog.d/*.conf")
+include(file="/userdata/dgri/rsyslog.d/*.conf")
+#*.info;mail.none;authpriv.none;cron.none  /userdata/log/messages
+
+#authpriv.*                                /userdata/log/secure
+
+#mail.*                                    /userdata/log/maillog
+
+#cron.*                                    /userdata/log/cron
+
+#local7.*                                  /userdata/log/boot.log

CSGSYY/etc/wpk_root.pem

+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAOw14j1WO119MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTcwOTA3MTQ0NzEzWhcNMjIwOTA2MTQ0NzEzWjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAk9uKPt+unjNI6lWaklQ337C2FVivmKHDqTejMaes4G034lw2fWvXO3Dw
+yeSbph+alKATHOm0PPSzjTVo0kBbdI+OqcJ2ijBAxDXSucpa7+K6+R1Ip7VKclpu
+K0ZjsYX2qVfIOGpU0C5wlOvlMdgslNuFoDUms+1OaLOmXipyk0PUToH5/eZdn8HT
+hoUhyTqScm4DaL4ru30qu35Ig/Y/TjCPmH6UWXSu94Y1z6dVOAboKmjdDSMdpvig
+IqIzFR4x5CRavQV9ibn0ZzMt89nagq8LIZFsOVxJ9HlBjbX5gS2WV6HBQ/9rP6rY
+H1zcAd0U+Hahg4YV9qWzEVjtXv3fcwIDAQABo1AwTjAdBgNVHQ4EFgQUeMyOk8b0
+mT2Lqvdk09HspifCeKIwHwYDVR0jBBgwFoAUeMyOk8b0mT2Lqvdk09HspifCeKIw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAY0JxDblCMJ+EQNe1tSfv
+N2pHNjIoFCyvfteQyatSaTzRFguw1IKl6zOywL0CGY/VJDVjHeIv8BuIuS9f+Uio
+vCgKYAb9cj4amaIcZNikkNkip/L/bYrkqKJZ3khwCmRwnmx7Hfrdv3UT8iS3OCg/
+ACNg1j12kbWYfQFVPY6y/lx94FpTzkdu9JExKtgd+1lArbqHejSM5ofWznyry0Tn
+JFXa/lXRYX91TKNFGhHOKZQawMexJApKeleYEaElcUvdAlEqNBHWIrCle0jQ4to8
+LDahedaEZL2LsiDakXqWVD7+Vo2YulShKyTV7+11U/CIvpeE8Gg3J9x1OecyWiHr
+nQ==
+-----END CERTIFICATE-----