Hi

Just some info for people who use Rsyslog + OSSEC.

Rsyslog <http://www.rsyslog.com/> is a great alternative to the standard 
syslog shipped with Red Hat-like distributions; I deployed it as RPMs on 
all my 150 servers and I see and search all the logs in a centralized 
MySQL database.

By default rsyslog uses a different timestamp log format, and the OSSEC 
agent can't properly recognize SSH brute-force attacks; but by adding the 
parameter RSYSLOG_TraditionalFileFormat to /etc/rsyslog.conf in every 
row, like:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages;RSYSLOG_TraditionalFileFormat

the logs are printed in the old way, and the OSSEC agent stops SSH 
attacks with the usual iptables DROP rule.

This is true for this Rsyslog release:
[r...@bastion ~]# rpm -qa|grep rsys
rsyslog-3.21.3-4
rsyslog-mysql-3.21.3-4
[r...@bastion ~]#


/var/log/messages, before and after the parameter RSYSLOG_TraditionalFileFormat
================================================================================
2009-01-05T17:28:09.728507+01:00 bastion sshd[8917]: pam_unix(sshd:session): session opened for user XXX by (uid=0)
2009-01-05T17:28:09.733159+01:00 bastion sshd[8917]: Deprecated pam_stack module called from service "sshd"
2009-01-05T17:32:20.584804+01:00 bastion sshd[8988]: Did not receive identification string from AAA.BBB.CCC.DDD
2009-01-05T17:37:21.081645+01:00 bastion sshd[9011]: Did not receive identification string from UNKNOWN
Jan  5 17:39:15 bastion sshd[8917]: Deprecated pam_stack module called from service "sshd"
Jan  5 17:39:15 bastion sshd[8917]: Deprecated pam_stack module called from service "sshd"
Jan  5 17:39:15 bastion sshd[8917]: pam_unix(sshd:session): session closed for user XXX
Jan  5 17:39:16 bastion sshd[9052]: Deprecated pam_stack module called from service "sshd"

-- 
Fabio Martinelli
Grid Computing Group, INFN Tor Vergata
http://grid.roma2.infn.it/
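Added example, not part of the original post: a small Python sketch of why the header format matters. The decoder regex imitates a traditional-syslog pre-decoder (it is not OSSEC's code), the log lines and addresses are constructed, and to_traditional() rewrites the RFC 3339 header on the fly, which is what RSYSLOG_TraditionalFileFormat does at write time.

```python
import re
from datetime import datetime

# Constructed sample lines (hypothetical host and addresses): rsyslog's default
# RFC 3339 high-precision headers mixed with traditional BSD syslog headers.
SAMPLE_LOG = """\
2009-01-05T17:32:20.584804+01:00 bastion sshd[8988]: Did not receive identification string from 192.0.2.10
2009-01-05T17:33:02.000123+01:00 bastion sshd[8990]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jan  5 17:39:15 bastion sshd[8917]: pam_unix(sshd:session): session closed for user XXX
Jan  5 17:40:01 bastion sshd[9060]: Failed password for root from 192.0.2.11 port 4100 ssh2
"""

# Traditional header: "Mon DD HH:MM:SS host program[pid]: message" (illustrative, not OSSEC's decoder).
TRADITIONAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# rsyslog's default header: RFC 3339 timestamp with fractional seconds and UTC offset.
RFC3339_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) (?P<rest>.*)$"
)
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def decode_traditional(line):
    """Return the header fields, or None when the line does not use the traditional header."""
    m = TRADITIONAL_RE.match(line)
    return m.groupdict() if m else None

def to_traditional(line):
    """Rewrite an RFC 3339 header into the traditional one; other lines are returned unchanged.
    Wall-clock time is kept and the offset dropped, as the traditional format has no zone."""
    m = RFC3339_RE.match(line)
    if not m:
        return line
    dt = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    stamp = f"{MONTHS[dt.month - 1]} {dt.day:2d} {dt.strftime('%H:%M:%S')}"
    return f"{stamp} {m.group('rest')}"

def failed_logins_by_source(text, normalize=False):
    """Count sshd 'Failed password' events per source address, counting only lines
    the traditional decoder accepts. Without normalize=True the rsyslog-format
    lines are silently skipped, so a brute-force source goes unnoticed."""
    counts = {}
    for line in text.splitlines():
        if normalize:
            line = to_traditional(line)
        fields = decode_traditional(line)
        if not fields or fields["prog"] != "sshd":
            continue
        hit = re.search(r"Failed password for .* from (\S+) port", fields["msg"])
        if hit:
            counts[hit.group(1)] = counts.get(hit.group(1), 0) + 1
    return counts
```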
