Hi, just some info for people that use Rsyslog + OSSEC.
Rsyslog <http://www.rsyslog.com/> is a great alternative to the standard syslog shipped with Red Hat-like distributions; I deployed it as RPMs on all my 150 servers and I see and search all the logs in a centralized MySQL database. By default rsyslog uses a different timestamp log format, and the OSSEC agent can't properly recognize SSH brute-force attacks; but adding the parameter RSYSLOG_TraditionalFileFormat to /etc/rsyslog.conf in every row, like:

    *.info;mail.none;authpriv.none;cron.none    /var/log/messages;RSYSLOG_TraditionalFileFormat

the logs are printed in the old way, and the OSSEC agent stops SSH attacks with the usual iptables DROP rule. This is true for this Rsyslog release:

    [r...@bastion ~]# rpm -qa|grep rsys
    rsyslog-3.21.3-4
    rsyslog-mysql-3.21.3-4
    [r...@bastion ~]#

/var/log/messages, before and after the parameter RSYSLOG_TraditionalFileFormat:

================================================================================
2009-01-05T17:28:09.728507+01:00 bastion sshd[8917]: pam_unix(sshd:session): session opened for user XXX by (uid=0)
2009-01-05T17:28:09.733159+01:00 bastion sshd[8917]: Deprecated pam_stack module called from service "sshd"
2009-01-05T17:32:20.584804+01:00 bastion sshd[8988]: Did not receive identification string from AAA.BBB.CCC.DDD
2009-01-05T17:37:21.081645+01:00 bastion sshd[9011]: Did not receive identification string from UNKNOWN
Jan  5 17:39:15 bastion sshd[8917]: Deprecated pam_stack module called from service "sshd"
Jan  5 17:39:15 bastion sshd[8917]: Deprecated pam_stack module called from service "sshd"
Jan  5 17:39:15 bastion sshd[8917]: pam_unix(sshd:session): session closed for user XXX
Jan  5 17:39:16 bastion sshd[9052]: Deprecated pam_stack module called from service "sshd"
--
Fabio Martinelli
Grid Computing Group, INFN Tor Vergata
via della ricerca scientifica, 1, Rome, Italy
Tel. (work): +39 06 7259 4113
fabio.martine...@roma2.infn.it
http://grid.roma2.infn.it/
Laurea V.O. in Computer Science in 2004; experience at ESA Frascati, ENEA Frascati, Accenture Roma, INFN Tor Vergata.
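A quick local check for the format change described in the post above, as an added example that is not part of the original message and is not OSSEC's or rsyslog's own code. The two regexes are a simplified model of the traditional and high-precision syslog header layouts (an assumption about what a classic-format decoder expects, not the agent's actual decoder), `to_traditional` only imitates locally what rsyslog emits once RSYSLOG_TraditionalFileFormat is selected, and the sample lines are constructed from the post's before/after excerpt with the same placeholder addresses.

```python
"""Verify that /var/log/messages lines carry the traditional syslog header a
classic-format decoder expects, rather than rsyslog's default high-precision
RFC 3339 timestamp. Added example; not OSSEC's or rsyslog's code."""
import re
from datetime import datetime

# Traditional (RSYSLOG_TraditionalFileFormat) header, day space-padded:
#   "Jan  5 17:39:15 bastion sshd[8917]: message"
TRADITIONAL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# rsyslog's default high-precision header:
#   "2009-01-05T17:28:09.728507+01:00 bastion sshd[8917]: message"
HIGH_PRECISION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def decode_traditional(line):
    """Fields a traditional-header decoder extracts, or None when the header
    does not match (which is what happens to the ISO-timestamped lines)."""
    m = TRADITIONAL.match(line)
    return m.groupdict() if m else None


def to_traditional(line):
    """Rewrite a high-precision line into the traditional layout, i.e. what
    rsyslog emits once RSYSLOG_TraditionalFileFormat is selected (local
    imitation, assumption). Lines that are already traditional, or are not
    recognised at all, are returned unchanged."""
    m = HIGH_PRECISION.match(line)
    if not m:
        return line
    ts = datetime.fromisoformat(m.group("ts"))
    # The traditional format pads the day of month to width 2 with a space.
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    return "%s %s" % (stamp, line[m.end("ts") + 1:])


def audit(lines):
    """(decodable, undecodable) counts for a log sample, so an operator can
    confirm the format change actually took effect on every host."""
    ok = sum(1 for line in lines if decode_traditional(line))
    return ok, len(lines) - ok


# Constructed sample modelled on the post's excerpt (placeholders kept as-is).
SAMPLE = [
    "2009-01-05T17:32:20.584804+01:00 bastion sshd[8988]: "
    "Did not receive identification string from AAA.BBB.CCC.DDD",
    "2009-01-05T17:37:21.081645+01:00 bastion sshd[9011]: "
    "Did not receive identification string from UNKNOWN",
    "Jan  5 17:39:15 bastion sshd[8917]: "
    "pam_unix(sshd:session): session closed for user XXX",
    "Jan  5 17:39:16 bastion sshd[9052]: "
    'Deprecated pam_stack module called from service "sshd"',
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE))                                  # (2, 2)
    print("after: ", audit([to_traditional(l) for l in SAMPLE]))     # (4, 0)
    for line in SAMPLE:
        print(to_traditional(line))
```

Run it against a few hundred lines pulled from /var/log/messages on each host: an `audit` result with a non-zero second element means that host is still writing the high-precision header and the agent will keep missing those events.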