Re: [ossec-list] Red Hat 7.0 and OSSEC
Hi, since this is on my questions list, I'll jump right in (instead of creating another thread). If I understood it right, on systemd/journald distros you have to install rsyslog additionally in order for the OSSEC rules to still work? Otherwise the OSSEC rules wouldn't fire, since they can't read the binary output of journald? So it would mean journald + rsyslog for log collection, logstash-forwarder (to transport the logs if you have an ELK environment) and ossec-agent (to analyze the logs)? Does this make sense, or am I completely far off?

On Tuesday, June 3, 2014 at 7:41:37 PM UTC+2, Jeremy Rossi wrote:
> * Aaron Hunter [2014-06-03 09:00:06 -0700]:
> > It's journald that concerns me the most. journald replaces (r)syslog entirely. It does not provide syslog format log files nor even text based log files. Instead, as I understand it, journald uses only a binary log format. This means that the text format based OSSEC rules will no longer work on a pure journald system. OSSEC would have to talk directly to journald (through D-BUS?) and its rules would have to be re-written for the new binary format. That sounds like a significant undertaking which is why I raised this question. journald is a wholesale replacement of the current syslog based logging system with an entirely different paradigm.
>
> from:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Beta-Migration_Planning_Guide-en-US.pdf
>
> > On Red Hat Enterprise Linux 7, rsyslog and journald coexist. The data collected by journald is forwarded to rsyslog, which can perform further processing and store text-based log files. By default, rsyslog only stores the journal fields that are typical for syslog messages, but can be configured to store all the fields available to journald. Red Hat Enterprise Linux 7 therefore remains compatible with applications and system configurations that rely on rsyslog.
>
> > I think syslog can still be installed and connected to journald as a work-around but I'm not certain.
>
> It sure can ;)

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
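The chain the quoted Red Hat text describes is journald -> rsyslog -> text files -> OSSEC, and OSSEC only sees the last hop: whatever rsyslog writes to a file that ossec.conf lists as a <localfile>. The script below is an added example (not from this thread or from the OSSEC project) that checks both ends of that chain from the two config files: whether rsyslog actually takes input from the journal (imjournal, or imuxsock with journald forwarding), and which rsyslog output files have no matching <localfile> entry. The embedded rsyslog.conf and ossec.conf are constructed samples modelled on RHEL 7 defaults; the path arguments, function names and the assumption that <location> appears only inside <localfile> blocks are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project. On a journald
# host OSSEC never reads the journal itself; it reads the text files that
# rsyslog writes from it. Check that chain from the two configs:
#   1. does rsyslog take input from the journal at all?
#   2. is every file rsyslog writes listed as a <localfile> in ossec.conf?
# Sample configs below are constructed, modelled on RHEL 7 defaults.

# Print which rsyslog input module brings journal messages in, or "none".
# imjournal reads the journal directly; imuxsock only receives journal
# messages when journald.conf has ForwardToSyslog=yes.
journal_input() {
  if grep -Eq '^[[:space:]]*(\$ModLoad[[:space:]]+imjournal|module\([[:space:]]*load="imjournal")' "$1"; then
    echo imjournal
  elif grep -Eq '^[[:space:]]*(\$ModLoad[[:space:]]+imuxsock|module\([[:space:]]*load="imuxsock")' "$1"; then
    echo imuxsock
  else
    echo none
    return 1
  fi
}

# Print the file paths rsyslog rules write to, one per line, sorted.
# Skips comments, blank lines, legacy "$..." directives and RainerScript
# module()/input()/action() objects; strips the "-" async-write prefix.
rsyslog_targets() {
  awk '
    /^[[:space:]]*#/ || NF == 0                  { next }
    /^[[:space:]]*[$]/                           { next }
    /^[[:space:]]*(module|input|action)\(/       { next }
    NF >= 2 && $NF ~ /^-?\//                     { sub(/^-/, "", $NF); print $NF }
  ' "$1" | sort -u
}

# Print the <location> values from ossec.conf, sorted. Assumes <location>
# appears only inside <localfile> blocks, one element per line.
ossec_locations() {
  sed -n 's|.*<location>\([^<]*\)</location>.*|\1|p' "$1" | sort -u
}

# Print rsyslog output files that no <localfile> entry covers.
unwatched() {  # $1 rsyslog.conf  $2 ossec.conf
  loc=$(mktemp) || return 1
  ossec_locations "$2" > "$loc"
  rsyslog_targets "$1" | awk -v loc="$loc" '
    BEGIN { while ((getline l < loc) > 0) watched[l] = 1 }
    !($0 in watched)'
  rm -f "$loc"
}

# Write constructed sample configs into a temp dir and print its path.
make_samples() {
  d=$(mktemp -d) || return 1
  cat > "$d/rsyslog.conf" <<'EOF'
# constructed sample, modelled on the RHEL 7 default rsyslog.conf
$ModLoad imuxsock
$ModLoad imjournal
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
EOF
  cat > "$d/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</ossec_config>
EOF
  echo "$d"
}

# Usage: check.sh [/etc/rsyslog.conf /var/ossec/etc/ossec.conf]
# With no arguments it runs against the constructed samples.
if [ "$#" -lt 2 ]; then
  dir=$(make_samples) || exit 1
  set -- "$dir/rsyslog.conf" "$dir/ossec.conf"
fi
echo "journal -> rsyslog input: $(journal_input "$1")"
echo "rsyslog output files with no OSSEC <localfile> entry:"
unwatched "$1" "$2"
```

On the sample pair it reports imjournal as the journal input and lists /var/log/boot.log, /var/log/cron, /var/log/maillog and /var/log/spooler as files rsyslog writes but OSSEC is not told to read; whether that gap matters is a policy decision, but it is the kind of thing that goes unnoticed when the answer to "does OSSEC work with journald" is simply "yes, via rsyslog".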
Re: [ossec-list] Red Hat 7.0 and OSSEC
* Aaron Hunter [2014-06-03 09:00:06 -0700]:
> It's journald that concerns me the most. journald replaces (r)syslog entirely. It does not provide syslog format log files nor even text based log files. Instead, as I understand it, journald uses only a binary log format. This means that the text format based OSSEC rules will no longer work on a pure journald system. OSSEC would have to talk directly to journald (through D-BUS?) and its rules would have to be re-written for the new binary format. That sounds like a significant undertaking which is why I raised this question. journald is a wholesale replacement of the current syslog based logging system with an entirely different paradigm.

from:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Beta-Migration_Planning_Guide-en-US.pdf

> On Red Hat Enterprise Linux 7, rsyslog and journald coexist. The data collected by journald is forwarded to rsyslog, which can perform further processing and store text-based log files. By default, rsyslog only stores the journal fields that are typical for syslog messages, but can be configured to store all the fields available to journald. Red Hat Enterprise Linux 7 therefore remains compatible with applications and system configurations that rely on rsyslog.

> I think syslog can still be installed and connected to journald as a work-around but I'm not certain.

It sure can ;)
Re: [ossec-list] Red Hat 7.0 and OSSEC
journald and syslog, whichever your flavor, coexist without issue so I wouldn't be too concerned about it.
--
Later,
Darin

On Tue, Jun 3, 2014 at 12:30 PM, dan (ddp) wrote:
> On Tue, Jun 3, 2014 at 12:00 PM, Aaron Hunter wrote:
>> It's journald that concerns me the most. journald replaces (r)syslog entirely. It does not provide syslog format log files nor even text based log files. Instead, as I understand it, journald uses only a binary log format. This means that the text format based OSSEC rules will no longer work on a pure journald system. OSSEC would have to talk directly to journald (through D-BUS?) and its rules would have to be re-written for the new binary format. That sounds like a significant undertaking which is why I raised this question. journald is a wholesale replacement of the current syslog based logging system with an entirely different paradigm.
>>
>> I think syslog can still be installed and connected to journald as a work-around but I'm not certain.
>
> OSSEC does not have any support for journald. I'd skip it, or start working on adding support. But preferably skip journald.
>
>> --Aaron
>>
>> On Tuesday, June 3, 2014 9:16:19 AM UTC-4, Darin Perusich wrote:
>>> The ossec package I maintain for OpenSUSE has full systemd support and it works without issue; it is after all a "drop in" replacement for sysvinit and maintains full backwards compatibility.
>>>
>>> https://build.opensuse.org/package/show/server:monitoring/ossec-hids
>>> --
>>> Later,
>>> Darin
>>>
>>> On Tue, Jun 3, 2014 at 8:10 AM, Jeremy Rossi wrote:
>>> > * dan (ddp) [2014-06-03 08:01:37 -0400]:
>>> >> On Tue, Jun 3, 2014 at 7:38 AM, Aaron Hunter wrote:
>>> >>> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.
>>> >>
>>> >> As long as the system still writes logs in the "standard" syslog formats, there shouldn't be any issues*.
>>> >
>>> > Reading the RHEL beta docs, things will be fine for the most part ;) Some tuning will be needed, like with everything that changes, but overall and for most things it will just work.
>>> > OSSEC does not talk directly to systemd or its children processes, but if someone would like to add it we always welcome patches/pull requests.
Re: [ossec-list] Red Hat 7.0 and OSSEC
On Tue, Jun 3, 2014 at 12:00 PM, Aaron Hunter wrote:
> It's journald that concerns me the most. journald replaces (r)syslog entirely. It does not provide syslog format log files nor even text based log files. Instead, as I understand it, journald uses only a binary log format. This means that the text format based OSSEC rules will no longer work on a pure journald system. OSSEC would have to talk directly to journald (through D-BUS?) and its rules would have to be re-written for the new binary format. That sounds like a significant undertaking which is why I raised this question. journald is a wholesale replacement of the current syslog based logging system with an entirely different paradigm.
>
> I think syslog can still be installed and connected to journald as a work-around but I'm not certain.

OSSEC does not have any support for journald. I'd skip it, or start working on adding support. But preferably skip journald.

> --Aaron
>
> On Tuesday, June 3, 2014 9:16:19 AM UTC-4, Darin Perusich wrote:
>> The ossec package I maintain for OpenSUSE has full systemd support and it works without issue; it is after all a "drop in" replacement for sysvinit and maintains full backwards compatibility.
>>
>> https://build.opensuse.org/package/show/server:monitoring/ossec-hids
>> --
>> Later,
>> Darin
>>
>> On Tue, Jun 3, 2014 at 8:10 AM, Jeremy Rossi wrote:
>> > * dan (ddp) [2014-06-03 08:01:37 -0400]:
>> >> On Tue, Jun 3, 2014 at 7:38 AM, Aaron Hunter wrote:
>> >>> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.
>> >>
>> >> As long as the system still writes logs in the "standard" syslog formats, there shouldn't be any issues*.
>> >
>> > Reading the RHEL beta docs, things will be fine for the most part ;) Some tuning will be needed, like with everything that changes, but overall and for most things it will just work.
>> > OSSEC does not talk directly to systemd or its children processes, but if someone would like to add it we always welcome patches/pull requests.
Re: [ossec-list] Red Hat 7.0 and OSSEC
It's journald that concerns me the most. journald replaces (r)syslog entirely. It does not provide syslog format log files nor even text based log files. Instead, as I understand it, journald uses only a binary log format. This means that the text format based OSSEC rules will no longer work on a pure journald system. OSSEC would have to talk directly to journald (through D-BUS?) and its rules would have to be re-written for the new binary format. That sounds like a significant undertaking which is why I raised this question. journald is a wholesale replacement of the current syslog based logging system with an entirely different paradigm.

I think syslog can still be installed and connected to journald as a work-around but I'm not certain.

--Aaron

On Tuesday, June 3, 2014 9:16:19 AM UTC-4, Darin Perusich wrote:
> The ossec package I maintain for OpenSUSE has full systemd support and it works without issue; it is after all a "drop in" replacement for sysvinit and maintains full backwards compatibility.
>
> https://build.opensuse.org/package/show/server:monitoring/ossec-hids
> --
> Later,
> Darin
>
> On Tue, Jun 3, 2014 at 8:10 AM, Jeremy Rossi wrote:
> > * dan (ddp) [2014-06-03 08:01:37 -0400]:
> >> On Tue, Jun 3, 2014 at 7:38 AM, Aaron Hunter wrote:
> >>> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.
> >>
> >> As long as the system still writes logs in the "standard" syslog formats, there shouldn't be any issues*.
> >
> > Reading the RHEL beta docs, things will be fine for the most part ;) Some tuning will be needed, like with everything that changes, but overall and for most things it will just work.
> > OSSEC does not talk directly to systemd or its children processes, but if someone would like to add it we always welcome patches/pull requests.
Re: [ossec-list] Red Hat 7.0 and OSSEC
Jeremy Rossi wrote:
> :) cool would love to see some new action-response based on this. Do you have anything in mind?

Still wrapping my head around it, but as soon as I have something interesting, I'll be sure to post it.. :)

> -Jeremy Rossi

--
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
Re: [ossec-list] Red Hat 7.0 and OSSEC
* Jason Frisvold [2014-06-03 10:02:38 -0400]:
> Aaron Hunter wrote:
> > I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.
>
> To be honest, I think I'm more interested in the firewalld piece.. :) I know it's "just" iptables on the back end, but I think there may be some really neat things we can do with firewalld...

:) cool would love to see some new action-response based on this. Do you have anything in mind?

-Jeremy Rossi
Re: [ossec-list] Red Hat 7.0 and OSSEC
Aaron Hunter wrote:
> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.

To be honest, I think I'm more interested in the firewalld piece.. :) I know it's "just" iptables on the back end, but I think there may be some really neat things we can do with firewalld...

--
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
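One concrete shape for the firewalld idea raised in the exchange above, as an added example that is not from any of the thread's participants or from the OSSEC project: an active-response script that pushes the block into firewalld as a runtime rich rule instead of inserting an iptables rule directly, so the rule is visible to and managed by the same daemon that owns the rest of the ruleset. It assumes the calling convention OSSEC's stock scripts use ($1 action add/delete, $2 user, $3 source IP), that firewall-cmd is on PATH (the FIREWALL_CMD override is mine, so the logic can be exercised off-box), and that runtime rather than permanent rules are acceptable because OSSEC itself issues the delete when its own timeout expires. The address is checked before it is interpolated into rule syntax; the sample addresses in the comments are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project: an OSSEC
# active-response script that blocks the offending address with a firewalld
# rich rule. OSSEC's stock scripts (firewall-drop.sh, host-deny.sh) receive
#   $1 = action (add | delete), $2 = user, $3 = source IP
# and this script keeps that convention.

# Overridable (assumption of this example) so the logic can be tested where
# firewalld is not installed, e.g. FIREWALL_CMD=echo.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# ip_family: print "ipv4" or "ipv6" for a plausible address, fail otherwise.
# The value comes from a log line via OSSEC, so never trust its shape: anything
# outside address characters is rejected before it reaches rule syntax.
ip_family() {
  case "$1" in
    *[!0-9a-fA-F:.]*|"") return 1 ;;   # spaces, quotes, ';' etc. never appear in an address
    *:*)                 echo ipv6 ;;  # also catches v4-mapped forms like ::ffff:203.0.113.7
    *.*.*.*)             case "$1" in *[!0-9.]*) return 1 ;; *) echo ipv4 ;; esac ;;
    *)                   return 1 ;;
  esac
}

# rich_rule: build the firewalld rich rule that drops traffic from $1.
rich_rule() {
  fam=$(ip_family "$1") || return 1
  printf 'rule family="%s" source address="%s" drop\n' "$fam" "$1"
}

# apply: translate OSSEC's add/delete into a runtime firewalld change.
# No --permanent: the block is meant to expire when OSSEC calls "delete",
# and a firewalld reload or reboot clearing it is the intended behaviour.
apply() {  # $1 action, $2 source IP
  rule=$(rich_rule "$2") || { echo "refusing to act on '$2'" >&2; return 1; }
  case "$1" in
    add)    "$FIREWALL_CMD" --add-rich-rule="$rule" ;;
    delete) "$FIREWALL_CMD" --remove-rich-rule="$rule" ;;
    *)      echo "unknown action '$1'" >&2; return 1 ;;
  esac
}

# Entry point when invoked by OSSEC: firewalld-drop.sh ACTION USER SRCIP
if [ "$#" -ge 3 ]; then
  apply "$1" "$3"
fi
```

Wiring it in is the usual ossec.conf <command> plus <active-response> pair pointing at the script name; the point of the example is the rule construction and the refusal path, not the wiring.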
Re: [ossec-list] Red Hat 7.0 and OSSEC
The ossec package I maintain for OpenSUSE has full systemd support and it works without issue; it is after all a "drop in" replacement for sysvinit and maintains full backwards compatibility.

https://build.opensuse.org/package/show/server:monitoring/ossec-hids
--
Later,
Darin

On Tue, Jun 3, 2014 at 8:10 AM, Jeremy Rossi wrote:
> * dan (ddp) [2014-06-03 08:01:37 -0400]:
>> On Tue, Jun 3, 2014 at 7:38 AM, Aaron Hunter wrote:
>>> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.
>>
>> As long as the system still writes logs in the "standard" syslog formats, there shouldn't be any issues*.
>
> Reading the RHEL beta docs, things will be fine for the most part ;) Some tuning will be needed, like with everything that changes, but overall and for most things it will just work.
> OSSEC does not talk directly to systemd or its children processes, but if someone would like to add it we always welcome patches/pull requests.
Re: [ossec-list] Red Hat 7.0 and OSSEC
* dan (ddp) [2014-06-03 08:01:37 -0400]:
> On Tue, Jun 3, 2014 at 7:38 AM, Aaron Hunter wrote:
>> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.
>
> As long as the system still writes logs in the "standard" syslog formats, there shouldn't be any issues*.

Reading the RHEL beta docs, things will be fine for the most part ;) Some tuning will be needed, like with everything that changes, but overall and for most things it will just work.

OSSEC does not talk directly to systemd or its children processes, but if someone would like to add it we always welcome patches/pull requests.
Re: [ossec-list] Red Hat 7.0 and OSSEC
On Tue, Jun 3, 2014 at 7:38 AM, Aaron Hunter wrote:
> I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.

As long as the system still writes logs in the "standard" syslog formats, there shouldn't be any issues*.

*Personally I find the idea of systemd to be wretched, and can't wait to laugh at the upcoming Linux "registry" that replaces /etc.

> On Sunday, June 1, 2014 11:35:18 AM UTC-4, Jason Frisvold wrote:
>> Aaron Hunter wrote:
>> > Given the major changes in Red Hat 7.0 what do the OSSEC developers recommend with respect to upgrading from 6.x to 7.0?
>>
>> What changes do you think will be a problem?
>>
>> --
>> ---
>> Jason 'XenoPhage' Frisvold
>> xeno...@godshell.com
>> ---
>>
>> "Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
Re: [ossec-list] Red Hat 7.0 and OSSEC
I wanted to know if the introduction of systemd and journald causes any problems for OSSEC. I am preparing to test RHEL 7.0 and was hoping to hear from others about any issues they may have encountered.

On Sunday, June 1, 2014 11:35:18 AM UTC-4, Jason Frisvold wrote:
> Aaron Hunter wrote:
> > Given the major changes in Red Hat 7.0 what do the OSSEC developers recommend with respect to upgrading from 6.x to 7.0?
>
> What changes do you think will be a problem?
>
> --
> ---
> Jason 'XenoPhage' Frisvold
> xeno...@godshell.com
> ---
>
> "Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
Re: [ossec-list] Red Hat 7.0 and OSSEC
2014-06-01 17:56 GMT+03:00 Aaron Hunter:
> Given the major changes in Red Hat 7.0 what do the OSSEC developers recommend with respect to upgrading from 6.x to 7.0?

Well, did you notice any issues on RHEL 7 RC?

--
Eero
Re: [ossec-list] Red Hat 7.0 and OSSEC
Aaron Hunter wrote:
> Given the major changes in Red Hat 7.0 what do the OSSEC developers recommend with respect to upgrading from 6.x to 7.0?

What changes do you think will be a problem?

--
---
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---

"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
[ossec-list] Red Hat 7.0 and OSSEC
Given the major changes in Red Hat 7.0 what do the OSSEC developers recommend with respect to upgrading from 6.x to 7.0?

Thank you.