Could it be that it is setting input to /var/log/secure and then
immediately overwriting that with /tmp/sec ????

Try starting it with input only specified once as /var/log/secure and
see what happens.

        Regards,
        Bill 


-----Original Message-----
From: Michael Andrus [mailto:[email protected]] 
Sent: Thursday, February 26, 2009 1:33 PM
To: [email protected]
Subject: [Simple-evcorr-users] SEC not processing events in log

Hi,

I am having trouble getting SEC to process events in a live log file
generated by syslog-ng, while the same events are processed successfully
when copied from that log file and echoed directly into a temporary
input file. 

/var/log/secure is the live log file generated via syslog-ng

/tmp/sec is a plain text file which I echo lines of log data into to
test the SEC rules.

I am running SEC 2.5.1 with perl 5.8.5 on CentOS 4 as root with the
following options:

/usr/bin/sec -conf=/etc/sec/sec.conf -input=/var/log/secure -input=/tmp/sec -syslog=user -pid=/var/run/sec.pid -debug=6 -detach


Any ideas why the events would be triggered from /tmp/sec but not from
/var/log/secure? 

Here is my SEC configuration, if that helps.

# SEC configuration file

# CentOS 4 SSH PAM_OPIE Failed authentication
# Warning: This may ban an overzealous user who's having trouble w/ OPIE
# Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from x.x.x.x
type=SingleWithThreshold
ptype=RegExp
pattern=(\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from (\d+\.\d+\.\d+\.\d+)
# desc is the correlation key: with $0, every distinct matched line (timestamp included) gets its own counter
desc=$0
# note: SEC substitutes $1/$2 throughout the action string, so the $2 inside the awk program is replaced as well
action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr" | awk -F" " '{print $2}' | /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
window=15
thresh=3

# CentOS 4 SSH PAM_OPIE Invalid user
# Feb 26 13:53:44 darkstar sshd[30185]: Failed keyboard-interactive/pam for invalid user lygia from x.x.x.x port 3965 ssh2
type=SingleWithThreshold
ptype=RegExp
pattern=(\w+) sshd\[\d+\]: Failed keyboard-interactive/pam for invalid user \w+ from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2
desc=$0
action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr" | awk -F" " '{print $2}' | /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
window=15
thresh=3


Thanks! 

Michael A.

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
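A point worth checking whenever copied test lines trigger a SingleWithThreshold rule but the live log does not: SEC keys each threshold counter on the expanded desc string, so desc=$0 (the whole line, timestamp included) gives every distinct line its own counter. The following is an added example, not code from the thread or from SEC itself: a simplified Python model of that counting, run over constructed log lines shaped like the ones quoted in the config (addresses and the year 2009 are assumed), comparing desc=$0 with a desc built from the client address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex, window and threshold taken from the first rule in the posted config:
# group 1 is the host name, group 2 the client address.
PATTERN = re.compile(r"(\w+) sshd\[\d+\]: error: PAM: Authentication failure "
                     r"for \w+ from (\d+\.\d+\.\d+\.\d+)")
WINDOW = 15   # seconds
THRESH = 3

# Constructed sample log: three failures from one client inside 15 s, then one
# from a second client (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.0.2.10
Feb 26 14:32:19 darkstar sshd[10031]: error: PAM: Authentication failure for admin from 192.0.2.10
Feb 26 14:32:25 darkstar sshd[10037]: error: PAM: Authentication failure for root from 192.0.2.10
Feb 26 14:33:02 darkstar sshd[10040]: error: PAM: Authentication failure for admin from 192.0.2.44
"""

def expand(template, line, match):
    """Substitute $0 (whole line) and $1..$N (capture groups), as SEC does in desc."""
    out = template.replace("$0", line)
    for i, group in enumerate(match.groups(), start=1):
        out = out.replace(f"${i}", group)
    return out

def timestamp(line):
    # syslog timestamps carry no year; 2009 is assumed for the sample data.
    return datetime.strptime("2009 " + line[:15], "%Y %b %d %H:%M:%S")

def run_rule(log, desc_template):
    """Simplified model of SingleWithThreshold: a separate sliding-window counter
    per distinct expanded desc string. Returns (desc, time) for each counter
    that reached THRESH events within WINDOW seconds."""
    counters = defaultdict(deque)  # expanded desc -> event times still in window
    fired = []
    for line in log.splitlines():
        match = PATTERN.search(line)
        if not match:
            continue
        key = expand(desc_template, line, match)
        now = timestamp(line)
        window = counters[key]
        while window and (now - window[0]).total_seconds() > WINDOW:
            window.popleft()
        window.append(now)
        if len(window) == THRESH:
            fired.append((key, now))
    return fired
```

With desc="$0" no counter ever reaches three, while desc="SSH BFA from $2" fires once for 192.0.2.10 at the third failure.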
