Hello Dennis.
I CC'ed the ossec-list with this message, and the two config files
were placed in-line. I figured that this might be useful for other
people on the list.
Yes, the Snoopy library is that. I don't know what distribution you're
using, but it's included with Ubuntu and Debian as the package name
"snoopy".
The line 'Udp (ip("192.168.16.16"), port(514));' tells Syslog-NG to
listen on UDP Port 514, on the specified IP address. I have multiple
interfaces on this machine, and only wanted one to accept Syslog over
the network.
The line 'destination df_syslog
{ file("/var/log/syslog-ng/$HOST/syslog"); };' defines a destination for
Syslog-NG to send logs to. Basically, $HOST is a value Syslog-NG derives from
a reverse-DNS lookup on the IP address of an incoming packet. This
destination defines a way of sending incoming SysLog messages into
separate directories, based on the HostName.
The line 'destination df_snoopy
{ file("/var/log/syslog-ng/$HOST/snoopy"); };' was put in so I could
redirect incoming SysLog messages tagged with the application "snoopy"
to a separate file, called 'snoopy'. Check out how my filters are
defined to figure out how this redirection is done.
The line 'destination ossec_syslog { udp(127.0.0.1, destport(1025)); };'
defines a network-based destination to forward SysLog messages to. In
this case, I've configured OSSEC to listen on udp:localhost:1025 for
SysLog messages, and I'm forwarding messages from specific hosts to it.
Again, check out the filters.
I did this because I wanted to save a copy of the incoming SysLog
message into the Host's respective $HOST/syslog, as well as run them
against OSSEC's PIX rules. I couldn't get OSSEC to use the PIX rules against
a file-based syslog. *This may not be true with OSSEC 1.0. I just
haven't had the time to test it.
-----
Jeremy
On Wed, 2007-01-31 at 09:32 -0600, Dennis Borkhus-Veto wrote:
> Just a quick couple of questions
> The snoopy library you refer to is it Snoopy Logger
> http://sourceforge.net/projects/snoopylogger/ ?
> On your syslogng config in sources and destinations
>
> Udp (ip("192.168.16.16"), port(514));
> Is this the port that messages from 192.168.16.16 come in on ?
>
> And then
> destination df_syslog { file("/var/log/syslog-ng/$HOST/syslog"); };
>
> the file the messages are put in?
>
> explain what these two lines do
>
> destination df_snoopy { file("/var/log/syslog-ng/$HOST/snoopy"); };
>
> destination ossec_syslog { udp(127.0.0.1, destport(1025)); };
>
> I don't want to be a pest but I want to make sure I understand what
> this setup does
>
> Sincerely
>
> Dennis Borkhus-Veto
> Systems Administrator
> MEE Material Handling L.L.C
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Jeremy Melanson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 30, 2007 6:29 PM
> To: Dennis Borkhus-Veto
> Subject: Re: Syslog ossec
>
> I just send all of my syslog messages to my syslog-ng server. Then
> syslog-ng handles the redirection from UDP 514 to Ossec's port. I've
> attached my syslog-ng.conf and ossec.conf to this email.
>
> Keep in mind that the newer version of OSSEC supports wildcards in
> file/directory definition. So the ossec.conf file I have is a bit more
> complex than it needs to be.
>
>
> p.s. In case you're wondering, the Snoopy rules in syslog-ng.conf are
> for the Snoopy Library (which I highly recommend). I have all syslog
> messages coming from Snoopy redirected to a separate file for each
> server.
>
> -----
> Jeremy
>
> On Tue, 2007-01-30 at 18:24 -0600, Dennis Borkhus-Veto wrote:
> > I saw your message about your ossec-syslogng setup I would be very
> > interested in seeing your configs. Have you had any luck with equipment
> > that won't allow you to specify the port it sends syslog messages to.
> > Dennis
syslog-ng.conf:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior
# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd
######
# options
options {
# disable the chained hostname format in logs
# (default is enabled)
chain_hostnames(0);
# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);
# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);
# the number of lines buffered before written to file
# you might want to increase this if your disk isn't catching with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);
# the number of lines fitting in the output queue
log_fifo_size(2048);
# enable or disable directory creation for destination files
create_dirs(yes);
# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
#owner(root);
group(adm);
perm(0640);
# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
#dir_owner(root);
#dir_group(root);
dir_perm(0750);
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(yes);
# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);
};
######
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
udp(ip("192.168.16.16"), port(514));
};
######
# destinations
destination df_syslog { file("/var/log/syslog-ng/$HOST/syslog"); };
# Destination for command monitoring log (comes in from a preloaded library called 'snoopy')
destination df_snoopy { file("/var/log/syslog-ng/$HOST/snoopy"); };
destination ossec_syslog { udp(127.0.0.1, destport(1025)); };
######
# filters
# Catch everything...
filter f_all {
level(debug..emerg) and not
program("snoopy");
};
filter f_snoopy {
program("snoopy");
};
filter f_pixfw {
# parentheses are needed here: "and" binds tighter than "or", so without
# them "not program(snoopy)" would only apply to the last host() term
(host("pixfirewall1") or
host("pixfirewall2") or
host("pixfirewall3") or
host("pixfirewall4") or
host("pixfirewall5")) and not
program("snoopy");
};
######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement
log {
source(s_all);
filter(f_all);
destination(df_syslog);
};
log {
source(s_all);
filter(f_pixfw);
destination(ossec_syslog);
};
log {
source(s_all);
filter(f_snoopy);
destination(df_snoopy);
};
ossec.conf:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>[EMAIL PROTECTED]</email_to>
<smtp_server>mail.passkey.com.</smtp_server>
<email_from>[EMAIL PROTECTED]</email_from>
</global>
<remote>
<connection>syslog</connection>
<allowed-ips>127.0.0.1</allowed-ips> <!-- addr of the device -->
<port>1025</port>
</remote>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
<include>ossec_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed - default every 2 hours -->
<frequency>21600</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<!-- Begin: More files to ignore... -->
<ignore>/etc/postfix/prng_exch</ignore>
<!-- END: More files to ignore... -->
</syscheck>
<rootcheck>
<rootkit_files>/usr/local/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/usr/local/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<global>
<white_list>127.0.0.1</white_list>
</global>
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>8</email_alert_level>
</alerts>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>nmapg</log_format>
<location>/usr/local/ossec/var/nmap-out.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/ciscorouter1/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/ciscorouter2/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/database1/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/database2/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/database3/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/snortbox1/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/systemmonitor1/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/proxy1/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog-ng/proxy2/syslog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error_main.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access_main.log</location>
</localfile>
</ossec_config>
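To make the routing described in the thread concrete, here is an added Python example (not part of the original mail or of syslog-ng/OSSEC) that parses a handful of constructed BSD-format syslog lines and applies the three filters and three log{} statements from the posted syslog-ng.conf, returning the destinations each line would be delivered to: the per-host $HOST/syslog file, the per-host $HOST/snoopy file, or OSSEC's UDP listener on 127.0.0.1:1025. It also contrasts an f_pixfw filter written without parentheses around the host() terms with a parenthesised one, because syslog-ng's "and" binds tighter than "or". The sample lines, message bodies and the function names are assumptions; $HOST is taken from the message header here, whereas the posted config resolves it from the sender's IP via reverse DNS.

```python
import re
from dataclasses import dataclass

# BSD syslog severities, index == numeric severity (PRI & 7); same order as
# the comment block at the top of the posted syslog-ng.conf.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in BSD syslog wire format; hostnames are the ones
# used in the posted configs, the message bodies are invented for illustration.
SAMPLE_LINES = [
    "<134>Jan 31 09:32:01 pixfirewall1 %PIX-6-302013: Built inbound TCP connection 12 for outside:10.1.1.5",
    "<13>Jan 31 09:32:02 pixfirewall5 snoopy: [uid:0 sid:1 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls -la",
    "<13>Jan 31 09:32:03 pixfirewall2 snoopy: [uid:0 sid:2 tty:/dev/pts/1 cwd:/root filename:/bin/cat]: cat /etc/hosts",
    "<38>Jan 31 09:32:04 database1 sshd[1234]: Accepted publickey for jeremy from 10.0.0.5 port 51022 ssh2",
    "<13>Jan 31 09:32:05 database1 snoopy: [uid:1000 sid:3 tty:/dev/pts/0 cwd:/home/jeremy filename:/usr/bin/id]: id",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                    # PRI = facility*8 + severity
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp
    r"(?P<host>\S+) "                         # hostname carried in the header
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ?"     # program name, optional [pid]
    r"(?P<msg>.*)$"
)


@dataclass
class Message:
    host: str
    program: str
    facility: int
    severity: str
    text: str


def parse(line: str) -> Message:
    """Split one BSD syslog line into the fields syslog-ng filters operate on."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    # Assumption: $HOST is taken from the header; the posted config derives it
    # from the sender's IP via reverse DNS (use_dns(yes)) instead.
    return Message(m.group("host"), m.group("prog"), pri >> 3, SEVERITIES[pri & 7], m.group("msg"))


# --- the three filters from the posted syslog-ng.conf ---------------------

def f_all(m: Message) -> bool:
    # level(debug..emerg) spans every severity, so this reduces to "not snoopy"
    return m.severity in SEVERITIES and m.program != "snoopy"


def f_snoopy(m: Message) -> bool:
    return m.program == "snoopy"


def f_pixfw_unparenthesised(m: Message) -> bool:
    # host(1) or ... or host(5) and not program(snoopy): "and" binds tighter
    # than "or", so the snoopy exclusion only qualifies the pixfirewall5 term.
    return m.host in {"pixfirewall1", "pixfirewall2", "pixfirewall3", "pixfirewall4"} or (
        m.host == "pixfirewall5" and m.program != "snoopy"
    )


def f_pixfw_parenthesised(m: Message) -> bool:
    # (host(1) or ... or host(5)) and not program(snoopy)
    return m.host in {f"pixfirewall{i}" for i in range(1, 6)} and m.program != "snoopy"


# --- the three log{} statements: every matching path receives the message --

def route(line: str, pixfw=f_pixfw_unparenthesised) -> list:
    """Return the destinations the posted log{} statements deliver this line to."""
    m = parse(line)
    dests = []
    if f_all(m):
        dests.append(f"/var/log/syslog-ng/{m.host}/syslog")  # df_syslog
    if pixfw(m):
        dests.append("udp://127.0.0.1:1025")                 # ossec_syslog
    if f_snoopy(m):
        dests.append(f"/var/log/syslog-ng/{m.host}/snoopy")  # df_snoopy
    return dests


def leaked_to_ossec(lines, pixfw=f_pixfw_unparenthesised) -> list:
    """Snoopy lines that would still be forwarded to OSSEC's UDP port."""
    return [ln for ln in lines if f_snoopy(parse(ln)) and "udp://127.0.0.1:1025" in route(ln, pixfw)]


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(route(ln), "<-", ln[:60])
    print("snoopy lines reaching OSSEC, unparenthesised:", len(leaked_to_ossec(SAMPLE_LINES)))
    print("snoopy lines reaching OSSEC, parenthesised:  ",
          len(leaked_to_ossec(SAMPLE_LINES, f_pixfw_parenthesised)))
```

Running the script shows the PIX message going both to its $HOST/syslog file and to OSSEC's UDP port, the sshd line going only to database1/syslog, and snoopy lines going only to their $HOST/snoopy file, except that the unparenthesised f_pixfw also forwards the snoopy line from pixfirewall2 to OSSEC; the parenthesised form does not. The same check is a cheap way to validate a routing change before reloading syslog-ng.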