Mr. Knauss-

We're doing what you describe--using an OSSEC client to monitor a 
centralized syslog host. We monitor approximately 150 hosts right now. 
This has been very useful because we don't have administrative control 
over most of the hosts that send us logs, so can't install OSSEC clients 
on them.

This is a sample of the related settings in syslog-ng.conf:

#--------------
# output template
template t_default {
    template("$R_ISODATE $SOURCEIP $MESSAGE\n");
    template_escape(no); };

# Combined local file for OSSEC HIDS parsing
destination d_combined {
    file("/var/log/COMBINED/all"
    template(t_default)
    owner(root)
    group(logs)
    dir_owner(root)
    dir_group(logs)
    perm(0640)
    dir_perm(0750)
    create_dirs(yes));
   };

# Listen on syslog ports
source syslog_tcp {
         tcp(ip(0.0.0.0) port(514) max_connections(100));
   };

source syslog_udp {
         udp(ip(0.0.0.0) port(514));
   };

# Log remote messages
log {
         source(syslog_tcp);
         source(syslog_udp);
         destination(d_combined);
   };
#---------------

We then rotate the "/var/log/COMBINED/all" file nightly. OSSEC has no 
trouble keeping up with the volume; we do about 200MB of logs per day.

For administrative reasons, we have to keep the OSSEC server separate from 
the central syslog server, so we opted not to install OSSEC on the syslog 
server in "server" mode (i.e., we can't have OSSEC listening on port 514 
on the syslog server).

However, my OSSEC installation doesn't seem to be differentiating between 
the hosts properly in this configuration. Maybe someone on the list has 
some suggestions? Caveat: I have not upgraded to OSSEC 1.2 yet.

Specifically:

1) Alerts from multiple hosts seem to get aggregated. For instance, if 
multiple hosts get SSH scanned, only one alert gets fired. In some cases 
this is OK, but in other cases we would like to be able to break the 
alerts down by host, subnet, or other grouping. This is a sample alert 
(with the IP addresses changed):

  =======================
  OSSEC HIDS Notification.
  2007 Jun 14 15:48:56

  Received From: (loghost) 10.0.0.1->/var/log/COMBINED/all
  Rule: 40111 fired (level 10) -> "Multiple authentication failures."
  Portion of the log(s):

   2007-06-14T15:48:55-04:00 internalhost1 sshd(pam_unix)[14418]:
   authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
   rhost=remotehost1  user=user1
   2007-06-14T15:48:30-04:00 internalhost2 sshd(pam_unix)[2118]:
   authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
   rhost=remotehost2  user=user2
  =======================

As you can see, the IP address of the host that generates the alert is the 
syslog host, NOT the actual host. I would like to see alerts come in with 
the address of the generating host, instead of the loghost (or at least 
have it as an option). If it was possible to configure an OSSEC client as 
a "syslog relay" somehow, that might resolve it... or maybe there's 
already a configuration option for this that I missed.

2) E-mail alerts don't have much information in the subject line. Does 
anyone know if this is customizable? I may simply have overlooked this... 
I am looking for something more like the following, so it's simple to see 
with a glance at the subject line what the specific alert is:

        OSSEC - (myhost) 10.0.0.1 - "Alert text"

I could probably also resolve issue 1 by having syslog-ng re-send all 
incoming log entries over the network to the OSSEC server by simply 
specifying another output stream in syslog-ng.conf, but it seems like it 
would be more efficient to have the OSSEC client perform the work, instead 
of re-sending all that traffic over the network. I suspect that what I 
have in mind would require some sort of alert forwarding and replication 
scheme between two OSSEC servers. Is anything like that on the horizon?

Thanks for any suggestions (and for a great product!)-

James Ervin
ITS Control Center
UNC-Chapel Hill

work:  (919) 843-8311
cell:  (919) 360-3001
email: [EMAIL PROTECTED]
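
The per-host grouping asked for in item 1, as an added example that is not OSSEC code and not from anyone in this thread: a small Python detector that reads lines in the layout of the combined file excerpted in the alert above, counts pam_unix authentication failures per originating host (the host named in the line, not the loghost that delivered it), and builds a subject line in the shape requested in item 2. The line layout, the threshold of 6 failures inside 120 seconds, the `detect`/`parse_line` names and the sample lines are all assumptions or constructed data, not rule 40111's real parameters or output.

```python
"""Group sshd authentication failures by originating host when reading a
combined syslog-ng file. Added example for this thread, not OSSEC code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout, following the excerpt in the alert above:
#   <ISO timestamp> <originating host> <program>[pid]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# pam_unix failure record; rhost may be empty, and "\buser=" does not match "ruser=".
AUTHFAIL_RE = re.compile(
    r"authentication failure;.*\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S*)"
)
RULE_DESC = "Multiple authentication failures."  # wording taken from the alert above


def parse_line(line):
    """Split one combined-file line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])  # understands the -04:00 offset
    return rec


def format_subject(host, description):
    """Subject line in the shape requested in item 2: OSSEC - (host) - "text"."""
    return 'OSSEC - (%s) - "%s"' % (host, description)


def detect(lines, threshold=6, window_seconds=120):
    """Fire one alert per originating host once `threshold` failures fall within
    `window_seconds`. Both numbers are illustrative assumptions, not the real
    frequency/timeframe of OSSEC rule 40111."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> (timestamp, rhost, user) of recent failures
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fail = AUTHFAIL_RE.search(rec["msg"])
        if fail is None:
            continue
        q = recent[rec["host"]]  # per-host queue, so interleaving across hosts is harmless
        q.append((rec["ts"], fail.group("rhost"), fail.group("user")))
        while q and rec["ts"] - q[0][0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "host": rec["host"],
                "count": len(q),
                "first": q[0][0],   # first/last in file order
                "last": q[-1][0],
                "sources": sorted({src for _, src, _ in q}),
                "users": sorted({usr for _, _, usr in q}),
                "subject": format_subject(rec["host"], RULE_DESC),
            })
            q.clear()  # start over so one burst is reported once, not on every further line
    return alerts


def _fail_line(ts, host, pid, rhost, user):
    """Build a constructed pam_unix failure line in the excerpt's format."""
    return ("%s %s sshd(pam_unix)[%d]: authentication failure; logname= uid=0 euid=0 "
            "tty=ssh ruser= rhost=%s  user=%s" % (ts, host, pid, rhost, user))


# Constructed sample input (not real data): a burst against internalhost1,
# two failures against internalhost2, and one unrelated successful login.
SAMPLE_LINES = (
    [_fail_line("2007-06-14T15:48:%02d-04:00" % s, "internalhost1", 14418, "remotehost1", "user1")
     for s in (10, 20, 30, 40, 50, 55)]
    + [_fail_line("2007-06-14T15:48:30-04:00", "internalhost2", 2118, "remotehost2", "user2"),
       _fail_line("2007-06-14T15:48:35-04:00", "internalhost2", 2118, "remotehost2", "root")]
    + ["2007-06-14T15:49:00-04:00 internalhost3 sshd[2200]: Accepted publickey for user3 "
       "from 10.0.0.9 port 51022 ssh2"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print("%s | %d failures from %s between %s and %s" % (
            a["subject"], a["count"], ", ".join(a["sources"]),
            a["first"].isoformat(), a["last"].isoformat()))
```

Run against the constructed sample it reports internalhost1 once and stays quiet about internalhost2, which is the per-host behaviour the thread is after; feeding it `tail -F /var/log/COMBINED/all` would be the obvious next step, but the window and threshold should then be tuned to the site's actual traffic.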

On Fri, 15 Jun 2007, G E Scott Knauss wrote:

> Zach,
>        I'm going to assume that you are using syslog-ng to generate the
> path for your log files. If that is the case, you may be able to get the
> desired results by simply creating a new output channel for syslog that
> logs all messages to a single file, and just have ossec monitor that
> single file. Ossec will differentiate between the different hosts by the
> log entry. If you have space issues with keeping this file, just don't
> keep it. It only needs to be there for ossec to read it as the messages
> come in. Setup your logrotate to rotate it by size and keep 0.
>
> Daniel et al,
>        Does anyone see any problems with this idea?
>
> Scott
>
>
>
>
> On Thu, 2007-06-14 at 20:38 -0300, Daniel Cid wrote:
>
>> Hi Zach,
>>
>> What you are trying to do is not going to work. On ossec we support
>> "globbed" files
>> (with the *, ?, etc) and the strftime format, but not both at the same
>> time. The issue
>> is that it is a bit tricky to make both work at the same time, since
>> one requires the
>> whole file name and the other regular expressions... We may try to
>> address it in the
>> future, but currently it is not supported.
>>
>> I would recommend adding each file separately (not ideal, I know):
>>
>> <localfile>
>>   <log_format>syslog</log_format>
>>   <location>/space/logs/2007/ft-backbone-11/unity/%Y%m%d</location>
>> </localfile>
>> ..
>>
>> You can also look at "add_localfile.sh" on the contrib directory to
>> help you automate
>> it.
>>
>> Hope it helps.
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>>
>>
>>
>>
>>
>> On 6/14/07, Zach Patrick <[EMAIL PROTECTED]> wrote:
>>> Hi again,
>>>
>>> I'm trying to open group of files for ossec to scan on an agent located in:
>>>
>>> /space/logs/2007/<serverGroup>/<server>/%Y%m%d
>>>
>>> where serverGroup is the subnet that the servers belong to. I am trying to
>>> point ossec to those files, but it says it is unable to open them.
>>>
>>> My localfile block:
>>>
>>> <localfile>
>>>   <log_format>syslog</log_format>
>>>   <location>/space/logs/2007/*/*/%Y%m%d</location>
>>> </localfile>
>>>
>>> It works when I have the location set as /space/logs/2007/*/*/*   but won't
>>> work when I try to only look at today's log file. Anyone know why this is?
>>>
>>> Here's the error in /var/ossec/logs/ossec.log
>>>
>>> 2007/06/14 14:07:53 ossec-logcollector(1952): Monitoring variable log file:
>>> '/space/logs/2007/*/*/20070614'.
>>> 2007/06/14 14:07:53 ossec-logcollector(1103): Unable to open file
>>> '/space/logs/2007/*/*/20070614'.
>>> 2007/06/14 14:07:53 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/*/*/20070614'.
>>>
>>> When the location is set to .../*/*/* the ossec.log reports:
>>>
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/var/log/squid/access.log'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/ft-backbone-41/ft-proxy/20070613'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/ft-backbone-41/ft-proxy/20070614'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/ft-backbone-41/rsync/20070613'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/ft-backbone-41/rsync/20070614'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/ft-backbone-41/unity/20070613'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/ft-backbone-41/unity/20070614'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/l3-backbone-11/l3-proxy/20070613'.
>>> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
>>> '/space/logs/2007/l3-backbone-11/l3-proxy/20070614'.
>>>
>>>
>>>
>>> Thanks!!
>>>
>
> G E Scott Knauss
> [EMAIL PROTECTED]  or
> [EMAIL PROTECTED]
> ECRNOC Naples, IT
> [EMAIL PROTECTED]
> Lead Network Engineer
>
> DSN:
> 314-626-4854
> Comm:
> 39-081-568-4854
> Cell:
> 39-333-224-9323
>
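
Daniel's workaround in the quoted thread (one <localfile> per directory, with only the strftime part left for OSSEC) can be automated much like contrib's add_localfile.sh. The following is an added example written for this page, not the contrib script and not OSSEC code: it splits a location such as /space/logs/2007/*/*/%Y%m%d at the first dated component, resolves the glob half against the filesystem now, and emits one <localfile> block per matching directory. The function names and the temp directory tree built by `build_sample_tree` are assumptions/constructed for the demonstration.

```python
"""Expand an OSSEC <location> that mixes a glob with a strftime date into
one <localfile> entry per matching directory. Added example; not OSSEC's
contrib/add_localfile.sh."""
import glob
import os
import tempfile
from xml.sax.saxutils import escape


def split_glob_and_strftime(location):
    """'/space/logs/2007/*/*/%Y%m%d' -> ('/space/logs/2007/*/*', '%Y%m%d').
    Everything from the first path component carrying a '%' conversion onward
    is left for OSSEC to expand day by day."""
    parts = location.split("/")
    for i, part in enumerate(parts):
        if "%" in part:
            return "/".join(parts[:i]), "/".join(parts[i:])
    return location, ""


def expand_localfile_glob(location):
    """Resolve the glob half now (directories only) and re-attach the strftime half,
    giving locations OSSEC accepts because each contains no wildcard."""
    glob_part, strftime_part = split_glob_and_strftime(location)
    if not strftime_part:
        return [location]  # plain glob or plain path: OSSEC handles it unchanged
    matches = sorted(p for p in glob.glob(glob_part) if os.path.isdir(p))
    return [os.path.join(p, strftime_part) for p in matches]


def render_localfile_blocks(locations, log_format="syslog"):
    """Render <localfile> blocks in the ossec.conf shape shown in the thread."""
    blocks = []
    for loc in locations:
        blocks.append(
            "<localfile>\n"
            "  <log_format>%s</log_format>\n"
            "  <location>%s</location>\n"
            "</localfile>" % (escape(log_format), escape(loc))
        )
    return "\n".join(blocks)


def build_sample_tree():
    """Create a constructed <serverGroup>/<server> tree under a temp dir, plus a
    stray file that a bare */* glob would also match, and return the base path."""
    base = tempfile.mkdtemp(prefix="ossec-localfile-")
    for group, server in (("ft-backbone-41", "unity"), ("ft-backbone-41", "rsync"),
                          ("l3-backbone-11", "l3-proxy")):
        os.makedirs(os.path.join(base, group, server))
    open(os.path.join(base, "ft-backbone-41", "stray.txt"), "w").close()
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    print(render_localfile_blocks(expand_localfile_glob(base + "/*/*/%Y%m%d")))
```

Because the glob is resolved at generation time, the script has to be re-run (cron is enough) whenever a new server group or server directory appears; the date part itself needs no regeneration, since OSSEC expands the strftime conversions on its own.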
