Hello,
I have a problem. I would like to get all logins logged from this
system, and have it all set up in ossec, and it's working for all my
systems except this one. The issue is that when the message is sent to
my syslog server to be parsed by ossec something gets mucked up. The
original log is shown below. It's from a 10.5.2 mac computer
(/var/log/secure.log) and it's being sent to my syslog server. The
syslog server sees it as edc1 edc1, where on the original log it's
correct with no double. I figure that because there is a double, OSSEC
isn't parsing it correctly, and that's why I'm not getting a notice when
someone logs into the system.
Thanks, Jonny
Original:
Sep 15 01:55:21 edc1 sshd[64736]: Accepted publickey for **** from **.**.**.* port ***** ssh2

Received by syslog:
Sep 15 01:55:21 edc1 edc1 sshd[64736]: Accepted publickey for **** from **.**.**.* port ***** ssh2
/etc/syslog.conf on sending server (original):

local3.info                                                         /var/log/ccauth_proxy.log
*.*                                                                 @syslog.*****.com
*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit  /var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit        /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth.info;authpriv.*;remoteauth.crit                                /var/log/secure.log
lpr.info                                                            /var/log/lpr.log
mail.*                                                              /var/log/mail.log
ftp.*                                                               /var/log/ftp.log
install.*                                                           /var/log/install.log
install.*                                                           @127.0.0.1:32376
local0.*                                                            /var/log/appfirewall.log
local1.*                                                            /var/log/ipfw.log
*.emerg                                                             *
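The following is an added example, not code from the post above and not part of OSSEC: it shows why a strict BSD-syslog decoder rejects the relayed line (the second "edc1" lands where the program name is expected) and how a tolerant decoder can absorb an exactly repeated hostname, normalize the line back to its original form, and still extract the "Accepted publickey" login event. The sample lines, user name and address are constructed placeholders modelled on the two forms quoted in the post.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the post's "Original" and
# "Received by syslog" forms (user and address are placeholders).
ORIGINAL_LINE = ("Sep 15 01:55:21 edc1 sshd[64736]: "
                 "Accepted publickey for alice from 203.0.113.7 port 51234 ssh2")
RELAYED_LINE = ("Sep 15 01:55:21 edc1 edc1 sshd[64736]: "
                "Accepted publickey for alice from 203.0.113.7 port 51234 ssh2")

# Strict BSD-syslog header: "Mon DD HH:MM:SS host prog[pid]: message".
# On the relayed line the second "edc1" is taken as the program name and
# the mandatory ": " never matches, so the whole line is rejected.
STRICT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Tolerant header: identical, but an optional exact repeat of the hostname
# (a backreference, so an unrelated token is never swallowed) is absorbed.
TOLERANT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<dup>(?P=host) )?"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# sshd's successful-login message body.
SSH_ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_header(line: str, tolerant: bool = True) -> Optional[dict]:
    """Split a syslog line into its header fields; None if it does not decode."""
    m = (TOLERANT_RE if tolerant else STRICT_RE).match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["duplicated_host"] = bool(fields.pop("dup", None))
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def normalize_line(line: str) -> str:
    """Return the line with a duplicated hostname removed, so a strict
    decoder downstream sees the same text the sending host wrote."""
    m = TOLERANT_RE.match(line)
    if not m or not m.group("dup"):
        return line
    return line[:m.start("dup")] + line[m.end("dup"):]


def ssh_login_event(line: str) -> Optional[dict]:
    """Extract a successful sshd login from either line form, or None."""
    hdr = parse_header(line)
    if not hdr or hdr["prog"] != "sshd":
        return None
    m = SSH_ACCEPT_RE.match(hdr["msg"])
    if not m:
        return None
    return {
        "host": hdr["host"],
        "user": m.group("user"),
        "method": m.group("method"),
        "src": m.group("src"),
        "port": int(m.group("port")),
        "host_was_duplicated": hdr["duplicated_host"],
    }


if __name__ == "__main__":
    for label, line in (("original", ORIGINAL_LINE), ("relayed", RELAYED_LINE)):
        print(label, "strict  :", parse_header(line, tolerant=False) is not None)
        print(label, "tolerant:", ssh_login_event(line))
    print("normalized:", normalize_line(RELAYED_LINE))
```

Running the block prints that the strict decoder accepts only the original line while the tolerant one yields the same login event from both; `normalize_line` is the shape of fix you would apply at the relay (or in a pre-decoder) if the duplicated hostname cannot be removed at its source.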