Hello Dan,
At this point, I know what changes in the source code I want to make and where in the source code I want to make them. I want to run these changes by you to make sure that:

(1) they do what I want done, which is to make the format of those syslog alerts whose source is the OSSEC server's local agent identical to the format of those syslog alerts whose source is the standard OSSEC agents

(2) the changes are in the right region of the code and, if possible, in the most appropriate region of the code from the point of view of execution efficiency

Baseline situation:
--------------------------

This is the situation as it is now, before any code changes:

[root@ossecserver ~]# /var/ossec/bin/agent_control -i 000

OSSEC HIDS agent_control. Agent information:
   Agent ID:   000 (local instance)
   Agent Name: ossecserver
   IP address: 127.0.0.1
   Status:     Active/Local

   Operating system:    Linux ossecserver 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 ..
   Client version:      OSSEC HIDS v2.5.1
   Last keep alive:     Not available

   Syscheck last started  at: Fri May 13 11:19:03 2011
   Rootcheck last started at: Fri May 13 03:25:42 2011

[root@ossecserver ~]#

I believe that the OSSEC server gets the local agent name from the /etc/hosts file.
And that the IP address of the OSSEC server is hardcoded as 127.0.0.1, which is why the format of the alert entries that are exported to a syslog server looks like this:

ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: ossecserver->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 ossecserver sshd[19838]: Invalid user recruit from 72.55.156.23

Note that the value of the Location field is

ossecserver->/var/log/secure

We really want the value of the Location field to be

(ossecserver.domain.com) 74.143.171.166->/var/log/secure

where 74.143.171.166 is the IP address of ossecserver.

Source code changes:
--------------------------------

This is what I have done:

(1) I have created a file called local_agent.conf where the OSSEC server's relative name, its FQDN and its IP address are listed on one line:

ossecserver (ossecserver.domain.com) 74.143.171.166

(2) In the file defs.h of the headers directory: I have defined the variable LOCAL_AGENT_FILE as "/etc/local_agent.conf" and alternatively as "local_agent.conf", where local_agent.conf contains the OSSEC server's relative host name, its FQDN and its IP address, which can be external or internal. In this case, we are picking an external IP address.

(3) In the file main.c of the addagents directory: I have opened and read the contents of the file local_agent.conf and created a portable OSSEC string called al_data_location_ossec_server with the stored value of "(ossecserver.domain.com) 74.143.171.166". I will be carrying al_data_location_ossec_server into the file alert.c of the os_csyslogd directory to update the data->location field (see below).
(4) In the file alert.c of the os_csyslogd directory: I have updated the Location field (al_data->Location) for the OSSEC server from

ossecserver->/var/log/secure

to

(ossecserver.domain.com) 74.143.171.166->/var/log/secure

by substituting in the value of al_data_location_ossec_server.

Requests:
-------------

(1) Let me know if you are happy with my changes and their location in the OSSEC source code. If not, let me know generally what you prefer in terms of source code changes and location of those source code changes - I'll take care of these specifics.

(2) My boss is concerned that I make the string substitution in the file alert.c of csyslog.c - he is concerned that a check of each syslog alert for the hostname ossecserver for the purpose of implementing the string substitution as a follow-up would be CPU and memory intensive. He is wondering whether there is another region of code where this check and this substitution would be less hard on both CPU and memory. If you have a specific answer for his concern, let me know.

(3) Will my updating of the data->location struct have any negative effect on OSSEC's functionality? I am not looking into modifying any of the OSSEC agent-OSSEC server interactions. All I am looking to do is to update the Location field of the OSSEC syslog alert before the syslog server starts reading it (and parses it and filters it, etc.).

Regards,

On May 9, 1:56 pm, "dan (ddp)" <[email protected]> wrote:
> I don't know the answer to that. I haven't looked at the code far
> enough in depth for that.
> I'd start by looking in src/os_csyslogd
>
> On Mon, May 9, 2011 at 12:20 PM, blacklight <[email protected]> wrote:
> > Hello Dan,
> >
> > Would you mind pointing to me which subroutine of which module I
> > should modify?
> > Your answer does not need to be exact - as long as I
> > don't have to wade through the entire code :)
> >
> > I told my boss I wanted to make the change on my own time but my boss
> > was gracious about it :)
> >
> > On May 6, 3:55 pm, "dan (ddp)" <[email protected]> wrote:
> >> Hi blacklight,
> >
> >> On Fri, May 6, 2011 at 3:48 PM, blacklight <[email protected]> wrote:
> >> > Hello Folks,
> >
> >> > The exported syslog entries from our OSSEC agent hosts have the
> >> > following format
> >
> >> > ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
> >> > trying to get access to the system.; Location:
> >> > (ossecclient.domain.com) 74.143.171.166->/var/log/secure; srcip:
> >> > 72.55.156.23; Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user
> >> > recruit from 72.55.156.23
> >
> >> > The format above is the format we want for all hosts including the
> >> > OSSEC server hosts. Note that the format above includes
> >> > - FQDN of the OSSEC client host embedded in parentheses
> >> > - IP address of the OSSEC client host
> >
> >> > In contrast, the syslog entry from our OSSEC server host has the
> >> > following format
> >
> >> > ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
> >> > trying to get access to the system.; Location: ossecserver->/var/log/
> >> > secure; srcip: 72.55.156.23; Apr 12 22:35:40 ossecserver sshd[19838]:
> >> > Invalid user recruit from 72.55.156.23
> >
> >> > Note that the name of the OSSEC server host in the Location field is
> >> > not FQDN, is not embedded in parentheses and does not include its
> >> > interface IP address. We very much want the syslog entry format from
> >> > the OSSEC server host to include all three as per the format of all
> >> > syslog entries from all OSSEC agent hosts.
> >> > And note that the FQDN is
> >
> >> > Consistency in the formatting of all syslog entries from OSSEC agents
> >> > and servers enables us to parse these entries accurately and
> >> > predictably - yes, the parser of our syslog server is awfully limited
> >> > in capability, which is why we need the format consistency.
> >
> >> > I am hoping that you can take quick remedial action for this
> >> > situation. In the meantime, is there anything I can do
> >> > configuration-wise on my own short of changing the source code by myself?
> >
> >> > Regards,
> >
> >> You'll have to modify the source to change this behavior. If you make
> >> the changes, forward a patch to the list.
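The Location rewrite described in the message above, as an added example in C that is neither OSSEC's code nor the poster's patch: it parses the one-line local_agent.conf format and rewrites a Location value only when it starts with the server's short hostname followed by "->", so an alert that already carries the agent-style "(fqdn) ip->path" form is left untouched. The per-alert cost is one bounded strncmp against a hostname length computed once at startup, which addresses the CPU concern in request (2). The names struct local_agent, parse_local_agent_line and rewrite_location are assumptions.

```c
/* Added example, not OSSEC code. Assumed names: struct local_agent,
 * parse_local_agent_line(), rewrite_location(). */
#include <stdio.h>
#include <string.h>

struct local_agent {
    char host[64];     /* short hostname, e.g. "ossecserver" */
    char fqdn[256];    /* FQDN kept in parentheses, e.g. "(ossecserver.domain.com)" */
    char ip[64];       /* IP address to report, e.g. "74.143.171.166" */
    size_t host_len;   /* computed once so the per-alert check is a single strncmp */
};

/* Parse the one-line local_agent.conf format "<host> (<fqdn>) <ip>". Returns 1 on success. */
int parse_local_agent_line(const char *line, struct local_agent *la)
{
    if (sscanf(line, "%63s %255s %63s", la->host, la->fqdn, la->ip) != 3)
        return 0;
    if (la->fqdn[0] != '(' || la->fqdn[strlen(la->fqdn) - 1] != ')')
        return 0;  /* FQDN must be parenthesised, as in the agent alert format */
    la->host_len = strlen(la->host);
    return 1;
}

/* If location reads "<host>->/path", write "(<fqdn>) <ip>->/path" into out.
 * Returns 1 if rewritten, 0 if the location is from another agent (already in
 * the "(fqdn) ip->path" form), has a different hostname, or out is too small. */
int rewrite_location(const char *location, const struct local_agent *la,
                     char *out, size_t outlen)
{
    /* Cheap gate: compare only host_len bytes, then require the "->" separator. */
    if (strncmp(location, la->host, la->host_len) != 0 ||
        strncmp(location + la->host_len, "->", 2) != 0)
        return 0;
    int n = snprintf(out, outlen, "%s %s%s", la->fqdn, la->ip, location + la->host_len);
    return (n > 0 && (size_t)n < outlen) ? 1 : 0;
}

int main(void)
{
    struct local_agent la;
    char out[512];
    /* Constructed sample line mirroring the local_agent.conf in the message */
    if (!parse_local_agent_line("ossecserver (ossecserver.domain.com) 74.143.171.166", &la))
        return 1;
    if (rewrite_location("ossecserver->/var/log/secure", &la, out, sizeof out))
        printf("%s\n", out);  /* (ossecserver.domain.com) 74.143.171.166->/var/log/secure */
    return 0;
}
```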
