Hi,
I am having trouble getting SEC to process events in a live log file generated
by syslog-ng, while the same events are processed successfully when copied from
that log file and echoed directly into a temporary input file.

/var/log/secure is the live log file generated via syslog-ng.
/tmp/sec is a plain text file which I echo lines of log data into
to test the SEC rules.
I am running SEC 2.5.1 with perl 5.8.5 on CentOS 4 as root with the
following options:

/usr/bin/sec -conf=/etc/sec/sec.conf -input=/var/log/secure -input=/tmp/sec -syslog=user -pid=/var/run/sec.pid -debug=6 -detach
Any ideas why the events would be triggered from /tmp/sec but not
from /var/log/secure?
Here is my SEC configuration, if that helps.
# SEC configuration file
# CentOS 4 SSH PAM_OPIE Failed authentication
# Warning: This may ban an overzealous user who's having trouble w/ OPIE
# Sample event:
# Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from x.x.x.x
# $1 = hostname, $2 = source IP; the leading space in the pattern is part of the regexp
type=SingleWithThreshold
ptype=RegExp
pattern= (\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from (\d+\.\d+\.\d+\.\d+)
# desc=$0 keys the counter on the whole text matched by the regexp (hostname, pid, user and IP)
desc=$0
action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr"|awk -F" " '{print $2}'| /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
window=15
thresh=3

# CentOS 4 SSH PAM_OPIE Invalid user
# Sample event:
# Feb 26 13:53:44 darkstar sshd[30185]: Failed keyboard-interactive/pam for invalid user lygia from x.x.x.x port 3965 ssh2
# $1 = hostname, $2 = source IP
type=SingleWithThreshold
ptype=RegExp
pattern= (\w+) sshd\[\d+\]: Failed keyboard-interactive/pam for invalid user \w+ from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2
# desc=$0 keys the counter on the whole text matched by the regexp (hostname, pid, user and IP)
desc=$0
action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr"|awk -F" " '{print $2}'| /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
window=15
thresh=3
Thanks!
Michael A.
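As an added illustration (not part of Michael's post and not SEC's own code), the script below models what a SingleWithThreshold rule counts: it runs the two regexps from the rule set over constructed sshd lines and keeps a sliding 15-second window per description key, firing once when three matches land in the window. It shows the difference between keying the counter on the whole matched text (what desc=$0 yields, which includes the changing sshd pid) and keying it on the source address (what desc=$2 would yield). The log lines, timestamps and addresses are constructed; the window model is a simplification of SEC and ignores the date part of the timestamp.

```python
"""Simplified model of SEC's SingleWithThreshold counting over constructed sshd lines."""
import re
from collections import defaultdict

# The two regexps from the rule set above (leading space included, as in the post).
PATTERNS = [
    re.compile(r" (\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from "
               r"(\d+\.\d+\.\d+\.\d+)"),
    re.compile(r" (\w+) sshd\[\d+\]: Failed keyboard-interactive/pam for invalid user \w+ from "
               r"(\d+\.\d+\.\d+\.\d+) port \d+ ssh2"),
]

# Constructed sample input (documentation-range addresses); the pid differs per connection.
SAMPLE_LOG = [
    "Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 203.0.113.7",
    "Feb 26 14:32:16 darkstar sshd[10031]: error: PAM: Authentication failure for admin from 203.0.113.7",
    "Feb 26 14:32:19 darkstar sshd[10035]: Failed keyboard-interactive/pam for invalid user lygia from 203.0.113.7 port 3965 ssh2",
    "Feb 26 14:32:25 darkstar sshd[10040]: error: PAM: Authentication failure for root from 198.51.100.9",
    "Feb 26 14:33:40 darkstar sshd[10052]: error: PAM: Authentication failure for admin from 203.0.113.7",
]


def syslog_seconds(line):
    """Seconds since midnight from the 'Mon DD HH:MM:SS' prefix (same-day simplification)."""
    hh, mm, ss = (int(x) for x in line.split()[2].split(":"))
    return hh * 3600 + mm * 60 + ss


def desc_whole_match(m):
    """Key the counter the way desc=$0 does: the entire text the regexp matched."""
    return m.group(0)


def desc_source_ip(m):
    """Key the counter the way desc=$2 would: the captured source address only."""
    return m.group(2)


def correlate(lines, desc, window=15, thresh=3):
    """Sliding-window threshold counter, one counter per description key.

    Returns a list of (hostname, source_ip, seconds) tuples, one per time the
    threshold is reached. After a key fires, further matches inside that window
    are ignored and counting restarts once the window has expired.
    """
    seen = defaultdict(list)   # key -> timestamps of counted matches
    fired = {}                 # key -> start time of the window that fired
    alerts = []
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                break
        else:
            continue           # line matches neither rule
        now = syslog_seconds(line)
        key = desc(m)
        if key in fired:
            if now - fired[key] < window:
                continue       # still inside a window that already fired
            del fired[key]
        ts = [t for t in seen[key] if now - t < window]   # drop matches outside the window
        ts.append(now)
        seen[key] = ts
        if len(ts) >= thresh:
            alerts.append((m.group(1), m.group(2), now))
            fired[key] = ts[0]
            seen[key] = []
    return alerts


if __name__ == "__main__":
    print("desc=$0 style:", correlate(SAMPLE_LOG, desc_whole_match))
    print("desc=$2 style:", correlate(SAMPLE_LOG, desc_source_ip))
```

With the pid varying between connections, every $0-style key is distinct, so the counter for each key never exceeds one and nothing fires; keyed on the address, the three attempts from 203.0.113.7 within five seconds reach the threshold on the third line, while the attempt 80 seconds later falls outside the window and starts a fresh count.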
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users