In message <[email protected]>,
Michael Andrus writes:
>I am having trouble getting SEC to process events in a live log file
>generated by syslog-ng, while the same events are processed successfully
>when copied from that log file and echoed directly into a temporary
>input file. 
>
>/var/log/secure is the live log file generated via syslog-ng
>
>/tmp/sec is a plain text file which I echo lines of log data into
>to test the SEC rules.

Are you tailing /var/log/secure into /tmp/sec, or are you echoing
lines that look like /var/log/secure into /tmp/sec?

What does a state dump (send kill -USR1 to the sec process) show for
the lines in the buffer?

>I am running SEC 2.5.1 with perl 5.8.5 on CentOS 4 as root with the
>following options:
>
>/usr/bin/sec -conf=/etc/sec/sec.conf -input=/var/log/secure -input=/tmp/sec 
>-syslog=user -pid=/var/run/sec.pid -debug=6 -detach
>
>Any ideas why the events would be triggered from /tmp/sec but not
>from /var/log/secure?

Have you tried using od to dump both files (or run cmp -l) to see if
they are indeed identical? I have gotten bit by 8 bit (and
non-printable) chars in a log file that weren't obvious when viewed
with less.

>Here is my SEC configuration, if that helps.
>
># SEC configuration file
>
># CentOS 4 SSH PAM_OPIE Failed authentication
># Warning: This may ban an overzealous user who's having trouble w/ OPIE
># Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from x.x.x.x
>type=SingleWithThreshold
>ptype=RegExp
>pattern= (\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from (\d+\.\d+\.\d+\.\d+)
>desc=$0
>action=event 0 matched; ...
>window=15
>thresh=3
>
># CentOS 4 SSH PAM_OPIE Invalid user
># Feb 26 13:53:44 darkstar sshd[30185]: Failed keyboard-interactive/pam for invalid user lygia from x.x.x.x port 3965 ssh2
>type=SingleWithThreshold
>ptype=RegExp
>pattern= (\w+) sshd\[\d+\]: Failed keyboard-interactive/pam for invalid user \w+ from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2
>desc=$0
>action=event 0 matched; ...
>window=15
>thresh=3

One guess would be what \w+ matches in your locale, e.g. a user name of:

  hell^Ho

where ^H is backspace, which I don't think matches. Rather than \w+, maybe
[^\s]+ (i.e. match a sequence of non-space characters) may change things?

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
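The two checks suggested in the reply, spotting non-printable bytes that od or cmp -l would reveal, and comparing how \w+ and [^\s]+ behave on a user name containing a control character, can be tried offline with a small script. The following is an added example, not code from the thread or from SEC itself. It uses Python's re module, whose \w and \s semantics are close to but not identical with Perl's, rejoins the wrapped pattern from the first rule onto one line without the leading space, and uses two constructed log lines with the documentation address 192.0.2.10 in place of the redacted x.x.x.x.

```python
import re

# The first SEC rule's pattern from the thread, rejoined onto one line,
# and the variant with [^\s]+ in the user-name position as suggested.
PAM_FAIL_W = re.compile(
    r"(\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from "
    r"(\d+\.\d+\.\d+\.\d+)"
)
PAM_FAIL_NS = re.compile(
    r"(\w+) sshd\[\d+\]: error: PAM: Authentication failure for [^\s]+ from "
    r"(\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample lines (not real log data). CLEAN_LINE is what an echo
# into /tmp/sec would produce; LIVE_LINE simulates a syslog-ng line whose
# user name carries a backspace (0x08), as in the "hell^Ho" guess.
CLEAN_LINE = (b"Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: "
              b"Authentication failure for admin from 192.0.2.10\n")
LIVE_LINE = (b"Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: "
             b"Authentication failure for hell\x08o from 192.0.2.10\n")


def find_nonprintable(line: bytes) -> list:
    """Return (offset, byte) for every byte outside printable 7-bit ASCII,
    ignoring the trailing newline. This is the same information you would
    pick out of 'od -c' or 'cmp -l' output, one line at a time."""
    hits = []
    for offset, byte in enumerate(line.rstrip(b"\n")):
        if byte < 0x20 or byte > 0x7E:
            hits.append((offset, byte))
    return hits


def scan_lines(lines) -> list:
    """Run find_nonprintable over an iterable of byte lines and report
    (1-based line number, hits) for each line that has any."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        hits = find_nonprintable(line)
        if hits:
            report.append((lineno, hits))
    return report


def match_rule(pattern, line: bytes):
    """Apply a rule pattern to a raw log line; return (host, ip) on a match,
    None otherwise. Decoding as latin-1 keeps every byte as one character,
    so control and 8-bit bytes reach the regex unchanged."""
    m = pattern.search(line.decode("latin-1").rstrip("\n"))
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for lineno, hits in scan_lines([CLEAN_LINE, LIVE_LINE]):
        print(f"line {lineno}: non-printable bytes at {hits}")
    for name, pat in (("\\w+", PAM_FAIL_W), ("[^\\s]+", PAM_FAIL_NS)):
        print(name, "clean:", match_rule(pat, CLEAN_LINE),
              "live:", match_rule(pat, LIVE_LINE))
```

Run it as-is to see the \w+ rule match the echoed line but not the live one, while the [^\s]+ variant matches both; to check a real pair of files, feed `scan_lines(open(path, "rb"))` each file and compare the reports.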

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users