YES!!
Finally 'tis working as expected.

Thank you Risto and John for the much needed help.

Works!
-
module(load="omprog")
$template PerHostLog,"/varlog/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
# sec action comes before the per-host rule, so the &~ below cannot discard messages first
*.* action(type="omprog"
           binary="/usr/local/bin/sec.sh"
           template="RSYSLOG_TraditionalFileFormat")
if $fromhost-ip startswith '192.168.' then -?PerHostLog
&~
-
cat sec.sh
#!/bin/bash
/usr/bin/sec --conf=/etc/sec/sec.conf --notail --input=-
-/-


-James
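The fix in this thread is purely about ordering: a discard (`&~` after `-?PerHostLog`, or `*.* ~`) ends processing for the matching messages, so any omprog/sec action placed after it never sees them. The checker below is an added example (not code from the thread or from rsyslog/sec) that walks a rsyslog.conf and reports actions shadowed by an earlier discard. The sample configs, the `/var/log/remote` path and the simplified grammar (legacy selector lines, `&` continuations, `if ... then` lines, multi-line `action(...)` objects, `#` always starting a comment) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample (assumption, not the poster's exact file): the sec action
# sits after the per-host rule whose "&~" discards every 192.168.* message.
BROKEN_CONF = """\
module(load="omprog")
$template PerHostLog,"/var/log/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
if $fromhost-ip startswith '192.168.' then -?PerHostLog
&~
*.* action(type="omprog"
           binary="/usr/local/bin/sec.sh"
           template="RSYSLOG_TraditionalFileFormat")
"""

# Same statements with the sec action moved in front of the discard.
FIXED_CONF = """\
module(load="omprog")
$template PerHostLog,"/var/log/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
*.* action(type="omprog"
           binary="/usr/local/bin/sec.sh"
           template="RSYSLOG_TraditionalFileFormat")
if $fromhost-ip startswith '192.168.' then -?PerHostLog
&~
"""

# An unconditional discard shadows everything that follows it.
ALL_DISCARDED_CONF = """\
*.* ~
*.* /var/log/all.log
"""


@dataclass
class Finding:
    line: int                  # line of the unreachable action
    action: str                # the action text
    discard_line: int          # line of the discard that shadows it
    condition: Optional[str]   # None: the discard applies to every message


def _statements(conf: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text); RainerScript action(...) objects spanning several
    lines are joined until their parentheses balance (simplified grammar)."""
    lines = conf.splitlines()
    i = 0
    while i < len(lines):
        text = lines[i].split("#", 1)[0].strip()
        start = i + 1
        if text:
            depth = text.count("(") - text.count(")")
            while depth > 0 and i + 1 < len(lines):
                i += 1
                more = lines[i].split("#", 1)[0].strip()
                text += " " + more
                depth += more.count("(") - more.count(")")
            yield start, text
        i += 1


_IF_RE = re.compile(r"^if\s+(.+?)\s+then\s+(.+)$")


def _split(text: str, prev_cond: Optional[str]):
    """Return (kind, condition, target); kind is 'discard', 'action' or 'other'."""
    if text.startswith("&"):                      # continuation of the previous selector
        cond, target = prev_cond, text[1:].strip()
    elif _IF_RE.match(text):
        m = _IF_RE.match(text)
        cond, target = m.group(1), m.group(2)
    elif text.startswith("action("):              # bare RainerScript action: unconditional
        cond, target = None, text
    elif text.startswith("$") or re.match(r"^[a-z]+\(", text):
        return "other", prev_cond, text           # directive or module()/input() object
    else:
        parts = text.split(None, 1)               # legacy "selector target" line
        if len(parts) != 2:
            return "other", prev_cond, text
        sel, target = parts
        cond = None if sel == "*.*" else sel
    if target in ("~", "stop"):
        return "discard", cond, target
    return "action", cond, target


def check_config(conf: str) -> List[Finding]:
    """Report actions that an earlier discard prevents from ever receiving messages."""
    findings: List[Finding] = []
    discards: List[Tuple[int, Optional[str]]] = []
    prev_cond: Optional[str] = None
    for line_no, text in _statements(conf):
        kind, cond, target = _split(text, prev_cond)
        if kind == "other":
            continue
        prev_cond = cond
        if kind == "discard":
            discards.append((line_no, cond))
            continue
        for d_line, d_cond in discards:
            # An unconditional discard shadows every later action; a conditional one
            # shadows later actions for the messages matching its condition. Two
            # different conditions may only overlap, so that case is not reported.
            if d_cond is None or cond is None or d_cond == cond:
                findings.append(Finding(line_no, target, d_line, d_cond))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                       ("all-discarded", ALL_DISCARDED_CONF)):
        print(name, "->", check_config(conf) or "no unreachable actions")
```

Run against the broken sample it reports the omprog action on line 5 as unreachable for messages matching `$fromhost-ip startswith '192.168.'` because of the `&~` on line 4; the reordered sample produces no finding.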






On Tue, Jan 28, 2014 at 12:22 PM, Risto Vaarandi
<risto.vaara...@gmail.com> wrote:

> When looking into your rsyslog configuration, I spotted these statements:
>
> $template
> PerHostLog,"/varlog/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
>
> if $fromhost-ip startswith '192.168.' then -?PerHostLog
> &~
>
>
> This seems to send all messages from 192.168.0.0/16 to host-based
> files, and then quit further processing, since the -?PerHostLog
> destination is followed by &~ statement which terminates further
> processing.
> Therefore, if sec-related statements come later in the config file,
> they will never match any messages. If your config file has been
> arranged in this way, try moving sec-related stuff in front of the
> line
> if $fromhost-ip startswith '192.168.' then -?PerHostLog
>
> hth,
> risto
>
>
> 2014-01-28 James Lertora <fastpack...@gmail.com>:
> > Risto,
> >
> > It appears that sec is after all getting input from rsyslog, but it is
> only
> > from the local host, not from the syslogging from all of the network
> devices.
> > It appears this is an rsyslog config issue, but before I head over to the
> > rsyslog list, is there something I might change in the rsyslog.conf to
> > include the remote syslog events?
> >
> > Thanks very much again,
> >
> > James.
> >
> >
> >
> >
> >
> > On Tue, Jan 28, 2014 at 11:11 AM, Risto Vaarandi <risto.vaara...@seb.ee>
> > wrote:
> >>
> >> On 01/28/2014 06:02 PM, Risto Vaarandi wrote:
> >> > On 01/28/2014 05:51 PM, James Lertora wrote:
> >> >> John,
> >> >>
> >> >> rsyslog is starting sec. If I use service to stop rsyslog, sec will
> >> >> stop. If I use service to start rsyslog, sec starts up too.
> >> >>
> >> >> [root@host]# ps -ef | grep rsyslog
> >> >> root      4209     1  0 10:45 ?        00:00:00 /sbin/rsyslogd -i
> >> >> /var/run/syslogd.pid
> >> >> -
> >> >> and
> >> >> -
> >> >> [root@host]# ps -ef | grep sec
> >> >> root      4214  4209  0 10:45 ?        00:00:00 /bin/bash
> >> >> /usr/local/bin/sec.sh
> >> >> root      4216  4214  0 10:45 ?        00:00:00 /usr/bin/perl -w
> >> >> /usr/bin/sec --conf=/etc/sec/sec.conf --notail --input=-
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> I am not sure how to check with the "kill -USR1" or where to check
> the
> >> >> dump file.
> >> >
> >> > Assuming that the sec process ID is 4216 as in the above process list,
> >> > just send this process the USR1 signal:
> >> >
> >> > kill -USR1 4216
> >> >
> >> > This will produce /tmp/sec.dump dump file which contains a lot of info
> >> > about sec internals, including the lines which have been read from
> >> > inputs.
> >>
> >> ...also, if you wish to recreate the dump file, remove the existing file
> >> before reissuing USR1, since existing dump file is not overwritten.
> >>
> >> >
> >> > If you are not seeing any input delivered to sec, make sure there are
> no
> >> > ~ destinations used in rsyslog conf file. For example, the following
> >> > statements
> >> >
> >> > *.* ~
> >> > *.* /var/log/all.log
> >> >
> >> > will not write anything to /var/log/all.log, since *.* ~ discards all
> >> > messages without considering any further statements.
> >>
> >> For troubleshooting purposes I'd also recommend to enable logging from
> >> sec by using the --log command line option:
> >>
> >> /usr/bin/perl -w /usr/bin/sec --conf=/etc/sec/sec.conf --notail
> >> --input=- --log=/var/log/sec.log
> >>
> >> Having a look into /var/log/sec.log would help to discover potential
> >> syntax or logical errors in rule definitions.
> >>
> >> kind regards,
> >> risto
> >>
> >> >
> >> > regards,
> >> > risto
> >> >
> >> >>
> >> >> Thanks.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> On Tue, Jan 28, 2014 at 10:42 AM, John P. Rouillard <
> rou...@cs.umb.edu
> >> >> <mailto:rou...@cs.umb.edu>> wrote:
> >> >>
> >> >>
> >> >>      Hi James:
> >> >>
> >> >>      In message
> >> >>
> >> >> <cabboveiljfthaenmhs9yojossqbfhh--crbuxsww3ner1_f...@mail.gmail.com
> >> >>
> >> >> <mailto:
> cabboveiljfthaenmhs9yojossqbfhh--crbuxsww3ner1_f...@mail.gmail.com>>
> >> >>      ,
> >> >>      James Lertora writes:
> >> >>       > [...]
> >> >>       >If I point sec (/etc/sysconfig/sec) to the current days
> syslogs
> >> >>      are at,
> >> >>       >then life is good, so I need to use named pipes.
> >> >>       >
> >> >>       >I am using RHEL 6.5
> >> >>       >rsyslogd -v
> >> >>       >rsyslogd 7.4.9, compiled with:
> >> >>       >        FEATURE_REGEXP:                         Yes
> >> >>       >        FEATURE_LARGEFILE:                      No
> >> >>       >        GSSAPI Kerberos 5 support:              Yes
> >> >>       >        FEATURE_DEBUG (debug build, slow code): No
> >> >>       >        32bit Atomic operations supported:      Yes
> >> >>       >        64bit Atomic operations supported:      Yes
> >> >>       >        Runtime Instrumentation (slow code):    No
> >> >>       >        uuid support:                           Yes
> >> >>       >-
> >> >>       >SEC (Simple Event Correlator) 2.7.4
> >> >>       >l
> >> >>       >I have this in my rsyslog.conf:
> >> >>       >Module (load="omprog")
> >> >>       >*.* action(type="omprog"
> >> >>       >           binary="/usr/local/bin/sec.sh"
> >> >>       >           template="RSYSLOG_TraditionalFileFormat")
> >> >>       >-
> >> >>       >sec.sh contains:
> >> >>       >#!/bin/bash
> >> >>       >usr/bin/sec --conf=/etc/sec/sec.conf --notail --input=-
> >> >>       >
> >> >>       >But I cannot seem to get log messages to actually get handled
> by
> >> >> sec.
> >> >>
> >> >>      Just to note, I assume usr/bin/sec is a typo and not what is in
> >> >> your
> >> >>      .sh file?
> >> >>
> >> >>      Also is sec being started by rsyslog? ps -ef should tell you
> that.
> >> >>
> >> >>      Does sending the running SEC a kill -USR1 and looking at the
> dump
> >> >> file
> >> >>      show that the input stream is open?  Are there any events in the
> >> >> event
> >> >>      buffer?
> >> >>
> >> >>      --
> >> >>                                       -- rouilj
> >> >>      John Rouillard
> >> >>
> >> >>
> ===========================================================================
> >> >>      My employers don't acknowledge my existence much less my
> opinions.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> ------------------------------------------------------------------------------
> >> >> WatchGuard Dimension instantly turns raw network data into actionable
> >> >> security intelligence. It gives you real-time visual feedback on key
> >> >> security issues and trends.  Skip the complicated setup - simply
> import
> >> >> a virtual appliance and go from zero to informed in seconds.
> >> >>
> >> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> >> >>
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> Simple-evcorr-users mailing list
> >> >> Simple-evcorr-users@lists.sourceforge.net
> >> >> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >> >>
> >> >
> >> >
> >> >
> >> >
> ------------------------------------------------------------------------------
> >> > WatchGuard Dimension instantly turns raw network data into actionable
> >> > security intelligence. It gives you real-time visual feedback on key
> >> > security issues and trends.  Skip the complicated setup - simply
> import
> >> > a virtual appliance and go from zero to informed in seconds.
> >> >
> >> >
> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> >> > _______________________________________________
> >> > Simple-evcorr-users mailing list
> >> > Simple-evcorr-users@lists.sourceforge.net
> >> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >> >
> >> >
> >>
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >> WatchGuard Dimension instantly turns raw network data into actionable
> >> security intelligence. It gives you real-time visual feedback on key
> >> security issues and trends.  Skip the complicated setup - simply import
> >> a virtual appliance and go from zero to informed in seconds.
> >>
> >>
> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> >> _______________________________________________
> >> Simple-evcorr-users mailing list
> >> Simple-evcorr-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > WatchGuard Dimension instantly turns raw network data into actionable
> > security intelligence. It gives you real-time visual feedback on key
> > security issues and trends.  Skip the complicated setup - simply import
> > a virtual appliance and go from zero to informed in seconds.
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >
>
------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
