
receiving alert from source

snvsnv

Hello, friends,
I have installed the USM appliance. The task is to set up alerts in the system when an incident occurs on a source, 
for example entering an incorrect password.
The event sources are Linux (CentOS) systems that send their logs via syslog to a centralized syslog server. 
The syslog server collects logs from various sources, including the Linux systems.
I did the following:
1. On the syslog server, create the file 
/etc/rsyslog.d/alienvault.conf
------------------------------

2. On the OSSIM server 
2.1. Configured an rsyslog filter to parse the incoming logs from the syslog server: 
create the file
/etc/rsyslog.d/zzzzz_syslog.conf
------------------------------
# Messages arriving from the central syslog server (172.20.75.59) are written
# to their own file and not processed by any later rule.
if $fromhost-ip == '172.20.75.59' then {
    action(type="omfile" file="/var/log/syslog_collector.log")
    stop
}
In this file I set the destination for the syslog server's messages to the file syslog_collector.log.

2.2. Edit the syslog plugin
/etc/ossim/agent/plugins/syslog.cfg
----------------------------------
source=log
location=/var/log/syslog_collector.log
Here I changed the location to the file syslog_collector.log.

2.3. In the OSSIM SSH console:
Configure Sensor - Configure Data Source Plugins - syslog - Back - Apply all changes

Testing
I entered a wrong root password when connecting to the syslog server over SSH. 
On OSSIM the event is displayed in syslog_collector.log, but in the web console I don't see an alert for the syslog host.


Answers

  • snv,

    Events received via syslog are attributed to the host identified in the hostname field of the log entry. If your syslog server replaced the header when forwarding, then it will show as the source of the log itself.

    The best course for resolving this is to set up a blind forward of the syslog (syslog is re-sent without modifying the original syslog entry) which will then show as being delivered from the original host and not be rewritten as sourcing from the syslog server itself. The best source for information on how to configure this is the syslog server's documentation as the process for configuration differs from device to device.

    Alternatively, you could write the syslog rule on the original host to send to both the syslog server and the USM Sensor. 
  • I have a similar problem. According to my analysis, OSSIM sets the destination for the log entries not according to the name inside the log message but according to the IP address of the machine sending the log entries. From rsyslog.d:

    $template DYNlog,"/var/log/alienvault/devices/%fromhost-ip%/%fromhost-ip%.log"

    I added some lines with the IP of my syslog server:

    $template DYNlogHost,"/var/log/alienvault/devices/%hostname%/%hostname%.log"
    if $fromhost-ip == '10.xx.xxx.xx' \
    then     ?DYNlogHost

    and configured syslog to include the IP as the hostname. This resulted in the logs being stored in exactly the same directories and files as if the log message had come directly from the original host.
    However, not all plugins seem to agree :-(
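Both answers above turn on the same distinction: rsyslog's %fromhost-ip% (the peer that actually delivered the packet to the collector) versus %hostname% (the HOSTNAME field carried inside the syslog message). The script below is an added example, not code from this thread or from AlienVault. It parses constructed RFC 3164 lines for the original poster's failed-root-login test and shows where the stock %fromhost-ip% template (DYNlog) files a relayed message, where the second commenter's %hostname% override (DYNlogHost) files it, and why a relay that rewrites the header (the first answer's warning) loses the origin entirely. All IP addresses, hostnames and log lines are hypothetical, and the path templates are simplified copies of those quoted above.

```python
import re
from dataclasses import dataclass

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
# (deliberately simplified parser; real collectors accept more variants)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed sample data; addresses and names are hypothetical.
RELAY_IP = "172.20.75.59"        # the central syslog server from the thread
RELAY_HOSTNAME = "syslog01"
ORIGIN_IP = "192.0.2.10"         # a CentOS host whose sshd logged the event

FAILED_LOGIN = "Failed password for root from 198.51.100.7 port 51022 ssh2"

# The same event delivered four ways: (peer IP seen by the collector, raw line).
DIRECT = (ORIGIN_IP, f"<38>Mar 10 14:02:11 web01 sshd[1234]: {FAILED_LOGIN}")
RELAYED_PRESERVED = (RELAY_IP, f"<38>Mar 10 14:02:11 web01 sshd[1234]: {FAILED_LOGIN}")
RELAYED_REWRITTEN = (RELAY_IP, f"<38>Mar 10 14:02:11 {RELAY_HOSTNAME} sshd[1234]: {FAILED_LOGIN}")
RELAYED_IP_AS_HOST = (RELAY_IP, f"<38>Mar 10 14:02:11 {ORIGIN_IP} sshd[1234]: {FAILED_LOGIN}")


@dataclass(frozen=True)
class SyslogEvent:
    from_ip: str    # rsyslog's %fromhost-ip%: the peer that delivered the datagram
    hostname: str   # rsyslog's %hostname%: the HOSTNAME field inside the message
    tag: str
    msg: str


def parse_event(from_ip: str, raw: str) -> SyslogEvent:
    m = RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {raw!r}")
    return SyslogEvent(from_ip, m["host"], m["tag"], m["msg"])


def path_by_from_ip(ev: SyslogEvent) -> str:
    """The stock DYNlog template quoted in the thread, keyed on %fromhost-ip%.
    Everything relayed by the central server lands under the relay's own IP."""
    return f"/var/log/alienvault/devices/{ev.from_ip}/{ev.from_ip}.log"


def path_by_hostname(ev: SyslogEvent, relay_ips: frozenset) -> str:
    """The commenter's override (DYNlogHost): for peers that are known relays,
    key on %hostname% instead; direct senders keep the %fromhost-ip% path."""
    if ev.from_ip in relay_ips:
        return f"/var/log/alienvault/devices/{ev.hostname}/{ev.hostname}.log"
    return path_by_from_ip(ev)


def header_rewritten(ev: SyslogEvent, relay_names: dict) -> bool:
    """True when a relay replaced HOSTNAME with its own name. This is the first
    answer's point: the message then no longer identifies the origin at all, so
    only a blind forward (or sending from the origin directly) can fix it."""
    return relay_names.get(ev.from_ip) == ev.hostname


def route(from_ip: str, raw: str) -> dict:
    """Attribute one delivery both ways and flag a rewritten header."""
    ev = parse_event(from_ip, raw)
    return {
        "by_from_ip": path_by_from_ip(ev),
        "by_hostname": path_by_hostname(ev, frozenset({RELAY_IP})),
        "rewritten": header_rewritten(ev, {RELAY_IP: RELAY_HOSTNAME}),
    }


if __name__ == "__main__":
    cases = [("direct", DIRECT), ("relayed, header kept", RELAYED_PRESERVED),
             ("relayed, header rewritten", RELAYED_REWRITTEN),
             ("relayed, IP as hostname", RELAYED_IP_AS_HOST)]
    for name, delivery in cases:
        print(f"{name}:")
        for key, value in route(*delivery).items():
            print(f"  {key}: {value}")
```

The "IP as hostname" case reproduces the commenter's trick: once the origin host writes its own IP into the HOSTNAME field, the %hostname% override produces exactly the path a direct delivery would have produced, which is why the logs ended up in the same directories. The "header rewritten" case shows the failure the first answer describes: neither template can recover the origin, because the relay discarded it before forwarding; whether a given relay preserves the header depends on its forwarding template, so the relay's own documentation is the place to check.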