LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-29-2006, 12:21 AM   #1
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Rep: Reputation: 15
syslog-ng setup (for sshd and auth)


I recently went from SuSE 9.x to 10.0

Gone is syslog and syslog-ng is now here. I used to have a few very basic logs set up.

Example:

/etc/syslog.conf
#
# Auth Logging
#
auth.*   -/var/log/secure

I have No idea where or how to setup this basic thing in syslog-ng.

I'd also like to have SSHD connections (and attempts) logged and successful SSH logins emailed to root (or another email address).

Sounds like two simple setup items, but I've googled till my head began to spin and no luck.

Any tips folks?!

Many thanks in advance!
 
Old 01-29-2006, 05:08 PM   #2
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Original Poster
Rep: Reputation: 15
Anyone? ....
 
Old 01-29-2006, 08:09 PM   #3
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Here's an example syslog-ng.conf that does what you want.
Quote:
options {
# print stats line every 12 hours (default: 10 min)
stats(43200); };

# source
source s_src {
unix-stream("/dev/log");
internal();
file("/proc/kmsg" log_prefix("kernel: ")); };

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(s_src); filter(f_secure); destination(d_secure); };

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(s_src); filter(f_ssh); destination(d_ssh); };

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and not match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };
/tmp/mail.sh is the following shell script:
Code:
#!/bin/bash

# syslog-ng's program() destination feeds one log line per line on stdin
while read -r line
do echo "$line" | mail -s "Failed ssh attempt" root
done
One thing to keep in mind is that, if your ssh port is open to the world, you're going to have a lot of failed ssh attempts, and hence more email than you bargained for. For alternatives to the script above, see this thread.

Last edited by Berhanie; 01-29-2006 at 08:11 PM.
 
Old 01-30-2006, 03:05 AM   #4
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Original Poster
Rep: Reputation: 15

Quote:
Originally Posted by Berhanie
Here's an example syslog-ng.conf that does what you want....

One thing to keep in mind is that, if your ssh port is open to the world, you're going to have a lot of failed ssh attempts, and hence more email than you bargained for.
Yes, I understand the amount of email that would be generated if tracking the failed attempts. It was the "successful" ssh logins I wanted the emails on.
From original post
Quote:
and successful SSH logins emailed to
In the log setup you offered:
Code:
# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and not match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };
is the change required simply swapping out "failed" and putting "success" in its place?



Thank you for the reply and help!
 
Old 01-30-2006, 10:31 AM   #5
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Oops. I read your post too fast. Just delete the word "not" to send email on successful connections (successful ssh connections contain the string "Accepted"). Afterward, you may wish to examine your logs to make some adjustments, such as possibly making provisions for you to be notified of successful sftp connections.

The f_failed, f_ssh, etc. are simply identifiers and do not carry any semantics.

Last edited by Berhanie; 01-30-2006 at 10:54 AM.
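Berhanie's script from #3, adapted for the successful-login case settled in this post and with a guard against the mail flood warned about in #3. This is an added example, not the thread's /tmp/mail.sh: it assumes mail(1) is installed and that root is the recipient (both overridable through the MAIL_CMD and RECIPIENT variables); the batch size FAIL_BATCH and the install path /usr/local/sbin/ssh-notify.sh are my own choices, and the sshd log lines quoted in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the thread's /tmp/mail.sh: a notifier for syslog-ng's
# program() destination. It mails one message per accepted login and rolls
# failed attempts up into one summary per FAIL_BATCH lines, so an ssh port
# that is open to the world does not flood the mailbox.
# Assumed defaults: mail(1) as the mailer, root as the recipient, 50 as the batch size.

MAIL_CMD="${MAIL_CMD:-mail}"
RECIPIENT="${RECIPIENT:-root}"
FAIL_BATCH="${FAIL_BATCH:-50}"

# classify_line: print "success", "failure" or "other" for one sshd syslog line.
# The patterns anchor on "]: " (the end of the "sshd[pid]" tag), so a
# client-chosen username such as "Accepted" inside an "Invalid user ..." line
# is still counted as a failure. A bare match on the word "Accepted" would
# treat that line as a login.
# Constructed sample: "Jan 30 10:31:02 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2"
classify_line() {
    case "$1" in
        *'sshd['*']: Accepted '*)                               echo success ;;
        *'sshd['*']: Failed '*|*'sshd['*']: Invalid user '*)    echo failure ;;
        *)                                                      echo other ;;
    esac
}

# summarize_success: reduce an Accepted line to "user=... method=... from=... port=...".
summarize_success() {
    printf '%s\n' "$1" | sed -n \
        's/.*]: Accepted \([^ ]*\) for \([^ ]*\) from \([^ ]*\) port \([0-9]*\).*/user=\2 method=\1 from=\3 port=\4/p'
}

# process_stream: the loop syslog-ng drives, one log line per read.
process_stream() {
    fails=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            success)
                summarize_success "$line" | "$MAIL_CMD" -s "ssh login accepted" "$RECIPIENT" ;;
            failure)
                fails=$((fails + 1))
                if [ "$fails" -ge "$FAIL_BATCH" ]; then
                    printf '%s failed ssh attempts since the last summary\n' "$fails" \
                        | "$MAIL_CMD" -s "ssh failures" "$RECIPIENT"
                    fails=0
                fi ;;
        esac
    done
}

# Only start the stdin loop when asked to, so the functions can also be sourced.
# syslog-ng side (assumed path):
#   destination d_sshmail { program("/usr/local/sbin/ssh-notify.sh --stdin"); };
if [ "${1-}" = "--stdin" ]; then
    process_stream
fi
```

Whichever syslog-ng filter feeds the script, the script re-checks the line before mailing: the username in an "Invalid user ... from ..." line is supplied by the client, so a filter that only tests match("Accepted") would hand such a line over as if it were a login, and the "]: Accepted " anchor keeps it in the failure bucket.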
 
Old 01-30-2006, 04:34 PM   #6
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Original Poster
Rep: Reputation: 15

Hmmm it doesn't seem to be working.

I added:
Code:
# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };
(deleting 'not' as instructed.)

That was added (as root) to:
/etc/syslog-ng/syslog-ng.conf.in

I then ran SuSEconfig (as root), which imported it into:
/etc/syslog-ng/syslog-ng.conf

I then rebooted, su'ed up and back, connected out and in via ssh, and no logs.

Neither
/var/log/secure
or
/var/log/ssh.fail
exist at all....
 
Old 01-30-2006, 07:15 PM   #7
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Works fine on my end. Things you might try:

1. Take a look at the config file and test for grammatical errors (syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf).
2. Check other log files for informative messages (have a look especially at where messages with a facility of 'syslog' go).

Good luck.
 
Old 02-10-2006, 07:18 PM   #8
Shadow6
LQ Newbie
 
Registered: Jan 2006
Location: Australia - Brizvegas
Distribution: SUSE, FC3
Posts: 2

Rep: Reputation: 0
It worked for me too!
If it's still not working for you;

Firstly, I stopped syslog first.
Then I directly edited the .CONF file, not the .IN file.

Then restart it and see if it complains about syntax errors. Check as well that your names match up. The first time for me, I realised I had "s_src" as above, where in my file it was meant to be "src".

Cheers,
J
 
Old 02-14-2006, 09:36 PM   #9
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Original Poster
Rep: Reputation: 15

Quote:
Originally Posted by Berhanie
Works fine on my end. Things you might try:

1. Take a look at the config file and test for grammatical errors (syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf).
2. Check other log files for informative messages (have a look especially at where messages with a facility of 'syslog' go).

Good luck.
I ran that syslog-ng command you posted. No feedback at all, it just dropped back to the command line.

Was there something I needed to edit in what you initially posted? I simply cut/pasted the config info into:
/etc/syslog-ng/syslog-ng.conf.in

Then ran # SuSEconfig
 
Old 02-14-2006, 09:38 PM   #10
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Shadow6
It worked for me too!
If it's still not working for you;

Firstly, I stopped syslog first.
Then I directly edited the .CONF file, not the .IN file.

Then restart it and see if it complains about syntax errors. Check as well, that your names match up. First time for me I realised I had "s_src" as above, where in my file it was meant to be "src".

Cheers,
J
Hmmm, when I ran the # SuSEconfig command, I double-checked
/etc/syslog-ng/syslog-ng.conf

The commands had been copied over from the /etc/syslog-ng/syslog-ng.conf.in file.

I'm not sure what you mean with the s_src line. Forgive the newbie, but I'm still stuck.
 
Old 02-15-2006, 10:18 AM   #11
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Please post your syslog-ng.conf
 
Old 02-16-2006, 02:08 PM   #12
m15a4
Member
 
Registered: Sep 2003
Distribution: SuSE 10
Posts: 55

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Berhanie
Please post your syslog-ng.conf
#
# /etc/syslog-ng/syslog-ng.conf
#
# Automatically generated by SuSEconfig on Tue Feb 14 21:30:57 EST 2006.
#
# PLEASE DO NOT EDIT THIS FILE!
#
# you can modify /etc/syslog-ng/syslog-ng.conf.in instead
#
#
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
#
# include internal syslog-ng messages
# note: the internal() source is required!
#
internal();

#
# the following line will be replaced by the
# socket list generated by SuSEconfig using
# variables from /etc/sysconfig/syslog:
#
unix-dgram("/dev/log");

#
# uncomment to process log messages from network:
#
#udp(ip("0.0.0.0") port(514));
};


#
# Filter definitions
#
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };

filter f_mailinfo { level(info) and facility(mail); };
filter f_mailwarn { level(warn) and facility(mail); };
filter f_mailerr { level(err, crit) and facility(mail); };
filter f_mail { facility(mail); };

filter f_cron { facility(cron); };

filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };

filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert { level(alert); };


#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };


#
# News-messages in separate files:
#
destination newscrit { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };


#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };


#
# Cron-messages in one file:
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };


#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };


#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };


#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };


#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# ADDED per forum post...
options {
# print stats line every 12 hours (default: 10 min)
stats(43200); };

# source
source s_src {
unix-stream("/dev/log");
internal();
file("/proc/kmsg" log_prefix("kernel: ")); };

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(s_src); filter(f_secure); destination(d_secure); };

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(s_src); filter(f_ssh); destination(d_ssh); };

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(s_src); filter(f_failed); destination(d_failed); };

---end
filter f_failed { program(^sshd$) and not match("Accepted"); };

Was how the post initially went, but I deleted 'not' as stated in the follow-up.

Last edited by m15a4; 02-16-2006 at 02:13 PM.
 
Old 02-17-2006, 02:53 AM   #13
Shadow6
LQ Newbie
 
Registered: Jan 2006
Location: Australia - Brizvegas
Distribution: SUSE, FC3
Posts: 2

Rep: Reputation: 0
I'm not sure whether this would cause the problem, but it is erroneous either way.

You have two "source" definitions.

If you look at the top of your file, you will see the "source src" definition.
Then after your "ADDED PER FORUM POST..." comment, you have another source definition "source s_src".

I would recommend removing this definition (the s_src), and leaving the one already defined at the top.

Then you will need to update your lines (after the "added per foru..." comment), to reflect the proper one.

So...

# auth,authpriv.* -/var/log/secure
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(src); filter(f_secure); destination(d_secure); };

^^^ Changed to "src"

# log sshd successes and failures
filter f_ssh { program(^sshd$); };
destination d_ssh { file("/var/log/ssh.fail" fsync(no)); };
log { source(src); filter(f_ssh); destination(d_ssh); };

^^^ Change

# send email for every failed ssh attempt
filter f_failed { program(^sshd$) and match("Accepted"); };
destination d_failed { program("/tmp/mail.sh"); };
log { source(src); filter(f_failed); destination(d_failed); };

^^^ Change

Try that and see how it goes.

Also you might want to read up on the three main directives. You've been using them.

Filter. Destination. Log.

They're pretty easy to use, but it's good to understand. Often we just chuck things in, wanting it to work 'Now!'. Instead we waste more time.

Cheers
J
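Shadow6's diagnosis (a log{} statement naming a source spelled differently from the one defined, plus a second source block opening the same /dev/log socket as the first) is not something the `syslog-ng -s` syntax check Berhanie suggested in #7 reports, as the poster found: the file parses, so it prints nothing. The following is an added example and not part of the thread: a shell function wrapping awk that reads a syslog-ng.conf on stdin and reports undefined references, duplicate definitions, repeated options{} blocks and one socket path opened by two source blocks. Whether the duplicate /dev/log binding was the actual cause of the missing logs is not established in the thread, so the check only flags it for review. The sample config is constructed from the thread's own snippets.

```shell
# Added example, not from the thread: a consistency check for syslog-ng.conf
# that goes beyond the syntax-only "syslog-ng -s -f FILE" test.
# Usage: lint_syslog_ng_conf < /etc/syslog-ng/syslog-ng.conf
# Reports:
#   duplicate KIND NAME     - a source/filter/destination defined twice
#   options block appears N - more than one options{} block
#   path P opened by ...    - two source blocks open the same unix socket
#   undefined KIND NAME     - a log{} statement references a name never defined
lint_syslog_ng_conf() {
    awk '
    BEGIN { opts = 0; cur = "" }
    /^[ \t]*#/ { next }                                  # skip comment lines
    /^[ \t]*options[ \t]*\{/ { opts++; cur = ""; next }
    /^[ \t]*(source|filter|destination)[ \t]+[A-Za-z0-9_]+/ {
        kind = $1; name = $2; sub(/[{;].*/, "", name)
        if ((kind, name) in defined)
            printf("duplicate %s %s (lines %d and %d)\n", kind, name, defined[kind, name], NR)
        defined[kind, name] = NR
        cur = (kind == "source") ? name : ""             # remember the source block we are in
    }
    cur != "" && match($0, /unix-(stream|dgram)\("[^"]+"\)/) {
        path = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", path); sub(/".*/, "", path)
        if ((path in owner) && owner[path] != cur)
            printf("path %s opened by sources %s and %s (line %d)\n", path, owner[path], cur, NR)
        else
            owner[path] = cur
    }
    /^[ \t]*log[ \t]*\{/ {
        cur = ""
        rest = $0
        # collect every source(x)/filter(x)/destination(x) reference on the line
        while (match(rest, /(source|filter|destination)\([A-Za-z0-9_]+\)/)) {
            ref = substr(rest, RSTART, RLENGTH)
            kind = ref; sub(/\(.*/, "", kind)
            name = ref; sub(/^[a-z]*\(/, "", name); sub(/\)$/, "", name)
            refs[kind, name] = NR
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    END {
        if (opts > 1) printf("options block appears %d times\n", opts)
        for (k in refs) if (!(k in defined)) {
            split(k, p, SUBSEP)
            printf("undefined %s %s (referenced at line %d)\n", p[1], p[2], refs[k])
        }
    }'
}

# Constructed sample built from the thread: the SuSE "src" source, then the
# pasted block with its own options{} and "s_src" source, a filter defined
# twice, and a log statement with a misspelled source and an undefined filter.
SAMPLE_CONF='options { stats(3600); };
source src { internal(); unix-dgram("/dev/log"); };
filter f_secure { facility(auth, authpriv); };
destination d_secure { file("/var/log/secure" fsync(no)); };
log { source(src); filter(f_secure); destination(d_secure); };
# ADDED per forum post...
options { stats(43200); };
source s_src { unix-stream("/dev/log"); internal(); };
filter f_secure { facility(auth); };
log { source(s_sr); filter(f_ssh); destination(d_secure); };'

# lint_sample: run the check over the constructed config and return its report.
lint_sample() {
    printf '%s\n' "$SAMPLE_CONF" | lint_syslog_ng_conf
}
```

The check scans one-line log{} statements, which is the form every snippet in this thread uses; a log{} statement split across several lines would only have its first line examined. Run it on the real file with `lint_syslog_ng_conf < /etc/syslog-ng/syslog-ng.conf` after `syslog-ng -s` has passed, since it assumes a file that already parses.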
 
  

