
System Logs, Syslogs and Simple Event Correlation

VERSION 1 
Created on: Sep 14, 2009 11:21 AM by Noel Brockett - Last Modified:  Sep 14, 2009 11:21 AM by Noel Brockett

One method of chewing through logs on *nix (and most likely Windows) systems and feeding the results into ZenOSS. (Thanks to Risto for SEC and to Chet for getting me started with Net::Syslog.)

 

I'll try my hand at writing a recipe ...

 

Using Simple Event Correlator (http://kodu.neti.ee/~risto/sec/), one can chew through event streams looking for events of interest using event time windows, multiple event streams, event contexts, and so on. SEC is quite powerful and a great tool for your toolbox. However, the problem for me has been how to inject its results into the ZenOSS world. After consulting the SEC docs and the Net::Syslog docs, I was able to merge the two: SEC does the correlation, and Net::Syslog hands the correlated result to the Zen server as an ordinary syslog message.

 

 

Here's how.

1) I had the admin install the SEC perl script using the SEC RPM on the server of choice, and
2) give me rights to the SEC config files.
3) Then I had the admin install the Net::Syslog perl module from CPAN. I'll leave the details of the above to you.
4) And now the secret sauce. Once that was done, I added the following as my new rule file (sanitized with xxx throughout; the IP address is the Zen server, the log path is the application log to watch):

 

 

# On SEC startup/restart (internal events, so SEC must run with -intevents):
# 1. spawn a tail of the application log as an extra input stream, and
# 2. compile the %syslog routine that forwards a message to the Zen server.
# The trailing backslash continues the action list onto the next line.
type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART)
context=SEC_INTERNAL_EVENT
desc=Compile logging routine
action=spawn /usr/bin/tail -f /opt/xxx/logs/xxx.log ;\
eval %syslog ( sub { require Net::Syslog; my $syslog = Net::Syslog->new(SyslogHost => '10.xxx.xxx.xxx', Facility => 'syslog', Priority => 'warning'); $syslog->send("@_"); } )

# catch this event (sample line from the application log, sanitized):
#WARN  2008-04-30 13:02:15,652 xxx - xxx xxx xxx disabled after unsuccesful login attempts from IP address x.x.x.x
# Note that "unsuccesful" is spelled the way the application spells it; the pattern
# has to match the log text, not the dictionary.
type=SingleWithThreshold
ptype=RegExp
pattern=WARN .*,.* xxx - xxx xxx .* disabled after unsuccesful login attempts from IP address .*
desc=Multiple user accounts disabled
action=call %o %syslog Multiple user accounts disabled
thresh=3
window=3600

# add new rules here

In a nutshell, the first rule fires on SEC startup and attaches the new event stream (this could equally be done with SEC's -input option), loads Net::Syslog, and builds my %syslog subroutine, which points syslog events at my Zen server. If the application log gets rotated, consider tail -F (GNU tail) instead of tail -f so the spawned reader follows the new file. The second rule counts matching lines and, once 3 or more arrive within the 3600-second (60-minute) window, calls %syslog to shoot a new syslog event to the Zen server. Once it is on the Zen server you can map the event and react as needed (spam the admin that a script kiddie is attacking, in this case).

The important detail here is the first rule, which defines how results are sent to your Zen server. It is very simple, but it is all that's needed to get SEC integrated into the ZenOSS world. After that, the rest is up to you.
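To make the two pieces above concrete without a SEC or Zen server at hand, here is an added example (my own code, not from the page, SEC, or Net::Syslog) that emulates them offline: a SingleWithThreshold-style counter with thresh=3 and window=3600 run over a handful of constructed WARN lines, and the RFC 3164 syslog datagram that a Facility => 'syslog', Priority => 'warning' forward carries. The host name "sec-host", the tag "sec", the log lines and the IP addresses are all made up for the example; SEC itself stamps events with arrival time, whereas this emulation reads the time out of each line so the run is reproducible.

```python
"""Offline emulation of the SEC rules on this page (added example, not SEC or
Net::Syslog code): a SingleWithThreshold-style counter over constructed WARN
lines, plus the RFC 3164 syslog datagram a 'syslog'/'warning' forward carries."""
import re
import socket
from collections import deque
from datetime import datetime, timedelta

# Same intent as the SEC pattern, anchored a little tighter. "unsuccesful" is
# spelled the way the (sanitized) application log spells it, so keep it.
LOCKOUT_RE = re.compile(
    r"^WARN\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .* "
    r"disabled after unsuccesful login attempts from IP address (?P<ip>\S+)"
)
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# RFC 3164 numeric codes behind Net::Syslog's Facility => 'syslog', Priority => 'warning'.
FACILITY_SYSLOG = 5
SEVERITY_WARNING = 4


def syslog_pri(facility: int, severity: int) -> int:
    """PRI value that opens every syslog datagram: facility * 8 + severity."""
    return facility * 8 + severity


def build_syslog_datagram(msg: str, when: datetime, hostname: str = "sec-host",
                          tag: str = "sec", facility: int = FACILITY_SYSLOG,
                          severity: int = SEVERITY_WARNING) -> str:
    """BSD-syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss host tag: msg.
    hostname and tag are assumed values; the day is space-padded per the RFC."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


def send_udp(datagram: str, host: str, port: int = 514) -> None:
    """Ship one datagram over UDP/514, the transport Net::Syslog uses by default.
    UDP syslog is unauthenticated and easy to spoof, so only let the Zen server
    accept 514/udp from the SEC host, or relay over a TLS-capable syslog daemon."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram.encode("utf-8"), (host, port))


class SingleWithThreshold:
    """Approximation of SEC's SingleWithThreshold: once `thresh` matches fall
    inside a sliding `window`, run `action` once; later matches in the window are
    absorbed, and the operation resets after a full window with no new match."""

    def __init__(self, pattern, thresh: int, window: int, desc: str, action):
        self.pattern, self.thresh = pattern, thresh
        self.window = timedelta(seconds=window)
        self.desc, self.action = desc, action
        self.hits = deque()   # times of matches inside the current window
        self.fired = False

    def feed(self, line: str, now: datetime):
        if not self.pattern.search(line):
            return None
        if self.hits and now - self.hits[-1] > self.window:   # window ran out: start over
            self.hits.clear()
            self.fired = False
        while self.hits and now - self.hits[0] > self.window:  # slide the window
            self.hits.popleft()
        self.hits.append(now)
        if len(self.hits) >= self.thresh and not self.fired:
            self.fired = True
            return self.action(self.desc, now)
        return None


# Constructed sample input shaped like the page's sanitized line (not real data).
SAMPLE_LINES = [
    "WARN  2008-04-30 13:02:15,652 app - user alice disabled after unsuccesful login attempts from IP address 203.0.113.7",
    "INFO  2008-04-30 13:05:00,001 app - scheduled job finished",
    "WARN  2008-04-30 13:10:00,120 app - user bob disabled after unsuccesful login attempts from IP address 203.0.113.7",
    "WARN  2008-04-30 13:20:30,004 app - user carol disabled after unsuccesful login attempts from IP address 203.0.113.7",
    "WARN  2008-04-30 13:25:00,777 app - user dave disabled after unsuccesful login attempts from IP address 203.0.113.7",
    "WARN  2008-04-30 15:00:00,000 app - user erin disabled after unsuccesful login attempts from IP address 198.51.100.9",
]


def event_time(line: str) -> datetime:
    """SEC uses arrival time; offline we take the timestamp embedded in the line."""
    return datetime.strptime(TS_RE.search(line).group(0), "%Y-%m-%d %H:%M:%S")


def run_demo(lines=SAMPLE_LINES):
    """Feed lines through the rule; return the datagrams that would go to Zen."""
    sent = []
    rule = SingleWithThreshold(
        LOCKOUT_RE, thresh=3, window=3600, desc="Multiple user accounts disabled",
        action=lambda desc, when: sent.append(build_syslog_datagram(desc, when)))
    for line in lines:
        rule.feed(line, event_time(line))
    return sent


if __name__ == "__main__":
    for datagram in run_demo():
        print(datagram)   # replace with send_udp(datagram, "10.xxx.xxx.xxx") to forward
```

Running it yields exactly one datagram, triggered by the third lockout at 13:20:30; the fourth lockout five minutes later is absorbed, and the one at 15:00 starts a fresh count because more than an hour has passed. The PRI of 44 is what a Zen server's syslog collector will decode back into facility syslog, severity warning when it maps the event.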
Please consider contributing SEC rules for future consumption.

Brian Nafziger

 

~~~~~

Make sure that SEC runs with internal events (-intevents) in the configs; without it the SEC_STARTUP/SEC_RESTART events never fire and the first rule never compiles %syslog.

This was enabled by default on my RPM install:

# normal startup
# -detach -conf=/etc/sec/*.sec -input=/var/log/messages
# -log=/var/log/sec -intevents -pid=/var/run/sec.pid

~~~~~

A nice, albeit overwhelming, rule to forward every remaining WARN event to Zen ($0 is the whole matched line). Placed after the threshold rule, it only sees WARN lines that an earlier rule did not already consume:

# catch all
#
#type=Single
#ptype=RegExp
#pattern=(WARN)
#desc=Forward to syslog
#action=call %o %syslog $0
