petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Sat Dec 25, 2004 1:53 am Post subject: [SOLVED] syslog_ng - run script on passwordfailure
On http://www.gentoo.org/doc/en/gentoo-security.xml I read, for metalog:
Quote:
If you want to be notified by email whenever a password failure occurs use one of the following scripts.
[...]
Then uncomment the command line under "Password failures" in /etc/metalog/metalog.conf like:
Code:
command = "/usr/local/sbin/mail_pwd_failures.sh"
I would like to do the same using syslog_ng. At the same site I read:
Quote:
Syslog-ng provides some of the same features as syslog and metalog with a small difference. It can filter messages based on level and content (like metalog), provide remote logging like syslog, handle logs from syslogd (even streams from Solaris), write to a TTY, execute programs, and it can act as a logging server. Basically it is the best of both loggers combined with advanced configuration.
So I'm wondering how to do this using syslog_ng. Does anyone know?
Last edited by petterg on Thu Dec 30, 2004 2:07 pm; edited 1 time in total
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Sun Dec 26, 2004 5:17 pm Post subject:
Are you sure you posted the link you were planning to post?
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
Posted: Tue Dec 28, 2004 10:42 am Post subject:
I am, I just didn't have the time to search over the full mailing list, but I'm sure you're not alone with the problem.
Syslog-ng is highly configurable as well as Metalog.
_________________
mb
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Tue Dec 28, 2004 2:06 pm Post subject:
I might be blind and/or dumb, but I can't see any search functionality there
hensan l33t
Joined: 26 Jun 2003 Posts: 868 Location: Sweden
Posted: Tue Dec 28, 2004 2:37 pm Post subject:
In syslog-ng, sending stuff to a program is done with the 'program' destination:
Code:
destination d_auth { program("/path/to/script"); };
Combine that with a filter:
Code:
filter f_auth { facility(auth,authpriv) and level(notice); };
and a log statement:
Code:
log { source(src); filter(f_auth); destination(d_auth); };
I haven't done any advanced syslogging in a while, but when I last looked into this, syslog-ng worked by launching the script/program when syslog-ng was started and then sent the logs to its stdin. So you'll have to make the script a loop that sends what it gets on stdin.
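As an added example, not code from the thread or from syslog-ng itself: a script of the kind the post above describes for the program() destination. syslog-ng starts it once and writes each log line that passes the filter to its stdin, so the script loops over stdin instead of exiting after one line, and mails only the lines that contain the failure strings the thread later settles on. The install path reuses the metalog script name quoted in the first post; the recipient, the mail(1) invocation and the IMAP failure string are assumptions, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a script for syslog-ng's program()
# destination. syslog-ng launches it once and feeds every filtered log line
# to stdin, so the script loops over stdin and ends only when syslog-ng
# closes the pipe (for instance on restart).
#
# Assumed install path (reusing the metalog script name from the thread):
#   /usr/local/sbin/mail_pwd_failures.sh
# Assumed syslog-ng side:
#   destination d_auth { program("/usr/local/sbin/mail_pwd_failures.sh"); };

MAIL_TO="${MAIL_TO:-root}"   # assumption: alert recipient, overridable via env

# is_failure LINE: true if LINE is one of the login-failure messages.
# The sshd strings come from the thread; "LOGIN FAILED" is an assumed
# placeholder for whatever your IMAP daemon logs on a bad password.
is_failure() {
    case "$1" in
        *"Failed password"*|*"illegal user"*|*"Illegal user"*|*"LOGIN FAILED"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# filter_failures: read stdin, print only the failure lines. Kept separate
# from the mailing step so it can be exercised with constructed input.
filter_failures() {
    while IFS= read -r line; do
        if is_failure "$line"; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# count_failures: like filter_failures but prints only the number of matches.
count_failures() {
    n=0
    while IFS= read -r line; do
        if is_failure "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# send_alert LINE: mail one failure line. Assumes a mail(1)/mailx client;
# swap in whatever your system provides.
send_alert() {
    printf '%s\n' "$1" | mail -s "Password failure on $(hostname)" "$MAIL_TO"
}

# run_loop: the loop syslog-ng actually drives, one mail per matching line.
run_loop() {
    while IFS= read -r line; do
        if is_failure "$line"; then
            send_alert "$line"
        fi
    done
}

# Constructed sample input (not real logs) for trying the filter offline:
#   printf '%s\n' "$SAMPLE_LOG" | filter_failures
SAMPLE_LOG='Dec 30 12:00:01 gw sshd[4242]: Failed password for root from 192.0.2.5 port 2222 ssh2
Dec 30 12:00:02 gw sshd[4243]: Accepted publickey for alice from 192.0.2.6 port 2223 ssh2
Dec 30 12:00:03 gw sshd[4244]: Illegal user bob from 192.0.2.7
Dec 30 12:00:04 gw imapd[4245]: LOGIN FAILED, user=carol, ip=[192.0.2.8]'

# Only start the loop when invoked under the installed script name, so the
# functions can also be sourced and tested without touching mail.
case "${0##*/}" in
    mail_pwd_failures.sh) run_loop ;;
esac
```

Because the matching lives in the script, the syslog-ng filter can stay broad (facility and program only) and the script decides what is worth a mail; if you later tighten the syslog-ng filter with match() instead, the case patterns here double as documentation of what the regex has to cover.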
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
Posted: Tue Dec 28, 2004 6:23 pm Post subject:
Well, this was meant to be a full archive download, so basically:
_________________
mb
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Wed Dec 29, 2004 2:09 pm Post subject:
I'm able to filter out everything from facilities / programs, and trigger scripts, but I can't figure out how to filter out what has to do with failed logins. For example, imap logins and smtp-auth do not show up in the auth or authpriv facility. Everything from sshd comes in the auth facility at info level, no matter if it's a failed login or debug information.
Seems like I have to pass all logs from all services that deal with logins to a script, and do some reg-expr in the script to figure out if it should handle or ignore.
hensan l33t
Joined: 26 Jun 2003 Posts: 868 Location: Sweden
Posted: Wed Dec 29, 2004 2:32 pm Post subject:
Use the program filter to catch the messages that don't use the auth facility, and the match filter to catch only messages that contain the word failed.
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Thu Dec 30, 2004 12:52 am Post subject:
In fact that is the problem - match() appears to not make any difference on the filter.
How would the config of a filter for this look? One that
filters out the facilities auth and authpriv,
the programs imap and imap-ssl,
and matches the strings "Failed password" or "illegal user"
hensan l33t
Joined: 26 Jun 2003 Posts: 868 Location: Sweden
Posted: Thu Dec 30, 2004 12:15 pm Post subject:
Something like:
Code:
filter f_auth {
    # 'and' binds tighter than 'or', so without the parentheses the match
    # would only be applied to the imap-ssl messages.
    (facility(auth, authpriv) or
     program("imap") or
     program("imap-ssl")) and
    match("(Failed password|illegal user)");
};
petterg Guru
Joined: 25 Mar 2004 Posts: 500 Location: Oslo, Norway
Posted: Thu Dec 30, 2004 2:07 pm Post subject:
IT WORKS! :)
Thanks a lot.