where does the incoming syslog go?


Shawn

Nov 5, 2015, 11:05:11 AM11/5/15
to security-onion
Where does the incoming syslog go? Is it saved in a temp directory? Can I make a copy of it and save it for X number of days? I'm trying to figure out how to archive the syslog if I need to retain it. I would also like to point OSSEC to the directory to alert on the incoming syslog too.

Wes

Nov 5, 2015, 11:28:54 AM11/5/15
to security-onion
Shawn,
I believe this goes to /var/log/syslog.

Ultimately, it goes to ELSA's local database on the sensor (I think it's syslog_data).

Thanks,
Wes

Shawn

Nov 5, 2015, 12:01:20 PM11/5/15
to security-onion

Thanks, Wes. I have been watching the local syslog file and I only see CRON syslog entries showing all the hourly purge commands being run. I'm starting to believe my idea of using sub-interfaces to collect syslog is not working. How can I make sure syslog-ng/Security Onion is actually listening on the sub-interfaces I created and parsing and archiving the incoming syslog?


SO-Server:/var/log# netstat -inv
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 97614 0 0 0 0 0 0 0 BMPORU
eth1 1500 0 19405650 0 0 0 3733616 0 0 0 BMRU
eth1:1 1500 0 - no statistics available - BMRU
eth1:2 1500 0 - no statistics available - BMRU
eth1:3 1500 0 - no statistics available - BMRU
eth1:4 1500 0 - no statistics available - BMRU
eth2 1500 0 2545 0 0 0 0 0 0 0 BMPORU
eth3 1500 0 2545 0 0 0 0 0 0 0 BMPORU
lo 65536 0 185452 0 0 0 185452 0 0 0 LRU

Wes

Nov 5, 2015, 1:01:51 PM11/5/15
to security-onion
Shawn,

Try having a look here:

http://truica-victor.com/security-onion-elsa/

It states "Syslog-NG writes raw files to /nsm/elsa/data/elsa/tmp/buffers/ and loads them into the index and archive tables"

I'm sorry if I misspoke before, as I am still learning all the time :)

I hope this helps.

Thanks,
Wes

Kevin Branch

Nov 5, 2015, 2:07:16 PM11/5/15
to securit...@googlegroups.com
Actually, as I understand it, syslog-ng feeds all of the incoming syslog records it receives from across the network directly to ELSA, with no intermediate flat text file involved:

destination d_elsa { program("perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf" template(t_db_parsed)); };

If you want to independently archive and inspect all the raw syslog records coming from your network, you will need to configure SO's syslog-ng to write them all to a text file by adding something like this to /etc/syslog-ng/syslog-ng.conf:

destination d_network_syslog { file("/var/log/network_syslog.log"); };
log { source(s_network); destination(d_syslog_network); };

Then add something like this to /var/ossec/etc/ossec.conf so that this new log source is monitored by OSSEC:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/mail.log</location>
</localfile>

Then restart both:

service syslog-ng restart
service ossec-hids-server restart

You can also get logs from Windows, Mac, and Linux computers back to ELSA and under OSSEC inspection by installing and setting up the OSSEC agent on those devices.  That gives additional HIDS benefits beyond plain syslog collection, but the OSSEC agent does not work for other devices like switches, APs, firewalls, etc.

I hope that helps,
Kevin






Kevin Branch

Nov 5, 2015, 2:11:08 PM11/5/15
to securit...@googlegroups.com
CORRECTIONS:

If you want to independently archive and inspect all the raw syslog records coming from your network, you will need to configure SO's syslog-ng to write them all to a text file by adding something like this to /etc/syslog-ng/syslog-ng.conf:

destination d_network_syslog { file("/var/log/network_syslog.log"); };
log { source(s_network); destination(d_network_syslog); };

Then add something like this to /var/ossec/etc/ossec.conf so that this new log source is monitored by OSSEC:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/network_syslog.log</location>
</localfile>
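
An added example, not from Kevin's posts or the Security Onion project: the two snippets above differ only in a destination name, and a log statement that references a destination (or source) that was never defined is exactly the kind of slip that is hard to catch by eye. syslog-ng's own syntax check (`syslog-ng -s`) is the authoritative test before a restart; the small Python checker below just makes visible what that check is looking for. It collects every `source NAME { ... };` / `destination NAME { ... };` definition and every `source(NAME)` / `destination(NAME)` reference inside `log { ... };` statements, and reports references with no definition. The `s_network` source definition embedded here is a constructed stand-in for the one SO's full syslog-ng.conf provides elsewhere; the destination name and file path are the ones from the posts.

```python
import re

# Constructed stand-in for the network source that Security Onion's full
# syslog-ng.conf defines elsewhere; only its name matters to this checker.
BASE_CONF = """
source s_network { udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514)); };
"""

# The snippet as first posted: the log statement references d_syslog_network,
# but the destination was defined as d_network_syslog.
ORIGINAL_SNIPPET = BASE_CONF + """
destination d_network_syslog { file("/var/log/network_syslog.log"); };
log { source(s_network); destination(d_syslog_network); };
"""

# The snippet from the CORRECTIONS post: names now match.
CORRECTED_SNIPPET = BASE_CONF + """
destination d_network_syslog { file("/var/log/network_syslog.log"); };
log { source(s_network); destination(d_network_syslog); };
"""

# Top-level object definitions: "destination NAME {", "source NAME {", ...
DEF_RE = re.compile(r"^\s*(source|destination|filter|parser)\s+(\w+)\s*\{", re.M)
# Bodies of log { ... }; statements (non-greedy, so each statement is separate)
LOG_RE = re.compile(r"\blog\s*\{(.*?)\};", re.S)
# References inside a log body: "source(NAME)", "destination(NAME)", ...
REF_RE = re.compile(r"\b(source|destination|filter|parser)\(\s*(\w+)\s*\)")


def strip_comments(conf):
    """syslog-ng treats '#' to end of line as a comment; drop those first."""
    return re.sub(r"#[^\n]*", "", conf)


def definitions(conf):
    """Set of (kind, name) for every object defined at top level."""
    return set(DEF_RE.findall(strip_comments(conf)))


def references(conf):
    """Ordered list of (kind, name) referenced inside log {} statements."""
    refs = []
    for body in LOG_RE.findall(strip_comments(conf)):
        refs.extend(REF_RE.findall(body))
    return refs


def dangling_references(conf):
    """References in log {} statements with no matching definition, in the
    order they appear. An empty list means every name resolves."""
    defined = definitions(conf)
    return [(kind, name) for kind, name in references(conf)
            if (kind, name) not in defined]


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_SNIPPET), ("corrected", CORRECTED_SNIPPET)):
        missing = dangling_references(conf)
        status = "ok" if not missing else ", ".join(f"{k}({n}) is undefined" for k, n in missing)
        print(f"{label}: {status}")
```

Run it as-is and the original snippet reports `destination(d_syslog_network) is undefined` while the corrected one reports `ok`. To check a real file, read `/etc/syslog-ng/syslog-ng.conf` (and any files it includes) into one string and pass it to `dangling_references`; the checker does not follow `@include` directives, which is one more reason to let `syslog-ng -s` have the final word.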

Wes

Nov 5, 2015, 2:11:56 PM11/5/15
to security-onion
Thanks for the clarification, Kevin!

Shawn

Nov 5, 2015, 2:26:07 PM11/5/15
to security-onion
Thanks, I'm going to try that now. If I want to skip creating the flat file, is it still possible to have OSSEC watch all the incoming syslog messages and alert me? I really liked some of the rules I created back when I had ArcSight, which emailed me when someone su to root on a server where that shouldn't have been allowed.

You also mentioned the OSSEC agent does not work on other devices like switches. I thought OSSEC had the ability to SSH into many different types of network devices and provide some additional levels of security that syslog collection alone does not provide?

Thanks again for the response.

Wes

Nov 5, 2015, 3:17:02 PM11/5/15
to security-onion

> If I want to skip creating the flat file is it still possible to have OSSEC watch all the incoming syslog messages and alert me? I really liked some of the rules I created back when I had ArcSight which emailed me when someone su to root on a server where that shouldn't have been allowed.

You can configure OSSEC to send emails via /var/ossec/etc/ossec.conf.
(See: https://github.com/Security-Onion-Solutions/security-onion/wiki/Email)

> You also mentioned the OSSEC agent does not work on other devices like switches. I thought OSSEC had the ability to SSH into many different types of network devices and provide some additional levels of security that syslog collection alone does not provide?

I believe you can accomplish this with agentless monitoring.
(http://ossec-docs.readthedocs.org/en/latest/manual/agent/agentless-monitoring.html)

Thanks,
Wes

Kevin Branch

Nov 5, 2015, 4:33:45 PM11/5/15
to securit...@googlegroups.com
Syslog-NG is your SO system's syslog receiver.  If you make OSSEC your syslog receiver instead, then the log records won't make it into ELSA.  If you don't want to create the flat file, you could use a FIFO:

create a fifo

mkfifo /var/log/ossec_in

add to /etc/syslog-ng/syslog-ng.conf

destination d_ossec_fifo { pipe("/var/log/ossec_in"); };
log { source(s_network); destination(d_ossec_fifo); };

add to /var/ossec/etc/ossec.conf:

<localfile>
   <log_format>syslog</log_format>
   <location>/var/log/ossec_in</location>
</localfile>

Kevin
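
An added illustration, not from Kevin's post or Security Onion: a FIFO has no storage of its own beyond the kernel pipe buffer, so the arrangement above only works while OSSEC is actually reading `/var/log/ossec_in`. The Python script below stands in for both ends, the syslog-ng `pipe()` writer and the OSSEC logcollector reader: it pushes a few constructed syslog records through a FIFO and then shows the failure mode an operator should expect when the reader is missing, namely that a non-blocking open of the FIFO for writing fails with `ENXIO` (and a blocking open would simply hang until a reader appears). The FIFO is created under a temporary directory rather than `/var/log`, and the host names and addresses in the records are made up.

```python
import errno
import os
import tempfile
import threading

# Constructed sample records in the shape a syslog receiver hands to a pipe()
# destination; hosts and addresses are invented for the demo.
SAMPLE_RECORDS = [
    "Nov  5 14:33:45 core-sw1 sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234 ssh2",
    "Nov  5 14:33:46 fw-edge kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP DPT=23",
    "Nov  5 14:33:47 app01 su: (to root) shawn on pts/0",
]


def drain_fifo(path, sink):
    """Stand-in for OSSEC's logcollector: open the FIFO for reading (this
    blocks until a writer connects) and collect lines until the writer
    closes its end, which the reader sees as end-of-file."""
    with open(path, "r") as fifo:
        for line in fifo:
            sink.append(line.rstrip("\n"))


def run_fifo_pipeline(records):
    """Create a FIFO, start a reader, and write the records through it the way
    a pipe() destination would. Returns the lines the reader collected."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ossec_in")
        os.mkfifo(path, 0o600)            # same idea as 'mkfifo /var/log/ossec_in'
        received = []
        reader = threading.Thread(target=drain_fifo, args=(path, received))
        reader.start()
        with open(path, "w") as fifo:     # blocks until the reader has opened its end
            for record in records:
                fifo.write(record + "\n")
        reader.join(timeout=5)            # writer closed, so the reader hits EOF and exits
        return received


def probe_without_reader():
    """Show the failure mode: with nobody reading the FIFO, a non-blocking
    open for writing is refused. Returns the errno name (ENXIO on Linux)
    or 'opened' if the open unexpectedly succeeded."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ossec_in")
        os.mkfifo(path, 0o600)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_NONBLOCK)
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))
        os.close(fd)
        return "opened"


if __name__ == "__main__":
    for line in run_fifo_pipeline(SAMPLE_RECORDS):
        print("reader got:", line)
    print("open for write with no reader:", probe_without_reader())
```

The practical consequence for the setup above: if ossec-hids-server is stopped or fails to open the `<location>`, nothing buffers the network syslog stream on the FIFO side, so the flat-file variant from the earlier post is the safer choice when retention matters, and the FIFO variant is worth pairing with a check that OSSEC's logcollector actually reported opening `/var/log/ossec_in` in `/var/ossec/logs/ossec.log` after the restart.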


Daniel

Nov 6, 2015, 7:33:12 AM11/6/15
to security-onion
Wouldn't it still make it into ELSA, just the ossec-archived bucket instead of the syslog one?

Kevin Branch

Nov 6, 2015, 3:07:07 PM11/6/15
to securit...@googlegroups.com
If you make OSSEC your syslog listener, you could configure OSSEC to forward HIDS alerts via syslog to the syslog-ng instance on some alternate port.  This way OSSEC HIDS alerts would make it into ELSA, but not the full syslog stream.  Any syslog records that don't trip an alert would not end up in ELSA.

On Fri, Nov 6, 2015 at 7:33 AM, Daniel <noghri...@gmail.com> wrote:
> Wouldn't it still make it into ELSA, just the ossec-archived bucket instead of the syslog one?