ufw log?


Shane Castle

Jun 26, 2015, 8:10:06 AM
to securit...@googlegroups.com
Doug, in researching one of the questions today I realized that
logrotate.d has an entry for ufw (/var/log/ufw.log) but its action is
set to reload rsyslog, which of course has been replaced by syslog-ng,
and syslog-ng does not have any definition for ufw. This means that no
logs are being recorded on behalf of ufw.

So anyway - do we care? Not sure if it lends itself easily to SO-only
mods. It might be a bug that should be reported to Ubuntu?

--
Mit besten Grüßen
Shane Castle

Shane Castle

Jun 26, 2015, 3:19:49 PM
to securit...@googlegroups.com
A followup - one of the tasks I'm setting for myself in the next week is
to enable ufw logging, run some scans against the management interface,
and see what is recorded. It might wind up being a useful addition to OSSEC.

Shane Castle

Jun 27, 2015, 10:49:04 AM
to securit...@googlegroups.com
More on ufw logging.

The ufw logging does not work because the ufw logs are staying in dmesg, that is, /proc/kmsg, and are not getting to any syslog components at all. Attached is a diff of /etc/syslog-ng/syslog-ng.conf showing my changes.

Now that I see ufw logs I will see what else I can do with them. I already have locked myself out several times 'cos of the OSSEC active response, using nmap from my host system to the VM.

BTW I added the ufw logrotate as well, correctly I think.

syslog-ng-ufw-diff.txt
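Once the kernel messages reach /var/log/ufw.log, the lines look like the constructed sample below. This is an added example, not code from this thread, from Security Onion or from OSSEC: it parses the ufw/netfilter key=value format and flags sources that hit several distinct blocked ports, the kind of pattern a scan against the management interface leaves behind. Host name, addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample: what syslog-ng writes to /var/log/ufw.log once kernel
# messages are routed there (host name, addresses and timestamps are made up).
SAMPLE_LOG = """\
Jun 27 10:49:01 so-vm kernel: [ 1234.5678] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 10:49:01 so-vm kernel: [ 1234.5690] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Jun 27 10:49:01 so-vm kernel: [ 1234.5701] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
Jun 27 10:49:01 so-vm kernel: [ 1234.5712] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=8080 SYN URGP=0
Jun 27 10:49:05 so-vm kernel: [ 1238.0001] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jun 27 10:49:06 so-vm kernel: [ 1239.0002] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.20 PROTO=UDP SPT=5353 DPT=5353 LEN=100
Jun 27 10:49:07 so-vm sshd[123]: Accepted publickey for analyst from 192.0.2.99 port 51000 ssh2
"""

# "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT]" ... followed by netfilter key=value fields
UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")

def parse_ufw_line(line):
    """Return a dict for one ufw log line, or None for lines ufw did not write."""
    m = UFW_RE.search(line)
    if not m:
        return None
    # Bare flags such as SYN or DF carry no '=' and are simply skipped here.
    kv = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return {
        "action": m.group("action"),
        "iface": kv.get("IN", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
    }

def scan_suspects(lines, threshold=5):
    """Map each source that hit >= threshold distinct blocked ports to its sorted port list."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK" and rec["src"] and rec["dpt"] is not None:
            ports[rec["src"]].add(rec["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    for src, p in scan_suspects(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(f"{src} probed {len(p)} blocked ports: {p}")
```

Replace SAMPLE_LOG with the contents of /var/log/ufw.log and raise the threshold to suit the host; ALLOW lines are counted separately from BLOCK lines so permitted traffic never trips the check.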

Doug Burks

Jul 7, 2015, 11:30:54 AM
to securit...@googlegroups.com
Thanks, Shane!

I've created Issue 770 to look into this:
https://github.com/Security-Onion-Solutions/security-onion/issues/770
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com