Additional configuration steps may be required for the SCSP IDS Agent to work properly with syslog-ng and rsyslog logging daemons

Article:HOWTO54685  |  Created: 2011-06-23  |  Updated: 2011-06-23  |  Article URL http://www.symantec.com/docs/HOWTO54685
Article Type
How To



I. Overview 

 

The SCSP IDS agent supports syslogd, syslog-ng, and rsyslog system logging daemons. The standard UNIX system logging daemon should work without any additional user configuration. However, syslog-ng and rsyslog may have been installed with their configuration and start scripts at non-standard locations. If this is the case then additional configuration steps may be required for the SCSP IDS Agent to work properly with these logging daemons. This document attempts to outline some of the assumptions made by the SCSP IDS Agent regarding the system logging daemon so that SCSP users can adjust their configuration to conform to SCSP's assumptions. 

 

II. System Logging Daemon Selection 

 

The SCSP IDS Agent can be explicitly configured to use a particular logging system. The "Syslog Daemon" key in the "Syslog Collector" section of LocalAgent.ini is provided for this purpose. Changes to this setting do not take effect until the sisidsdaemon is restarted. Example LocalAgent.ini:

 

[Syslog Collector]
#Syslog Daemon=DEFAULT 

 

The valid values for the "Syslog Daemon" key are DEFAULT, SYSLOGD, SYSLOGNG, and RSYSLOGD. When a value other than DEFAULT is specified, the SCSP IDS Agent will attempt to configure and use that type of system logger. The installed logger must conform to the assumptions outlined in sections III and IV. 

If the SCSP IDS Agent fails to configure and start the system logger specified in LocalAgent.ini, or if no logger type is explicitly specified, the IDS agent will attempt to detect the logging daemon in use by querying the running process list for the process names syslogd, syslog-ng, and rsyslogd (in that order). If the IDS agent does not find one of those processes running, it then attempts to start the logging daemons in the following order: syslogd, syslog-ng, and finally rsyslogd (see IV. System Logging Daemon Start Script). 
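As an added illustration of the selection order just described (example code written for this edit, not part of the Symantec article or of the SCSP product), the following POSIX shell functions reproduce the agent's order of preference so an administrator can predict which logger the agent will settle on before restarting it. The key values, the three process names and their order come from the article; the function names, the use of a `ps -eo comm=` style listing on stdin, and the treatment of an unrecognised key value as a fall-through to detection are assumptions of this example.

```shell
# Added example: emulate the SCSP IDS Agent's logger selection (article section II).
# Input for detect_syslog_daemon is one command per line, e.g.:  ps -eo comm=
# (assumption: the agent's own scan is equivalent to matching the process basename).

detect_syslog_daemon() {
    awk '
        { cmd = $1; sub(/^.*\//, "", cmd)          # keep only the basename of the command
          if (cmd == "syslogd" || cmd == "syslog-ng" || cmd == "rsyslogd") seen[cmd] = 1 }
        END {
            # Same order the agent queries in: the first one found wins.
            if ("syslogd"   in seen) { print "SYSLOGD";  exit }
            if ("syslog-ng" in seen) { print "SYSLOGNG"; exit }
            if ("rsyslogd"  in seen) { print "RSYSLOGD"; exit }
            print "NONE"   # agent would now try the start scripts of section IV, in the same order
        }'
}

# $1 = value of the "Syslog Daemon" key (use DEFAULT when the key is commented out).
# A valid explicit value is used as-is; DEFAULT falls through to process detection.
# Assumption of this example: an unrecognised value is treated like DEFAULT, with a warning.
resolve_syslog_daemon() {
    case "$1" in
        SYSLOGD|SYSLOGNG|RSYSLOGD) echo "$1" ;;
        DEFAULT|"")                detect_syslog_daemon ;;
        *) echo "warning: unrecognised Syslog Daemon value '$1', falling back to detection" >&2
           detect_syslog_daemon ;;
    esac
}

# Constructed process listing for the demo: no syslogd, but syslog-ng and rsyslogd running.
SAMPLE_PROCS='sched
/usr/lib/inet/inetd
/usr/local/sbin/syslog-ng
/usr/sbin/rsyslogd'

printf '%s\n' "$SAMPLE_PROCS" | resolve_syslog_daemon DEFAULT    # prints SYSLOGNG
```

On a live host replace the constructed listing with `ps -eo comm= | resolve_syslog_daemon DEFAULT` (or pass the value currently set in LocalAgent.ini); a result of NONE means the agent would fall back to the start commands in section IV.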

 

III. System Logging Daemon Configuration 

 

The SCSP IDS Agent assumes that the system logging daemon configuration file(s) are located at the following paths. 

 

syslogd   - "/etc/syslog.conf"
syslog-ng - "/etc/syslog-ng/syslog-ng.conf"
rsyslogd  - "/etc/rsyslog.conf"

 

If the configuration file(s) are not at the assumed location, a symlink from the assumed path to the actual path must be created. For example, on RHEL 5.4 syslog-ng installs its configuration at /usr/local/etc/syslog-ng.conf, but it could just as well be located anywhere, depending on the build configuration options used when the package was created.

 

example (the first argument to ln -s is the real file, the second is the assumed path the agent reads):

ln -s /usr/local/etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
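The check below is an added example (not from the article) that verifies the section III assumption on a live or staged system: it tests whether each assumed path resolves to a real file, distinguishes a dangling symlink from a missing file, and creates the symlink with ln's arguments in the order the agent needs. The three paths are the article's; the root-prefix parameter (so the check can be rehearsed on a scratch tree) and the function names are this example's own.

```shell
# Added example: check the section III assumption about configuration-file paths.

assumed_conf_path() {            # $1 = SYSLOGD | SYSLOGNG | RSYSLOGD (paths from the article)
    case "$1" in
        SYSLOGD)  echo /etc/syslog.conf ;;
        SYSLOGNG) echo /etc/syslog-ng/syslog-ng.conf ;;
        RSYSLOGD) echo /etc/rsyslog.conf ;;
        *) return 1 ;;
    esac
}

# $1 = logger type, $2 = root prefix ("" for the live system, a scratch dir for a dry run).
# Prints ok | dangling-link | missing and returns non-zero unless the file is reachable.
check_logger_conf() {
    rel=$(assumed_conf_path "$1") || { echo "unknown logger type: $1" >&2; return 2; }
    path="$2$rel"
    if [ -f "$path" ]; then          # -f follows symlinks, so a correct link passes
        echo ok
    elif [ -L "$path" ]; then        # a link exists but its target does not
        echo dangling-link; return 1
    else
        echo missing; return 1
    fi
}

# Create the symlink the article calls for: the real file is ln's first argument,
# the path the agent reads is the second.
link_logger_conf() {             # $1 = logger type, $2 = real config file, $3 = root prefix
    rel=$(assumed_conf_path "$1") || return 2
    link="$3$rel"
    mkdir -p "$(dirname "$link")"
    ln -s "$2" "$link"
}

# Demo on a constructed scratch tree mirroring the RHEL 5.4 case in the text.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/local/etc"
echo 'options { };' > "$ROOT/usr/local/etc/syslog-ng.conf"
echo "before link: $(check_logger_conf SYSLOGNG "$ROOT" || true)"     # missing
link_logger_conf SYSLOGNG "$ROOT/usr/local/etc/syslog-ng.conf" "$ROOT"
echo "after link:  $(check_logger_conf SYSLOGNG "$ROOT")"             # ok
rm -rf "$ROOT"
```

Run `check_logger_conf SYSLOGNG ""` on the real host before restarting the agent; a dangling-link result usually means the package was rebuilt with a different prefix after the link was made.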

 

IV. System Logging Daemon Start Script  

 

The SCSP IDS agent uses the following commands to start the system logging daemons (per OS platform): 

Linux/Solaris 9


syslogd   - "/etc/init.d/syslog start"
syslog-ng - "/etc/init.d/syslog start"
rsyslogd  - "/etc/init.d/rsyslog start"

 

Solaris 10
syslogd   - "/usr/sbin/svcadm enable svc:/system/system-log"
syslog-ng - "/usr/sbin/svcadm enable svc:/system/system-log"
rsyslogd  - "/usr/sbin/svcadm enable svc:/network/rsyslog"

 

HP-UX
syslogd   - "/sbin/init.d/syslogd start"
syslog-ng - "/sbin/init.d/syslog-ng start"
rsyslogd  - "/sbin/init.d/rsyslogd start"

 

AIX
syslogd   - "/usr/bin/startsrc -s syslogd"
syslog-ng - "/usr/bin/startsrc -s syslog-ng"
rsyslogd  - "/usr/bin/startsrc -s rsyslogd"

 

Tru-64
syslogd   - "/usr/sbin/syslogd -e"

 

V. Platform Specific Instructions 

 

Steps to install and use SCSP with syslog-ng on Solaris 10:

 

 ----------------------------------------
| SETTING UP SYSLOG-NG FOR USE WITH SCSP |
 ----------------------------------------

 

 

Note: SCSP agent requires the configuration file to be located at:

 

/etc/syslog-ng/syslog-ng.conf

 

and the SMF service name to be the same as syslogd:

 

 

svc:/system/system-log

 

 

Therefore, if using an existing config, please symlink it (step 2 below), and if syslog-ng is already set up under different SMF service names, please rename the service to system-log.   

 

Also, it is important to start the syslog-ng daemon in 'background' process mode rather than the default foreground mode, which makes it appear that two instances are running; this causes a problem for the SCSP agent, which will not be able to monitor if two instances are running. Therefore add --process-mode=background to the syslog-ng startup script. 

 

After downloading and installing all syslog-ng packages (and dependencies) from sunfreeware.com:

 

 1. Create the directory /etc/syslog-ng

 

     # cd /etc
     # mkdir /etc/syslog-ng
     # chmod 755 /etc/syslog-ng
     # chown root:sys /etc/syslog-ng

 

 

  2. If using the default configuration file provided by the SMCsyslng package, follow steps in (a), otherwise if using an existing configuration, follow steps in (b).

 

    (a). Copy configuration file into /etc/syslog-ng

       # cp /usr/local/doc/syslogng/doc/examples/syslog-ng.conf.solaris /etc/syslog-ng/syslog-ng.conf
       # chmod 644 /etc/syslog-ng/syslog-ng.conf && chown root:sys /etc/syslog-ng/syslog-ng.conf

    (b). Symlink to the existing configuration file (i.e. /etc/syslog-ng.conf).

       # ln -s /etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf

 

 3. Check the correctness of the configuration

 

      # /usr/local/sbin/syslog-ng -v -s -f /etc/syslog-ng/syslog-ng.conf

      IMPORTANT NOTE: If you get the following error from syslog-ng: "Conversion from character set '646' to 'UTF-8' is not supported"

      create /usr/local/lib/charset.alias (or add to it) the following line:

      646 ISO-8859-1

 

 4. Disable syslogd and remove from the database the original syslogd SMF service manifest

 

     # svcadm disable svc:/system/system-log
     # svccfg
      svc:> delete system-log*
      svc:> quit 

   

 5. Save a copy of the original syslogd SMF manifest and method files

 

     # cp /lib/svc/method/system-log /lib/svc/method/system-log.orig
     # cp /var/svc/manifest/system/system-log.xml  /var/svc/manifest/system/system-log.xml.orig

 

 6. Copy/Modify the Syslog-ng service manifest and method files to the following locations:

 

     /var/svc/manifest/system/system-log.xml
     /lib/svc/method/system-log

Note: If using the manifest and method files provided with the SMCsyslng package, the service name, method filename, and daemon options need to be changed as they do not work out-of-the-box.  Below are diffs of the changes needed:

# diff /usr/local/doc/syslogng/contrib/solaris-packaging/syslog-ng.example.xml /var/svc/manifest/system/system-log.xml
7c7
<     name='system/syslog-ng'
---
>     name='system/system-log'
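Review bot: the rename to name='system/system-log' only works if step 4's "svccfg delete system-log*" has already removed the stock syslogd service, otherwise the import in step 7 collides with the existing FMRI; it is also the name the agent's Solaris 10 start command (svcadm enable svc:/system/system-log, section IV) depends on, so it must match exactly.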
68c68
<       exec='/lib/svc/method/syslog-ng %m'
---
>       exec='/lib/svc/method/system-log %m'
78c78
<       exec='/lib/svc/method/syslog-ng %m'
---
>       exec='/lib/svc/method/system-log %m'
88c88
<       exec='/lib/svc/method/syslog-ng %m'
---
>       exec='/lib/svc/method/system-log %m'
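Review bot: the three exec hunks point every method at /lib/svc/method/system-log, but step 6 only says to copy the method file there; unlike step 4 of the Solaris 8/9 procedure (chmod 744, chown root:sys), no mode or ownership is set for the method, so set them explicitly after the copy rather than relying on what cp carried over, since svc.startd has to execute that file.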
# diff /usr/local/doc/syslogng/contrib/solaris-packaging/syslog-ng.method /lib/svc/method/system-log
12c12
< SYSLOGNG_PREFIX=/opt/syslog-ng
---
> SYSLOGNG_PREFIX=/usr/local
14,15c14,15
< CONFFILE=$SYSLOGNG_PREFIX/etc/syslog-ng.conf
< PIDFILE=$SYSLOGNG_PREFIX/var/run/syslog-ng.pid
---
> CONFFILE=/etc/syslog-ng/syslog-ng.conf
> PIDFILE=/var/run/syslog-ng.pid
18c18
< OPTIONS=
---
> OPTIONS="-f $CONFFILE -p $PIDFILE --process-mode=background"
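Review bot: this is the hunk that applies the --process-mode=background fix described in the note above, so keep it when adapting the method file; the -p $PIDFILE option is also what makes step 8's pid-file comparison meaningful, because without it syslog-ng would not write /var/run/syslog-ng.pid. Keep the double quotes, as the value contains spaces.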
27c27
<         ${SYSLOGNG.EN_US} --syntax-only
---
>         ${SYSLOGNG.EN_US} -f $CONFFILE --syntax-only
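Review bot: "${SYSLOGNG.EN_US}" is not a valid shell parameter name (a dot cannot appear in one), so the line as shown would fail in the method's syntax-check step; it looks like an artifact of how the diff was captured. Apply only the intended change, adding "-f $CONFFILE" to the --syntax-only invocation, and keep whatever variable the method file actually uses for the daemon path.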

 


 7. Validate and Import the Syslog-ng SMF manifest, and enable the service:

 

     # svccfg
      svc:> validate /var/svc/manifest/system/system-log.xml
      svc:> import /var/svc/manifest/system/system-log.xml
      svc:> quit
     # svcadm -v enable system-log

 

 8. Verify that only one instance of syslog-ng is running and that it matches the PIDFILE (/var/run/syslog-ng.pid).  If syslog-ng is not running check the SMF svc log: /var/svc/log/system-system-log\:default.log

 

          # ps -ef | grep syslog-ng

 

 9. Send test message to Syslog-ng using the logger command:

 

       # logger -p daemon.crit syslog-ng test

      Check tail of /var/adm/messages. It should have  a line like:

       Oct 27 15:16:40 local@scsp-sol10 root: [ID 702911 daemon.crit] syslog-ng test

 

 --------------------------------------------------
| SETTING UP SCSP TO WORK WITH SYSLOG-NG ON SOL 10 |
 --------------------------------------------------

 

 

 1. Stop SCSP IDS agent

 

    # /etc/init.d/sisidsagent stop

 

 2. Switch to use syslog-ng in IDS LocalAgent.ini (Don't forget to remove the comment '#' when changing the value):

 

    a) Edit the /opt/Symantec/scspagent/IDS/system/LocalAgent.ini
    b) In the [Syslog Collector] section, switch Syslog Daemon from DEFAULT to SYSLOGNG
    c) IMPORTANT: Make sure the Syslog NG Source is correct for your configuration

 

    The "[Syslog Collector]" section should look something like this:

 

[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=local # name in the config for internal and /dev/log sources (aka 'src' or 's_sys', etc)
#Syslog NG Filter=scsp_filter

 

 3. Start the SCSP IDS agent. 

 

    # /etc/init.d/sisidsagent start

 

 4. Verify the following lines were added to the /etc/syslog-ng/syslog-ng.conf file:

 

# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(local); filter(scsp_filter); destination(scsp_dest); };

 

 5. Generate some syslog messages (e.g. login/logout) with the appropriate policy applied. Verify that the event is generated as expected.

 

Steps to install and use SCSP with syslog-ng on Solaris 8/9:

 

 

 ----------------------------------------
| SETTING UP SYSLOG-NG FOR USE WITH SCSP |
 ----------------------------------------

 

 

Note: SCSP agent requires the configuration file to be located at /etc/syslog-ng/syslog-ng.conf, and the startup script to be /etc/init.d/syslog (for Solaris 8 and 9). Therefore, if syslog-ng is already set up with different startup or configuration scripts, please make sure there are at least symlinks at those paths pointing to the existing startup and configuration files.

Also, it is important to start the syslog-ng daemon in 'background' process mode rather than the default foreground mode, which makes it appear that two instances are running; this causes a problem for the SCSP agent, which will not be able to monitor if two instances are running. Therefore add --process-mode=background to the syslog-ng startup script.

 

After downloading and installing all syslog-ng packages (and dependencies) from sunfreeware.com:

 1. Create the directory /etc/syslog-ng

     # cd /etc
     # mkdir /etc/syslog-ng
     # chmod 755 /etc/syslog-ng
     # chown root:sys /etc/syslog-ng

 

 2. If using the default configuration file provided by the SMCsyslng package, follow steps in (a), otherwise if using an existing configuration, follow steps in (b).

    (a). Copy configuration file into /etc/syslog-ng

       # cp /usr/local/doc/syslogng/doc/examples/syslog-ng.conf.solaris /etc/syslog-ng/syslog-ng.conf
       # chmod 644 /etc/syslog-ng/syslog-ng.conf && chown root:sys /etc/syslog-ng/syslog-ng.conf

    (b). Symlink to the existing configuration file (i.e. /etc/syslog-ng.conf).

       # ln -s /etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf

 

 3. Check the correctness of the configuration

       # /usr/local/sbin/syslog-ng -v -s -f /etc/syslog-ng/syslog-ng.conf

 

 4. Copy startup script into /etc/init.d and modify it:

    # cp /etc/init.d/syslog /etc/init.d/syslog.orig
    # cp /usr/local/doc/syslogng/contrib/init.d.solaris /etc/init.d/syslog
    # chmod 744 /etc/init.d/syslog && chown root:sys /etc/init.d/syslog

 

Note: If using the above startup script from the SMCsyslng package, a couple of changes are necessary to get it to work with SCSP. Here is a diff of the changes I made to get it working correctly:

< OPTIONS="-f /etc/syslog-ng/syslog-ng.conf"
---
> PID_FILE=/var/run/syslog-ng.pid
> CONF_FILE=/etc/syslog-ng/syslog-ng.conf
> OPTIONS="-f $CONF_FILE -p $PID_FILE --process-mode=background"
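Review bot: this first hunk has lost its range header (the later headers 16c18 and 28c30 show a two-line offset, consistent with one OPTIONS line being replaced by these three), so when applying it by hand locate the original OPTIONS= line rather than a line number. Moving -p into OPTIONS here is what the 28c30 hunk relies on; the two must be applied together.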
16c18
<               if [ -f /etc/syslog-ng/syslog-ng.conf -a -f /usr/local/sbin/syslog-ng ]; then
---
>               if [ -f $CONF_FILE -a -f $DAEMON ]; then
28c30
<                       $DAEMON $OPTIONS -p /etc/syslog-ng/syslog-ng.pid
---
>                       $DAEMON $OPTIONS
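Review bot: with -p now taken from OPTIONS, the pid file moves from /etc/syslog-ng/syslog-ng.pid to /var/run/syslog-ng.pid (PID_FILE above); the verification text in step 6 still names /etc/syslog-ng/syslog-ng.pid and should be updated to match, otherwise the check compares against a file that is never written.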
33,35c35,37
<               if [ -f /etc/syslog-ng/syslog-ng.pid ]; then
<                       syspid=`/usr/bin/cat /etc/syslog-ng/syslog-ng.pid`
<                       [ "$syspid" -gt 0 ] && kill -15 $syspid && rm /etc/syslog-ng/syslog-ng.pid
---
>               if [ -f $PID_FILE ]; then
>                       syspid=`/usr/bin/cat $PID_FILE`
>                       [ "$syspid" -gt 0 ] && kill -15 $syspid && rm -f $PID_FILE
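Review bot: in the stop branch, [ "$syspid" -gt 0 ] && kill -15 $syspid && rm -f $PID_FILE removes the pid file only when kill succeeds, so a stale pid file left by a daemon that died keeps the old pid indefinitely, and an empty pid file makes the -gt test print an error instead of failing cleanly; consider removing the pid file regardless of kill's result and guarding the comparison with a non-empty test on $syspid.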

 


 5. Shut down the original syslogd

 

     # /etc/init.d/syslog.orig stop

 

 6. Start syslog-ng

 

     # /etc/init.d/syslog start    

   

    Verify that only one instance of syslog-ng is running and that it matches the PID in the /etc/syslog-ng/syslog-ng.pid

     # ps -ef |grep syslog-ng

 

 7. Send test message using logger

 

     # logger -p daemon.crit syslog-ng test

 

     Check tail of /var/adm/messages. It should have  a line like:

       Oct 28 12:08:30 local@scsp-sol9 root: [ID 702911 daemon.crit] syslog-ng test
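Step 8 of the Solaris 10 procedure and step 6 here both ask you to confirm that exactly one syslog-ng instance is running and that its PID matches the pid file. The shell function below is an added example (not from the article) that automates that check against a "PID COMMAND" listing such as `ps -eo pid=,comm=` produces, and reports the double-instance symptom the foreground-mode note warns about. The pid-file path is passed in, so it serves both the /var/run and the /etc/syslog-ng location; the listing format and the function name are this example's assumptions.

```shell
# Added example: confirm a single syslog-ng instance whose PID matches the pid file.
# Listing on stdin is "PID COMMAND" per line, e.g.:  ps -eo pid=,comm=
# (assumption: the command column is the executable, possibly with its full path).

verify_single_syslogng() {       # $1 = pid file written by syslog-ng (-p option)
    pidfile=$1
    [ -r "$pidfile" ] || { echo "no-pidfile:$pidfile"; return 1; }
    want=$(tr -d ' \n' < "$pidfile")
    awk -v want="$want" '
        { cmd = $2; sub(/^.*\//, "", cmd)                 # basename of the command
          if (cmd == "syslog-ng") { n++; pids = pids " " $1 } }
        END {
            if (n == 0) { print "none-running"; exit 1 }   # check the SMF log or init script output
            if (n > 1)  { print "multiple-instances:" pids; exit 1 }   # foreground-mode symptom
            if (pids != (" " want)) { print "pid-mismatch: ps=" pids " pidfile=" want; exit 1 }
            print "ok"
        }'
}

# Demo with a constructed pid file and listings.
PIDFILE=$(mktemp)
echo 1234 > "$PIDFILE"
printf '1 sched\n1234 /usr/local/sbin/syslog-ng\n' | verify_single_syslogng "$PIDFILE"   # ok
printf '1234 /usr/local/sbin/syslog-ng\n1235 /usr/local/sbin/syslog-ng\n' \
    | verify_single_syslogng "$PIDFILE" || echo "-> two instances: add --process-mode=background"
rm -f "$PIDFILE"
```

On the host itself: `ps -eo pid=,comm= | verify_single_syslogng /var/run/syslog-ng.pid` (or the /etc/syslog-ng path if that is where your script writes it). A non-zero exit with multiple-instances is the condition that stops the SCSP agent from monitoring.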

 

 ---------------------------------------------------
| SETTING UP SCSP TO WORK WITH SYSLOG-NG ON SOL 8/9 |
 ---------------------------------------------------

 

 

 1. Stop SCSP IDS agent

 

    # /etc/init.d/sisidsagent stop

 

 2. Switch to use syslog-ng in IDS LocalAgent.ini (Don't forget to remove the comment '#' when changing the value):

    a) Edit the /opt/Symantec/scspagent/IDS/system/LocalAgent.ini
    b) In the [Syslog Collector] section, switch Syslog Daemon from DEFAULT to SYSLOGNG
    c) IMPORTANT: Make sure the Syslog NG Source is correct for your configuration

    The "[Syslog Collector]" section should look something like this:

[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=local # name in the config for internal and /dev/log sources (aka 'src' or 's_sys', etc)
#Syslog NG Filter=scsp_filter
 

 

 3. Start the SCSP IDS agent. 

 

    # /etc/init.d/sisidsagent start

 

 4. Verify the following lines were added to the /etc/syslog-ng/syslog-ng.conf file:

# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(local); filter(scsp_filter); destination(scsp_dest); };

 5. Generate some syslog messages (e.g. login/logout) with the appropriate policy applied. Verify that the event is generated as expected.
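Step 2(c) in both the Solaris 10 and the Solaris 8/9 procedures stresses that the Syslog NG Source value must name a source that actually exists in syslog-ng.conf, and step 4 in each lists the lines the agent appends. The functions below are an added example (not the agent's own code) that read the key from LocalAgent.ini, stripping the trailing "#" comment the article shows on that line, and verify that the SCSP destination, filter and log statement are present and that the log statement reads from the configured source. The INI and syslog-ng.conf samples are constructed for the demo; the function names are this example's assumptions.

```shell
# Added example: check that the agent's "Syslog NG Source" names a source defined in
# syslog-ng.conf and that the SCSP lines from step 4 are present.

# $1 = ini file, $2 = section (without brackets), $3 = key.  Prints the value with any
# trailing "# comment" removed; lines commented out with '#' are ignored, as in the
# article's example file (assumption: the agent parses comments the same way).
ini_value() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/[ \t]+$/, "", s); insec = (s == sec); next }
        insec && substr($0, 1, 1) != "#" {
            k = $1; sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, length($1) + 2)        # everything after the first "="
                sub(/[ \t]*#.*$/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# $1 = syslog-ng.conf, $2 = source name.  Prints ok, or the first thing found missing.
check_scsp_block() {
    conf=$1; src=$2
    grep -q "^[[:space:]]*source[[:space:]][[:space:]]*$src[[:space:]]*[{]" "$conf" \
        || { echo "source-undefined:$src"; return 1; }
    grep -q '^destination scsp_dest' "$conf" || { echo "missing-destination"; return 1; }
    grep -q '^filter scsp_filter'    "$conf" || { echo "missing-filter"; return 1; }
    grep -q "^log[[:space:]]*[{][[:space:]]*source($src);[[:space:]]*filter(scsp_filter);[[:space:]]*destination(scsp_dest);" "$conf" \
        || { echo "missing-log-statement"; return 1; }
    echo ok
}

check_agent_source() {           # $1 = LocalAgent.ini, $2 = syslog-ng.conf
    src=$(ini_value "$1" "Syslog Collector" "Syslog NG Source")
    [ -n "$src" ] || { echo "no-source-configured"; return 1; }
    check_scsp_block "$2" "$src"
}

# Constructed samples for the demo, modelled on the article's step 2 and step 4 listings.
SAMPLE_INI='[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=local # name in the config for internal and /dev/log sources
#Syslog NG Filter=scsp_filter'

SAMPLE_CONF='source local { sun-streams("/dev/log"); internal(); };
destination messages { file("/var/adm/messages"); };
log { source(local); destination(messages); };
# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(local); filter(scsp_filter); destination(scsp_dest); };'

WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_INI"  > "$WORK/LocalAgent.ini"
printf '%s\n' "$SAMPLE_CONF" > "$WORK/syslog-ng.conf"
check_agent_source "$WORK/LocalAgent.ini" "$WORK/syslog-ng.conf"     # ok
rm -rf "$WORK"
```

On a configured host run `check_agent_source /opt/Symantec/scspagent/IDS/system/LocalAgent.ini /etc/syslog-ng/syslog-ng.conf` after step 4; source-undefined means the value in the INI (for example local) does not match the source name your syslog-ng.conf actually declares (s_sys, src, and so on), which is exactly the mismatch step 2(c) warns about.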

 


