
engine_A.log and IDS (Intrusion Detection System)

Created: 15 Aug 2011 • Updated: 27 Jan 2012 | 4 comments
Posted by Seann Herdejurgen

We have an Intrusion Detection System (IDS) in our environment where we have a central syslog server that collects system logs and forwards them to an IDS system.  We need a way to send all VCS logs (engine_A.log, IP_A.log, etc) to the centralized IDS server for security analysis.  As far as I know, there is no way to tie the VCS logs to syslog, so we need some other way to tie VCS logs to the IDS server.

Comments (4)

TonyGriffiths:

Hi

Some of the info in the VCS engine logs is redirected to syslog (I think it came in 4.0). Are you after all the VCS log info or just specific areas?

Seann Herdejurgen:

The security group wants anything and everything.

fmthard:

Seann,

You've got a lot of options here. 

The simplest is likely to run a cron that would scrape the /var/VRTSvcs/log/*_A.log files, case and format the results, then use logger (assuming you want to go through syslog) to post whatever you find. Upside: simple. Downside: can be defeated if the intruder has root (assumption if we are talking IDS).

Not so simple, probably too complex to work, just brainstorming: look at the agents, and wherever the halog command is called, also send a message to logger.

Want it all, want it all now: set up an SNMP trap server that will feed info to IDS. Set up VCS notifier resource to use SNMP for Info level messages (will now get Info and higher urgency). I'm not sure if this will also work for individual agents and their logging/log files, but it would be pretty quick to test.

Hope one or a combination of these help.

C

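The cron-plus-logger approach from the comment above, as an added example that is not code from the thread or from VCS. It keeps a per-file byte offset so each run ships only the lines appended since the last run, leaves a half-written final line for the next run, and re-reads a file from the start when it has been truncated or rotated. The directory names, the syslog tag prefix and the local6.info priority are assumptions; logger(1) must be present, and reading /var/VRTSvcs/log normally needs root.

```shell
#!/bin/sh
# Added example (not from the original thread): forward new lines of the
# VCS engine/agent logs to syslog with logger(1), run from cron every minute.
# Assumed, not from the post: VCS_LOG_DIR, STATE_DIR, SYSLOG_TAG, SYSLOG_PRIO.

VCS_LOG_DIR="${VCS_LOG_DIR:-/var/VRTSvcs/log}"
STATE_DIR="${STATE_DIR:-/var/lib/vcs-syslog}"
SYSLOG_TAG="${SYSLOG_TAG:-vcs}"
SYSLOG_PRIO="${SYSLOG_PRIO:-local6.info}"

# new_lines LOG STATEFILE
# Print the newline-terminated lines appended to LOG since the byte offset
# saved in STATEFILE, then save the new offset.  A partial last line is not
# shipped until its newline arrives; a LOG shorter than the saved offset
# (truncated or rotated) is re-read from the beginning.
new_lines() {
    log="$1"; state="$2"
    offset=0
    if [ -f "$state" ]; then
        read -r offset < "$state"
    fi
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$offset" ]; then
        offset=0
    fi
    if [ "$size" -eq "$offset" ]; then
        return 0
    fi
    chunk=$(mktemp) || return 1
    # Snapshot exactly the bytes [offset, size) so lines written while this
    # runs are neither lost nor shipped twice on the next run.
    tail -c +$((offset + 1)) "$log" | head -c $((size - offset)) > "$chunk"
    complete=$(wc -l < "$chunk" | tr -d ' ')
    if [ "$complete" -gt 0 ]; then
        head -n "$complete" "$chunk"
        consumed=$(head -n "$complete" "$chunk" | wc -c | tr -d ' ')
        printf '%s\n' $((offset + consumed)) > "$state"
    fi
    rm -f "$chunk"
}

# forward_logs: ship every *_A.log under VCS_LOG_DIR.  logger(1) reading
# stdin emits one syslog message per input line, so one process per file.
forward_logs() {
    mkdir -p "$STATE_DIR" || return 1
    for log in "$VCS_LOG_DIR"/*_A.log; do
        [ -f "$log" ] || continue
        name=$(basename "$log" .log)
        new_lines "$log" "$STATE_DIR/$name.offset" |
            logger -t "$SYSLOG_TAG-$name" -p "$SYSLOG_PRIO"
    done
}

# Crontab entry (path assumed): * * * * * /usr/local/sbin/vcs-to-syslog.sh --run
if [ "${1:-}" = "--run" ]; then
    forward_logs
fi
```

Messages arrive tagged vcs-engine_A, vcs-IP_A and so on at local6.info, so the central syslog server can route local6.* to the IDS collector without touching its other rules. The root caveat in the comment still applies: the script, the offset files and the logs all sit on the cluster node, so only the copies that have already reached the remote collector are trustworthy after a compromise.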
dveeden:

This is easily possible with the text file input monitor module for rsyslog.

http://www.rsyslog.com/doc/imfile.html

It would be better, however, if VCS supported syslog directly.

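The imfile setup dveeden points to, as an added example that is not part of the thread. The directive names are the legacy rsyslog syntax from the linked imfile page; the config path, the local6 facility, the state-file names and the collector hostname are assumptions. That syntax takes one stanza per file (no wildcards), so IP_A.log and each further agent log get their own block.

```conf
# /etc/rsyslog.d/vcs.conf (path assumed): tail the VCS logs with imfile
# and forward them to the central syslog/IDS host over TCP.
$ModLoad imfile
# imfile keeps its per-file read position in state files under WorkDirectory
$WorkDirectory /var/spool/rsyslog
# seconds between checks for new lines
$InputFilePollInterval 10

$InputFileName /var/VRTSvcs/log/engine_A.log
$InputFileTag vcs-engine_A:
$InputFileStateFile stat-vcs-engine_A
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

$InputFileName /var/VRTSvcs/log/IP_A.log
$InputFileTag vcs-IP_A:
$InputFileStateFile stat-vcs-IP_A
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# Everything read from the VCS logs goes to the IDS collector (hostname
# assumed).  @@ is TCP; a single @ would be UDP.
local6.* @@syslog-ids.example.com:514
```

Check that the rsyslog daemon can actually read /var/VRTSvcs/log after it drops privileges, and note that this has the same weakness fmthard raised: the config and state files live on the monitored node, so the lines already delivered to the collector are the only ones you can trust once root is lost.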