All posts for the month June, 2006

Use syslog-ng on RHEL3 to report authentication activity to a Snare server

The default syslogd under RHEL3 does not include a date and timestamp when it forwards user authentication activity to an external destination (Snare, a remote syslogd, etc.). syslog-ng can run side by side with, or as a replacement for, Red Hat’s syslogd facility. These instructions were written while I was working on a workstation that was reporting to a Snare micro-server on a Windows machine.

As root (or via sudo), install the package (note: this is probably available from DAG):

rpm -ivh syslog-ng-1.6.9-1.el3.i386.rpm

Make it run on boot:
chkconfig syslog-ng on

Edit the file: /etc/syslog-ng/syslog-ng.conf

Change the destination d_auth line, replacing the IP address with the IP address (or hostname) of the Snare micro-server (or other external log destination). Note that the address must be in straight double quotes:
destination d_auth { udp("192.168.1.10" port(514) localport(999)); };

Start the service:
service syslog-ng start

There is one additional parameter you may need to change if you don’t see syslog auth messages getting through.

/etc/syslog-ng/syslog-ng.conf:

Change:
filter f_filter3 { facility(authpriv); };

To read:

filter f_filter3 { facility(authpriv) or facility(auth); };

Save, exit, restart syslog-ng.
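To confirm that what actually arrives at the Snare side carries a timestamp and the auth/authpriv facility (the two things this post is about), here is a small receiver and checker. It is an added example, not code from the post or from syslog-ng; it assumes you temporarily point the udp() destination at a host running it on an unprivileged port (5514, an assumption), and the sample lines in the test are constructed.

```python
import re
import socket

# RFC 3164 facility codes; auth (4) and authpriv (10) are the two the f_filter3 filter must pass.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
AUTH_FACILITIES = {"auth", "authpriv"}

# Full BSD header as syslog-ng emits it over UDP: <PRI>Mmm dd hh:mm:ss host text
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# Header-less form (<PRI>text) that a sender omitting the timestamp produces
BARE_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_syslog(datagram: bytes) -> dict:
    """Decode one syslog datagram; timestamp and host are None when the header is missing."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\n")
    m = BSD_RE.match(text)
    if m:
        pri, ts, host, msg = m.groups()
    else:
        m = BARE_RE.match(text)
        if not m:
            raise ValueError("not a syslog datagram: %r" % text[:40])
        pri, msg = m.groups()
        ts, host = None, None
    pri = int(pri)
    return {"facility": FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3)),
            "severity": pri & 7, "timestamp": ts, "host": host, "message": msg}

def check_auth_record(datagram: bytes) -> list:
    """Problems an operator expecting timestamped auth/authpriv records should flag."""
    rec = parse_syslog(datagram)
    problems = []
    if rec["facility"] not in AUTH_FACILITIES:
        problems.append("facility %s is not auth/authpriv" % rec["facility"])
    if rec["timestamp"] is None:
        problems.append("no timestamp in message header")
    return problems

def listen_once(port: int = 5514, timeout: float = 10.0) -> list:
    """Receive one datagram on an unprivileged UDP port (assumed 5514; point the
    udp() destination at this host and port) and report problems with it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", port))
        data, _ = s.recvfrom(4096)
    return check_auth_record(data)
```

Run listen_once() on the receiving host, then trigger a login on the workstation; an empty list means the record arrived with both a timestamp and an auth facility.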