Use syslog-ng on RHEL3 to report authentication activity to a Snare server
The default syslogd under RHEL3 does not include a date and timestamp when it forwards user authentication activity to an external log collector (Snare, a remote syslogd, etc.). Syslog-ng can run alongside or as a replacement for Red Hat's syslogd facility. These instructions were written while I was working on a workstation that was reporting to a Snare micro-server on a Windows machine.
As root (or sudo), install the package: (Note: This is probably available from DAG)
rpm -ivh syslog-ng-1.6.9-1.el3.i386.rpm
Make it run on boot:
chkconfig syslog-ng on
Edit the file: /etc/syslog-ng/syslog-ng.conf
Change the destination d_auth line – replace the IP with the IP (or name) of the Snare micro-server (or other external logging source):
destination d_auth { udp("192.168.1.10" port(514) localport(999)); };
Start the service:
service syslog-ng start
There is one additional parameter you may need to change if you don't see syslog auth messages getting through: the default filter only matches the authpriv facility, so messages logged under the auth facility are dropped before they reach d_auth.
/etc/syslog-ng/syslog-ng.conf:
Change:
filter f_filter3 { facility(authpriv); };
To read:
filter f_filter3 { facility(authpriv) or facility(auth); };
Save, exit, restart syslog-ng.
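To show how the destination and filter above fit together, here is an added example (not taken from the original post) of the minimal set of syslog-ng 1.6 statements that forwards auth/authpriv messages to the Snare server while still writing them to the local /var/log/secure file. The source name s_sys, the destination name d_secure and the local file path are assumptions; d_auth, f_filter3 and the IP address are the values from the post.

```conf
# Assumed source: local syslog socket plus syslog-ng's own messages
source s_sys {
    unix-stream("/dev/log");
    internal();
};

# Filter from the post, widened to accept both facilities
filter f_filter3 { facility(authpriv) or facility(auth); };

# Destination from the post: UDP to the Snare micro-server.
# localport(999) pins the source port, which makes the traffic
# easy to allow through a host firewall and to spot in a capture.
destination d_auth { udp("192.168.1.10" port(514) localport(999)); };

# Assumed local copy so auth events are still on the box if the
# network or the collector is down (UDP gives no delivery guarantee)
destination d_secure { file("/var/log/secure"); };

# A destination only receives messages once a log statement
# ties it to a source and filter; without this line d_auth is inert.
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter3); destination(d_secure); };
```

After restarting syslog-ng, running logger -p auth.info "syslog-ng test" as root should produce one line in /var/log/secure and one UDP datagram from port 999 to 192.168.1.10:514.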