Sunday, September 16, 2012

OSSIM hands-on 4: Collecting syslog data from a Linux system

This is the fourth of a series of hands-on exercises that are intent to help OSSIM users to configure their system In this post we will cover how to collect syslog data from a Linux system (, using syslog filters, enabling files rotation and activating ssh plugin.

1.- Connect to the source Linux system and configure syslog forwarding to sensor (

a) edit /etc/rsyslog.conf and see $IncludeConfig variable
b) create a new file named /etc/rsyslog.d/alienvault.conf with the following rule:
*.* @
c) restart rsyslogd

2.- Connect to sensor ( and test that we are actually receiving syslog data

a) Run a tcpdump to monitor incoming traffic through syslog port (udp 514)
- generate authentication logs at the source system so new evens are forwarded through syslog
b) See /var/log/syslog file to check if the remote data is also written there.

3.- Configure rsyslog rules manage remote incoming data

a) create a new file named /etc/rsyslog.d/ (that is the source system ip address)
b) add new rules to file:
if ($fromhost == '') and ($rawmsg contains 'ssh') then -/var/log/ossim/ssh.log
if ($fromhost == '') then ~
c) add comments (using #) explaining what are those rules supposed to do
d) restart rsyslogd

4.- Configure ssh plugin to read /var/log/ossim/ssh.log and restart ossim-agent

5.- Check that ssh logs at source Linux box are being parsed and processed by the siem

6.- Configure log file rotation

a) edit /etc/logrotate.d/rsyslog and include new file (/var/log/ossim/ssh.log)
b) force logrotation (logrotate -f /etc/logrotate.d/rsyslog)
c) check that new syslog file has rotated and that ossim-agent process is reading the new file (generate new events if needed)

7.- Rsyslog debugging

a) create file /etc/rsyslog.d/debug.conf with the following content:
*.* /var/log/all.log;RSYSLOG_DebugFormat (this will apply the template RSYSLOG_DebugFormat to incoming messages)
b) restart rsyslog
c) check /var/log/all.log file and see existing properties to identify variables that can be used for filtering
d) disable debugging 
mv /etc/rsyslog.d/debug.conf /etc/rsyslog.d/debug.conf.disabled
restart rsyslog

8.- Add a new filtering rule to write sensor ssh logs into /var/log/ossim/ssh.log too

a) create a file named /etc/rsyslog.d/
b) use necessary properties to create a new rule
c) don't use a discard rule (~) in this case, so rest of local logs can be written to their files.

9.- Collected logs at the SIEM GUI