View | Details | Raw Unified | Return to bug 29278


(-)gentoo-security-1.16.xml (-68 / +15 lines)
Lines 560-647 Link Here
560
560
561
<p>
561
<p>
562
<uri link="http://metalog.sourceforge.net">Metalog</uri> by Frank Dennis is not able to log to a remote server, but it does have advantages when it comes to performance and logging flexibility.
562
<uri link="http://metalog.sourceforge.net">Metalog</uri> by Frank Dennis is not able to log to a remote server, but it does have advantages when it comes to performance and logging flexibility.
563
</p>
563
It can log by program name, urgency, program name,by facility (like syslogd) and comes with regular expression matching and it can launch external scripts when specific patterns are found. It is very good for taking action when needed.
564
565
<p>
566
It can log by program name or by facility (like syslogd) and comes with regular expression matching and execution of commands. Very good for taking action when needed.
567
</p> 
564
</p> 
568
565
569
<pre caption="/etc/metalog/metalog.conf">
570
maxsize  = 1000000
571
maxtime  = 86400
572
maxfiles = 7
573
minimum  = 7
574
575
Kernel messages :
576
577
  facility = "kern"
578
  logdir   = "/var/log/kernel"
579
580
Auth messages :
581
  facility = "auth"
582
  logdir   = "/var/log/auth"
583
584
Critical :
585
  facility = "critical"
586
  command  = "/usr/local/sbin/pwdfail.sh"  
587
588
Crond :
589
590
  program  = "crond"
591
  logdir   = "/var/log/crond"
592
  
593
Password failures :
594
595
  regex    = "(password|login|authentication)\s+(fail|invalid)"
596
  regex    = "(failed|invalid)\s+(password|login|authentication)"
597
  regex    = "ILLEGAL ROOT LOGIN"
598
  logdir   = "/var/log/pwdfail"
599
  command  = "/usr/local/sbin/pwdfail.sh"
600
601
SSH Server :
602
603
  program  = "sshd"
604
  logdir   = "/var/log/sshd"
605
606
Mail :
607
608
  facility = "ftp-mail-news"
609
  logdir   = "/var/log/mail"
610
611
Snort:
612
  program   = "snort"
613
  command  = "/usr/local/sbin/pwdfail.sh"
614
615
Everything important :
616
617
  facility = "*"
618
  logdir   = "/var/log/everything"
619
620
Everything very important :
621
622
  facility = "*"
623
  logdir   = "/var/log/critical"
624
625
</pre>
626
627
<p>
566
<p>
628
This is basically a standard configuration with a few modifications, like a minimum logging level at 7, which means that everything will be logged.
567
The standard configuration is basically enough. If you want to be notified by email whenever a password failure occurs use one of the following scripts.
629
</p>
568
</p>
630
569
631
<p>
570
<p>
632
pwdfail.sh for postfix.
571
For postfix:
633
</p>
572
</p>
634
573
635
<pre caption = "postfix' pwdfail.sh">
574
<pre caption = "/usr/local/sbin/mail_pwd_failures.sh for postfix">
636
#! /bin/sh
575
#! /bin/sh
637
echo "$3" | mail -s "Warning (program : $2)" root
576
echo "$3" | mail -s "Warning (program : $2)" root
638
</pre>
577
</pre>
639
578
640
<p>
579
<p>
641
pwdfail.sh for qmail.
580
For qmail:
642
</p>
581
</p>
643
582
644
<pre caption = "qmail's pwdfail.sh">
583
<pre caption = "/user/local/sbin/mail_pwd_failures.sh for qmail">
645
#!/bin/sh
584
#!/bin/sh
646
echo "To: root
585
echo "To: root
647
Subject:Failure (Warning: $2) 
586
Subject:Failure (Warning: $2) 
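Review bot: the qmail script caption on the new side reads `<pre caption = "/user/local/sbin/mail_pwd_failures.sh for qmail">` while the postfix caption two blocks earlier uses `/usr/local/sbin/mail_pwd_failures.sh`; `/user/local` is a typo and readers who copy the path from the caption will install the script where metalog will not find it. Also, the new sentence "It can log by program name, urgency, program name,by facility (like syslogd)" repeats "program name" and is missing a space after the comma; suggest "It can log by program name, urgency or facility (like syslogd) and comes with regular expression matching; it can also launch external scripts when specific patterns are found." Since the hunk drops the full metalog.conf sample and the explanation of `minimum = 7`, the replacement sentence "The standard configuration is basically enough" should at least say what the scripts below receive in `$2` and `$3`, because those arguments are now used without any surrounding context.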
Lines 650-661 Link Here
650
</pre>
589
</pre>
651
590
652
<p>
591
<p>
653
More information can be found in the <uri link="http://metalog.sourceforge.net">metalog</uri> website.
592
Remember to make the script executable by issuing <c>chmod +x /usr/local/sbin/mail_pwd_failures.sh</c>
654
</p>
593
</p>
655
594
595
<p>
596
Then uncomment the command line under Password failures in metalog.conf like:
597
</p>
598
599
<pre caption="/etc/metalog/metalog.conf">
600
command  = "/usr/local/sbin/mail_pwd_failures.sh"
601
</pre>
656
602
657
</body>
603
</body>
658
</section>
604
</section>
605
659
<section>
606
<section>
660
607
661
<title>Syslog-ng</title>
608
<title>Syslog-ng</title>
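Review bot: removing "More information can be found in the <uri link="http://metalog.sourceforge.net">metalog</uri> website." deletes the section's only pointer to upstream documentation; keep that sentence (or its `<uri>`) next to the new `chmod +x` instruction rather than replacing it. The new sentence "Then uncomment the command line under Password failures in metalog.conf like:" assumes the reader can find a commented-out `command` entry in the stock config, but the sample configuration that showed the "Password failures" block was removed in the previous hunk, so nothing on the page now shows which line is meant; suggest quoting the stock commented line in the `<pre>` alongside the replacement `command  = "/usr/local/sbin/mail_pwd_failures.sh"`. Minor: the `<c>chmod +x /usr/local/sbin/mail_pwd_failures.sh</c>` sentence has no terminating period.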
