[syslog-ng] Issue with filtering messages and sending them

Cosmin Neagu cosmin.neagu01 at gmail.com
Thu Aug 6 15:48:49 CEST 2015


Hello everyone,

I have an issue with syslog-ng (detailed below) and I tend to think it is 
related to syslog-ng, and I hope I will find some answers here.

I set up a "solution" so that when someone fails to log in to an SSH Linux 
server, I receive an email with info about that. The idea is like this: 
syslog-ng should look for any messages containing info about login 
failures, and when it sees those messages, it should pass them to a 
little script that emails them.

Syslog-ng relevant config for that:
filter f_ssh { program(sshd) and match("Failed password" value("MESSAGE")); };
# d_sshalert runs the script that is sending the emails
destination d_sshalert { program("/home/cosmin/sshalert.sh"); };
destination d_sshfile { file("/home/cosmin/LOGS/sshdfailed.log"); };
log { source(s_src); filter(f_ssh); destination(d_sshfile); };
#log { source(s_src); filter(f_ssh); destination(d_sshalert); flags(final); };
log { source(s_src); filter(f_ssh); destination(d_sshalert); };

And the script that is sending the emails:
cosmin at srv:~$ cat sshalert.sh
#!/bin/bash
email="someone at gmail.com"
# syslog-ng's program() destination hands each matched message to this script on stdin;
# "read -r" and the here-document keep backslashes in ${event} uninterpreted.
while IFS= read -r event
do
    /usr/sbin/sendmail -f "admin at domain.ro" "${email}" <<EOF
Subject: *** SSH failed attempt on domain.ro ***
From: SSH Watcher <admin at domain.ro>
To: ${email}

####### WARNING #######

A failed SSH attempt has been logged:
${event}

*** Required actions ***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************

For any questions contact: admin at domain.ro
Have a nice day
EOF
done

Everything works as expected; I receive mails like this when failed 
attempts exist:

####### WARNING #######

A failed SSH attempt has been logged:
Aug  6 15:49:47 srv sshd[18236]: Failed password for someone from 173.XX.220.XX port 59004 ssh2

*** Required actions***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************

For any questions contact:admin at domain.ro
Have a nice day


Please note that the log inserted is the right one: Aug  6 15:49:47 srv 
sshd[18236]: Failed password for someone from 173.XX.220.XX port 59004 ssh2
My problem is that from time to time (I did not manage to discover a time 
pattern), I also receive some strange mails like the following:

####### WARNING #######

A failed SSH attempt has been logged:
Aug  6 16:09:47 srv -- MARK --

*** Required actions***
1. Check ip owner and location:
Ex: #curl ipinfo.io/X.Y.Z.T
2. Ban the source IP address in iptables.rules
***********************

For any questions contact:admin at domain.ro
Have a nice day


As you can see, the log inserted in the mail is strange: Aug  6 
16:09:47 srv -- MARK --. I assume that somehow syslog-ng is the one 
that is sending this log to my script, which is why I configured another 
destination to a local file to test my hypothesis (d_sshfile), but the 
message is not inserted in that local file.

Now, my question for you is: is there a way to determine if syslog-ng is 
the one responsible for sending that strange message, and why? Am I doing 
something wrong with the syslog-ng config (maybe the filter is not right)?
Any help would be appreciated. Thanks

-- 
Best Regards
Cosmin Neagu
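As an added example (not part of the original post, and not syslog-ng's own code): a POSIX shell version of the alert script's input handling that checks every line it receives on stdin against the sshd "Failed password" format before building an alert, so that a line like the "-- MARK --" one shown above is dropped instead of mailed, whatever route it took to the program() destination. It also handles the "Failed password for invalid user NAME from ..." variant, which the post does not show. The sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed; parse_ssh_failure, build_alert and dispatch are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: validate what syslog-ng's program()
# destination delivers on stdin before mailing it. A line is alerted on only if it
# is an sshd "Failed password" event; anything else (e.g. "-- MARK --") is dropped.

# parse_ssh_failure LINE
# Prints "USER IP PORT" and returns 0 for a classic-syslog sshd line such as
#   Aug  6 15:49:47 srv sshd[18236]: Failed password for someone from 192.0.2.10 port 59004 ssh2
# (also the "Failed password for invalid user NAME from ..." variant); returns 1 otherwise.
# Field numbers assume the default awk splitting on runs of blanks, so the
# double space in "Aug  6" does not matter.
parse_ssh_failure() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" && $8 == "for" {
            i = 9                                   # field holding the user name
            if ($i == "invalid" && $(i+1) == "user") i += 2
            if ($(i+1) == "from" && $(i+3) == "port" && $(i+5) == "ssh2" && $(i+4) ~ /^[0-9]+$/) {
                print $i, $(i+2), $(i+4)
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# build_alert LINE
# Writes the alert text (a Subject header plus body) for one validated event;
# returns 1 without output when the line does not parse.
build_alert() {
    line=$1
    fields=$(parse_ssh_failure "$line") || return 1
    set -- $fields
    printf 'Subject: *** SSH failed attempt ***\n\n'
    printf 'A failed SSH attempt has been logged:\n%s\n' "$line"
    printf 'User: %s\nSource IP: %s\nSource port: %s\n' "$1" "$2" "$3"
}

# dispatch MAILER [ARGS...]
# Reads one event per line from stdin, as the program() destination delivers
# them, and pipes the alert for each valid event into MAILER; rejected lines are
# reported on stderr instead of being mailed.
dispatch() {
    while IFS= read -r line; do
        if alert=$(build_alert "$line"); then
            printf '%s\n' "$alert" | "$@"
        else
            printf 'ignored non-sshd line: %s\n' "$line" >&2
        fi
    done
}
```

Wired in the same way as the script in the post, the loop becomes a single call such as `dispatch /usr/sbin/sendmail someone@example.com` (address constructed), with syslog-ng feeding stdin; the source IP that the alert extracts is also what a follow-up step like the curl lookup or an iptables ban would consume, so it is worth taking it from a parsed field rather than from free text.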

URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20150806/536b8882/attachment.htm 


More information about the syslog-ng mailing list