Forum Discussion
Different syslog level between WebGUI and SSH login
We need to send syslog to Qradar for Security Event logging. One of the biggest things they need to know about are logons to the F5s, either via the WebGUI or via SSH. However, to reduce the amount of "noise" we send Qradar we applied the following filter:
tmsh modify sys syslog include "destination remote_server {tcp(\"siem1pre.service.test.group\" port (514));};filter f_alllogs {level (notice..emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};destination remote_server2 {tcp(\"10.127.222.10\" port (514));};log {source(local);filter(f_alllogs);destination(remote_server2);};"
Unfortunately there appears to be a difference in the “level” of the Syslog msg between a WebGUI logon and an SSH logon as the filtering we have in place filters out the SSH logon msg (I have seen this in a TCPDUMP). Could somebody have a look at the filtering command we are using and suggest a modification so that we don’t filter out those particular [SSH] msgs.
Regards.
10 Replies
- Chris_FP
Cirrus
Nobody able to help :(
- nitass_89166
Noctilucent
what about this?
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
    include "
        destination d_loghost { udp(\"172.28.24.1\" port(514)); };
        log { source(s_syslog_pipe); filter(f_authpriv); destination(d_loghost); };
    "
}

syslog
[root@centos1 ~] nc -l -u 514
<86>Aug 6 05:48:22 ve11a info sshd(pam_audit)[8667]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:22 2014".
<134>Aug 6 05:48:22 ve11a info sshd(pam_audit)[8667]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:22 2014".
<85>Aug 6 05:48:33 ve11a notice httpd[3763]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.46 attempts=1 start="Wed Aug 6 05:48:33 2014".
- Chris_FP
Cirrus
Hi Nitass, That looks good. Anyway to "combine" my filter and that filter as we don't want the qradar boxes to receive "INFO" from any other processes (just authpriv as it appears they are INFO level for SSH but NOTICE level for WebGUI...) Your expertise here is greatly appreciated. Chris
- Chris_FP
Cirrus
Hi Nitass,
Are you able to provide a combined filter :)
Cheers
Chris
- nitass_89166
Noctilucent
what about this?
// config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
    include "
        destination remote_server { udp(\"172.28.24.1\" port (514)); };
        filter f_customlogs {
            level (notice..emerg)
            or program(sshd)
            or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
            or match(pam_audit) ;
        };
        log { source(s_syslog_pipe); filter(f_customlogs); destination(remote_server); };
    "
}

// syslog server
<86>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.70 attempts=1 start="Sat Aug 16 21:17:57 2014".
<134>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.207.70 attempts=1 start="Sat Aug 16 21:17:57 2014".
<85>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.70 attempts=1 start="Sat Aug 16 21:18:10 2014".
<133>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.207.70 attempts=1 start="Sat Aug 16 21:18:10 2014".
- Chris_FP
Cirrus
Fantastic Nitass, that worked like a charm. Thank you very much for your help. Chris
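The two filters discussed in this thread, the question's level(notice..emerg) filter and nitass's combined f_customlogs, re-created in Python and run over the <PRI>-prefixed lines from the nc capture, as an added example that is not part of the original thread. The mcpd noise line is constructed, and treating program() as an unanchored regex and match() as a whole-line search is an assumption about syslog-ng's semantics.

```python
import re

# RFC 3164 priority = facility * 8 + severity; both name tables in numeric order.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             ["local%d" % i for i in range(8)]
# Header as the F5 template emits it: <PRI>TIMESTAMP HOST LEVEL PROGRAM[PID]: MSG
_LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+) "
                      r"([^\[:]+?)(?:\[(\d+)\])?: (.*)$")

def parse(line):
    """Split one syslog line into facility/severity plus the text fields."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable syslog line: " + line)
    pri = int(m.group(1))
    return {"pri": pri, "facility": FACILITIES[pri >> 3], "severity": pri & 7,
            "host": m.group(3), "program": m.group(5), "message": m.group(7),
            "raw": line}

def f_alllogs(msg):
    """The question's filter: level(notice..emerg) keeps severities 5..0, so
    every 'info' (6) record, the sshd logon lines included, is dropped."""
    return msg["severity"] <= SEVERITIES.index("notice")

def f_customlogs(msg):
    """nitass's combined filter. syslog-ng's program() is a regex match, so
    program(sshd) also hits 'sshd(pam_audit)' (assumed unanchored here)."""
    return (f_alllogs(msg)
            or re.search(r"sshd", msg["program"]) is not None
            or (msg["facility"] in ("auth", "authpriv")
                and re.search(r"httpd|tamd", msg["program"]) is not None)
            or "pam_audit" in msg["raw"])  # match(pam_audit), whole-line search assumed

def apply_filter(filt, lines):
    """Return the parsed records a filter would forward to the SIEM."""
    return [m for m in map(parse, lines) if filt(m)]

# Constructed sample: four lines shortened from the thread's nc capture, plus
# one invented daemon.info line standing in for the routine noise to exclude.
SAMPLE_LINES = [
    '<86>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: user=root(root) tty=ssh host=192.168.207.70 attempts=1',
    '<134>Aug 16 21:17:57 ve11a info sshd(pam_audit)[28741]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) tty=ssh',
    '<85>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) tty=/sbin/nologin',
    '<133>Aug 16 21:18:10 ve11a notice httpd[27282]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) tty=/sbin/nologin',
    '<30>Aug 16 21:18:11 ve11a info mcpd[5412]: 01070638:6: Pool member 10.0.0.5:80 monitor status up.',
]

def forwarded(filt):
    """Compact view of what a filter forwards: (pri, facility.severity, program)."""
    return [(m["pri"], m["facility"] + "." + SEVERITIES[m["severity"]], m["program"])
            for m in apply_filter(filt, SAMPLE_LINES)]
```

Running forwarded(f_alllogs) shows only the two notice-level httpd records surviving, while forwarded(f_customlogs) adds both info-level sshd records and still drops the daemon.info line.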