problem learning from syslog

Submit your RBAC policies or suggest policy improvements

problem learning from syslog

Postby dancebee » Tue Jun 17, 2003 8:19 pm

I'm using linux 2.4.21 + grsecurity + gradm v1.9.10.

The kernel component of grsec appears to be properly capturing the raw learn data into the syslog (via metalog):

Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:263503:/var/run/proftpd:16
Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:152782:/var/run/proftpd/proftpd.s
coreboard:21
Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:152782:/var/run/proftpd/proftpd.s
coreboard:4
Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:0:0::7
Jun 17 18:00:27 [kernel] grsec: LEARN:771:152738:0:0::21
Jun 17 18:00:28 [kernel] grsec: LEARN:771:152738:0:0::21
Jun 17 18:00:29 [kernel] grsec: LEARN:771:152738:0:0::21
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:263432:/etc/passwd:16
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:263432:/etc/passwd:17
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:270688:/etc/group:16
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:270688:/etc/group:17

But when I try to parse the syslog with:

gradm -L /var/log/everything/current -O stdout

I get nothing except the initial skeletal learn acls, with no new rules added.

Am I doing something wrong?

James
dancebee
 
Posts: 3
Joined: Tue Jun 17, 2003 8:10 pm

Re: problem learning from syslog

Postby qua » Mon Sep 08, 2003 9:11 am

dancebee wrote:The kernel component of grsec appears to be properly capturing the raw learn data into the syslog (via metalog):

Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:263503:/var/run/proftpd:16
...

Am I doing something wrong?


Most likely, log format is not recognised, you should not be using metalog. I have run into similar problem using syslog-ng (a more flexible, network-logging capable syslog replacement) and gradm doesn't seem to be able to read its logging format either.

So either change logger or get ready for some heavy sed'ing :D

--Jan
qua
 
Posts: 1
Joined: Mon Sep 08, 2003 9:06 am

Postby Sleight of Mind » Mon Sep 08, 2003 5:21 pm

afaik the 2.0 series do work with metalog and syslog-ng. At least with metalog since i've tried that myself. Not sure if 1.9.x is supposed to work with it.
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Postby spender » Sat Sep 13, 2003 11:23 am

2.0 does not use syslog for the learning logs, so it is unaffected by what syslog daemon you use.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to RBAC policy development

cron