How to configure SCSP / DCS to monitor the "syslog-ng" service in RHEL 6.x for events

Article ID: 161224

Products

Critical System Protection
Data Center Security Server
Data Center Security Server Advanced

Issue/Introduction

Scenario # 1:

You want to configure the SCSP / DCS Agent to monitor the "syslog-ng" service in a RHEL 6.x machine

Scenario # 2:

You have configured the SCSP / DCS Agent to monitor the "syslog" or "rsyslog" service on a RHEL 6.x machine, but when you switch to "syslog-ng" instead, the events stop appearing in the SCSP / DCS Management Console

 

Cause


The "syslog-ng" daemon is running in its default 'foreground' process mode instead of 'background' process mode. This makes it appear as if two instances of the "syslog-ng" daemon are running, which the SCSP / DCS Agent cannot monitor successfully.

The "--no-caps --process-mode=background" switches need to be appended to $SYSLOGNG_OPTIONS on the daemon line of the "/etc/init.d/syslog-ng" startup script in order to force the "syslog-ng" daemon to start in 'background' process mode. Note that "--no-caps" runs syslog-ng without capability support, i.e. as a full-privilege root process.

 

Resolution


1. Install the SCSP / DCS Agent on the RHEL 6.x machine (if it is not already installed)

2. Apply the desired IPS policy (e.g. the "Unix_Baseline_Detection" policy) to the SCSP / DCS Agent on the RHEL 6.x machine

3. Open the following file on the RHEL 6.x machine in a text editor (e.g. "vi" or "nano")

/etc/init.d/syslog-ng

4. Append the switches "--no-caps --process-mode=background" to the "daemon syslog-ng $SYSLOGNG_OPTIONS" line, as shown below (the code in your "/etc/init.d/syslog-ng" file might differ slightly from what is shown, but the line is in the "start()" function, which is the part of the script that starts the "syslog-ng" service).

start()
{
    verify_config
    echo -n $"Starting syslog-ng: "
    if [ -e $SYSLOGNG_COMPAT_PID ]; then
        failure "PID file for existing syslog daemon exists"
    fi
    # Added switches: force background process mode so the agent sees a single daemon
    daemon syslog-ng $SYSLOGNG_OPTIONS --no-caps --process-mode=background
    RETVAL=$?        # capture the daemon's exit status, not that of the ln below
    ln -sf $SYSLOGNG_PID $SYSLOGNG_COMPAT_PID
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog-ng
    return $RETVAL
}

5. Save the "/etc/init.d/syslog-ng" file and close it

6. Run the following command to ensure the modified "/etc/init.d/syslog-ng" file is able to restart the "syslog-ng" service successfully

/etc/init.d/syslog-ng restart

7. Open the "syslog-ng.conf" file from the following location

/etc/syslog-ng/syslog-ng.conf

8. Note down the "source" name (in the following example, this is "s_sys")

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};

9. Open the following file on the RHEL 6.x machine in a text editor (e.g. "vi" or "nano")

/opt/Symantec/scspagent/IDS/system/LocalAgent.ini (SCSP Agent)
/opt/Symantec/sdcsspagent/IDS/system/LocalAgent.ini (DCS Agent)

10. Make the following changes to the "[Syslog Collector]" section (replacing the "Syslog NG Source" value with the source name noted in "step 8" above)

[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=s_sys
#Syslog NG Filter=scsp_filter

11. Save the "LocalAgent.ini" file and close it

12. Run the following command to ensure that the "syslog-ng" service is running (it should be running)

service syslog-ng status

13. Run the following command to restart the "sisidsagent" service

service sisidsagent restart

14. Open the following file

/etc/syslog-ng/syslog-ng.conf

15. Confirm the following lines have been added to the bottom of the file (the "(s_sys)" text should reflect the "Syslog NG Source" value from "step 10" above)

When using an SCSP Agent...

# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(debug..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_sys); filter(scsp_filter); destination(scsp_dest); };

When using a DCS Agent...

# The following is required for Symantec Host IDS - Do not edit or remove
destination sdcss_dest { pipe("/var/log/ids_syslog.pipe" group(sisips) perm(0600)); };
filter sdcss_filter { level(debug..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_sys); filter(sdcss_filter); destination(sdcss_dest); };

 

16. Restart the RHEL 6.x machine if possible, then proceed to "step 17" (if a restart is not feasible, proceed to "step 17" now)

17. Run the following command to restart the "syslog-ng" service

/etc/init.d/syslog-ng restart

18. Run the following commands on the RHEL 6.x machine in order

chkconfig rsyslog off

service rsyslog stop

chkconfig syslog-ng on

service syslog-ng start

19. Run the following commands on the RHEL 6.x machine in order to confirm the above commands have executed successfully

chkconfig --list rsyslog

service rsyslog status

chkconfig --list syslog-ng

service syslog-ng status

20. Perform an action on the RHEL 6.x machine that the "syslog-ng" service is configured to log to the "/var/log/messages" file. Generally the easiest way to do this is to restart a key service such as the "saslauthd" service.

21. Confirm that the information appears in the "/var/log/messages" file and in the SCSP / DCS Management Console

*NOTE: As with most IDS policies, the events written to the "/var/log/messages" file must match the string values (or other criteria) specified in the IDS policy applied to the RHEL 6.x machine in order for the event to appear in the SCSP / DCS Management Console.
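The most common reason the events still fail to arrive after this procedure is a mismatch between the edits made in steps 4, 8, 10 and 15: the init script line lacks the switch, the source named in "LocalAgent.ini" is not the one defined in "syslog-ng.conf", or the agent never appended its log statement. The script below is an added verification helper, not part of this article or of the Symantec agent; it takes the three file paths as arguments so it can be run against the real files, and the sample files it writes for its own demo are constructed. It inspects only the daemon line of the init script (not /etc/sysconfig/syslog-ng) and relies only on grep, sed and mktemp.

```shell
#!/bin/sh
# Added verification helper (not part of the Symantec article). It re-checks the
# edits from steps 4, 8, 10 and 15 against the files they touch. On a real host:
#   verify_host /etc/init.d/syslog-ng /etc/syslog-ng/syslog-ng.conf \
#       /opt/Symantec/sdcsspagent/IDS/system/LocalAgent.ini
# The files written by write_samples are constructed for the demo only.

# Step 4: the daemon line in the init script carries the background switch.
initscript_has_background_mode() {
    grep -E '^[[:space:]]*daemon[[:space:]]+syslog-ng.*--process-mode=background' "$1" >/dev/null 2>&1
}

# Step 10: the source name the agent was told to read from.
ini_syslogng_source() {
    sed -n 's/^[[:space:]]*Syslog NG Source[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 | tr -d '[:space:]'
}

# Step 8: syslog-ng.conf actually defines a source with that name.
conf_defines_source() {
    grep -E "^[[:space:]]*source[[:space:]]+$2[[:space:]]*\{" "$1" >/dev/null 2>&1
}

# Step 15: the agent-inserted log statement reads that source and writes to
# the scsp_dest / sdcss_dest pipe.
conf_log_uses_source() {
    grep -E "^[[:space:]]*log[[:space:]]*\{[[:space:]]*source\([[:space:]]*$2[[:space:]]*\).*(scsp|sdcss)_dest" "$1" >/dev/null 2>&1
}

# Run the file checks, print one line per finding, return 0 only if all pass.
verify_host() {
    init="$1"; conf="$2"; ini="$3"; rc=0
    if initscript_has_background_mode "$init"; then
        echo "ok   init script starts syslog-ng with --process-mode=background"
    else
        echo "FAIL init script daemon line lacks --process-mode=background"; rc=1
    fi
    src=$(ini_syslogng_source "$ini")
    [ -n "$src" ] || { echo "FAIL LocalAgent.ini has no 'Syslog NG Source=' entry"; return 1; }
    if conf_defines_source "$conf" "$src"; then
        echo "ok   syslog-ng.conf defines source $src"
    else
        echo "FAIL syslog-ng.conf does not define source '$src'"; rc=1
    fi
    if conf_log_uses_source "$conf" "$src"; then
        echo "ok   agent log statement reads source($src)"
    else
        echo "FAIL no agent log statement for source($src); restart sisidsagent"; rc=1
    fi
    return $rc
}

# Constructed sample files standing in for a correctly configured host.
write_samples() {
    cat >"$1/syslog-ng" <<'EOF'
start()
{
    daemon syslog-ng $SYSLOGNG_OPTIONS --no-caps --process-mode=background
}
EOF
    cat >"$1/syslog-ng.conf" <<'EOF'
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};
# The following is required for Symantec Host IDS - Do not edit or remove
destination sdcss_dest { pipe("/var/log/ids_syslog.pipe" group(sisips) perm(0600)); };
filter sdcss_filter { level(debug..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_sys); filter(sdcss_filter); destination(sdcss_dest); };
EOF
    cat >"$1/LocalAgent.ini" <<'EOF'
[Syslog Collector]
Syslog Daemon=SYSLOGNG
Syslog NG Source=s_sys
EOF
}

# Demo: the good samples must pass; the same samples with a mismatched source
# name in LocalAgent.ini (the step 8/10 mistake) must fail.
demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    if verify_host "$tmp/syslog-ng" "$tmp/syslog-ng.conf" "$tmp/LocalAgent.ini"; then good=0; else good=1; fi
    sed 's/^Syslog NG Source=.*/Syslog NG Source=s_typo/' "$tmp/LocalAgent.ini" >"$tmp/LocalAgent.bad" \
        && mv "$tmp/LocalAgent.bad" "$tmp/LocalAgent.ini"
    if verify_host "$tmp/syslog-ng" "$tmp/syslog-ng.conf" "$tmp/LocalAgent.ini"; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

Each "FAIL" line names the step to revisit; a missing log statement in particular usually means the "sisidsagent" service was not restarted after "LocalAgent.ini" was edited (step 13), since that restart is what appends the destination, filter and log lines to "syslog-ng.conf".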


Applies To

Symantec Critical System Protection 5.2.8.x

Symantec Critical System Protection 5.2.9.x

Symantec Data Center Security 6.0.x

Red Hat Enterprise Linux 6.x