Scenario # 1:
You want to configure the SCSP / DCS Agent to monitor the "syslog-ng" service in a RHEL 6.x machine
Scenario # 2:
You have configured the SCSP / DCS Agent to monitor the "syslog" or "rsyslog" service in a RHEL 6.x machine, but when you start to use "syslog-ng" instead, the events stop appearing in the SCSP / DCS Management Console
The "syslog-ng" daemon is running in its default 'foreground' process mode instead of a 'background' process mode. This makes it appear as if there are two instances of the "syslog-ng" daemon running (which the SCSP / DCS Agent is not able to successfully monitor).
The “--no-caps --process-mode=background” switches need to be appended after $SYSLOGNG_OPTIONS on the “daemon syslog-ng” line in the “/etc/init.d/syslog-ng” startup script in order to force the “syslog-ng” daemon to start in a ‘background’ process mode.
1. Install the SCSP / DCS Agent on the RHEL 6.x machine (if it is not already installed)
2. Apply the desired IPS policy (e.g. “Unix_Baseline_Detection” policy) to the SCSP / DCS Agent on the RHEL 6.x machine
3. Open the following file on the RHEL 6.x machine using an editing software (e.g. “vi” / “nano”)
/etc/init.d/syslog-ng
4. Add the “--no-caps --process-mode=background” switches to the “daemon syslog-ng” line of the “start()” section, as shown in the script below (the code in your “/etc/init.d/syslog-ng” file might be slightly different from what is shown below, but the change still belongs in the “start()” section, as this is the part of the script that starts the “syslog-ng” service).
start()
{
    verify_config
    echo -n $"Starting syslog-ng: "
    if [ -e $SYSLOGNG_COMPAT_PID ]; then
        failure "PID file for existing syslog daemon exists"
    fi
    # Added switches: force syslog-ng to detach and run as a background daemon
    daemon syslog-ng $SYSLOGNG_OPTIONS --no-caps --process-mode=background
    # Capture the daemon's exit status before any other command overwrites $?
    RETVAL=$?
    ln -sf $SYSLOGNG_PID $SYSLOGNG_COMPAT_PID
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog-ng
    return $RETVAL
}
5. Save the “/etc/init.d/syslog-ng” file and close it
6. Run the following command to ensure the modified “/etc/init.d/syslog-ng” file is able to restart the “syslog-ng” service successfully
/etc/init.d/syslog-ng restart
7. Open the "syslog-ng.conf" file from the following location
/etc/syslog-ng/syslog-ng.conf
8. Note down the "source" information (in the following example, this would be "s_sys")
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};
9. Open the following file on the RHEL 6.x machine using an editing software (e.g. “vi” / “nano”)
/opt/Symantec/scspagent/IDS/system/LocalAgent.ini (SCSP Agent)
/opt/Symantec/sdcsspagent/IDS/system/LocalAgent.ini (DCS Agent)
10. Make the following changes to the "[Syslog Collector]" section (replacing the "Syslog NG Source" information with the information from "step 8" above)
[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=s_sys
#Syslog NG Filter=scsp_filter
11. Save the “LocalAgent.ini” file and close it
12. Run the following command to ensure that the “syslog-ng” service is running (it should be running)
service syslog-ng status
13. Run the following command to restart the “sisidsagent” service
service sisidsagent restart
14. Open the following file
/etc/syslog-ng/syslog-ng.conf
15. Confirm the following strings of text have been added to the bottom of the file (the “(s_sys)” text should reflect the “Syslog NG Source” data from “step 10” above)
When using an SCSP Agent...
# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(debug..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_sys); filter(scsp_filter); destination(scsp_dest); };
When using a DCS Agent...
# The following is required for Symantec Host IDS - Do not edit or remove
destination sdcss_dest { pipe("/var/log/ids_syslog.pipe" group(sisips) perm(0600)); };
filter sdcss_filter { level(debug..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_sys); filter(sdcss_filter); destination(sdcss_dest); };
16. Restart the RHEL 6.x machine if possible and then proceed to “step 17” (if a restart is not feasible, proceed to “step 17” now)
17. Run the following command to restart the “syslog-ng” service
/etc/init.d/syslog-ng restart
18. Run the following commands on the RHEL 6.x machine in order
chkconfig rsyslog off
service rsyslog stop
chkconfig syslog-ng on
service syslog-ng start
19. Run the following commands on the RHEL 6.x machine in order to confirm the above commands have executed successfully
chkconfig --list rsyslog
service rsyslog status
chkconfig --list syslog-ng
service syslog-ng status
20. Perform an action on the RHEL 6.x machine that the “syslog-ng” service is configured to log to the “/var/log/messages” file. Generally the easiest way to do this is to restart a key service such as the “saslauthd” service.
21. Confirm if the information appears in the “/var/log/messages” file and the SCSP / DCS Management Console
*NOTE: As with most IDS policies, the events that appear in the “/var/log/messages” file must match the string values (or other criteria) specified in the IDS policy that is applied to the RHEL 6.x machine in order for the event to appear in the SCSP / DCS Management Console.
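The following consistency check is an added example and is not part of the Symantec article or the agent's own tooling. It verifies the three things the procedure above changes: that the init script passes --process-mode=background to syslog-ng, that the "source" name in syslog-ng.conf matches the "Syslog NG Source" value in the [Syslog Collector] section of LocalAgent.ini, and that syslog-ng.conf carries the log {} statement routing that source into the agent's destination. The file paths are parameters so the functions can be run against constructed sample files (created inline below, mirroring the article's snippets) as well as against the real files on a host; the real paths shown in the usage comment are the ones from the article.

```shell
#!/bin/sh
# Post-configuration check for the SCSP / DCS Agent + syslog-ng setup (added example).

# 1. Does the init script's "daemon syslog-ng" line start syslog-ng in background mode?
init_script_has_background_mode() {
    grep -E '^[[:space:]]*daemon[[:space:]]+syslog-ng[[:space:]].*--process-mode=background' "$1" >/dev/null
}

# 2a. First source name declared in syslog-ng.conf (e.g. "s_sys").
syslogng_source_name() {
    sed -n 's/^[[:space:]]*source[[:space:]]\{1,\}\([A-Za-z0-9_]*\)[[:space:]]*{.*/\1/p' "$1" | head -n 1
}

# 2b. "Syslog NG Source" value inside the [Syslog Collector] section of LocalAgent.ini.
agent_ini_source() {
    sed -n -e '/^\[Syslog Collector\]/,/^\[/ s/^Syslog NG Source=//p' "$1" | head -n 1
}

# 2c. "Syslog Daemon" value inside the same section (should be SYSLOGNG).
agent_ini_daemon() {
    sed -n -e '/^\[Syslog Collector\]/,/^\[/ s/^Syslog Daemon=//p' "$1" | head -n 1
}

# 3. Does syslog-ng.conf route the source into the agent pipe?
#    $1 = syslog-ng.conf, $2 = source name, $3 = destination name (scsp_dest or sdcss_dest)
conf_has_agent_log_statement() {
    grep -E "^[[:space:]]*log[[:space:]]*\{.*source\($2\).*destination\($3\).*\}" "$1" >/dev/null
}

# Number of running syslog-ng processes; more than one suggests foreground mode (see above).
running_syslogng_count() {
    pgrep -c -x syslog-ng
}

# Overall verdict: returns 0 when consistent, 1 otherwise (each problem is printed).
# $1 = init script, $2 = syslog-ng.conf, $3 = LocalAgent.ini, $4 = destination name
check_agent_syslogng_setup() {
    init_script=$1; conf=$2; ini=$3; dest=$4
    rc=0
    init_script_has_background_mode "$init_script" || { echo "init script: --process-mode=background missing"; rc=1; }
    src=$(syslogng_source_name "$conf")
    ini_src=$(agent_ini_source "$ini")
    [ -n "$src" ] && [ "$src" = "$ini_src" ] || { echo "source mismatch: conf='$src' ini='$ini_src'"; rc=1; }
    [ "$(agent_ini_daemon "$ini")" = "SYSLOGNG" ] || { echo "LocalAgent.ini: Syslog Daemon is not SYSLOGNG"; rc=1; }
    conf_has_agent_log_statement "$conf" "$src" "$dest" || { echo "conf: no log {} statement for source($src) -> destination($dest)"; rc=1; }
    return $rc
}

# --- constructed sample files (mirroring the article's snippets, not copied from a real host) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/syslog-ng.init" <<'EOF'
start()
{
    verify_config
    echo -n $"Starting syslog-ng: "
    daemon syslog-ng $SYSLOGNG_OPTIONS --no-caps --process-mode=background
    RETVAL=$?
    echo
    return $RETVAL
}
EOF
cat > "$SAMPLE_DIR/syslog-ng.conf" <<'EOF'
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
};
# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(debug..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_sys); filter(scsp_filter); destination(scsp_dest); };
EOF
cat > "$SAMPLE_DIR/LocalAgent.ini" <<'EOF'
[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=s_sys
#Syslog NG Filter=scsp_filter
EOF
# A deliberately inconsistent copy: the ini names a source that syslog-ng.conf does not declare.
sed 's/^Syslog NG Source=.*/Syslog NG Source=s_local/' "$SAMPLE_DIR/LocalAgent.ini" > "$SAMPLE_DIR/LocalAgent.bad.ini"

# Usage against the real files on a host (SCSP Agent paths from the article; use
# /opt/Symantec/sdcsspagent/IDS/system/LocalAgent.ini and sdcss_dest for a DCS Agent):
#   check_agent_syslogng_setup /etc/init.d/syslog-ng /etc/syslog-ng/syslog-ng.conf \
#       /opt/Symantec/scspagent/IDS/system/LocalAgent.ini scsp_dest
check_agent_syslogng_setup "$SAMPLE_DIR/syslog-ng.init" "$SAMPLE_DIR/syslog-ng.conf" \
    "$SAMPLE_DIR/LocalAgent.ini" scsp_dest && echo "sample configuration is consistent"
```

Running the check against the deliberately mismatched LocalAgent.bad.ini prints the source mismatch and returns 1, which is the condition that leaves /var/log/messages populated while nothing reaches the Management Console. The process count helper is for use on the host only; the article's symptom of two apparent syslog-ng instances is what the background-mode switch removes.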
Applies To
Symantec Critical System Protection 5.2.8.x
Symantec Critical System Protection 5.2.9.x
Symantec Data Center Security 6.0.x
Red Hat Enterprise Linux 6.x