Re: Red Hat derivative OS: syslog & syslog-ng logging to /var/log/secure are mixing local time zone & UTC

On 03/16/2011 05:46 PM, Jose R R wrote:
Good day-

I have not encountered this issue under GNU/Linux Debian instances
that I mostly manage. However, managing a Red Hat derivative
instance, I noticed that syslog has been mixing the local time zone of
the server with UTC when crackers attempt penetration. This causes
fail2ban to not block the attacking intruders on the initial few
counts, since it "thinks" there is a 7-hour difference between
attacks.

I have gone to the extent of installing syslog-ng, with no change in
the logging (as I am reading the extensive documentation). However, I
had to ask if any of you might shed some light on the issue.

Mar 16 07:04:59 [myHostIP] sshd[4498]: User root from 190.41.147.107
not allowed []
Mar 16 14:04:59 [myHostIP] sshd[4499]: input_userauth_request: invalid user root
Mar 16 14:05:00 [myHostIP] sshd[4499]: Received disconnect from
190.41.147.107: 11: Bye Bye
Mar 16 07:07:24 [myHostIP] sshd[4517]: Did not receive identification
string from 143.248.156.63
Mar 16 07:13:08 [myHostIP] sshd[4519]: Did not receive identification
string from 216.7.131.210
Mar 16 07:17:46 [myHostIP] sshd[4521]: Did not receive identification
string from 210.70.140.17
Mar 16 08:31:17 [myHostIP] sshd[4550]: User root from
mmpcr05.kaist.ac.kr not allowed []
Mar 16 15:31:17 [myHostIP] sshd[4551]: input_userauth_request: invalid user root


Thanks in advance for any input.


Syslogd should have an option for /etc/syslog.conf called keep_timestamp(no)

If you really want to use the syslog server's timestamp (to get your local time and thus eliminate time difference issues) instead of the one in the message, make sure you include this in your config file, and that should fix it.

BTW, I can't help but mention that LUARM (http://luarm.sourceforge.net/) does not suffer from these problems. Timing is a very important issue in log correlation. Syslog(-ng) is just a log aggregator and, as you see, the default settings are not always the best for response tools.

GM


--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
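The thread describes two things a defender can check for directly: a /var/log/secure file whose timestamps jump backwards by a whole number of hours (the signature of two sources writing in different zones), and a fail2ban-style findtime/maxretry window that fails to trip because the same attacker's attempts appear hours apart. The script below, added here as an illustration and not code from the thread or from fail2ban, parses classic BSD-syslog lines, reports backward time skips, infers the zone offset from them, shifts the out-of-zone lines back with a labelled heuristic, and shows the window count before and after. The sample log, hostname, PIDs, addresses (RFC 5737 ranges), and the year 2011 (syslog lines carry none) are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the /var/log/secure excerpt quoted in the thread;
# hostname, PIDs and addresses are made up. Lines 2 and 6 carry the "other zone" stamp.
SAMPLE_LOG = """\
Mar 16 07:04:59 host1 sshd[4498]: Failed password for invalid user root from 192.0.2.10 port 41022 ssh2
Mar 16 14:05:03 host1 sshd[4499]: Failed password for invalid user root from 192.0.2.10 port 41022 ssh2
Mar 16 07:05:07 host1 sshd[4500]: Failed password for invalid user root from 192.0.2.10 port 41022 ssh2
Mar 16 07:07:24 host1 sshd[4517]: Did not receive identification string from 198.51.100.7
Mar 16 08:31:17 host1 sshd[4550]: Failed password for invalid user admin from 203.0.113.5 port 5000 ssh2
Mar 16 15:31:17 host1 sshd[4551]: Failed password for invalid user admin from 203.0.113.5 port 5000 ssh2
"""

LOG_YEAR = 2011  # assumed: BSD-syslog stamps have no year; the thread is from March 2011

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    host: str
    prog: str
    pid: Optional[int]
    msg: str


def parse_log(text: str, year: int = LOG_YEAR) -> List[Entry]:
    """Parse classic BSD-syslog lines in file order; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["stamp"].split())  # collapse the padding in "Mar  6"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        pid = int(m["pid"]) if m["pid"] else None
        entries.append(Entry(ts, m["host"], m["prog"], pid, m["msg"]))
    return entries


def find_clock_skips(entries: List[Entry],
                     min_backwards: timedelta = timedelta(hours=1)) -> List[Tuple[int, int]]:
    """Return (index, hours) for every line whose stamp is at least min_backwards
    earlier than the line before it. A healthy syslog file is nearly monotonic, so a
    backward step of a round number of hours points at two zones sharing one file."""
    skips = []
    for i in range(1, len(entries)):
        delta = entries[i - 1].ts - entries[i].ts
        if delta >= min_backwards:
            skips.append((i, round(delta.total_seconds() / 3600)))
    return skips


def infer_offset(entries: List[Entry]) -> Optional[timedelta]:
    """Most common backward skip, in whole hours, or None if the file is monotonic."""
    skips = find_clock_skips(entries)
    if not skips:
        return None
    hours, _ = Counter(h for _, h in skips).most_common(1)[0]
    return timedelta(hours=hours)


def normalize(entries: List[Entry], offset: Optional[timedelta] = None,
              tolerance: timedelta = timedelta(minutes=15)) -> List[Entry]:
    """Heuristic (assumption, not a syslog feature): lines arrive in order, so a line
    whose stamp jumps forward by about `offset` from the previous corrected line is in
    the other zone and is shifted back. A quiet host with a genuine gap of ~offset
    would be mis-shifted; fixing the logger, as the reply advises, is the real cure."""
    if offset is None:
        offset = infer_offset(entries)
    if offset is None:
        return list(entries)
    out: List[Entry] = []
    for e in entries:
        ts = e.ts
        if out and ts - out[-1].ts >= offset - tolerance:
            ts -= offset
        out.append(replace(e, ts=ts))
    return out


def would_ban(entries: List[Entry], findtime: int = 600, maxretry: int = 3) -> Dict[str, bool]:
    """fail2ban-style verdict: an address is banned once maxretry failures fall inside
    any sliding window of findtime seconds (defaults mirror common sshd jail values)."""
    times = defaultdict(list)
    for e in entries:
        m = FAIL_RE.search(e.msg)
        if m:
            times[m["ip"]].append(e.ts)
    verdict = {}
    for ip, stamps in times.items():
        stamps.sort()
        banned, start = False, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned = True
                break
        verdict[ip] = banned
    return verdict


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for idx, hours in find_clock_skips(entries):
        print(f"line {idx + 1}: stamps run backwards by ~{hours}h (mixed time zones?)")
    print("raw       :", would_ban(entries))
    print("normalized:", would_ban(normalize(entries)))
```

Run against the constructed sample, the skip detector flags the third line (a 7-hour backward step), and the window count for 192.0.2.10 goes from 2 (no ban) on the raw stamps to 3 (ban) once the out-of-zone lines are shifted back; 203.0.113.5 stays under maxretry either way. The normalization is a triage aid for reading an already-mixed file; the fix for fail2ban is to make the logger write one consistent timestamp, which is what the keep_timestamp(no) advice in the reply is about.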

