* setroubleshooter/sealert on central loghost?
@ 2007-07-31 14:50 Jan-Frode Myklebust
2007-07-31 18:19 ` Steve G
2007-08-02 14:15 ` Daniel J Walsh
0 siblings, 2 replies; 5+ messages in thread
From: Jan-Frode Myklebust @ 2007-07-31 14:50 UTC (permalink / raw)
To: selinux
We run a centralized syslog server, and separate all syslogged avc
into a separate log file. Is it possible to have setroubleshooter/sealert
use this log file ?
Also it would be nice if one could get the correct "Host Name" in
the setroubleshoot browser and alerts. Guess that will also have
to be added to the avc-log lines in some format. I tried faking it
with:
type=AVC msg=audit(1185725759.359:2945): avc: denied { search } for
pid=2077 hostname="my.hostname.com" comm="snmpd" name="fs" dev=proc
ino=4026531869 scontext=system_u:system_r:snmpd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
But the troubleshooter doesn't pick up the hostname. Any ideas?
-jf
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: setroubleshooter/sealert on central loghost?
2007-07-31 14:50 setroubleshooter/sealert on central loghost? Jan-Frode Myklebust
@ 2007-07-31 18:19 ` Steve G
2007-08-02 14:15 ` Daniel J Walsh
1 sibling, 0 replies; 5+ messages in thread
From: Steve G @ 2007-07-31 18:19 UTC (permalink / raw)
To: Jan-Frode Myklebust, selinux
>We run a centralized syslog server, and separate all syslogged avc
>into a separate log file. Is it possible to have setroubleshooter/sealert
>use this log file ?
setroubleshoot can be told to use a particular file for an analysis. It normally
does analysis using the realtime audit stream. So I suspect you'd have to
manually run the analysis.
That said, we are working on centrally logging the audit events and reworking
setroubleshoot to work off that new datastream including the host names so that
you can do analysis correctly per machine.
-Steve
* Re: setroubleshooter/sealert on central loghost?
2007-07-31 14:50 setroubleshooter/sealert on central loghost? Jan-Frode Myklebust
2007-07-31 18:19 ` Steve G
@ 2007-08-02 14:15 ` Daniel J Walsh
2007-08-05 20:57 ` Jan-Frode Myklebust
1 sibling, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2007-08-02 14:15 UTC (permalink / raw)
To: Jan-Frode Myklebust; +Cc: selinux
Jan-Frode Myklebust wrote:
> We run a centralized syslog server, and separate all syslogged avc
> into a separate log file. Is it possible to have setroubleshooter/sealert
> use this log file ?
>
> Also it would be nice if one could get the correct "Host Name" in
> the setroubleshoot browser and alerts. Guess that will also have
> to be added to the avc-log lines in some format. I tried faking it
> with:
>
> type=AVC msg=audit(1185725759.359:2945): avc: denied { search } for
> pid=2077 hostname="my.hostname.com" comm="snmpd" name="fs" dev=proc
> ino=4026531869 scontext=system_u:system_r:snmpd_t:s0
> tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
>
> But the troubleshooter doesn't pick up the hostname. Any ideas?
>
>
> -jf
>
If you keep the logs separate you can use sealert on the log files.
sealert -a logfile
* Re: setroubleshooter/sealert on central loghost?
2007-08-02 14:15 ` Daniel J Walsh
@ 2007-08-05 20:57 ` Jan-Frode Myklebust
2007-08-06 0:36 ` Steve G
0 siblings, 1 reply; 5+ messages in thread
From: Jan-Frode Myklebust @ 2007-08-05 20:57 UTC (permalink / raw)
To: SELinux
On 2007-08-02, Daniel J Walsh <dwalsh@redhat.com> wrote:
> If you keep the logs separate you can use sealert on the log files.
>
> sealert -a logfile
This kind of works if I add a "type=AVC" to the syslogged lines,
but sealert doesn't show the hostname of the host that sent the
AVC. Any ideas for how to get the "Host Name" field in the sealert
browser to show the hostname? What's the format sealert expects it
in?
If I can find the format, I can probably have syslog-ng insert
it into the log entries.
-jf
* Re: setroubleshooter/sealert on central loghost?
2007-08-05 20:57 ` Jan-Frode Myklebust
@ 2007-08-06 0:36 ` Steve G
0 siblings, 0 replies; 5+ messages in thread
From: Steve G @ 2007-08-06 0:36 UTC (permalink / raw)
To: Jan-Frode Myklebust, SELinux
>but sealert doesn't show the hostname of the host that sent the
>AVC. Any ideas for how to get the "Host Name" field in the sealert
>browser to show the hostname ?
Like I was saying, we are just starting to write the code that does this kind of
thing, so nothing anywhere expects it.
>What's the format sealert expects it on ?
The syntax for the field is likely to be node=computer. But its exact placement
and who adds it (auditd vs audispd) is not settled.
-Steve
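As an added example (not code from this thread, from setroubleshoot or from the audit project): a Python filter for the central loghost that rewrites syslog-forwarded kernel AVC lines into audit-record form, adding the "type=AVC" Jan-Frode found sealert -a needs and prefixing the sending host as the node= field Steve mentions, then splits the records per host so each host's file can be analysed separately. The syslog lines, hostnames and the "node=host type=AVC msg=..." placement are constructed assumptions; the thread itself says the placement of node= was not settled.

```python
import re

# Constructed sample input: what syslog-ng writes on the loghost when the
# kernel's AVC messages (old "audit(...): avc:" dmesg form) are forwarded.
# The first line reuses the AVC values quoted in the thread; the others are made up.
SYSLOG_LINES = """\
Jul 31 16:55:59 web01 kernel: audit(1185725759.359:2945): avc:  denied  { search } for  pid=2077 comm="snmpd" name="fs" dev=proc ino=4026531869 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
Jul 31 16:56:01 db02 kernel: audit(1185725761.102:118): avc:  denied  { read } for  pid=4410 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Jul 31 16:56:02 web01 cron[2211]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Syslog prefix (timestamp, host, "kernel:") followed by the raw AVC body.
SYSLOG_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) kernel: (?P<body>audit\(\d+\.\d+:\d+\): avc: .*)$'
)


def to_audit_record(line):
    """Return the line in audit-log form (node=host type=AVC msg=...),
    or None if it is not a kernel AVC message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Assumed layout: node= first, then the type= field sealert keys on.
    return 'node=%s type=AVC msg=%s' % (m.group('host'), m.group('body'))


def convert(text):
    """Convert every AVC line in a syslog text blob; drop everything else."""
    return [r for r in (to_audit_record(l) for l in text.splitlines()) if r]


def split_by_host(records):
    """Group converted records by the node= value so each host gets its own file."""
    by_host = {}
    for rec in records:
        host = rec.split(' ', 1)[0][len('node='):]
        by_host.setdefault(host, []).append(rec)
    return by_host


if __name__ == '__main__':
    for host, recs in sorted(split_by_host(convert(SYSLOG_LINES)).items()):
        path = 'avc-%s.log' % host
        with open(path, 'w') as fh:
            fh.write('\n'.join(recs) + '\n')
        print('%d AVC record(s) for %s; analyse with: sealert -a %s' % (len(recs), host, path))
```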