List: osiris
Subject: Re: [osiris] Setting up syslog
From: "Anthony J. Biacco" <thelittleprince () asteroid-b612 ! org>
Date: 2007-11-05 16:49:13
Message-ID: 007a01c81fcb$d48901f0$02a7a8c0 () DecentrixInc ! local
Change "Directory c:\winnt" to "Directory c:\windows" then repush the config
-Tony
--
Anthony J. Biacco
Senior Systems and Network Administrator
303-981-4955
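The fix above (point the Directory block at c:\windows and push the config again) is worth checking mechanically before every push, because a path that does not exist on the agent only surfaces later as the 503 stat/open errors quoted further down. The following is an added example, not Osiris code and not from anyone in this thread: a small Python script that parses the <Directory ...> blocks of a scan config, reports any path that does not exist, and rewrites one path. It accepts only the config subset visible in the thread (one directive per line, # comments, <Directory path> ... </Directory>); the sample config is constructed from the thread's default.windowsserver2003, and the `exists` callback is a stand-in for a check run on the agent host.

```python
"""Check the <Directory ...> blocks of an Osiris scan config before pushing it.

Added example, not part of the Osiris project. The grammar handled here is the
subset shown in the thread: one directive per line, '#' comments, and
<Directory path> ... </Directory> blocks.
"""
import os
import re
from typing import Callable, List, Optional, Tuple

_DIR_OPEN = re.compile(r"^<Directory\s+(.+?)>\s*$", re.IGNORECASE)
_DIR_CLOSE = re.compile(r"^</Directory>\s*$", re.IGNORECASE)


def directory_blocks(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, path) for every <Directory ...> opener.

    Raises ValueError on an unbalanced or nested block so that a broken
    config is refused instead of being pushed to agents.
    """
    blocks: List[Tuple[int, str]] = []
    open_at: Optional[int] = None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = _DIR_OPEN.match(line)
        if opener:
            if open_at is not None:
                raise ValueError(f"line {lineno}: nested <Directory> (opened at line {open_at})")
            open_at = lineno
            blocks.append((lineno, opener.group(1).strip()))
            continue
        if _DIR_CLOSE.match(line):
            if open_at is None:
                raise ValueError(f"line {lineno}: </Directory> without an opener")
            open_at = None
    if open_at is not None:
        raise ValueError(f"line {open_at}: <Directory> never closed")
    return blocks


def missing_directories(config_text: str,
                        exists: Callable[[str], bool] = os.path.isdir) -> List[Tuple[int, str]]:
    """Directory paths that `exists` reports absent.

    `exists` is injectable because the management console's own filesystem
    says nothing about the agent's: pass a lookup built from a path list
    captured on the agent when the two hosts differ.
    """
    return [(n, p) for n, p in directory_blocks(config_text) if not exists(p)]


def rewrite_directory(config_text: str, old: str, new: str) -> str:
    """Replace the path of one <Directory ...> opener (case-insensitive, since
    Windows paths are), leaving every other line untouched."""
    out = []
    for raw in config_text.splitlines():
        opener = _DIR_OPEN.match(raw.strip())
        if opener and opener.group(1).strip().lower() == old.lower():
            out.append(f"<Directory {new}>")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: the relevant lines of default.windowsserver2003 as quoted
# in the thread, shortened.
SAMPLE_CONFIG = """\
# Default Configuration for Windows 2003 Advanced Server
Recursive no
Hash md5
<Directory c:\\winnt>
Recursive yes
Include suffix("exe")
ExcludeAll
</Directory>
<Directory C:\\Program Files>
Recursive yes
Include suffix("dll")
ExcludeAll
</Directory>
"""

if __name__ == "__main__":
    # Stand-in for a Windows Server 2003 agent: c:\windows exists, c:\winnt does not.
    present = {"c:\\windows", "c:\\program files"}
    for lineno, path in missing_directories(SAMPLE_CONFIG, exists=lambda p: p.lower() in present):
        print(f"line {lineno}: {path} does not exist on the target; the agent would log 503 stat errors")
    print(rewrite_directory(SAMPLE_CONFIG, "c:\\winnt", "c:\\windows"))
```

On the management console, run it against the file in c:\windows\osiris\configs with the default exists=os.path.isdir only when console and agent run the same OS; otherwise feed it a path list taken from the agent.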
-----Original Message-----
From: osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com
[mailto:osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com] On Behalf Of Gary Doran
Sent: Monday, November 05, 2007 9:23 AM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
Thanks for the information. Based on scan config, I would think that this
is set already.
compare time: Sun Nov 04 20:00:31 2007
host: IPS-CFS
scan config: default.windowsserver2003 (63f6bd00)
log file: no log file generated, see system log.
base database: 7
compare database: 8
Maybe I need to change the default configuration of
default.windowsserver2003 ?
# Default Configuration for Windows 2003 Advanced Server
Recursive no
FollowLinks no
IncludeAll
Hash md5
<System>
Include mod_users
Include mod_groups
Include mod_kmods
</System>
<Directory c:\winnt>
Recursive yes
NoEntry temp
NoEntry system32\cache
NoEntry system32\dllcache
Include suffix("exe")
Include suffix("dll")
Include suffix("com")
Include suffix("conf")
Include suffix("sys")
Include suffix("pif")
Include suffix("inf")
Include suffix("dev")
Include suffix("ocr")
Include suffix("ocx")
ExcludeAll
</Directory>
<Directory C:\Program Files>
Recursive yes
Include suffix("exe")
Include suffix("dll")
Include suffix("com")
Include suffix("conf")
Include suffix("ini")
Include suffix("sys")
Include suffix("pif")
Include suffix("inf")
Include suffix("pnf")
ExcludeAll
</Directory>
# EOF
-----Original Message-----
From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
[mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
On Behalf Of Anthony J. Biacco
Sent: Friday, November 02, 2007 9:48 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
On the management computer. Edit the config file manually (usually in
c:\windows\osiris\configs) or directly through the mgmt. interface. Then do
a 'host <hostname>' and 'push-config' from the mgmt. interface, for every
<hostname> that runs that particular config you changed.
-Tony
----------------------------------------
Anthony J. Biacco
Senior Systems and Network Administrator
303-981-4955
> -----Original Message-----
> From: osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com
> [mailto:osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com] On Behalf Of Gary Doran
> Sent: Friday, November 02, 2007 4:35 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
> I'm assuming this needs to be done on the agent computer, not the management
> computer?
>
>
> -----Original Message-----
> From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> On Behalf Of Anthony J. Biacco
> Sent: Friday, November 02, 2007 5:22 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
>
> C:\winnt should exist on Windows NT 4.0, but not on Windows Server 2003
> (which is in c:\windows). Make sure you're picking the correct profile for
> your OS, which should be default.windowsserver2003 for Windows 2003.
>
> -Tony
> --
> Anthony J. Biacco
> Senior Systems and Network Administrator
> 303-981-4955
>
> -----Original Message-----
> From: osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com
> [mailto:osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com] On
> Behalf Of Gary Doran
> Sent: Friday, November 02, 2007 4:03 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
> I double checked on the event logs, logging does seem to be showing up
> there. I have been changing the syslog facility trying to get syslog to
> work. Just seemed to me like syslog was there to be used. Don't have any
> unix servers here, kind of a waste to put one on just for this. The event
> logs seem to be a bit of a mess to look through. Everything shows up as
> Event 0 in Osiris that Windows doesn't know how to process.
>
> Since you are running NT 2003, maybe you can tell me what a 503, error
> conducting stat on c:\winnt, then 503, error opening c:\winnt should be
> telling me? I would think the OS is the first thing Osiris should be
> monitoring.
>
> -----Original Message-----
> From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> On Behalf Of Anthony J. Biacco
> Sent: Friday, November 02, 2007 2:06 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
>
> Then you've got somethin' else goin' on that I can't really advise on,
> because I get them all in the Windows event log and my mhost config is the
> same as yours. My mgmt console is on Windows Server 2003 (using the Windows
> exe).
>
> Looking through the code though, it looks like if you're on Windows, it uses
> the event log; if you're on anything else, it writes to syslog. You'd have
> to change the source and recompile to force it to use syslog, I think. Plus,
> you'd have to be able to support the syslog() call, which unless you have a
> unix emulator, it's not gonna do.
>
> Maybe run the mgmt console on a unix server, then configure syslogd to
> forward all its syslog messages to the box with GFI on it? I'm just throwing
> stuff out here. Maybe you don't have any unix servers to work with.
>
>
> From osirismd/logging.c:
> #ifdef WIN32
>     lpszStrings[0] = buffer;
>
>     if( event_source != NULL)
>     {
>         ReportEvent( event_source,              /* handle of event source */
>                      EVENTLOG_INFORMATION_TYPE, /* event type */
>                      0,                         /* event category */
>                      0,                         /* event ID */
>                      NULL,                      /* current user's SID */
>                      1,                         /* strings in lpszStrings */
>                      0,                         /* no bytes of raw data */
>                      lpszStrings,               /* array of error strings */
>                      NULL);                     /* no raw data */
>     }
> #else
>     syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
> #endif
>
>
> -Tony
> --
> Anthony J. Biacco
> Senior Systems and Network Administrator
> 303-981-4955
>
> -----Original Message-----
> From: osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com
> [mailto:osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com] On
> Behalf Of Gary Doran
> Sent: Friday, November 02, 2007 12:56 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
> Don't get any messages from Osiris in Windows Event log. Just get the email
> notifications.
>
> -----Original Message-----
> From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> On Behalf Of Anthony J. Biacco
> Sent: Friday, November 02, 2007 1:50 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
>
> Are you getting the other messages in the windows event log? e.g. the scan
> notifications? Are you just not getting the comparison logs?
>
> -Tony
> --
> Anthony J. Biacco
> Senior Systems and Network Administrator
> 303-981-4955
>
> -----Original Message-----
> From: osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com
> [mailto:osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com] On
> Behalf Of Gary Doran
> Sent: Friday, November 02, 2007 12:11 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
> Then what is the syslog facility config for? "syslog facility: this is the
> facility that the management console will use for all logs. Logs include
> everything from the status of the management daemon, to communication with
> agents, and scan comparison logs."
>
> I am running Windows email, Osiris on Windows server, monitoring a Windows
> server.
>
> [ management config (localhost) ]
>
> syslog_facility = DAEMON
> control_port = 2266
> http_port = 2267
> http_host =
> notify_email =
> notify_smtp_host = 127.0.0.1
> notify_smtp_port = 25
> hosts_directory =
> allow = 127.0.0.1
>
> Is this correct (y/n)? y
> >>> management host configuration has been saved.
> osiris-4.0.5-release:
> -----Original Message-----
> From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> On Behalf Of Anthony J. Biacco
> Sent: Friday, November 02, 2007 12:42 PM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
>
> I'm not aware of osiris being able to send the changelogs to
> syslog/event_log. I've only seen the notification-of-scanning messages in
> such places.
> Off the top of my head, I would say if you really needed it, you could send
> the changelogs to an email address that's an alias, then point the alias to
> a script which pipes the email message into syslog (very easy if you use a
> unix email server and have the 'logger' util installed).
> The script could be as simple as:
>
> #!/bin/sh
> # Read the piped e-mail line by line and hand each line to syslog.
> # -r keeps backslashes (Windows paths) intact; quoting keeps whitespace and
> # stops the shell from expanding anything in the message text.
> while read -r MYLINE
> do
>     printf '%s\n' "$MYLINE" | /usr/bin/logger
> done
>
> -Tony
> --
> Anthony J. Biacco
> Senior Systems and Network Administrator
> 303-981-4955
>
> -----Original Message-----
> From: osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com
> [mailto:osiris-bounces+thelittleprince=asteroid-b612.org@lists.shmoo.com] On
> Behalf Of Gary Doran
> Sent: Friday, November 02, 2007 10:20 AM
> To: 'Osiris Users'
> Subject: Re: [osiris] Setting up syslog
>
> I could use that, but nothing is being sent to the Windows Event log. Does
> Brian not respond to questions anymore? I sent an email but it bounced.
>
> -----Original Message-----
> From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> On Behalf Of Hari Sekhon
> Sent: Friday, November 02, 2007 11:03 AM
> To: Osiris Users
> Subject: Re: [osiris] Setting up syslog
>
> I'm not sure about your implementation, but mine is running on linux so
> my syslog is done by my standard logging.
>
> I have not seen anything in the Osiris handbook about doing what you
> want (but then the logging section is fairly small).
>
> Try ntsyslog.
>
> -h
>
> Hari Sekhon
>
>
>
> Gary Doran wrote:
> > Then am I missing something? I thought that Osiris is supposed to be able
> > to send change logs via syslog to a syslog server. Email notification is
> > working fine but I need to be able to send changes to a syslog server
> > (along with other things) to comply with PCI requirements.
> >
> > -----Original Message-----
> > From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> > [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> > On Behalf Of Hari Sekhon
> > Sent: Friday, November 02, 2007 10:41 AM
> > To: Osiris Users
> > Subject: Re: [osiris] Setting up syslog
> >
> > I don't think so, try to get a windows event log -> syslog implementation.
> >
> > I've tried snare but found I preferred ntsyslog. More configurable and
> > easily deployable.
> >
> > According to the handbook, the syslog_facility is to decide against
> > which facility the logs should be recorded, so not exactly what you want...
> >
> > -h
> >
> > Hari Sekhon
> >
> >
> >
> > Gary Doran wrote:
> >
> >> I am running a Windows implementation. Should the syslog_facility be set
> >> to the IP address of where I want the syslog to be sent?
> >>
> >> -----Original Message-----
> >> From: osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com
> >> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com@lists.shmoo.com]
> >> On Behalf Of Hari Sekhon
> >> Sent: Friday, November 02, 2007 10:20 AM
> >> To: Osiris Users
> >> Subject: Re: [osiris] Setting up syslog
> >>
> >> This is not the job of Osiris but of your logging implementation.
> >>
> >> Tell your syslog daemon on the management station to log to the GFI via
> >> syslog, see the man page for your syslog.conf or equiv (I prefer
> >> syslog-ng).
> >> If you only want osiris stuff sent to GFI, use syslog-ng and filters.
> >>
> >> -h
> >>
> >> Hari Sekhon
> >>
> >>
> >>
> >> Gary Doran wrote:
> >>
> >>
> >>> I need to set up Osiris to send all logging to GFI EventManager via
> >>> syslog. GFI is listening on port 514, which is the standard port. It is
> >>> on the same computer as the Osiris Manager. Don't know if that makes any
> >>> difference or not. Is there a way I can force a syslog message from
> >>> Osiris to test things out?
> >>>
> >>> Gary
> >>>
> >>>
> >>> _______________________________________________
> >>> osiris mailing list
> >>> osiris@lists.shmoo.com
> >>> https://lists.shmoo.com/mailman/listinfo/osiris
> >>>
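Several messages above converge on the same workaround: Osiris on Windows writes to the Event Log (the ReportEvent branch of logging.c) and only calls syslog() elsewhere, so getting change reports to a collector on 514 means either an event-log-to-syslog forwarder or piping the notification e-mail into syslog, as in the 'logger' loop. The following is an added example, not part of Osiris and not from anyone in this thread: a Python relay that reads one notification e-mail on stdin (from a mail alias) and sends the subject plus each body line as RFC 3164 datagrams to the collector. Unlike the 'logger' loop it needs no logger(1), so it also runs on a Windows mail host, and it sets the DAEMON facility itself. The collector address, the 'osiris' tag and the sample e-mail are assumptions; GFI listening on UDP 514 is from the thread.

```python
"""Relay an Osiris notification e-mail to a syslog collector over UDP.

Added example, not part of Osiris. Feed it one raw RFC 822 message on stdin,
e.g. from a mail alias that pipes to this script. The collector host/port and
the 'osiris' tag are assumptions; adjust them for your site.
"""
import email
import email.policy
import socket
import sys
import time
from typing import Callable, List, Optional

# RFC 3164 facility and severity codes (DAEMON is what the thread's
# management config names as syslog_facility).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
MAX_PACKET = 1024  # RFC 3164 packet size limit


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. daemon.info -> 30."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def syslog_packet(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, when: Optional[float] = None, utc: bool = False) -> bytes:
    """Build one RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    Control characters are dropped so a line taken from an e-mail cannot
    inject a fake second record or terminal escapes into the collector, and
    the result is truncated to the RFC limit.
    """
    t = time.gmtime(when) if utc else time.localtime(when)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                       t.tm_hour, t.tm_min, t.tm_sec)
    clean = "".join(ch for ch in msg if " " <= ch and ch != "\x7f")
    packet = f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {clean}"
    return packet.encode("utf-8")[:MAX_PACKET]


def email_to_lines(raw: bytes) -> List[str]:
    """Subject first, then every non-empty line of the text/plain body."""
    m = email.message_from_bytes(raw, policy=email.policy.default)
    lines = ["subject=" + str(m["subject"] or "")]
    body = m.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines.extend(l.strip() for l in text.splitlines() if l.strip())
    return lines


def relay(raw: bytes, send: Callable[[bytes], None], hostname: str = "osiris-mgmt",
          tag: str = "osiris", facility: str = "daemon", severity: str = "info") -> int:
    """Send every line of the e-mail as its own datagram; returns the count."""
    count = 0
    for line in email_to_lines(raw):
        send(syslog_packet(facility, severity, hostname, tag, line))
        count += 1
    return count


def udp_sender(host: str, port: int = 514) -> Callable[[bytes], None]:
    """Return a send() bound to the collector; nothing leaves the host until
    it is called, so importing this module has no side effects."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda packet: sock.sendto(packet, (host, port))


# Constructed sample notification: the header lines are the ones quoted in the
# thread; the "changed:" line is made up, since the exact report format is not
# shown on the page.
SAMPLE_EMAIL = b"""\
From: osiris@localhost
To: syslog-relay@localhost
Subject: [osiris][IPS-CFS] change report

compare time: Sun Nov 04 20:00:31 2007
host: IPS-CFS
changed: c:\\windows\\system32\\drivers\\etc\\hosts
"""

if __name__ == "__main__":
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_EMAIL
    # Collector address is an assumption: GFI on the same box as the console.
    sent = relay(raw, udp_sender("127.0.0.1", 514), hostname=socket.gethostname())
    print(f"relayed {sent} line(s)")
```

Point the notify_email address in the management config at an alias that pipes to this script; one datagram per line keeps each record under the 1024-byte limit and lets the collector filter on the "osiris:" tag. Plain UDP syslog is unauthenticated and unencrypted, so keep it on a trusted segment or loopback, as in the thread where GFI shares the console host.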