[osiris] Setting up syslog
Anthony J. Biacco
thelittleprince at asteroid-b612.org
Fri Nov 2 18:22:28 EDT 2007
C:\winnt should exist on Windows NT 4.0, but not on Windows Server 2003 (which is in c:\windows). Make sure you're picking the
correct profile for your OS.
Which should be default.windowsserver2003 for windows 2003.
-Tony
--
Anthony J. Biacco
Senior Systems and Network Administrator
303-981-4955
-----Original Message-----
From: osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com
[mailto:osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com] On Behalf Of Gary Doran
Sent: Friday, November 02, 2007 4:03 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
I double checked on the event logs, logging does seem to be showing up
there. I have been changing the syslog facility trying to get syslog to
work. Just seemed to me like syslog was there to be used. Don't have any
unix servers here, kinda a waste to put one on just for this. The event
logs seem to be a bit of a mess to look through. Everything shows up as a
Event 0 in Osiris that Windows doesn't know how to process.
Since you are running NT 2003, maybe you can tell me what a 503, error
conducting stat on c:\winnt, then 503, error opening c:\winnt should be
telling me? I would think the OS is the first thing Osiris should be
monitoring.
-----Original Message-----
From: osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com
[mailto:osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com]
On Behalf Of Anthony J. Biacco
Sent: Friday, November 02, 2007 2:06 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
Then you got somethin' else goin' on that I can't really advise on, because
I get them all in the windows event log and my mhost
config is the same as yours.
My mgmt console is on windows server 2003 (using the windows exe).
Looking through the code though, it looks like if you're on windows, it uses
the event log, if you're on anything else, it writes to
syslog. You'd have to change the source and recompile to get it to force to
use syslog I think. Plus, you'd have to be able to
support the syslog() call, which unless you have an unix-emulator, it's not
gonna do.
Maybe run the mgmt console on a unix server then configure syslogd to
forward all its syslog messages to the box with GFI on it? I'm
just throwing stuff out here.
Maybe you don't have any unix servers to work with.
From osirismd/logging.c:

#ifdef WIN32
    lpszStrings[0] = buffer;

    if( event_source != NULL)
    {
        ReportEvent( event_source,              /* handle of event source */
                     EVENTLOG_INFORMATION_TYPE, /* event type */
                     0,                         /* event category */
                     0,                         /* event ID */
                     NULL,                      /* current user's SID */
                     1,                         /* strings in lpszStrings */
                     0,                         /* no bytes of raw data */
                     lpszStrings,               /* array of error strings */
                     NULL);                     /* no raw data */
    }
#else
    syslog( ( syslog_facility | LOG_INFO ), "%s", buffer );
#endif
-Tony
--
Anthony J. Biacco
Senior Systems and Network Administrator
303-981-4955
-----Original Message-----
From: osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com
[mailto:osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com] On
Behalf Of Gary Doran
Sent: Friday, November 02, 2007 12:56 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
Don't get any messages from Osiris in Windows Event log. Just get the email
notifications.
-----Original Message-----
From: osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com
[mailto:osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com]
On Behalf Of Anthony J. Biacco
Sent: Friday, November 02, 2007 1:50 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
Are you getting the other messages in the windows event log? e.g. The scan
notifications? Are you just not getting the comparison
logs?
-Tony
--
Anthony J. Biacco
Senior Systems and Network Administrator
303-981-4955
-----Original Message-----
From: osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com
[mailto:osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com] On
Behalf Of Gary Doran
Sent: Friday, November 02, 2007 12:11 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
Then what is the syslog facility config for? syslog facility: this is the
facility that the management console will use for all logs. Logs include
everything from the status of the management daemon, to communication with
agents, and scan comparison logs.
I am running Windows email, Osiris on Windows server, monitoring a Windows
server.
[ management config (localhost) ]
syslog_facility = DAEMON
control_port = 2266
http_port = 2267
http_host =
notify_email =
notify_smtp_host = 127.0.0.1
notify_smtp_port = 25
hosts_directory =
allow = 127.0.0.1
Is this correct (y/n)? y
>>> management host configuration has been saved.
osiris-4.0.5-release:
-----Original Message-----
From: osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com
[mailto:osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com]
On Behalf Of Anthony J. Biacco
Sent: Friday, November 02, 2007 12:42 PM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
I'm not aware of osiris being able to send the changelogs to
syslog/event_log. I've only seen the notification-of-scanning messages
in such places.
Off the top of my head, I would say if you really needed it, you could send
the changelogs to an email address that's an alias. Then
point the alias to a script which pipes the email message into syslog (very
easy if you use a unix email server and have the
'logger' util installed)
The script could be as simple as:
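#!/bin/sh
# Read the piped e-mail line by line and hand each line to syslog.
# IFS= and -r keep leading spaces and backslashes (e.g. c:\winnt) intact.
while IFS= read -r MYLINE
do
    printf '%s\n' "$MYLINE" | /usr/bin/logger
done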
-Tony
--
Anthony J. Biacco
Senior Systems and Network Administrator
303-981-4955
-----Original Message-----
From: osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com
[mailto:osiris-bounces+thelittleprince=asteroid-b612.org at lists.shmoo.com] On
Behalf Of Gary Doran
Sent: Friday, November 02, 2007 10:20 AM
To: 'Osiris Users'
Subject: Re: [osiris] Setting up syslog
I could use that, but nothing is being sent to the Windows Event log. Does
Brian not respond back to questions anymore, sent email but the email
bounced?
-----Original Message-----
From: osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com
[mailto:osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com]
On Behalf Of Hari Sekhon
Sent: Friday, November 02, 2007 11:03 AM
To: Osiris Users
Subject: Re: [osiris] Setting up syslog
I'm not sure about your implementation, but mine is running on linux so
my syslog is done by my standard logging.
I have not seen anything in the Osiris handbook about doing what you
want (but then the logging section is fairly small).
Try ntsyslog.
-h
Hari Sekhon
Gary Doran wrote:
> Then am I missing something? I thought that Osiris is supposed to be able
> to send change logs via syslog to a syslog server. Email notification is
> working fine but I need to be able to send changes to syslog server (along
> with other things) to comply with PCI requirements.
>
> -----Original Message-----
> From: osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com
> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com]
> On Behalf Of Hari Sekhon
> Sent: Friday, November 02, 2007 10:41 AM
> To: Osiris Users
> Subject: Re: [osiris] Setting up syslog
>
> I don't think so, try to get a windows event log -> syslog implementation.
>
> I've tried snare but found I preferred ntsyslog. More configurable and
> easily deployable.
>
> According to the handbook, the syslog_facility is to decide against
> which facility the logs should be recorded, so not exactly what you want...
>
> -h
>
> Hari Sekhon
>
>
>
> Gary Doran wrote:
>
>> I am running a Windows implementation. Should the syslog_facility be set to
>> ip address of where I want the syslog to be sent?
>>
>> -----Original Message-----
>> From: osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com
>> [mailto:osiris-bounces+gdoran=integritypaymentsystems.com at lists.shmoo.com]
>> On Behalf Of Hari Sekhon
>> Sent: Friday, November 02, 2007 10:20 AM
>> To: Osiris Users
>> Subject: Re: [osiris] Setting up syslog
>>
>> This is not the job of Osiris but of your logging implementation.
>>
>> Tell your syslog daemon on the management station to log to the GFI via
>> syslog, see the man page for your syslog.conf or equiv (I prefer syslog-ng).
>>
>> If you only want osiris stuff sent to GFI, use syslog-ng and filters.
>>
>> -h
>>
>> Hari Sekhon
>>
>>
>>
>> Gary Doran wrote:
>>
>>
>>> I need to setup Osiris to send all logging to GFI EventManager via
>>> syslog. GFI is listening on port 514 which is standard port. It is on
>>> the same computer as the Osiris Manager. Don't know if that makes any
>>> difference or not. Is there a way I can force a syslog message from
>>> Osiris to test things out?
>>>
>>> Gary
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> osiris mailing list
>>> osiris at lists.shmoo.com
>>> https://lists.shmoo.com/mailman/listinfo/osiris
>>>
>>>
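
Added example, not part of the original thread and not Osiris code: the thread asks how to force a test syslog message at a collector on port 514 and whether syslog_facility is a destination. The sketch below builds a BSD-syslog (RFC 3164) datagram in which the facility is only a number folded into the PRI field, and sends it over UDP. The function names, the "osiris-test" tag and the assumption that the collector accepts RFC 3164 over UDP are illustrative.

```python
import socket
import time

# Facility / severity codes of the BSD syslog protocol (RFC 3164).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def priority(facility, severity):
    """PRI = facility * 8 + severity; DAEMON with INFO gives 30."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[severity.lower()]


def build_message(facility, severity, tag, text, hostname=None, now=None):
    """Return one datagram: <PRI>Mmm dd hh:mm:ss host tag: text"""
    t = time.localtime(now)
    stamp = "%s %2d %02d:%02d:%02d" % (
        MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    host = hostname or socket.gethostname()
    # Flatten CR/LF so the text cannot be split into extra log records.
    text = text.replace("\r", " ").replace("\n", " ")
    line = "<%d>%s %s %s: %s" % (
        priority(facility, severity), stamp, host, tag, text)
    return line.encode("ascii", "replace")[:1024]  # RFC 3164 size limit


def send_test(collector, port=514, facility="daemon", severity="info",
              tag="osiris-test", text="constructed test message"):
    """Send one UDP test datagram to the collector; return the bytes sent."""
    data = build_message(facility, severity, tag, text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(data, (collector, port))
    return data


if __name__ == "__main__":
    # 127.0.0.1 because the collector in the thread runs on the same host.
    print(send_test("127.0.0.1"))
```

UDP gives no delivery confirmation, so success is confirmed on the collector side by finding the "osiris-test" record there.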