LogAnalysis
[logs] How to send an email using pipe method ? Sep 30 2007 09:55PM
Florent Gilain (florent gilain direct-energie com) (2 replies)
Hello all,

I have a little problem setting up my config file; here is the information I
can give you about my setup. I am trying to monitor failed PROFTPD login attempts:

/etc/logsurfer/logsurfer.conf:

'^([a-zA-Z]{3} [0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*) proftpd\[([0-9]+)\]: (.*) \(([0-9.]+)\[[0-9.]+\]\).*USER (.*) \(Login failed\): (.*)$' - - - 0
        exec "/bin/echo \"Session de PID $5 depuis l IP $7 - Login utilise $8 le $2 a $3 - Details : $9\" | /bin/mail -s \"\[$4\] Alerte de securite PROFTPD\" me (at) mycompany (dot) com [email concealed]"

tail /var/log/secure:

Sep 30 23:43:58 mx1 proftpd[13081]: mx1.de.lan (192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): Incorrect password.

cat /etc/logsurfer/logsurfer.log:

warning: logsurfer started as root

Session de PID 13081 depuis l IP 192.168.123.4 - Login utilise fgilain le Sep 30 a 23:43:58 - Details : Incorrect password.

PS: I run logsurfer like this:

[root@supervision root]# ps -edf | grep logsurf

root 25717 1 0 23:43 pts/0 00:00:00 /usr/local/bin/logsurfer -l 1855 -c /etc/logsurfer/logsurfer.conf -d /etc/logsurfer/logsurfer.dump -f -p /etc/logsurfer/logsurfer.pid /var/log/secure

But I never receive the email... did I miss something?

Thanks a lot

Florent

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
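To make the failure in the post concrete, the following Python script is an added example (it is neither part of the original post nor logsurfer's own code). It applies the post's regex to the log line shown, numbers the captures the way logsurfer does ($0 = whole input line, $1 = text matched by the rule, $2 onward = subexpressions, which is why the post's action reads $2 for the date even though it is the regex's first group, as the post's own logsurfer.log output confirms), expands the exec string, and shows the argv that an exec action hands to /bin/echo. Because exec starts the program itself rather than through a shell, the `|`, `/bin/mail` and everything after them arrive as arguments to echo, which is consistent with the echo text landing in logsurfer.log and no mail being sent. The script also shows the argv that logsurfer's pipe action would run instead (the mailer alone, with the matched line on its standard input) and, for anyone who wraps the command in `/bin/sh -c` instead, quotes the FTP username and error text, since both are chosen by the remote client. The recipient me@example.com stands in for the concealed address, and shlex.split stands in for logsurfer's own word splitting; both are assumptions.

```python
"""Model of how a logsurfer exec/pipe action sees the command built from a
matched proftpd failed-login line.  Added illustration, not logsurfer code.
"""
import re
import shlex

# Regex copied from the post, as a Python raw string.  Eight capture groups.
FAILED_LOGIN_RE = re.compile(
    r"^([a-zA-Z]{3} [0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*) "
    r"proftpd\[([0-9]+)\]: (.*) \(([0-9.]+)\[[0-9.]+\]\).*USER (.*) "
    r"\(Login failed\): (.*)$"
)

# Constructed sample line with the same shape as the one in the post.
SAMPLE_LINE = (
    "Sep 30 23:43:58 mx1 proftpd[13081]: mx1.de.lan "
    "(192.168.123.4[192.168.123.4]) - USER fgilain (Login failed): "
    "Incorrect password."
)

# The post's action string after logsurfer has stripped the outer quotes and
# the \" escapes.  The recipient address is an assumed placeholder.
RECIPIENT = "me@example.com"
EXEC_TEMPLATE = (
    '/bin/echo "Session de PID $5 depuis l IP $7 - Login utilise $8 le $2 a $3'
    ' - Details : $9" | /bin/mail -s "[$4] Alerte de securite PROFTPD" '
    + RECIPIENT
)


def match_fields(line):
    """Return logsurfer-style $N variables for a failed-login line, or None.

    Numbering follows logsurfer: $0 = whole input line, $1 = text matched by
    the rule's regex, $2..$9 = the subexpressions in order.
    """
    m = FAILED_LOGIN_RE.match(line)
    if m is None:
        return None
    fields = {"$0": line, "$1": m.group(0)}
    for i, value in enumerate(m.groups(), start=2):
        fields["$%d" % i] = value
    return fields


def expand(template, fields):
    """Substitute every $N in an action string (unknown N becomes empty)."""
    return re.sub(r"\$(\d)", lambda mo: fields.get("$" + mo.group(1), ""), template)


def exec_argv(template, fields):
    """argv an exec action runs: the expanded string is split into words and
    given to argv[0] directly.  No shell is involved, so '|' is just a word.
    (shlex.split is an assumed stand-in for logsurfer's own splitting.)"""
    return shlex.split(expand(template, fields))


def pipe_argv(fields):
    """What a pipe action would run instead: only the mailer.  logsurfer then
    writes the matched line ($0) to the mailer's standard input."""
    return ["/bin/mail", "-s", "[%s] Alerte de securite PROFTPD" % fields["$4"], RECIPIENT]


def sh_c_command(fields):
    """Command body for an exec "/bin/sh -c ..." variant.  $8 (USER) and $9
    (error text) are remote-controlled, so every field is shell-quoted."""
    body = "Session de PID %s depuis l IP %s - Login utilise %s - Details : %s" % (
        fields["$5"], fields["$7"], fields["$8"], fields["$9"])
    subject = "[%s] Alerte de securite PROFTPD" % fields["$4"]
    return "echo %s | /bin/mail -s %s %s" % (
        shlex.quote(body), shlex.quote(subject), shlex.quote(RECIPIENT))


if __name__ == "__main__":
    f = match_fields(SAMPLE_LINE)
    print("exec argv:", exec_argv(EXEC_TEMPLATE, f))
    print("pipe argv:", pipe_argv(f), "with stdin =", repr(f["$0"]))
    print("sh -c form:", sh_c_command(f))
```

Running it prints an exec argv whose second element is exactly the "Session de PID 13081 ..." text from the post's logsurfer.log, followed by `|`, `/bin/mail`, `-s`, the subject and the address as further echo arguments. The sh -c variant shows why quoting matters if a shell is introduced: a USER value such as `x;id` stays inside one quoted word instead of becoming a second command.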
Re: [logs] How to send an email using pipe method ? Oct 01 2007 03:52AM
Kerry Thompson (kerry crypt gen nz)
Re: [logs] How to send an email using pipe method ? Oct 01 2007 02:00AM
Daniel Cid (dcid ossec net)
Copyright 2010, SecurityFocus