Log Samples from Solaris 8/9

Solaris 8/9 does not include the source host name in its syslog messages, so you cannot forward Solaris syslog messages directly to OSSEC: its syslog decoders expect the host name to be present.

The Problem: it lies in the way Solaris 8/9 formats its syslog messages. Take the following sample message:

Aug  2 11:49:23 su: [ID 366847 auth.info] 'su root' succeeded for root on /dev/console

This message is missing the source host name. RFC 3164 places the HOSTNAME between the timestamp and the syslog TAG (here "su:"), so the correct form of the message is:

Aug  2 11:49:23 mymaschine su: [ID 366847 auth.info] 'su root' succeeded for root on /dev/console

To make the messages RFC 3164 compliant, set up syslog-ng to receive them from the Solaris hosts and forward them to OSSEC: when a message arrives without a host name, syslog-ng inserts the sender's host name, which is what OSSEC needs. Both syslog-ng and OSSEC listen on UDP port 514 by default, so change the receiving port of one of them or they will collide.
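The same repair done by hand, as an added example (not code from this page, from OSSEC or from syslog-ng): a small UDP relay that detects a Solaris line whose TAG follows the timestamp directly, inserts the sender's host name in the HOSTNAME position, and forwards the result to OSSEC. The port numbers, the host names and the two sample lines are assumptions constructed for the example.

```python
"""Insert the missing RFC 3164 HOSTNAME into Solaris 8/9 syslog lines.

Added example (not code from the original page, OSSEC or syslog-ng): a
small UDP relay that does the job described above in Python.  Host names,
port numbers and the sample lines are constructed for the example; the
relay takes the host name from the sending address.
"""
import re
import socket

# Optional "<PRI>" prefix, then the RFC 3164 TIMESTAMP ("Mmm dd hh:mm:ss", day
# space-padded as in "Aug  2"), then whatever follows.
_HEADER = re.compile(
    r"^(?P<pri><\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<rest>.*)$"
)
# A syslog TAG sitting directly after the timestamp, i.e. where the HOSTNAME
# should be: "su: ..." or "sendmail[20512]: ...".  A host name is followed by a
# space, never by ":" or "[pid]:", so a match here means the host name is missing.
_BARE_TAG = re.compile(r"^[^\s:\[\]]+(?:\[\d+\])?: ")


def hostname_missing(rest: str) -> bool:
    """True when the text after the timestamp begins with a TAG instead of a HOSTNAME."""
    return _BARE_TAG.match(rest) is not None


def normalize_line(line: str, sender: str) -> str:
    """Return `line` with `sender` inserted as HOSTNAME when it is missing.

    Lines that already carry a host name, or that do not start with a syslog
    timestamp, come back unchanged.  Caveat: a line with no TAG at all, such as
    "last message repeated 3 times", looks like it already has a host name and
    is also left alone.
    """
    m = _HEADER.match(line)
    if m is None or not hostname_missing(m.group("rest")):
        return line
    pri = m.group("pri") or ""
    return f"{pri}{m.group('ts')} {sender} {m.group('rest')}"


def sender_name(addr: str, resolver=socket.gethostbyaddr) -> str:
    """Short host name for the sending address, falling back to the address itself.

    Reverse DNS is only as trustworthy as the zone that serves it; in
    production prefer a static map of known Solaris senders to names.
    """
    try:
        fqdn = resolver(addr)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return addr
    return fqdn.split(".")[0]


def relay(listen_port: int = 5140, ossec_host: str = "127.0.0.1", ossec_port: int = 514) -> None:
    """Receive raw Solaris syslog on listen_port, fix the header, forward to OSSEC.

    Ports are assumptions.  This relay and OSSEC's own syslog listener cannot
    both bind UDP 514 on the same address, hence the separate listen_port.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (addr, _port) = rx.recvfrom(8192)
        line = data.decode("latin-1").rstrip("\r\n")
        fixed = normalize_line(line, sender_name(addr))
        tx.sendto(fixed.encode("latin-1"), (ossec_host, ossec_port))


# Constructed sample lines (after the page's example): one without and one with a host name.
SAMPLE_BARE = "Aug  2 11:49:23 su: [ID 366847 auth.info] 'su root' succeeded for root on /dev/console"
SAMPLE_FULL = "Aug  2 11:49:23 mymaschine su: [ID 366847 auth.info] 'su root' succeeded for root on /dev/console"

if __name__ == "__main__":
    print(normalize_line(SAMPLE_BARE, "mymaschine"))
    print(normalize_line(SAMPLE_FULL, "mymaschine"))  # already complete, unchanged
```

The relay keys on the structure of the line rather than on the sender, so a message that already carries a host name (for instance one that has passed through another relay) is not given a second one.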

SU:

Dec 12 00:00:00 machinename su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???

Dec 12 00:23:28 machinename su: [ID 366847 auth.info] 'su oracle' failed for root on /dev/???

SENDMAIL:

Dec 12 00:00:02 machinename sendmail[20512]: [ID 801593 mail.info] kBC502520512: from=root, size=301, class=0, nrcpts=1, msgid=<200612120500.kBC502520512@name.domain.com>, relay=root@localhost

Dec 12 00:00:03 machinename sendmail[20514]: [ID 801593 mail.info] kBC502520512: to=root, ctladdr=root (0/1), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=120301, relay=local, dsn=2.0.0, stat=Sent

SSHD:

Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] User blablabla not allowed because account is locked

Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] Failed none for invalid user blablabla from 192.168.0.1 port 40410 ssh2

Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] Failed password for invalid user blablabla from 192.168.0.1 port 40410 ssh2

Dec 12 09:33:48 machinename sshd[18195]: [ID 800047 auth.info] Failed keyboard-interactive for blablabla from 192.168.0.1 port 1530 ssh2

Dec 12 09:33:50 machinename sshd[18195]: [ID 800047 auth.info] Accepted password for blablabla from 192.168.0.1 port 1530 ssh2

Dec 12 23:59:54 machinename sshd[24191]: [ID 800047 auth.info] User blablabla not allowed because account is locked

Dec 12 09:33:25 machinename sshd[18094]: [ID 800047 auth.info] User blablabla password has expired (root forced)

Dec 12 01:30:04 machinename sshd[11819]: [ID 800047 auth.info] Accepted publickey for blablabla from 192.168.0.1 port 4527 ssh2

Dec 12 01:30:04 machinename sshd[11821]: [ID 800047 auth.info] subsystem request for sftp

Dec 12 01:30:06 machinename sshd[15907]: [ID 800047 auth.info] Postponed publickey for blablabla from 192.168.0.1 port 4528 ssh2

Dec 12 08:00:03 machinename sshd[3399]: [ID 800047 auth.info] Authentication tried for root with correct key but not from a permitted host (host=hostname, ip=10.11.10.8).

FTP:

Dec 12 01:09:29 machinename inetd[301]: [ID 317013 daemon.notice] ftp[8378] from 192.168.0.1 25143

Dec 12 01:22:23 machinename inetd[301]: [ID 317013 daemon.notice] ftp[10504] from 192.168.0.1 6719

IN.FTPD:

Dec 12 01:09:29 machinename in.ftpd[8378]: [ID 373804 daemon.info] connection from name.domain.com at Tue Dec 12 01:09:29 2006

Dec 12 01:22:24 machinename in.ftpd[10504]: [ID 373804 daemon.info] connection from name.domain.com at Tue Dec 12 01:22:24 2006

NAMED-XFER:

Dec 12 02:23:45 machinename named-xfer[9924]: [ID 140103 daemon.info] send AXFR query 0 to 192.168.0.1

Dec 12 03:13:10 machinename named-xfer[368]: [ID 140103 daemon.info] send AXFR query 0 to 192.168.0.1

NAMED:

Dec 12 03:13:10 machinename named[311]: [ID 295310 local2.warning] default: warning: owner name "name.domain.com" IN (secondary) is invalid - proceeding anyway

LIMDAEMON:

Dec 12 07:27:49 machinename limdaemon: [ID 701944 user.notice] login by blablabla (pid=24835,cost=1)

Dec 12 07:27:52 machinename limdaemon: [ID 709948 user.notice] logout by blablabla (pid=24835)

PROFTPD:

Dec 12 07:40:32 machinename proftpd[16601]: [ID 567783 daemon.info] qcdevasq (name.domain.com[192.168.0.1]) - FTP session opened.

Dec 12 07:40:32 machinename proftpd[16601]: [ID 567783 auth.notice] qcdevasq (name.domain.com[192.168.0.1]) - USER blablabla: Login successful.

Dec 12 07:40:32 machinename proftpd[16601]: [ID 567783 daemon.info] qcdevasq (name.domain.com[192.168.0.1]) - FTP session closed.

Dec 12 09:33:46 machinename proftpd[20958]: [ID 567783 daemon.info] qcmtlasi (name.domain.com[192.168.0.1]) - FTP session closed.

FTPD:

Dec 12 07:41:11 machinename ftpd[10209]: [ID 210975 daemon.info] ANONYMOUS FTP LOGIN FROM name.domain.com [192.168.0.1], blablabla

LOGIN:

Dec 12 08:43:50 machinename login: [ID 507249 auth.notice] Login failure on /dev/pts/7 from name.domain.com, blablabla

BSM:

Some information about BSM:

http://seclab.cs.ucdavis.edu/projects/misuse/prototypes/bsm.html
http://abelew.web.wesleyan.edu/bsmaudit1.html

Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted text booting kernel
Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet failed session 2740580090 by root as root:root from 1.254.168.192
Nov 21 15:16:34 unknown audit: [ID 120101 audit.notice] login - telnet failed session 1843523234 by -1 as -1:-1 from 1.254.168.192
Nov 21 15:37:24 unknown audit: [ID 338777 audit.notice] login - telnet failed session 3312149268 by root as root:root from 1.254.168.192
Nov 21 15:43:26 unknown audit: [ID 905220 audit.notice] system booted text booting kernel
Nov 21 15:44:11 unknown audit: [ID 216919 audit.notice] login - local ok session 627 by root as root:root from pc1305a.etri.re.kr text
Nov 21 15:45:14 unknown audit: [ID 866727 audit.notice] su ok session 3668504681 by kanthi as root:other from 1.254.168.192 text success for user root
Nov 21 15:49:34 unknown audit: [ID 702844 audit.notice] su ok session 2714481116 by kanthi as root:other from 1.254.168.192 text success for user root
Nov 21 15:50:35 unknown audit: [ID 816908 audit.notice] ftp access failed session 858 by root as root:root from 1.254.168.192 text excluded user
Nov 21 15:50:37 unknown audit: [ID 887505 audit.notice] ftp access failed session 858 by root as root:root from 1.254.168.192 text misc failure
Nov 21 16:04:32 unknown audit: [ID 905220 audit.notice] system booted text booting kernel
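As an added example (not OSSEC's decoders or rules), the following script pulls user, outcome and source out of the su, sshd, login and BSM audit samples above and runs two simple detections over them: failures per source, and a successful login that follows repeated failures from the same source. The sample lines are copied from this page; the thresholds are assumptions.

```python
"""Auth-event classification over the Solaris 8/9 samples on this page.

Added example, not OSSEC's decoders or rules.  The sample lines are copied
from the page (order preserved); thresholds are assumptions.
"""
import re
from collections import Counter

# RFC 3164 header with the host name present, as the samples on this page have
# it, followed by the Solaris "[ID nnnnnn facility.level]" marker and the text.
_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?:\[ID \d+ [a-z0-9]+\.[a-z]+\] )?(?P<msg>.*)$"
)

# (program, pattern over the message text, fixed outcome or None when the
# pattern's "result" group decides).  The source is whatever the daemon
# recorded: an IP for sshd and BSM, a host name for login(1).
_RULES = [
    ("sshd", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"), "failure"),
    ("sshd", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port"), "success"),
    ("sshd", re.compile(r"^User (?P<user>\S+) not allowed because account is locked"), "failure"),
    ("su", re.compile(r"^'su (?P<user>\S+)' (?P<result>succeeded|failed) for \S+ on "), None),
    ("login", re.compile(r"^Login failure on \S+ from (?P<src>\S+), (?P<user>\S+)"), "failure"),
    ("audit", re.compile(r"^(?:login - \S+|su|ftp access) (?P<result>ok|failed) session \d+ "
                         r"by (?P<user>\S+) as \S+ from (?P<src>\S+)"), None),
]


def classify(line):
    """Return {host, prog, outcome, user, src} for a recognised line, else None."""
    h = _HEADER.match(line)
    if h is None:
        return None
    for prog, pattern, outcome in _RULES:
        if h.group("prog") != prog:
            continue
        m = pattern.match(h.group("msg"))
        if m is None:
            continue
        g = m.groupdict()
        if g.get("result") is not None:
            outcome = "failure" if g["result"] == "failed" else "success"
        return {"host": h.group("host"), "prog": prog, "outcome": outcome,
                "user": g.get("user"), "src": g.get("src")}
    return None


def failures_by_source(lines):
    """Count authentication failures per recorded source (events without a source are skipped)."""
    counts = Counter()
    for ev in map(classify, lines):
        if ev and ev["outcome"] == "failure" and ev["src"]:
            counts[ev["src"]] += 1
    return counts


def flag_sources(lines, threshold=2):
    """Sources with at least `threshold` failures, sorted (the threshold is an assumption)."""
    return sorted(s for s, n in failures_by_source(lines).items() if n >= threshold)


def success_after_failures(lines, min_failures=2):
    """(src, user) for every success preceded, in log order, by at least
    min_failures failures from the same source: the guess-then-login pattern."""
    seen = Counter()
    hits = []
    for ev in map(classify, lines):
        if not ev or not ev["src"]:
            continue
        if ev["outcome"] == "failure":
            seen[ev["src"]] += 1
        elif seen[ev["src"]] >= min_failures:
            hits.append((ev["src"], ev["user"]))
    return hits


# Copied from the samples on this page, in log order.
SAMPLES = [
    "Dec 12 00:00:00 machinename su: [ID 366847 auth.info] 'su oracle' succeeded for root on /dev/???",
    "Dec 12 00:23:28 machinename su: [ID 366847 auth.info] 'su oracle' failed for root on /dev/???",
    "Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] User blablabla not allowed because account is locked",
    "Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] Failed none for invalid user blablabla from 192.168.0.1 port 40410 ssh2",
    "Dec 12 00:10:55 machinename sshd[21698]: [ID 800047 auth.info] Failed password for invalid user blablabla from 192.168.0.1 port 40410 ssh2",
    "Dec 12 09:33:50 machinename sshd[18195]: [ID 800047 auth.info] Accepted password for blablabla from 192.168.0.1 port 1530 ssh2",
    "Dec 12 08:43:50 machinename login: [ID 507249 auth.notice] Login failure on /dev/pts/7 from name.domain.com, blablabla",
    "Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet failed session 2740580090 by root as root:root from 1.254.168.192",
    "Nov 21 15:45:14 unknown audit: [ID 866727 audit.notice] su ok session 3668504681 by kanthi as root:other from 1.254.168.192 text success for user root",
    "Nov 21 15:50:35 unknown audit: [ID 816908 audit.notice] ftp access failed session 858 by root as root:root from 1.254.168.192 text excluded user",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
    print("sources over threshold:", flag_sources(SAMPLES))
    print("success after failures:", success_after_failures(SAMPLES))
```

Note that the locked-account and su lines carry no source, so they count towards nothing in the per-source view; a rule that wants them needs to key on host and user instead.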