{"id":8,"date":"2010-01-06T16:41:13","date_gmt":"2010-01-06T13:41:13","guid":{"rendered":"http:\/\/rexxer.kharkov.ru\/?p=8"},"modified":"2010-01-06T16:41:13","modified_gmt":"2010-01-06T13:41:13","slug":"easyids-rsyslog","status":"publish","type":"post","link":"https:\/\/dety.net.ua\/?p=8","title":{"rendered":"EasyIDS + Rsyslog"},"content":{"rendered":"<p>\u0421\u043b\u0435\u0434\u0443\u044f \u043f\u043e\u0433\u043e\u0432\u043e\u0440\u043a\u0435 \u00ab\u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d &#8211; \u0437\u043d\u0430\u0447\u0438\u0442 \u0432\u043e\u043e\u0440\u0443\u0436\u0435\u043d\u00bb, \u0440\u0435\u0448\u0438\u043b \u043f\u043e\u0441\u0442\u0430\u0432\u0438\u0442\u044c IDS \u0438 Rsyslog \u0432 \u043f\u0440\u0435\u0434\u0435\u043b\u0430\u0445 \u0432\u0432\u0435\u0440\u0435\u043d\u043d\u043e\u0439 \u043c\u043d\u0435 \u0441\u0435\u0442\u0438.<\/p>\n<p>\u0421\u043d\u0430\u0447\u0430\u043b\u0430, \u0431\u044b\u043b \u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u043d OSSIM (<a href=\"http:\/\/www.alienvault.com\/products.php?section=OpenSourceSIM\">http:\/\/www.alienvault.com\/products.php?section=OpenSourceSIM<\/a>). \u041e\u0434\u043d\u0430\u043a\u043e, \u043c\u043d\u0435 \u043e\u043d \u043f\u043e\u043a\u0430\u0437\u0430\u043b\u0441\u044f \u0441\u043b\u0438\u0448\u043a\u043e\u043c \u043c\u0443\u0434\u0440\u0435\u043d\u044b\u043c \u0438 \u0442\u0443\u0433\u043e\u0432\u0430\u0442\u044b\u043c \u0432 \u043d\u0430\u0441\u0442\u0440\u043e\u0443\u043a\u0435, \u043d\u0435\u0441\u043c\u043e\u0442\u0440\u044f \u043d\u0430 \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u043e\u0431\u0448\u0438\u0440\u043d\u043e\u0433\u043e \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430. 
\u041f\u043e\u0441\u043b\u0435 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u043e\u0438\u0441\u043a\u043e\u0432, \u044f \u043e\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u043b\u0441\u044f \u043d\u0430 EasyIDS (<a href=\"http:\/\/www.skynet-solutions.net\/easyids\/\">http:\/\/www.skynet-solutions.net\/easyids\/<\/a>). \u042d\u0442\u043e Snort + NTOP + Arpwatch + &#8230; \u0432 \u043e\u0434\u043d\u043e\u043c \u0444\u043b\u0430\u043a\u043e\u043d\u0435 \u043d\u0430 \u0431\u0430\u0437\u0435 CentOS 5.2. \u0412\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u043f\u043e\u043f\u0440\u043e\u0449\u0435, \u0447\u0435\u043c OSSIM, \u043d\u043e \u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u0440\u043e\u0441\u0442\u0430 \u0432 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435, \u043a\u0430\u043a \u043f\u043e \u043c\u043d\u0435. \u0418\u0442\u0430\u043a, \u043d\u0430\u0447\u043d\u0435\u043c &#8230;<\/p>\n<p>\u0414\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430, \u044f \u043f\u0440\u043e\u0432\u0435\u043b \u043f\u043e\u0434\u0433\u043e\u0442\u043e\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u0440\u0430\u0431\u043e\u0442\u044b:<\/p>\n<p>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u0418\u043c\u0435\u0435\u043c DHCP-\u0441\u0435\u0440\u0432\u0435\u0440. \u042f \u0437\u0430\u0440\u0435\u0437\u0435\u0440\u0432\u0438\u0440\u043e\u0432\u0430\u043b IP \u0434\u043b\u044f IDS. (\u0420\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0435)<\/p>\n<p>2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u0420\u0430\u0437\u0432\u0435\u0440\u043d\u0435\u043c \u0441\u0438\u0441\u0442\u0435\u043c\u0443 \u043d\u0430 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0432 \u0441\u0440\u0435\u0434\u0435 VMWare ESXi 4. 
\u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0431\u044b\u043b\u0430 \u0434\u043e\u043a\u0443\u043f\u043b\u0435\u043d\u0430 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u0430\u044f \u0441\u0435\u0442\u0435\u0432\u0430\u044f \u043f\u043b\u0430\u0442\u0430 Intel 1000MT (40$) \u0438 \u0441\u043e\u0437\u0434\u0430\u043d \u0435\u0449\u0435 \u043e\u0434\u0438\u043d Virtual Switch \u0432 ESXi, \u043a\u0443\u0434\u0430 \u0438 \u0432\u043e\u0448\u043b\u0430 \u044d\u0442\u0430 \u0441\u0435\u0442\u0435\u0432\u0430\u044f. <strong>\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u041d\u0443\u0436\u043d\u043e \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u043d\u0430 \u044d\u0442\u043e\u043c \u0441\u0432\u0438\u0442\u0447\u0435 <\/strong><strong>Promiscuous mode.<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/rexxer.kharkov.ru\/files\/2010\/01\/image001.png\" alt=\"image001\" width=\"524\" height=\"190\" class=\"aligncenter size-full wp-image-20\" \/><\/p>\n<p>3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u041d\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u043e\u043c \u0441\u0432\u0438\u0442\u0447\u0435 AT-8000S \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u043b \u00abPort Mirroring\u00bb. Source port &#8211; \u043f\u043e\u0440\u0442 \u043c\u043e\u0435\u0433\u043e \u0438\u043d\u0435\u0442-\u0448\u043b\u044e\u0437\u0430 \u0441\u043c\u043e\u0442\u0440\u044f\u0449\u0438\u0439 \u0432\u043e \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u044e\u044e \u0441\u0435\u0442\u044c, Destination Port &#8211; \u043f\u043e\u0440\u0442, \u043a\u0443\u0434\u0430 \u0441\u043c\u043e\u0442\u0440\u0438\u0442 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u0430\u044f \u0441\u0435\u0442\u0435\u0432\u0430\u044f \u043f\u043b\u0430\u0442\u0430 ESXi. 
\u041f\u0440\u0438 \u044d\u0442\u043e\u043c Destination Port \u00ab\u0438\u0437\u043e\u043b\u0438\u0440\u0443\u0435\u0442\u0441\u044f\u00bb.<\/p>\n<p>\u041f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u043c \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043a \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0435.<\/p>\n<p>\u0417\u0430\u043b\u0438\u0432\u0430\u0435\u043c \u0441\u043a\u0430\u0447\u0430\u043d\u043d\u044b\u0439 \u043e\u0431\u0440\u0430\u0437 \u00abEasyIDS-0.4.iso\u00bb \u0432 \u0445\u0440\u0430\u043d\u0438\u043b\u0438\u0449\u0435 ESXi. \u0421\u043e\u0437\u0434\u0430\u0435\u043c \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u0443\u044e \u043c\u0430\u0448\u0438\u043d\u0443: \u044f \u0432\u044b\u0431\u0440\u0430\u043b \u0448\u0430\u0431\u043b\u043e\u043d Debian 5 32-bit, 8Gb HDD, 512Mb Memory, \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0438\u043b \u043e\u0441\u043d\u043e\u0432\u043d\u0443\u044e \u0441\u0435\u0442\u0435\u0432\u0443\u044e \u0438 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u0443\u044e, CD c \u0437\u0430\u043c\u0430\u043f\u043b\u0435\u043d\u043d\u044b\u043c ISO.<\/p>\n<p>\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043f\u0440\u043e\u0445\u043e\u0434\u0438\u0442 \u0431\u0435\u0437 \u043f\u0440\u043e\u0431\u043b\u0435\u043c &#8211; \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c \u0432\u0441\u0435 \u0437\u0430\u043f\u0440\u043e\u0448\u0435\u043d\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435, \u0437\u0430\u043f\u043e\u043c\u0438\u043d\u0430\u0435\u043c \u0440\u0443\u0442\u043e\u0432\u044b\u0439 \u043f\u0430\u0440\u043e\u043b\u044c \u0438 \u0434\u043b\u044f mysql. 
\u0421\u0438\u0441\u0442\u0435\u043c\u0430 \u0441\u0430\u043c\u0430 \u043f\u043e\u043b\u0443\u0447\u0438\u0442 \u0430\u0434\u0440\u0435\u0441 \u043f\u043e DHCP \u043d\u0430 \u043f\u0435\u0440\u0432\u044b\u0439 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 eth0, \u0432\u0442\u043e\u0440\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 eth1 \u0431\u0443\u0434\u0435\u0442 \u00ab\u0441\u043b\u0443\u0448\u0430\u0442\u044c\u00bb \u0442\u043e \u0447\u0442\u043e \u0438\u0434\u0435\u0442 \u0447\u0435\u0440\u0435\u0437 \u0448\u043b\u044e\u0437 \u0438\u0437 \u043d\u0430\u0448\u0435\u0439 \u0441\u0435\u0442\u0438.<\/p>\n<p>\u0423\u0436\u0435 \u043d\u0430 \u0434\u0430\u043d\u043d\u043e\u043c \u044d\u0442\u0430\u043f\u0435 \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0437\u0430\u0439\u0442\u0438 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0447\u043a\u0443 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c \u0438 \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442: \u043f\u043e-\u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e Login: admin<\/p>\n<p>Password: password<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/rexxer.kharkov.ru\/files\/2010\/01\/image003-300x124.png\" alt=\"image003\" width=\"300\" height=\"124\" class=\"aligncenter size-medium wp-image-22\" \/><\/p>\n<p>\u0421\u0438\u0441\u0442\u0435\u043c\u0430 \u0443\u0436\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0438 \u0441\u043e\u0431\u0438\u0440\u0430\u0435\u0442 \u0434\u0430\u043d\u043d\u044b\u0435.<\/p>\n<p>\u0427\u0442\u043e\u0431\u044b \u043d\u0435 \u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0432\u0441\u0435 \u0432\u0440\u0435\u043c\u044f \u043b\u043e\u0433\u0438, \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u043c \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0435 \u043f\u043e e-mail: Settings &#8211; Snort &#8211; Notify 
Settings.<\/p>\n<p>\u0412\u0441\u0435 \u043a\u043e\u043d\u0444\u0438\u0433\u0438 \u043c\u043e\u0436\u043d\u043e \u043e\u0442\u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431, \u043b\u0438\u0431\u043e \u043f\u0440\u044f\u043c\u043e \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 &#8211; \u0432\u0441\u0435 \u043f\u0440\u043e\u0441\u0442\u043e \u0438 \u043f\u043e\u043d\u044f\u0442\u043d\u043e.<\/p>\n<p>\u041d\u0435 \u0431\u0443\u0434\u0443 \u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0442\u044c \u0432\u0441\u0435 \u043f\u0443\u043d\u043a\u0442\u044b \u043c\u0435\u043d\u044e J, \u043e\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u044e\u0441\u044c \u043d\u0430 \u043f\u0443\u043d\u043a\u0435 Analysis &#8211; \u043c\u043d\u0435 \u043e\u0447\u0435\u043d\u044c \u043d\u0440\u0430\u0432\u0438\u0442\u0441\u044f \u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u043e\u0442\u0447\u0435\u0442 NTOP:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/rexxer.kharkov.ru\/files\/2010\/01\/image005-300x130.png\" alt=\"image005\" width=\"300\" height=\"130\" class=\"aligncenter size-medium wp-image-23\" \/><\/p>\n<p>\u0412\u0438\u0434\u0438\u043c, \u0447\u0442\u043e 84 \u0445\u043e\u0441\u0442 \u0443\u0441\u0438\u043b\u0435\u043d\u043d\u043e \u043a\u0430\u0447\u0430\u043b, \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0437\u0430 \u043d\u0438\u043c \u0438 48 \u0442\u043e\u0436\u0435 \u0440\u0430\u0437\u0432\u0438\u043b \u043d\u0435\u0431\u044b\u0432\u0430\u043b\u0443\u044e \u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0441\u0442\u044c (\u0441\u043c. 
Host Contacts), \u0436\u043c\u0430\u043a\u0430\u0435\u043c \u043d\u0430 \u0445\u043e\u0441\u0442 &#8211; \u043f\u043e\u043f\u0430\u0434\u0430\u0435\u043c \u0432 \u043e\u0442\u0447\u0435\u0442 &#8211; \u0441\u043c\u043e\u0442\u0440\u0438\u043c \u043f\u043e \u043a\u0430\u043a\u043e\u043c\u0443 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0443 &#8211; HTTP &#8211; \u0438\u0434\u0443 \u0441\u0442\u0430\u0432\u0438\u0442\u044c \u043a\u043b\u0438\u0437\u043c\u0443. \u041f\u043e \u043a\u043e\u043b\u043e\u043d\u043a\u0435 Host Contacts \u043c\u043e\u0436\u043d\u043e \u0441\u0440\u0430\u0437\u0443 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c \u043a\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u0442\u043e\u0440\u0440\u0435\u043d\u0442\u044b J.<\/p>\n<p>\u041d\u0430 \u043c\u044b\u043b\u043e \u043c\u043d\u0435 \u043f\u0440\u0438\u0445\u043e\u0434\u044f\u0442 \u0442\u0430\u043a\u0438\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440:<\/p>\n<p>easyids detected ICMP Destination Unreachable Communication Administratively Prohibited from 195.66.138.10 to 192.168.2.139 11 times last at 2010-01-06 10:54:21<\/p>\n<p>easyids detected SQL probe response overflow attempt from 69.203.141.40 to 192.168.2.236 2 times last at 2010-01-06 10:51:28<\/p>\n<p>\u041f\u0435\u0440\u0432\u044b\u0439 \u0442\u0438\u043f \u043f\u0440\u0438\u0445\u043e\u0434\u0438\u0442 \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u043e, \u043d\u0430 \u043d\u0435\u0433\u043e \u043c\u043e\u0436\u043d\u043e \u043d\u0435 \u043e\u0431\u0440\u0430\u0449\u0430\u0442\u044c \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u044f. 
\u041d\u0430\u0433\u0443\u0433\u043b\u0438\u043b \u0432\u043e\u0442 \u0442\u0430\u043a\u043e\u0435:<br \/>\n<em>In your snort.conf, the default value for your SQL servers is:<br \/>\n    var SQL_SERVERS $HOME_NET<br \/>\n Replace $HOME_NET with the actual IP addrs of any internal SQL servers.<br \/>\n Or comment out the alert for SID 2329 in sql.rules.<br \/>\n Then you won&#8217;t see these false positives any more.<\/em><\/p>\n<p>\u0418\u0434\u0435\u043c \u0434\u0430\u043b\u044c\u0448\u0435 &#8211; \u043f\u0440\u0438\u043b\u0435\u043f\u0438\u043c \u0441\u044e\u0434\u0430 \u0436\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u0443 \u0446\u0435\u043d\u0442\u0440\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0441\u0431\u043e\u0440\u0430 \u043b\u043e\u0433\u043e\u0432 \u0441 Win-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432.<\/p>\n<p>\u041b\u043e\u0433\u0438\u043d\u0438\u043c\u0441\u044f \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443 \u043b\u0438\u0431\u043e \u0447\u0435\u0440\u0435\u0437 \u043a\u043e\u043d\u0441\u043e\u043b\u044c ESXi, \u043b\u0438\u0431\u043e \u0447\u0435\u0440\u0435\u0437 SSH.<\/p>\n<p>\u0411\u0435\u0437 mc \u043d\u0435\u0443\u0434\u043e\u0431\u043d\u043e J &#8211; \u0441\u0442\u0430\u0432\u0438\u043c (\u043d\u0443\u0436\u0435\u043d \u0438\u043d\u0435\u0442):<\/p>\n<p><strong>yum install mc<\/strong><\/p>\n<p>\u041c\u043e\u0436\u043d\u043e \u0436\u0438\u0442\u044c! 
J<\/p>\n<p>\u0423\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u043c rsyslog \u0432\u043c\u0435\u0441\u0442\u043e \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u043e\u0433\u043e syslog.<\/p>\n<p>\u0414\u0435\u043b\u0430\u043b \u043f\u043e \u044d\u0442\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 <a href=\"http:\/\/openskill.info\/infobox.php?ID=1475\">http:\/\/openskill.info\/infobox.php?ID=1475<\/a>, \u043f\u043e\u0441\u0442\u0430\u0432\u0438\u043b \u0438 \u0441\u043d\u0435\u0441 \u0432\u0432\u0438\u0434\u0443 \u0443\u0441\u0442\u0430\u0440\u0435\u0432\u0448\u0435\u0433\u043e \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0430.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"712\" valign=\"top\">Ensure all necessary packages are installed:<br \/>\nyum install rsyslog rsyslog-mysql<\/p>\n<p>If you want local mysql server and web interface:<br \/>\nyum install mysql-server<br \/>\nyum install httpd php php-mysyql php-gd<\/p>\n<p>If not running, start mysqld:<br \/>\nservice mysqld status || service mysqld start<\/p>\n<p>Create mysql database for rsyslog (file path changes on other   distros\/releases ):<br \/>\nmysql &lt; \/usr\/share\/doc\/rsyslog-mysql-2.0.0\/createDB.sql<\/p>\n<p>Set mysql permissions (must be the same in \/etc\/rsyslog.conf and   \/path\/top\/phplogcon\/config.php )<br \/>\nmysql&gt; grant all on Syslog.* to syslog@localhost identified by   &#8216;mypass&#8217;;<br \/>\nmysql&gt; flush privileges ;<\/p>\n<p>vi \/etc\/rsyslog.conf<br \/>\n# Log to Mysql Settings<br \/>\n$ModLoad ommysql<br \/>\n*.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   :ommysql:localhost,Syslog,syslog,phplogcon<br \/>\n#Standard Redhat syslog settings<br \/>\n*.info;mail.none;authpriv.none;cron.none\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/messages<br 
\/>\nauthpriv.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/secure<br \/>\nmail.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0-\/var\/log\/maillog<br \/>\ncron.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/cron<br \/>\n*.emerg\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   *<br \/>\nuucp,news.crit\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/spooler<br \/>\nlocal7.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/boot.log<\/p>\n<p>Try rsyslog (disable sysklogd):<br \/>\nservice syslog stop<br \/>\nservice rsyslog 
start<\/p>\n<p>If you get messages like:<br \/>\nFeb 23 23:43:30 mon rsyslogd:could not load module   &#8216;\/usr\/lib\/rsyslog\/ommysql&#8217;, dlopen: \/usr\/lib\/rsyslog\/ommysql: cannot open   shared object file: No such file or directory<\/p>\n<p>fix fast with:<br \/>\nln -s \/usr\/lib\/rsyslog\/ommysql.so \/usr\/lib\/rsyslog\/ommysql<\/p>\n<p>Enable rsyslog service at boot time (and disable default syslog)<br \/>\nchkconfig syslog off<br \/>\nchkconfig rsyslog on<\/p>\n<p>CENTRAL RSYSLOG<br \/>\nAs with standard syslogd edit \/etc\/sysconfig\/rsyslog with option   -r:<br \/>\nSYSLOGD_OPTIONS=&#8221;-m 0 -r&#8221;<br \/>\nto enable the listening of syslog on the default 514 UDP port.<br \/>\nThis is necessary for a centralized syslog server.<\/p>\n<p>PHPLOGCON<br \/>\nGet latest package from <a href=\"http:\/\/www.phplogcon.org\/\">http:\/\/www.phplogcon.org\/<\/a><br \/>\nUnpack and move relevant files under Apache documents:<br \/>\ntar -zxvf phplogcon-2.5.24.tar.gz<br \/>\ncd phplogcon-2.5.24<br \/>\nmkdir \/var\/www\/html\/syslog<br \/>\ncp -a src\/* \/var\/www\/html\/syslog<\/p>\n<p>cd \/var\/www\/html\/syslog<br \/>\nTo permit web configuration:<br \/>\nchmod 666 config.php<br \/>\nBrowse to web interface: http:\/\/yourserver\/syslog\/ and follow on screen   instructions.<br \/>\nEnable a Mysql source and use the authentication settings defined   before.<br \/>\nNote that the logs table name is SystemEvents<br \/>\nTo restore safe settings (do it after web configuration):<br \/>\nchmod 644 config.php<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u0412 \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f\u0445 CentOS \u0431\u044b\u043b\u0430 \u0432\u0435\u0440\u0441\u0438\u044f 2.0.6, \u0445\u043e\u0442\u044f \u043d\u0430 \u043e\u0444\u0438\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u043c \u0441\u0430\u0439\u0442\u0435 \u0443\u0436\u0435 \u043d\u0430\u043c\u043d\u043e\u0433\u043e \u0441\u0432\u0435\u0436\u0435\u0435 &#8211; 
\u0441\u043a\u0430\u0447\u0438\u0432\u0430\u0435\u043c \u043f\u043e\u043d\u0440\u0430\u0432\u0438\u0432\u0448\u0438\u0439\u0441\u044f, \u043d\u0430 \u0442\u043e\u0442 \u043c\u043e\u043c\u0435\u043d\u0442 \u0431\u044b\u043b\u0430 \u0432\u0435\u0440\u0441\u0438\u044f 5.5.1: <a href=\"http:\/\/rsyslog.com\/\">http:\/\/rsyslog.com\/<\/a>, \u0442\u0430\u043c \u0436\u0435 \u043a\u0443\u0447\u0430 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u0438 \u0438 \u0442.\u043f.<\/p>\n<p>\u0420\u0430\u0441\u043f\u0430\u043a\u043e\u0432\u044b\u0432\u0430\u0435\u043c \u0438 \u043f\u0440\u0438\u0441\u0442\u0443\u043f\u0430\u0435\u043c \u043a \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044e \u0438 \u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0446\u0438\u0438. \u0422\u0443\u0442 \u043d\u0435 \u0437\u0430\u0431\u044b\u0432\u0430\u0435\u043c \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0443 mysql:<\/p>\n<p><strong> .\/configure &#8211; -enable-mysql &#8211; -enable-rsyslogd &#8211; -enable-mail<\/strong><\/p>\n<p>\u041a\u043e\u043c\u043f\u0438\u043b\u0438\u0440\u0443\u0435\u043c:<\/p>\n<p><strong> make<\/strong><\/p>\n<p>\u0438 &#8230; \u043e\u0431\u043b\u043e\u043c &#8211; \u0432\u044b\u043b\u0435\u0442\u0430\u0435\u043c \u0441 \u043e\u0448\u0438\u0431\u043a\u043e\u0439. 
\u041f\u043e\u0433\u0443\u0433\u043b\u0438\u0432, \u043d\u0430\u0445\u043e\u0436\u0443 \u0440\u0435\u0448\u0435\u043d\u0438\u0435, \u0432\u0438\u0434\u0438\u043c\u043e \u043d\u0435 \u043f\u043e\u043d\u0440\u0430\u0432\u0438\u043b\u0430\u0441\u044c \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u0440\u0435\u0434\u0430: \u0447\u0442\u043e\u0431\u044b \u043d\u0435 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0433 \u043f\u043e\u043d\u043e\u0432\u043e\u0439 &#8211; \u0438\u0434\u0443 \u0432 \u0441\u043e\u0434\u0430\u043d\u043d\u044b\u0439 Makefile \u0438 \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u044e \u0432 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e CFLAGS \u043d\u043e\u0432\u044b\u0439 \u0444\u043b\u0430\u0433 &#8220;-march=i686&#8221;.<\/p>\n<p>\u0418\u043b\u0438 \u043f\u043e\u043d\u043e\u0432\u043e\u0439:<\/p>\n<p><strong> .<\/strong><strong>\/configure CFLAGS=&#8221;-march=i686<\/strong><strong>&#8220;<\/strong><strong> <\/strong><strong>&#8211; -enable-mysql &#8211; -enable-rsyslogd &#8211; -enable-mail<\/strong><strong><\/strong><\/p>\n<p>\u0412\u0441\u0435 \u043f\u0440\u043e\u0445\u043e\u0434\u0438\u0442 \u043d\u0430 \u0443\u0440\u0430. 
\u0423\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u043c:<\/p>\n<p><strong> make install<\/strong><\/p>\n<p>\u0421\u043e\u0437\u0434\u0430\u0435\u043c \u0431\u0430\u0437\u0443 \u0432 mysql \u0435\u0441\u043b\u0438 \u043e\u043d\u0430 \u043d\u0435 \u0441\u043e\u0437\u0434\u0430\u043d\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u043e\u043c (\u0444\u0430\u0439\u043b\u0438\u043a \u043d\u0430\u0445\u043e\u0434\u0438\u0442\u0441\u044f \u0432 \u043f\u0430\u043f\u043a\u0435 \u0434\u0438\u0441\u0442\u0440\u0438\u0431\u0443\u0442\u0438\u0432\u0430 \/plugins\/ommysql\/createDB.sql):<\/p>\n<p><strong>mysql \u00a0-uroot -p&#8221;password&#8221; &lt; createDB.sql <\/strong><\/p>\n<p><em>\u0421\u043e\u0437\u0434\u0430\u0435\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0434\u043b\u044f \u0431\u0430\u0437\u044b:<\/em><em><\/em><\/p>\n<p><strong>adduser syslog<\/strong><\/p>\n<p><em>\u0414\u0430\u0435\u043c \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u044f \u043d\u0430 \u0431\u0430\u0437\u0443 \u0434\u043b\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043f\u0440\u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u043c \u0432 \/<\/em><em>etc<\/em><em>\/<\/em><em>rsyslog<\/em><em>.<\/em><em>conf<\/em><em> \u0438 \/<\/em><em>pa<\/em><em>th\/top\/phplogcon\/config.php.<\/em><em><\/em><\/p>\n<p><strong>mysql&gt; grant all on Syslog.* to syslog@localhost identified by &#8216;mypass&#8217;; <\/strong><strong><\/strong><\/p>\n<p><strong>mysql&gt; flush privileges ; <\/strong><\/p>\n<p><em>\u0410\u043a\u0442\u0438\u0432\u0438\u0440\u0443\u0435\u043c <\/em><em>rsyslog<\/em><em> <\/em><em>\u0432 \u0430\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0435 (\u0438 \u0434\u0435\u0430\u043a\u0442\u0438\u0432\u0438\u0440\u0443\u0435\u043c <\/em><em>syslog<\/em><em>)<\/em><em><\/em><\/p>\n<p><strong>chkconfig syslog off<\/strong><\/p>\n<p><strong>chkconfig rsyslog 
on<\/strong><strong><\/strong><\/p>\n<p><strong>\u0415\u0441\u043b\u0438 \u0442\u0430\u043a\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u043d\u0435 \u043e\u043a\u0430\u0437\u0430\u043b\u043e\u0441\u044c &#8211; \u0441\u043e\u0437\u0434\u0430\u0435\u043c <\/strong><strong>rsyslog<\/strong><strong>.<\/strong><strong>sh<\/strong><strong> <\/strong><strong>\u0438 \u043a\u043b\u0430\u0434\u0435\u043c \u0432 <\/strong><strong>init<\/strong><strong>.<\/strong><strong>d<\/strong><strong>:<\/strong><strong><\/strong><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"712\" valign=\"top\">#!\/bin\/bash<\/p>\n<p>#   Source function library.<\/p>\n<p>.   \/etc\/init.d\/functions<\/p>\n<p>RETVAL=0<\/p>\n<p>start()   {<\/p>\n<p>[ -x \/usr\/local\/sbin\/rsyslogd ] ||   exit 5<\/p>\n<p>[ -x \/usr\/local\/sbin\/rklogd ] || exit   5<\/p>\n<p># Source config<\/p>\n<p>if [ -f \/etc\/sysconfig\/rsyslog ] ;   then<\/p>\n<p>. \/etc\/sysconfig\/rsyslog<\/p>\n<p>else<\/p>\n<p>SYSLOGD_OPTIONS=&#8221;-m   0&#8243;<\/p>\n<p>KLOGD_OPTIONS=&#8221;-2&#8243;<\/p>\n<p>fi<\/p>\n<p>umask 077<\/p>\n<p>echo -n $&#8221;Starting system logger   (rsyslog): &#8221;<\/p>\n<p>daemon \/usr\/local\/sbin\/rsyslogd   $SYSLOGD_OPTIONS<\/p>\n<p>RETVAL=$?<\/p>\n<p>echo<\/p>\n<p>echo -n $&#8221;Starting kernel logger   (rklogd): &#8221;<\/p>\n<p>daemon \/usr\/local\/sbin\/rklogd   $KLOGD_OPTIONS<\/p>\n<p>echo<\/p>\n<p>[ $RETVAL -eq 0 ] &amp;&amp; touch   \/var\/lock\/subsys\/rsyslog<\/p>\n<p>return $RETVAL<\/p>\n<p>}<\/p>\n<p>stop()   {<\/p>\n<p>echo -n $&#8221;Shutting down kernel   logger (rklogd): &#8221;<\/p>\n<p>killproc rklogd<\/p>\n<p>echo<\/p>\n<p>echo -n $&#8221;Shutting down system   logger (rsyslog): &#8221;<\/p>\n<p>killproc rsyslogd<\/p>\n<p>RETVAL=$?<\/p>\n<p>echo<\/p>\n<p>[ $RETVAL -eq 0 ] &amp;&amp; rm -f   \/var\/lock\/subsys\/rsyslog<\/p>\n<p>return $RETVAL<\/p>\n<p>}<\/p>\n<p>rhstatus()   {<\/p>\n<p>status rsyslogd<\/p>\n<p>status 
rklogd<\/p>\n<p>}<\/p>\n<p>restart()   {<\/p>\n<p>stop<\/p>\n<p>start<\/p>\n<p>}<\/p>\n<p>case   &#8220;$1&#8243; in<\/p>\n<p>start)<\/p>\n<p>start<\/p>\n<p>;;<\/p>\n<p>stop)<\/p>\n<p>stop<\/p>\n<p>;;<\/p>\n<p>status)<\/p>\n<p>rhstatus<\/p>\n<p>;;<\/p>\n<p>restart|reload)<\/p>\n<p>restart<\/p>\n<p>;;<\/p>\n<p>condrestart)<\/p>\n<p>[ -f \/var\/lock\/subsys\/rsyslog ]   &amp;&amp; restart || :<\/p>\n<p>;;<\/p>\n<p>*)<\/p>\n<p>echo $&#8221;Usage: $0   {start|stop|status|restart|condrestart}&#8221;<\/p>\n<p>exit 2<\/p>\n<p>esac<\/p>\n<p>exit $?<\/p>\n<p><strong> <\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong> <\/strong><\/p>\n<p><strong>\u0414\u0430\u0435\u043c \u043a\u043e\u043c\u0430\u043d\u0434\u0443:<\/strong><strong><\/strong><\/p>\n<p><strong>chkconfig -add rsyslog<\/strong><\/p>\n<p><strong>\u041f\u0440\u0430\u0432\u0438\u043c \u043a\u043e\u043d\u0444\u0438\u0433 <\/strong><strong>\/etc\/rsyslog.conf<\/strong><strong><\/strong><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" align=\"center\">\n<tbody>\n<tr>\n<td width=\"712\" valign=\"top\">$ModLoad ommysql.so<\/p>\n<p>*.*\u00a0\u00a0\u00a0 :ommysql:localhost,Syslog,syslog,Password<\/p>\n<p>$ModLoad imudp.so<\/p>\n<p>$ModLoad imtcp.so<\/p>\n<p>$UDPServerRun 514<\/p>\n<p>$InputTCPServerRun 514<\/p>\n<p>$AllowedSender UDP,   127.0.0.1, 192.168.2.0\/24, 192.168.1.0\/24<\/p>\n<p>$AllowedSender TCP,   127.0.0.1, 192.168.2.0\/24, 192.168.1.0\/24<\/p>\n<p>$EscapeControlCharactersOnReceive   off<\/p>\n<p>$ModLoad ommail.so<\/p>\n<p>$ActionMailSMTPServer   192.168.1.217<\/p>\n<p>$ActionMailFrom   test@mydomain.com<\/p>\n<p>$ActionMailTo   admin@mydomain.com<\/p>\n<p>$template   mailSubject,&#8221;EventLog Message&#8221;<\/p>\n<p>$template   mailBody,&#8221;RSYSLOG Alertrn&#8217;%msg%'&#8221;<\/p>\n<p>$ActionMailSubject   mailSubject<\/p>\n<p>if   $syslogseverity-text==&#8217;alert&#8217;<\/p>\n<p>or   $syslogseverity-text==&#8217;err&#8217;<\/p>\n<p>then :ommail:;mailBody<\/p>\n<p># Log all 
kernel messages   to the console.<\/p>\n<p># Logging much else   clutters up the screen.<\/p>\n<p>#kern.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   \/dev\/console<\/p>\n<p># Log anything (except   mail) of level info or higher.<\/p>\n<p># Don&#8217;t log private   authentication messages!<\/p>\n<p>*.info;mail.none;authpriv.none;cron.none\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/log\/messages<\/p>\n<p># The authpriv file has   restricted access.<\/p>\n<p>authpriv.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/secure<\/p>\n<p># Log all the mail   messages in one place.<\/p>\n<p>mail.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   -\/var\/log\/maillog<\/p>\n<p># Log cron stuff<\/p>\n<p>cron.*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   \/var\/log\/cron<\/p>\n<p># Everybody gets emergency   
messages<\/p>\n<p>*.emerg\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   *<\/p>\n<p># Save news errors of   level crit and higher in a special file.<\/p>\n<p>uucp,news.crit\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0   \/var\/log\/spooler<\/p>\n<p># Save boot messages also   to boot.log<\/p>\n<p>local7.*\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/var\/log\/boot.log<\/p>\n<p><strong> <\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong> <\/strong><\/p>\n<p>\n<strong>\u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043f\u043e\u044f\u0441\u043d\u0435\u043d\u0438\u0435: \u0437\u0430\u0433\u0440\u0443\u0436\u0430\u044e\u0442\u0441\u044f \u043c\u043e\u0434\u0443\u043b\u0438 \u0434\u043b\u044f <\/strong><strong>mysql<\/strong><strong>, <\/strong><strong>udp<\/strong><strong>, <\/strong><strong>tcp<\/strong><strong>, <\/strong><strong>mail<\/strong><strong>, \u0432\u0441\u0435 \u0441\u043e\u0431\u044b\u0442\u0438\u044f \u043f\u0438\u0448\u0443\u0442\u0441\u044f \u0432 \u0431\u0430\u0437\u0443 <\/strong><strong>mysql<\/strong><strong> \u0438 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b. 
\u0414\u043b\u044f \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u0441 \u043f\u043e\u043c\u0435\u0442\u043a\u043e\u0439 <\/strong><strong>ALERT<\/strong><strong> <\/strong><strong>\u0438 <\/strong><strong>ERR<\/strong><strong> \u0433\u0435\u043d\u0435\u0440\u0438\u0440\u0443\u044e\u0442\u0441\u044f \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u0438 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u043f\u043e <\/strong><strong>e<\/strong><strong>&#8211;<\/strong><strong>mail<\/strong><strong>.<\/strong><strong><\/strong>\n<\/p>\n<p><strong>\u0412 \/<\/strong><strong>etc<\/strong><strong>\/<\/strong><strong>sysconfig<\/strong><strong>\/<\/strong><strong>rsyslog<\/strong><strong> <\/strong><strong>\u043f\u0440\u0430\u0432\u0438\u043c \u0441\u0442\u0440\u043e\u043a\u0443 \u043a \u0432\u0438\u0434\u0443:<\/strong><strong><\/strong><\/p>\n<p>SYSLOGD_OPTIONS=&quot;-c4&quot;<strong> <\/strong><strong><\/strong><\/p>\n<p>(-c4 \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0440\u043e\u0434\u043d\u043e\u0439 \u0440\u0435\u0436\u0438\u043c rsyslog 4; \u0431\u0435\u0437 \u043d\u0435\u0433\u043e rsyslogd \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0432 \u0440\u0435\u0436\u0438\u043c\u0435 \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u0438\u043c\u043e\u0441\u0442\u0438 \u0441 sysklogd.)<\/p>\n<p><strong>\u0427\u0442\u043e\u0431\u044b \u043d\u0435 \u043d\u0430\u0441\u0442\u0443\u043f\u0430\u0442\u044c \u043d\u0430 \u0433\u0440\u0430\u0431\u043b\u0438, \u043a\u0430\u043a \u044f <\/strong><strong>:)<\/strong><strong>, \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0441\u0442\u0440\u043e\u0433\u0438\u0439 \u0444\u0430\u0439\u0440\u0432\u043e\u043b\u043b. \u041f\u043e\u044d\u0442\u043e\u043c\u0443 \u0438\u0434\u0435\u043c \u0432 \/<\/strong><strong>etc<\/strong><strong>\/<\/strong><strong>sysconfig<\/strong><strong>\/<\/strong><strong>iptables<\/strong><strong> <\/strong><strong>\u0438 \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u043f\u0435\u0440\u0435\u0434 \u0432\u0441\u0435\u043e\u0431\u0449\u0438\u043c \u0434\u0440\u043e\u043f\u043e\u043c, \u0442.\u0435. 
\u043e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u043c 514 \u043f\u043e\u0440\u0442 <\/strong><strong>udp<\/strong><strong> <\/strong><strong>\u0438 <\/strong><strong>tcp<\/strong><strong>:<\/strong><strong><\/strong><\/p>\n<p>-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT<\/p>\n<p>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT<\/p>\n<p>\u041e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435: \u0432 \u0442\u0430\u043a\u043e\u043c \u0432\u0438\u0434\u0435 \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u043f\u0440\u0438\u043d\u0438\u043c\u0430\u044e\u0442 syslog \u0441 \u043b\u044e\u0431\u043e\u0433\u043e \u0430\u0434\u0440\u0435\u0441\u0430. \u041b\u0443\u0447\u0448\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0442\u044c \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a \u043a\u043b\u044e\u0447\u043e\u043c -s (\u043f\u043e\u0434\u0441\u0435\u0442\u044c \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432): \u043a\u043b\u0430\u0441\u0441\u0438\u0447\u0435\u0441\u043a\u0438\u0439 syslog \u043f\u043e UDP\/TCP 514 \u043d\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u0443\u0435\u0442 \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044f \u0438 \u0438\u0434\u0435\u0442 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u043c \u0442\u0435\u043a\u0441\u0442\u043e\u043c, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043b\u044e\u0431\u043e\u0439 \u0443\u0437\u0435\u043b, \u043a\u043e\u0442\u043e\u0440\u043e\u043c\u0443 \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u043f\u043e\u0440\u0442, \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0434\u0431\u0440\u043e\u0441\u0438\u0442\u044c \u043f\u043e\u0434\u0434\u0435\u043b\u044c\u043d\u044b\u0435 \u0437\u0430\u043f\u0438\u0441\u0438 \u0432 \u0431\u0430\u0437\u0443 \u0438\u043b\u0438 \u0437\u0430\u0431\u0438\u0442\u044c \u0435\u0435 \u043c\u0443\u0441\u043e\u0440\u043e\u043c.<\/p>\n<p><strong> \u0421\u0442\u0430\u0432\u0438\u043c <\/strong><strong>PHPLogCon<\/strong><strong> \u0434\u043b\u044f \u0432\u0438\u0437\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438<\/strong><strong>.<\/strong><strong><\/strong><\/p>\n<p><strong> <\/strong><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"712\" valign=\"top\">PHPLOGCON<br \/>\nGet latest package from <a href=\"http:\/\/www.phplogcon.org\/\">http:\/\/www.phplogcon.org\/<\/a><br \/>\nUnpack and move relevant files under Apache documents:<br \/>\ntar -zxvf phplogcon-2.5.24.tar.gz<br \/>\ncd phplogcon-2.5.24<br \/>\nmkdir \/var\/www\/html\/syslog<br \/>\ncp -a src\/* \/var\/www\/html\/syslog<\/p>\n<p>cd \/var\/www\/html\/syslog<br \/>\nTo permit web configuration (temporarily &#8211; 666 makes the file writable by every local account; a tighter alternative is to hand it to the web-server user instead: chown apache config.php; chmod 600 config.php):<br \/>\nchmod 666 config.php<br \/>\nBrowse to web interface: http:\/\/yourserver\/syslog\/ and follow on screen instructions.<br \/>\nRestrict this location in Apache (allow only the administrators&#8217; addresses, or require HTTP authentication) &#8211; otherwise every collected log record is readable by anyone who can reach the web server.<br \/>\nEnable a Mysql source and use the authentication settings defined before.<br \/>\nNote that the logs table name is SystemEvents<br \/>\nTo restore safe settings (do it after web configuration). The wizard writes the MySQL connection settings, password included, into config.php, so 644 leaves that password readable by every local account; if the host has other users, prefer 640 with group apache (or 600 owned by apache) &#8211; the web server only needs to read the file:<br \/>\nchmod 644 config.php<strong><\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong> <\/strong><\/p>\n<p><strong> \u041f\u0440\u0438 \u043f\u0435\u0440\u0432\u043e\u043c \u0432\u0445\u043e\u0434\u0435 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0447\u043a\u0443 \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u043e\u0439\u0442\u0438 \u043f\u043e \u0448\u0430\u0433\u0430\u043c \u0434\u043b\u044f 
\u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0433-\u0444\u0430\u0439\u043b\u0430. \u041d\u0435 \u0437\u0430\u0431\u0443\u0434\u044c\u0442\u0435 \u0432\u044b\u0431\u0440\u0430\u0442\u044c \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a \u0441\u043e\u0431\u044b\u0442\u0438\u0439 &#8211; \u0431\u0430\u0437\u0430 \u0434\u0430\u043d\u043d\u044b\u0445.<\/strong><strong><\/strong><\/p>\n<p><strong> <\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/rexxer.kharkov.ru\/files\/2010\/01\/image007-300x104.png\" alt=\"image007\" width=\"300\" height=\"104\" class=\"aligncenter size-medium wp-image-24\" \/><\/strong><\/p>\n<p><strong> <\/strong><\/p>\n<p><strong> \u0421 \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u043e\u0439 \u0447\u0430\u0441\u0442\u044c\u044e \u0432\u0441\u0435 &#8211; \u043f\u0435\u0440\u0435\u0439\u0434\u0435\u043c \u043a \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u043e\u0439.<\/strong><strong><\/strong><\/p>\n<p><strong>\u041a\u043b\u0438\u0435\u043d\u0442\u0430\u043c\u0438 \u0443 \u043d\u0430\u0441 \u0432\u044b\u0441\u0442\u0443\u043f\u0430\u044e\u0442 <\/strong><strong>Windows<\/strong><strong> 2003 <\/strong><strong>Server<\/strong><strong> \u0438 <\/strong><strong>Windows<\/strong><strong> 2008 <\/strong><strong>Server<\/strong><strong>. 
\u041d\u0430 2003\u043c \u044f \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u043b <\/strong><strong>el<\/strong><strong>2<\/strong><strong>sl<\/strong><strong>, \u043d\u0430 2008 <\/strong><strong>Snare<\/strong><strong>, \u0445\u043e\u0442\u044f, \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0442\u044c\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e <\/strong><strong>Snare<\/strong><strong>(<\/strong><strong><a href=\"http:\/\/www.intersectalliance.com\/projects\/SnareWindows\/\">http:\/\/www.intersectalliance.com\/projects\/SnareWindows\/<\/a><\/strong><strong>).<\/strong><strong><\/strong><\/p>\n<p><strong>Snare<\/strong><strong> <\/strong><strong>\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 &#8211; <\/strong><strong>Network<\/strong><strong> <\/strong><strong>Settings<\/strong><strong>: \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c \u0430\u0434\u0440\u0435\u0441 \u043d\u0430\u0448\u0435\u0433\u043e <\/strong><strong>syslog<\/strong><strong>-\u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0441\u0442\u0430\u0432\u0438\u043c \u0433\u0430\u043b\u043e\u0447\u043a\u0443 <\/strong><strong>SYSLOG<\/strong><strong> <\/strong><strong>HEADERS<\/strong><strong>. 
\u0414\u0430\u043b\u0435\u0435, \u043f\u043e \u0436\u0435\u043b\u0430\u043d\u0438\u044e, \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u043a\u0430\u043a\u0438\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u0431\u0443\u0434\u0443\u0442 \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0442\u044c\u0441\u044f \u043d\u0430 \u0441\u0438\u0441\u043b\u043e\u0433 &#8211; \u044f, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432\u044b\u0431\u0440\u0430\u043b <\/strong><strong>warning<\/strong><strong>, <\/strong><strong>error<\/strong><strong>, <\/strong><strong>audit<\/strong><strong> <\/strong><strong>failure<\/strong><strong>. \u042d\u0442\u043e \u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u0447\u0435\u0440\u0435\u0437 <\/strong><strong>rsyslog<\/strong><strong>.<\/strong><strong>conf<\/strong><strong> <\/strong><strong>&#8211; \u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u043e\u0444\u0438\u0446.\u0441\u0430\u0439\u0442. \u041d\u0430 \u0441\u0430\u0439\u0442\u0435 http:\/\/www.intersectalliance.com \u0435\u0449\u0435 \u0435\u0441\u0442\u044c \u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0441\u0442\u0435\u0439 \u0438 \u0432\u043a\u0443\u0441\u043d\u043e\u0441\u0442\u0435\u0439.<\/strong><strong><\/strong><\/p>\n<p><strong> \u0412\u0441\u0435! 
\u0423 \u043c\u0435\u043d\u044f \u0432\u0441\u0435 \u0437\u0430\u0440\u0430\u0431\u043e\u0442\u0430\u043b\u043e &#8211; \u043d\u0430\u0432\u043e\u0436\u0443 \u043a\u0440\u0430\u0441\u043e\u0442\u0443 \u0438 \u0434\u043e\u043f\u0438\u043b\u0438\u0432\u0430\u044e \u043d\u0430\u043f\u0438\u043b\u044c\u043d\u0438\u043a\u043e\u043c \u043f\u043e\u0434 \u0441\u0435\u0431\u044f.<\/strong><strong><\/strong><\/p>\n<p><strong> \u041d\u0435 \u043e\u0447\u0435\u043d\u044c \u043a\u0440\u0430\u0441\u0438\u0432\u043e \u0432\u044b\u0433\u043b\u044f\u0434\u044f\u0442 \u0437\u0430\u043f\u0438\u0441\u0438, \u043d\u043e, \u043f\u043e\u0440\u0430\u0431\u043e\u0442\u0430\u0432 \u043d\u0430\u043f\u0438\u043b\u044c\u043d\u0438\u043a\u043e\u043c, \u043c\u043e\u0436\u043d\u043e \u044d\u0442\u043e \u0438\u0441\u043f\u0440\u0430\u0432\u0438\u0442\u044c.<\/strong><strong><\/strong><\/p>\n<p><strong> <\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u0421\u043b\u0435\u0434\u0443\u044f \u043f\u043e\u0433\u043e\u0432\u043e\u0440\u043a\u0435 \u00ab\u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d &#8211; \u0437\u043d\u0430\u0447\u0438\u0442 \u0432\u043e\u043e\u0440\u0443\u0436\u0435\u043d\u00bb, \u0440\u0435\u0448\u0438\u043b \u043f\u043e\u0441\u0442\u0430\u0432\u0438\u0442\u044c IDS \u0438 Rsyslog \u0432 \u043f\u0440\u0435\u0434\u0435\u043b\u0430\u0445 \u0432\u0432\u0435\u0440\u0435\u043d\u043d\u043e\u0439 \u043c\u043d\u0435 \u0441\u0435\u0442\u0438. \u0421\u043d\u0430\u0447\u0430\u043b\u0430, \u0431\u044b\u043b \u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u043d OSSIM (http:\/\/www.alienvault.com\/products.php?section=OpenSourceSIM). 
\u041e\u0434\u043d\u0430\u043a\u043e, \u043c\u043d\u0435 \u043e\u043d \u043f\u043e\u043a\u0430\u0437\u0430\u043b\u0441\u044f \u0441\u043b\u0438\u0448\u043a\u043e\u043c \u043c\u0443\u0434\u0440\u0435\u043d\u044b\u043c \u0438 \u0442\u0443\u0433\u043e\u0432\u0430\u0442\u044b\u043c \u0432 \u043d\u0430\u0441\u0442\u0440\u043e\u0443\u043a\u0435, \u043d\u0435\u0441\u043c\u043e\u0442\u0440\u044f \u043d\u0430 \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u043e\u0431\u0448\u0438\u0440\u043d\u043e\u0433\u043e \u0432\u0435\u0431-\u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430. \u041f\u043e\u0441\u043b\u0435 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u043e\u0438\u0441\u043a\u043e\u0432, \u044f \u043e\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u043b\u0441\u044f \u043d\u0430 EasyIDS (http:\/\/www.skynet-solutions.net\/easyids\/). \u042d\u0442\u043e Snort + NTOP + Arpwatch + &#8230; \u0432 \u043e\u0434\u043d\u043e\u043c \u0444\u043b\u0430\u043a\u043e\u043d\u0435 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,13],"tags":[],"class_list":["post-8","post","type-post","status-publish","format-standard","hentry","category-linux","category-novosti"],"_links":{"self":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8"}],"version-history":[{"count":0,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/8\/revisions"}],"wp:attachment":[{"href":"https:\/\/det
y.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}