Red Hat derivative OS: syslog & syslog-ng logging to /var/log/secure are mixing local time zone & UTC

Georgios Magklaras georgios at biotek.uio.no
Wed Mar 16 21:09:11 UTC 2011


On 03/16/2011 05:46 PM, Jose R R wrote:
> Good day-
>
> I have not encountered this issue under GNU/Linux Debian instances
> that I mostly manage. However, managing a Red Hat derivative
> instance, I noticed that syslog has been mixing the local time zone of
> the server with the UTC when crackers attempt penetration. This causes
> fail2ban to not block the attacking intruders on the initial few
> counts since it "thinks" there is a 7 hour difference between
> attacks.
>
> I have gone to the extent of installing syslog-ng with no change in
> the logging (as I am reading the extensive documentation). However I
> had to ask if any of you might shed some light on the issue.
>
> Mar 16 07:04:59 [myHostIP] sshd[4498]: User root from 190.41.147.107
> not allowed []
> Mar 16 14:04:59 [myHostIP] sshd[4499]: input_userauth_request: invalid user root
> Mar 16 14:05:00 [myHostIP] sshd[4499]: Received disconnect from
> 190.41.147.107: 11: Bye Bye
> Mar 16 07:07:24 [myHostIP] sshd[4517]: Did not receive identification
> string from 143.248.156.63
> Mar 16 07:13:08 [myHostIP] sshd[4519]: Did not receive identification
> string from 216.7.131.210
> Mar 16 07:17:46 [myHostIP] sshd[4521]: Did not receive identification
> string from 210.70.140.17
> Mar 16 08:31:17 [myHostIP] sshd[4550]: User root from
> mmpcr05.kaist.ac.kr not allowed []
> Mar 16 15:31:17 [myHostIP] sshd[4551]: input_userauth_request: invalid user root
>
>
> Thanks in advance for any input.
>
>
Syslogd should have an option for /etc/syslog.conf called keep_timestamp(no)

If you really want to use the syslog server's timestamp (to get your
local time and thus eliminate time difference issues), instead of the
one in the message, make sure you include this in your config file and
that should fix it.

BTW, I can't help but mention that LUARM (http://luarm.sourceforge.net/) 
does not suffer from these problems. Timing is a very important issue in 
log correlation. Syslog(-ng) are just log aggregators and as you see the 
default settings are not always the best for response tools.

GM


-- 
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535
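A quick check for the symptom described in the thread, written as an added example (not code from either poster): it parses BSD-syslog lines, flags adjacent entries stamped a whole number of hours apart or stepping backwards (impossible in arrival order unless writers disagree on the zone), and shows why a fail2ban-style findtime window then never sees more than one hit. The log sample is constructed to mirror the quoted lines; host, PIDs and addresses are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in the thread; host, PIDs and
# addresses are placeholders (RFC 5737 documentation ranges), not the poster's.
SAMPLE_LOG = """\
Mar 16 07:04:59 host1 sshd[4498]: User root from 192.0.2.10 not allowed []
Mar 16 14:04:59 host1 sshd[4499]: input_userauth_request: invalid user root
Mar 16 14:05:00 host1 sshd[4499]: Received disconnect from 192.0.2.10: 11: Bye Bye
Mar 16 07:07:24 host1 sshd[4517]: Did not receive identification string from 192.0.2.11
Mar 16 08:31:17 host1 sshd[4550]: User root from 192.0.2.12 not allowed []
Mar 16 15:31:17 host1 sshd[4551]: input_userauth_request: invalid user root
"""

# BSD-syslog header: "Mon dd HH:MM:SS host prog[pid]: message" (no year, no zone).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
FAILURE_RE = re.compile(r"not allowed|invalid user")  # lines a sshd jail would count

def parse(text, year=2011):
    """Return [(timestamp, message)] in file order, which is syslog's arrival order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["msg"]))
    return events

def timezone_mix_offsets(events, tolerance=timedelta(seconds=5)):
    """Whole-hour offsets between adjacent lines.  Lines written seconds apart but
    stamped a near-exact number of hours apart, or stepping backwards in time,
    are the signature of writers using different time zones, not real gaps."""
    found = []
    for (prev, _), (cur, _) in zip(events, events[1:]):
        delta = cur - prev
        hours = round(delta / timedelta(hours=1))
        exact = hours != 0 and abs(delta - timedelta(hours=hours)) <= tolerance
        if exact or delta < timedelta(0):
            found.append(hours)
    return found

def max_failures_in_window(events, findtime=timedelta(minutes=10)):
    """Naive fail2ban-style count: most failure lines whose *stamped* times fall in
    one findtime window.  With mixed zones the two lines for one attempt land
    hours apart, so the count stays at 1 and no ban threshold is reached."""
    times = sorted(ts for ts, msg in events if FAILURE_RE.search(msg))
    return max((sum(1 for t in times[i:] if t - start <= findtime)
                for i, start in enumerate(times)), default=0)
```

If the check reports offsets, the repair belongs in the syslog configuration (the timestamp option discussed in the reply), not in the parser.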




More information about the redhat-list mailing list