Continuous, automatic monitoring of our devices (Part 2)

The first part of this blog series was dedicated to the log management software Graylog. We successfully configured the first input via the web interface of Graylog and defined the data transmission of the system log in the MUC.easyplus.
This lay the foundations of this blog post where we demonstrate how to generate alarm messages for certain events captured in the system log.

In the third part we will configure an e-mail notification.

As error scenario we pick an erroneous login as Root, which can be caused by typos, but also by a hacking attack and thus by an unauthorized attempt to access the device.

To configure the alarm, log in as admin on the Graylog homepage and navigate to “Alerts”.

Graylog-Alerts

Event Details

Now click on “Get Started!”. In the first section “Event Details”, general aspects like a title for the alarm, a description and the priority can be configured. The priority is classified to “high” as it is a potential security breach and an unauthorized access on the device in this case.

Graylog-Event Details

Filter & Aggregation

After clicking “Next”, the section “Condition” opens. Without a licence, only “Filter & Aggregation” can be selected under “Condition Type”. The configuration of the alarm follows.

Now the question arises for what and in which time window Graylog is to screen the system log to generate a message.

This requires knowing the system log. For that, log in as admin per SSH, type in incorrect access data for the user Root and inspect the incoming messages in the Tab “Log” of the MUC.easyplus.

Graylog-Meldungen1

The message is as follows:

pam_unix(su:auth): authentication failure; logname=admin uid=1000 euid=0
tty=/dev/pts/0 ruser=admin rhost= user=root

For the first parameter “Search Query” you can type the term to search for. In this case, we opt for a search for “authentication failure”. Very helpful in this regard is the Filter Preview in the right pane of the window. As the preview is void at first, the parameter “Search within the last” is set to 1 hour. Then the filtered messages are displayed.

Graylog-Search1

These are still quite unspecific, as the terms “authentication” and “failure” are also part of unrelated messages. We strive to search for the string “authentication failure”. The search term must be surrounded by quotation marks. As we are interested in login-attempts of the user Root, this first search is combined with the second search. We insert “user=root” and combine both searches with a logical AND: „authentication failure“ && „user=root“.

Graylog-Search2

It was successful. Perfect!

Finally, the time window needs to be defined, to a search once per minute within the last 5 minutes. In the lower area we set that a message is to be generated if the event occurs 5 times.

Graylog-Aggregation

Fields

In this particular case, the section “Event fields” is skipped. This can turn out useful if many alarms can be assigned to an event.

This was the last step to generate and define an alarm. Thus, the log is first filtered for certain conditions and the alarm generated.

In the next step we want to be automatically notified if an alarm was detected. For simplicity this will be an e-mail notification.
In the third part of this blog series, we will shed light on defining the e-mail notification.

Categories:
Categories

Similar Posts

Our new software features

read more

#wesolve – Training routines at solvimus GmbH

read more

Third party cookies & scripts

This site uses cookies. For optimal performance, smooth social media and promotional use, it is recommended that you agree to third party cookies and scripts. This may involve sharing information about your use of the third-party social media, advertising and analytics website.
For more information, see privacy policy and imprint.
Which cookies & scripts and the associated processing of your personal data do you agree with?

You can change your preferences anytime by visiting privacy policy.