grsecurity forums

I'm using linux 2.4.21 + grsecurity + gradm v1.9.10.

The kernel component of grsec appears to be properly capturing the raw learn data into the syslog (via metalog):

Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:263503:/var/run/proftpd:16
Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:152782:/var/run/proftpd/proftpd.s
coreboard:21
Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:152782:/var/run/proftpd/proftpd.s
coreboard:4
Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:0:0::7
Jun 17 18:00:27 [kernel] grsec: LEARN:771:152738:0:0::21
Jun 17 18:00:28 [kernel] grsec: LEARN:771:152738:0:0::21
Jun 17 18:00:29 [kernel] grsec: LEARN:771:152738:0:0::21
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:263432:/etc/passwd:16
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:263432:/etc/passwd:17
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:270688:/etc/group:16
Jun 17 18:00:29 [kernel] grsec: LEARN:771:263439:771:270688:/etc/group:17

But when I try to parse the syslog with:

gradm -L /var/log/everything/current -O stdout

I get nothing except the initial skeletal learn acls, with no new rules added.

Am I doing something wrong?

James

dancebee wrote:The kernel component of grsec appears to be properly capturing the raw learn data into the syslog (via metalog):

Jun 17 18:00:27 [kernel] grsec: LEARN:771:263439:771:263503:/var/run/proftpd:16
...

Am I doing something wrong?

Most likely, log format is not recognised, you should not be using metalog. I have run into similar problem using syslog-ng (a more flexible, network-logging capable syslog replacement) and gradm doesn't seem to be able to read its logging format either.

So either change logger or get ready for some heavy sed'ing

--Jan

afaik the 2.0 series do work with metalog and syslog-ng. At least with metalog since i've tried that myself. Not sure if 1.9.x is supposed to work with it.

2.0 does not use syslog for the learning logs, so it is unaffected by what syslog daemon you use.

-Brad