SSLH (great tool, see 'ssl/ssh multiplexer'
(http://www.rutschle.net/tech/sslh.shtml)) is used in my environment to
enable port sharing between ssh, https and OpenVPN.
I've configured the SYSLOG Collector to parse SSLH events so that:
sslh: connection from 192.168.78.1:57850 forwarded to
SSH:192.168.78.252:22 with source 192.168.78.252:50286
become an event with :
then when ssh accepts the connection we have:
sshd: Accepted publickey for oruff from 192.168.78.252 port
become an event with :
The goal is to correlate those 2 events and to build a custom
correlated event with :
e.sip=192.168.78.1 [from event 1]
e.spint=57850 [from event 1]
e.dip=192.168.78.252 [from event 2]
e.dpint=22 [from event 2]
so that one can track who logged to where ... as if there were no proxy
in the middle.
The rule used is :
((((e.EventName = "sslh: connexion forward") and (e.CustomerVar1 >
and e.CustomerVar21 match regex ("\d+\.\d+\.\d+\.\d+"))
and (e.TargetServicePortName = "ssh2")))
(((e.EventName = "sshd: User authenticated") and (e.CustomerVar1 >
and e.CustomerVar21 match regex ("\d+\.\d+\.\d+\.\d+")))
and does fire correctly.
m_gandolfi, I've done some testing and almost succeeded.
I get my correlated event Object with :
this.corrEvtObj = scriptEnv.getCorrelatedEvent();
I update it with a bunch of :
this.corrEvtObj.set<attribute name>(<the value I want>);
and then ... I add :
If I "directly" use the solution indicated by m_gandolfi, I get a bunch
of errors in the das_core log about violated constraints on both the event and
correlated event tables.
I found a "dirty workaround":
Remove all correlated events from my object:
var iter = this.evtColl.iterator();
var evt = iter.next();
and then I can do :
var channel = "correlation_binary_event_update";
var publisher = ComponentServices.instance().getEventPublisher();
var evtList = new ArrayList(1);
With this solution, das_core is "happy" ... but I'm not :
In the Historical Event Query ... I have 2 correlated events now ...
the original one & my customized one, both pointing to the same original
So ... how can I fix this issue?
- Like "delete" (or remove) the first event (created by the correlation
engine) & add my new event ?
- Or get Sentinel to "update" the existing event rather than "insert"?
oruff's Profile: http://forums.novell.com/member.php?userid=22331
View this thread: http://forums.novell.com/showthread.php?t=440087
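The correlation the post describes, written out as an added example that is not part of the original thread and does not use the Sentinel correlation API: the sslh "forwarded to" line and the sshd "Accepted" line are joined on the proxy-side source address and port (sslh's "with source 192.168.78.252:50286" against sshd's "from 192.168.78.252 port 50286"), and the merged record carries the real client address from the sslh event. The sshd sample line is constructed, since the post truncates it after "port"; the host_ip parameter stands in for the collector supplying the sshd host's address as dip. A login that never passed through sslh is left as-is rather than dropped, so direct connections are still tracked.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log lines. The sslh line is the one quoted in the post;
# the sshd lines are assumed (the post truncates its sshd line), with the
# first one's port chosen to match sslh's "with source" port.
SAMPLE_LOGS = [
    "sslh: connection from 192.168.78.1:57850 forwarded to "
    "SSH:192.168.78.252:22 with source 192.168.78.252:50286",
    "sshd: Accepted publickey for oruff from 192.168.78.252 port 50286 ssh2",
    # A direct login that did not pass through sslh (constructed).
    "sshd: Accepted password for alice from 192.168.78.10 port 41000 ssh2",
]

IP = r"\d+\.\d+\.\d+\.\d+"
SSLH_RE = re.compile(
    rf"sslh: connection from (?P<sip>{IP}):(?P<spint>\d+) forwarded to "
    rf"(?P<proto>\w+):(?P<dip>{IP}):(?P<dpint>\d+) with source "
    rf"(?P<psip>{IP}):(?P<pspint>\d+)"
)
SSHD_RE = re.compile(
    rf"sshd: Accepted (?P<method>\S+) for (?P<user>\S+) "
    rf"from (?P<ip>{IP}) port (?P<port>\d+)"
)


def correlate(lines: Iterable[str], host_ip: str) -> List[Dict[str, object]]:
    """Join sslh forward events with the sshd accept they produce.

    host_ip is the address of the sshd host (what the collector would put in
    dip for the sshd event). Returns one record per accepted login.
    """
    # Forwards waiting for their sshd accept, keyed by the proxy-side
    # source address and port that sshd will see the connection come from.
    pending: Dict[Tuple[str, int], Dict[str, object]] = {}
    out: List[Dict[str, object]] = []

    for line in lines:
        m = SSLH_RE.search(line)
        if m:
            if m["proto"].upper() != "SSH":
                continue  # https/OpenVPN forwards never produce an sshd accept
            key = (m["psip"], int(m["pspint"]))
            pending[key] = {
                "sip": m["sip"],            # real client address [event 1]
                "spint": int(m["spint"]),   # real client port    [event 1]
                "dpint": int(m["dpint"]),   # ssh service port    [event 1]
            }
            continue

        m = SSHD_RE.search(line)
        if not m:
            continue
        key = (m["ip"], int(m["port"]))
        # pop(): each forward is consumed once, so a later reuse of the same
        # ephemeral port cannot be matched against a stale entry.
        fwd: Optional[Dict[str, object]] = pending.pop(key, None)
        if fwd is not None:
            out.append({
                "sip": fwd["sip"],
                "spint": fwd["spint"],
                "dip": host_ip,             # sshd host address [event 2]
                "dpint": fwd["dpint"],
                "user": m["user"],
                "via_proxy": True,
            })
        else:
            # No sslh forward for this source: the client connected directly.
            out.append({
                "sip": m["ip"],
                "spint": int(m["port"]),
                "dip": host_ip,
                "dpint": None,              # sshd's log line carries no local port
                "user": m["user"],
                "via_proxy": False,
            })
    return out


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOGS, "192.168.78.252"):
        print(ev)
```

The first record comes out as sip=192.168.78.1, spint=57850, dip=192.168.78.252, dpint=22, user=oruff, which is exactly the merged view the post asks for; the direct login keeps its own source address and is flagged via_proxy=False.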