SSLH (great tool, see 'ssl/ssh multiplexer'
(http://www.rutschle.net/tech/sslh.shtml)) is used in my environment to
enable port sharing between ssh, https and OpenVPN.
I've configured the SYSLOG Collector to parse SSLH events so that:
sslh[11066]: connection from 192.168.78.1:57850 forwarded to SSH:192.168.78.252:22 with source 192.168.78.252:50286
becomes an event with:
e.sip=192.168.78.1
e.spint=57850
e.dip=192.168.78.252
e.dpint=22
e.cv01=50286
e.cv21=192.168.78.252
e.cv02=57850
e.cv22=192.168.78.1

then when ssh accepts the connection we have:
sshd[27907]: Accepted publickey for oruff from 192.168.78.252 port 50286 ssh2
becomes an event with:
e.sip=192.168.78.252
e.spint=50286
e.dip=192.168.78.252
e.dpint=22
e.cv01=50286
e.cv21=192.168.78.252

The goal is to correlate those 2 events and to build a custom
correlated event with :
e.sip=192.168.78.1 [from event 1]
e.spint=57850 [from event 1]
e.dip=192.168.78.252 [from event 2]
e.dpint=22 [from event 2]
so that one can track who logged in to where ... as if there were no proxy
in the middle.

The rule used is:
sequence(
    filter(
        ((((e.EventName = "sslh: connexion forward") and (e.CustomerVar1 > 0))
          and e.CustomerVar21 match regex ("\d+\.\d+\.\d+\.\d+"))
         and (e.TargetServicePortName = "ssh2"))),
    filter(
        (((e.EventName = "sshd: User authenticated") and (e.CustomerVar1 > 0))
         and e.CustomerVar21 match regex ("\d+\.\d+\.\d+\.\d+"))),
    6,
    discriminator(e.CustomerVar1, e.CustomerVar21)
)

and does fire correctly.

Based on the post "Trigger correlations from Javascript Actions" from
m_gandolfi, I've done some testing and almost succeeded.

I get my correlated event object with:
this.corrEvtObj = scriptEnv.getCorrelatedEvent();

I update it with a bunch of:
this.corrEvtObj.set<attribute name>(<the value I want>);

and then ... I add:
this.corrEvtObj.setModified(true);
this.corrEvtObj.incrementUpdateCount();

If I "directly" use the solution indicated by m_gandolfi, I get a bunch
of errors in the das_core log about violated constraints on both the event
and correlated event tables.

I found a "dirty workaround":
Remove all correlated events from my object:
// walk the events attached to the correlated event and detach each one
var iter = this.evtColl.iterator();
while (iter.hasNext()) {
    var evt = iter.next();
    this.corrEvtObj.removeCorrelatedEvent(evt);
}

and then I can do:
this.corrEvtObj.save();
// publish the saved correlated event on the update channel
var channel = "correlation_binary_event_update";
var publisher = ComponentServices.instance().getEventPublisher();
var evtList = new ArrayList(1);
evtList.add(this.corrEvtObj);
publisher.sendEvents(channel, evtList);

With this solution, das_core is "happy" ... but I'm not:
In the Historical Event Query ... I have 2 correlated events now ...
the original one & my customized one, both pointing to the same original
event.

So ... how can I fix this issue?
- Like "delete" (or remove) the first event (created by the correlation
engine) & add my new event?
- Or get Sentinel to "update" the existing event rather than "insert"
it ...


--
oruff
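Worked example, added here and not from the original post or from Sentinel: the same two-event join in plain JavaScript, so the merged fields (client from event 1, server from event 2) can be checked offline. The `host` column, the timestamps and the third, unmatched sshd line are constructed; the first two log lines are the ones quoted in the post.

```javascript
// Parse the two syslog lines and join them on the rule's discriminator
// (CustomerVar1 = sshd source port, CustomerVar21 = the address SSLH
// connected from) within the rule's 6-second window.
const SSLH_RE = /sslh\[\d+\]: connection from (\S+):(\d+) forwarded to SSH:(\S+):(\d+) with source (\S+):(\d+)/;
const SSHD_RE = /sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port (\d+) ssh2/;

// Map one syslog line to the collector fields; `host` (assumed) is the syslog
// source, used as dip for sshd because the server does not log its own address.
function parseLine(ts, host, line) {
  let m = SSLH_RE.exec(line);
  if (m) {
    return { ts, name: "sslh: connexion forward", sip: m[1], spint: +m[2],
             dip: m[3], dpint: +m[4], cv21: m[5], cv01: +m[6] };
  }
  m = SSHD_RE.exec(line);
  if (m) {
    return { ts, name: "sshd: User authenticated", user: m[1], sip: m[2],
             spint: +m[3], dip: host, dpint: 22, cv21: m[2], cv01: +m[3] };
  }
  return null;
}

// An sshd event is joined to the pending sslh event with the same (cv01, cv21)
// key seen at most windowSec earlier; logins that did not pass through SSLH
// have no pending partner and are left out.
function correlate(events, windowSec) {
  const pending = new Map(); // discriminator key -> sslh event
  const out = [];
  for (const e of events) {
    const key = e.cv01 + "|" + e.cv21;
    if (e.name === "sslh: connexion forward") {
      pending.set(key, e);
    } else if (pending.has(key) && e.ts - pending.get(key).ts <= windowSec) {
      const first = pending.get(key);
      out.push({ sip: first.sip, spint: first.spint,        // real client (event 1)
                 dip: e.dip, dpint: e.dpint, user: e.user }); // ssh server (event 2)
      pending.delete(key);
    }
  }
  return out;
}

// Constructed sample [ts, host, line]; the first two lines are the post's own.
const SAMPLE = [
  [100, "192.168.78.252", "sslh[11066]: connection from 192.168.78.1:57850 forwarded to SSH:192.168.78.252:22 with source 192.168.78.252:50286"],
  [101, "192.168.78.252", "sshd[27907]: Accepted publickey for oruff from 192.168.78.252 port 50286 ssh2"],
  [102, "192.168.78.252", "sshd[27910]: Accepted publickey for bob from 10.0.0.9 port 50300 ssh2"],
];
function correlateSample() {
  return correlate(SAMPLE.map(([ts, h, l]) => parseLine(ts, h, l)).filter(Boolean), 6);
}
```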