000031960 - Modified Nicwtmp script to prevent duplicate reboot events to occur in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031960
Applies To: RSA Product Set: Security Analytics
RSA Product Service/Type: Core Appliance, Log Collection
Platform: CentOS
Issue: Some users have reported receiving unwanted duplicate reboot logs when using the nicwtmp.sh script available on RSA Link and RSA SecurCare Online.
The aim of this script is to push wtmp logs into the Linux syslog system so that they can be forwarded to Security Analytics.
The last command is used to query /var/log/wtmp and extract historical information such as user logins and reboot events, with their date and time.

This is a modified version of the script available here.

A configuration guide is also available for Red Hat Linux in the Security Analytics User Guide.  See the relevant section on page 8.
Resolution: The scope of this article is to help users properly configure and create a new version of the script, nicwtmp_new4.sh, in order to fix this wrong behaviour.
1) Open your favourite text editor, create a new file named nicwtmp_new4.sh, and copy and paste the following text into it:
#! /bin/sh
#### Copyright Notice:
####
#### Copyright (c) 2010 Network Intelligence Corporation
####
#### Warning: This computer program is protected by copyright law and
#### international treaties.  Unauthorized reproduction or distribution
#### of this program, or any portion of it, may result in severe civil
#### and criminal penalties, and will be prosecuted to the maximum
#### extent possible under the law.
####
#### Network Intelligence Automated WTMP log collection script v 1.0
####
#### Use this script to push wtmp logs into the syslog file.
#### This script does not have any User Configuration
####
### A marker file to store the last set of logs for comparison
### (both paths are relative to the working directory the script is started from)
markerFile="lastLogs";
tempFile="temp";
### The sed expression rewrites the reboot lines of the "last" output: the end
### time ("- HH:MM") and the duration ("(HH:MM)") of the boot that is still
### running change on every run, so they are replaced by fixed text. Without
### this, diff would report the same reboot as a new entry every hour.
### If the marker file does not exist, all the wtmp logs are forwarded
### to syslog
if [ ! -f $markerFile ]; then
        last -i|sed '/reboot/ s/- [0-9][0-9]:[0-9][0-9]/- last/; /reboot/ s/(.*)/(last)/' >$markerFile;
        cat $markerFile|/usr/bin/logger -t WTMP
else
### If the marker file exists, compare it with the new WTMP logs out from
### the "last" command output to check if there are new entries. If yes,
### only the new entries are forwarded to the syslog.
        last -i|sed '/reboot/ s/- [0-9][0-9]:[0-9][0-9]/- last/; /reboot/ s/(.*)/(last)/' >$tempFile;
        markerFileHashValue=`md5sum -t $markerFile| cut -f1 -d' '`;
        tempFileHashValue=`md5sum -t $tempFile| cut -f1 -d' '`;
        if [ "${markerFileHashValue}" != "${tempFileHashValue}" ]; then
                ### diff prints lines that are only in the new file prefixed with ">";
                ### cut -s keeps just those lines and strips the prefix
                diff -i $markerFile $tempFile|cut -s -d">" -f2|/usr/bin/logger -t WTMP
                cp $tempFile $markerFile
        fi
        rm -f $tempFile
fi

  • If you use Windows make sure to convert EOL characters to Unix format (for instance in Notepad++, Edit--->EOL Conversion---> Unix/Osx Format) and then save the file.
  • Under Linux you can run this command from the command line to correct this issue: sed -i -e 's/\r$//' nicwtmp_new4.sh
2) Log in to the Linux/Red Hat machine, create a new directory named wtmp under your $HOME directory, copy nicwtmp_new4.sh into $HOME and move it inside the new folder, and lastly make it executable:
mkdir -p $HOME/wtmp
mv $HOME/nicwtmp_new4.sh $HOME/wtmp/
chmod +x $HOME/wtmp/nicwtmp_new4.sh

3) Schedule the script to run as a cron task every hour using crontab as suggested below, then save and close the file (in vi press ZZ). Note that cron starts the job in the user's home directory, so the lastLogs marker file will be created in $HOME:
crontab -e
0 * * * * $HOME/wtmp/nicwtmp_new4.sh

4) If you are already sending Linux/Red Hat syslog events to SA, you should already have configured /etc/rsyslog.conf; see an example below:
# ### end of the forwarding rule ###
*.*   @@192.168.12.112:514 #tcp
*.*   @192.168.12.112:514 #udp

  • These entries indicate that all syslog facilities and severities are forwarded over the network, using both TCP and UDP, to 192.168.12.112 on port 514, where 192.168.12.112 is the IP address of the SA VLC or Log Decoder you would like to send these events to.
Note: Newer versions of the logger command (check the logger man page for further information) allow sending syslog messages to a remote host without configuring the system-wide /etc/rsyslog.conf file.
If this is the case, the script can be modified by adding the -n option to logger, so that the two lines that pipe into /usr/bin/logger (lines 26 and 36) are replaced by the following:
cat $markerFile|/usr/bin/logger -n LOG_COLLECTOR_IP -P 514 --tcp -t WTMP
diff -i $markerFile $tempFile|cut -s -d">" -f2|/usr/bin/logger -n LOG_COLLECTOR_IP -P 514 --tcp -t WTMP

Where LOG_COLLECTOR_IP is the SA VLC or Log Decoder ip address you would like to send these events to.
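The following is an added example, not part of the RSA article or the script above: it replays the reboot-line normalisation and the diff/cut delta step of nicwtmp_new4.sh on two constructed "last -i" snapshots taken an hour apart, so you can see why the raw output produced a new reboot event on every run and the normalised output does not. The snapshot contents and the helper function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the RSA article: replays the reboot-line
# normalisation and the diff/cut delta step of nicwtmp_new4.sh on two
# constructed "last -i" snapshots, so the fix can be checked without wtmp.

# The exact sed expression from the script: on reboot lines, blank out the
# end time ("- HH:MM") and the "(duration)", which change on every run for
# the boot that is still up.
normalize_last() {
    sed '/reboot/ s/- [0-9][0-9]:[0-9][0-9]/- last/; /reboot/ s/(.*)/(last)/'
}

# Lines present in the new snapshot ($2) but not in the marker ($1),
# extracted the same way the script does before piping them to logger.
new_entries() {
    diff -i "$1" "$2" | cut -s -d">" -f2
}

# Constructed sample: the same host one hour apart. Only the end time and
# duration of the running boot (first line) differ, plus one new login.
SNAP1='reboot   system boot  3.10.0-327  Tue Jun 14 09:00 - 10:00  (01:00)
admin    pts/0        10.0.0.5         Tue Jun 14 09:05   still logged in
reboot   system boot  3.10.0-327  Mon Jun 13 08:00 - 08:55  (00:55)'
SNAP2='reboot   system boot  3.10.0-327  Tue Jun 14 09:00 - 11:00  (02:00)
bob      pts/1        10.0.0.7         Tue Jun 14 10:30   still logged in
admin    pts/0        10.0.0.5         Tue Jun 14 09:05   still logged in
reboot   system boot  3.10.0-327  Mon Jun 13 08:00 - 08:55  (00:55)'

# Number of lines that would reach syslog between the two runs.
# $1 = "normalized" applies the sed fix; anything else diffs the raw output
# (the behaviour that produced a fresh reboot event every hour).
count_new_events() {
    dir=$(mktemp -d)
    if [ "$1" = normalized ]; then
        printf '%s\n' "$SNAP1" | normalize_last > "$dir/lastLogs"
        printf '%s\n' "$SNAP2" | normalize_last > "$dir/temp"
    else
        printf '%s\n' "$SNAP1" > "$dir/lastLogs"
        printf '%s\n' "$SNAP2" > "$dir/temp"
    fi
    new_entries "$dir/lastLogs" "$dir/temp" | wc -l | tr -d ' '
    rm -rf "$dir"
}

echo "raw diff forwards $(count_new_events raw) line(s), normalized forwards $(count_new_events normalized)"
```

With the raw output the changed reboot line is forwarded again together with the genuinely new login; after normalisation only the new login is sent.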
 
