2016-08-09 03:00 AM
Hi,
I have one Virtual Log Collector running on v10.4.0.2, and what I observed on that VLC is that a file is being created under /var/log/; the file name is "secure" and it has a size of more than 2.3 GB. I have deleted it many times, but after some time it appears again at the same location, which is slowing down the VLC.
Below are some lines of the logs that are in the file when I look into it.
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug1: user sftp matched group list uploads at line 159
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: match found
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: reprocess config:160 setting ChrootDirectory /var/netwitness/logcollector/upload_chroot
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: reprocess config:161 setting X11Forwarding no
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: reprocess config:162 setting AllowTcpForwarding no
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: reprocess config:163 setting PasswordAuthentication no
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: auth_shadow_acctexpired: today 17022 sp_expire -1 days left -17023
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: account expiration disabled
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: mm_request_send entering: type 8
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug2: monitor_read: 7 used once, disabling now
Aug 9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: mm_request_receive entering
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug2: input_userauth_request: setting up authctxt for sftp
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_inform_authserv entering
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_request_send entering: type 3
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_inform_authrole entering
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_request_send entering: type 4
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_auth2_read_banner entering
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_request_send entering: type 9
Aug 9 06:58:14 NCORP-VLC-01 sshd[14560]: debug3: mm_request_receive_expect entering: type
So I am just wondering why these logs are being generated and how to get rid of them.
Kindly advise. Thanks.
Regards,
Deepanshu Sood.
2016-08-09 03:17 AM
Hi Sood,
This is because debug logs are being written to the /var/log/secure file. Keeping debug logs on is often not a good idea. Please send me the content of "/etc/rsyslog.conf" so I can check.
Best regards
Khaled
2016-08-09 03:22 AM
Hi,
Thanks Khaled for your response.
I had actually already checked it from my end for troubleshooting, and I have now checked the file again and found nothing in it.
No IP address is added in the file.
Below is the output.
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@NCORP-VLC-01 yum.repos.d]#
Regards,
Deepanshu Sood.
2016-08-09 03:33 AM
Hi Sood,
In the rsyslog.conf file you should find an entry like the one below:
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Change it to
# The authpriv file has restricted access.
authpriv.info /var/log/secure
then restart the rsyslog service and check what happens.
Another thing to check is the sshd configuration in /etc/ssh/sshd_config:
LogLevel INFO
Make sure that it is either commented out or left as INFO, not DEBUG.
The main issue you have with the secure log is that it contains debug logs, which are numerous and fill up the file quickly. You need to check how the debug logs were enabled and then disable them. Most likely it will be one of the two methods above.
Best regards
Khaled
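The two checks Khaled describes (the rsyslog selector that feeds /var/log/secure, and the sshd LogLevel) can be scripted. The script below is an added example, not code from this thread or from NetWitness. It counts sshd debug lines in an auth log, reads the global LogLevel from sshd_config plus any LogLevel placed inside a Match block (a spot the top of the file does not show; sshd_config(5) lists LogLevel among the keywords allowed under Match in current OpenSSH), and reports which rsyslog selector writes to /var/log/secure. Every log line and config snippet in it is a constructed sample: the host name is taken from the post, while the IP address, the "Accepted publickey" line and the DEBUG3 entry under Match are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from NetWitness): triage sshd
# debug noise in /var/log/secure and inspect the two settings discussed
# in the post above. All sample data below is constructed.

# Count lines sshd wrote at a debug level (debug1/debug2/debug3 prefixes).
count_sshd_debug() {
    grep -c -E 'sshd\[[0-9]+\]: debug[0-9]:' "$1" || true
}

# Global LogLevel from sshd_config; sshd defaults to INFO when the
# directive is absent or commented out. Anything after the first Match
# line is skipped here and reported separately by match_loglevels.
sshd_loglevel() {
    awk 'tolower($1)=="match" {in_match=1}
         !in_match && tolower($1)=="loglevel" {lvl=toupper($2)}
         END {print (lvl=="" ? "INFO" : lvl)}' "$1"
}

# LogLevel directives that sit inside Match blocks, which a glance at the
# top of the file would miss.
match_loglevels() {
    awk 'tolower($1)=="match" {in_match=1}
         in_match && tolower($1)=="loglevel" {print toupper($2)}' "$1"
}

# Uncommented rsyslog selector(s) whose action is /var/log/secure.
secure_selector() {
    awk '$1 !~ /^#/ && $2=="/var/log/secure" {print $1}' "$1"
}

# Does a selector still pass LOG_DEBUG messages? "authpriv.*" and
# "authpriv.debug" do; "authpriv.info" (priority info and above) does not.
selector_passes_debug() {
    case "$1" in
        *.\*|*.debug|*.=debug) echo yes ;;
        *) echo no ;;
    esac
}

# Write the constructed sample files into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/secure" <<'EOF'
Aug  9 06:58:14 NCORP-VLC-01 sshd[14558]: debug1: user sftp matched group list uploads at line 159
Aug  9 06:58:14 NCORP-VLC-01 sshd[14558]: debug3: match found
Aug  9 06:58:14 NCORP-VLC-01 sshd[14558]: Accepted publickey for sftp from 192.0.2.10 port 50122 ssh2
Aug  9 06:58:14 NCORP-VLC-01 sshd[14560]: debug2: input_userauth_request: setting up authctxt for sftp
EOF
    cat >"$d/sshd_config" <<'EOF'
#LogLevel INFO
Subsystem sftp internal-sftp
Match Group uploads
    ChrootDirectory /var/netwitness/logcollector/upload_chroot
    LogLevel DEBUG3
EOF
    cat >"$d/rsyslog.conf" <<'EOF'
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
#*.* @@remote-host:514
EOF
    echo "$d"
}

# Run the checks against the samples and print a short report.
demo() {
    d=$(make_samples)
    echo "sshd debug lines in secure:  $(count_sshd_debug "$d/secure")"
    echo "global sshd LogLevel:        $(sshd_loglevel "$d/sshd_config")"
    echo "LogLevel inside Match:       $(match_loglevels "$d/sshd_config")"
    sel=$(secure_selector "$d/rsyslog.conf")
    echo "rsyslog selector for secure: $sel (passes debug: $(selector_passes_debug "$sel"))"
    rm -rf "$d"
}

demo
```

Point the three functions at the real /var/log/secure, /etc/ssh/sshd_config and /etc/rsyslog.conf on the VLC to run the same checks live. sshd emits its debug1..debug3 messages at syslog priority LOG_DEBUG, so a selector of authpriv.info drops them while authpriv.* keeps them; that is why the first change targets the selector, and rsyslog must be restarted before the new selector applies.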
2016-08-09 03:53 AM
Khaled, I have checked both ways.
1st way outcome
I changed it to the below and then restarted the service, but when I checked the timestamp of the file it was still current even after making the change and restarting the service.
# The authpriv file has restricted access.
authpriv.info /var/log/secure
2nd way outcome
I checked /etc/ssh/sshd_config and under it LogLevel INFO.
It's already INFO, not DEBUG.
Note: One thing I did notice is that when I stop the rsyslog service the file modification stops and the file stops updating.
But I am not sure what the impact would be if I keep the service disabled, because under /etc/ssh/sshd_config I can see that there is some configuration for the file reader collection.
# SFTP server settings added for NwLogCollector
StrictModes no
Subsystem sftp internal-sftp
Match User sftp
AllowTCPForwarding no
PasswordAuthentication no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory /var/netwitness/logcollector
Match Group uploads
ChrootDirectory /var/netwitness/logcollector/upload_chroot
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication no
[root@NCORP-VLC-01 log]#
Please suggest what to do.
Regards,
Deepanshu Sood.
2016-08-09 04:10 AM
Hi Sood,
If I understand you correctly, when you stop the rsyslog service the secure file does not get modified. If that is the case, then the change you made to the rsyslog configuration file will help and will prevent debug logs from being written to the file.
Make sure that you restarted the rsyslog service with the command below:
service rsyslog restart
Then monitor to check whether the size of the secure file grows quickly again.
Hope this helps
Best regards
Khaled
2016-08-09 04:15 AM
I mean that before making any change to any file,
as a test I stopped the rsyslog service, after which the file modification stopped.
But after that I started the service again, followed your suggested steps, made the changes in the file and restarted the service, and the file is still being modified.
2016-08-09 04:18 AM
Are there still any debug logs?
If there are, send me the whole rsyslog.conf file.
Best regards
Khaled
2016-08-09 04:57 AM
Sent the attachment to your email address.
2016-08-09 05:04 AM
The file seems OK.
Are the debug logs still present in the secure log?