This error: "2009/05/28 13:46:34 ossec-agent(1103): ERROR: Unable to open file"

is not really related to the decoder/rules, since it happens way before, on the agent side. For some reason when ossec tries to open the file, it fails... Is there a way to send me the content of 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'? Or even run "type 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'" on the command prompt? If there is one small typo in the file path ossec will not be able to open it.

As far as the decoder (and rules), I tried them using the log samples provided in the rule file and they seemed to work (*make sure to remove your local decoders too):

2009/05/29 10:03:35 ossec-testrule: INFO: Started (pid: 22553).
ossec-testrule: Type one log per line.

24,3/10/2009,0:00:46,Database Cleanup Begin,,,,

**Phase 1: Completed pre-decoding.
       full event: '24,3/10/2009,0:00:46,Database Cleanup Begin,,,,'
       hostname: 'enigma'
       program_name: '(null)'
       log: '24,3/10/2009,0:00:46,Database Cleanup Begin,,,,'

**Phase 2: Completed decoding.
       decoder: 'ms-dhcp-ipv4'
       id: '24'

**Phase 3: Completed filtering (rules).
       Rule id: '6316'
       Level: '3'
       Description: 'IP address cleanup operation has began.'
**Alert to be generated.

11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,

**Phase 1: Completed pre-decoding.
       full event: '11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,'
       hostname: 'enigma'
       program_name: '(null)'
       log: '11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,'

**Phase 2: Completed decoding.
       decoder: 'ms-dhcp-ipv6'
       id: '11011'

**Phase 3: Completed filtering (rules).
       Rule id: '6362'
       Level: '7'
       Description: 'Stopped.'
**Alert to be generated.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 29, 2009 at 9:53 AM, phish phreek <phishphr...@gmail.com> wrote:
> Daniel,
>
> Thanks for integrating them into the project. I've downloaded and installed
> the latest snapshot. I've also renamed my local_decoder.xml file so it
> wouldn't be included. I verified that the new decoder.xml file did have your
> decoders.
>
> Ossec is not able to decode the logs with the decoders you created. I tested
> this via the ossec-logtest utility. When I enable my decoders, it works fine
> with the new rules file you created. I'm short on time this AM and can't
> troubleshoot much more at the moment. I'll see what I can do with it this
> afternoon or over the weekend.
>
> Thanks again,
>
> phishphreek
>
> On Thu, May 28, 2009 at 1:29 PM, Daniel Cid <daniel....@gmail.com> wrote:
>>
>> Hey,
>>
>> I included those on the latest snapshot. I did a few changes so I
>> would like you to take a look:
>>
>> -Modified the use of <match> to <id>
>> -Simplified the decoder to only extract the id, since we were not
>> using the other information
>> -Changed the ids to be in the 6300-6399 range (assigned now for MS DHCP)
>> -Changed the levels from some informative rules to 0 (like ip assigned,
>> etc).
>>
>> Can you test? Anyone here using ms dhcp to try it out?
>>
>> Link: http://ossec.net/files/snapshots/ossec-hids-090528.tar.gz
>>
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, May 13, 2009 at 1:01 AM, phish phreek <phishphr...@gmail.com>
>> wrote:
>> > Here is the latest and *hopefully* final version. I've created three
>> > separate decoders for Windows DHCP server. One for Windows 2003 IPv4, one
>> > for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not using
>> > IPv6, so I could only test a few log entries against the decoder. If someone
>> > is using 2K8 IPv6 and you can send me more logs, I'd be happy to test. Also,
>> > I'm pretty new to writing rules in regular expression. If you look at my
>> > decoders and think "WTF!", please let me know what I could do to make it
>> > better. ;)
>> >
>> > I've moved my decoders from decoder.xml to local_decoder.xml as was
>> > recommended on the mailing list.
>> >
>> > I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008
>> > IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them
>> > from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8
>> > IPv6. I also updated the alert levels to a little more reasonable level and
>> > I've changed the groups to match predefined groups when applicable.
>> >
>> > The decoders also fixed a "bug" when trying to filter out the MAC address or
>> > "extra data". In the last decoder I posted, it didn't always get it right.
>> >
>> > If you've followed my previous instructions, please remove the decoder from
>> > your OSSEC server's decoder.xml file and use the attached local_decoder.xml.
>> > If you're already using a local_decoder.xml file, then don't overwrite your
>> > copy with mine! Copy and paste the contents of mine into yours... Otherwise,
>> > the rest of the previous instructions still apply.
>> >
>> > I'm still working out some possible bugs with the OSSEC agent monitoring the
>> > Windows logs. When I told the agent to monitor
>> > c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at Midnight.
>> > I'm not sure if that was due to timestamps not being updated or not. I've
>> > since added an entry in the OSSEC agent's ossec.conf file for each day's log
>> > and we'll see if that works better.
>> >
>> > Will the dev team take notice of this on the list and decide if they want to
>> > include it in their project or do I need to send it elsewhere?
>> >
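The three-phase flow that the ossec-logtest session above walks through (pre-decode the line, pick a decoder and pull out only the event id, then match a rule by that id) is easy to lose in the quoting, so here it is as a small Python model. This is an added example, not code from the thread or from OSSEC itself: the rule table is built from the two hits shown above (id 24 -> rule 6316 level 3, id 11011 -> rule 6362 level 7), the routing of ids 11000 and up to the IPv6 decoder is an assumption made from the 11011 sample (the real decoder's prematch is not shown in the thread), the "Assign" record and the non-DHCP line are constructed input, and RECORD_RE, RULES, decode, apply_rules, analyze and alerts are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input. The first two lines are the ones fed to ossec-logtest in the thread;
# the third is a constructed DHCPv4 "Assign" record in the same layout, and the
# fourth is constructed noise that must not decode at all.
SAMPLE_LINES: List[str] = [
    "24,3/10/2009,0:00:46,Database Cleanup Begin,,,,",
    "11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,",
    "10,3/10/2009,8:15:02,Assign,192.0.2.25,client1,001122334455,",
    "this is not a dhcp audit record",
]

# ID,Date,Time,Description are the first four comma-separated fields of a
# Microsoft DHCP server audit-log record. Later fields (address, host, MAC) are
# ignored here because, like the simplified decoder in the thread, only the id
# is needed to select a rule.
RECORD_RE = re.compile(
    r"^(?P<id>\d+),"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{2,4}),"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}),"
    r"(?P<desc>[^,]*)"
)

# Rule table taken from the two hits in the quoted ossec-logtest output.
# Key: (decoder name, event id) -> (rule id, level, rule description).
RULES: Dict[Tuple[str, str], Tuple[int, int, str]] = {
    ("ms-dhcp-ipv4", "24"): (6316, 3, "IP address cleanup operation has began."),
    ("ms-dhcp-ipv6", "11011"): (6362, 7, "Stopped."),
}

# Assumption for this example (not stated in the thread): DHCPv6 audit records
# carry ids of 11000 and above, which is how the 11011 sample reaches the IPv6 decoder.
DHCPV6_MIN_ID = 11000


@dataclass
class Result:
    decoder: str
    event_id: str
    date: str
    time: str
    description: str
    rule_id: Optional[int] = None
    level: Optional[int] = None
    rule_description: Optional[str] = None


def decode(line: str) -> Optional[Result]:
    """Phases 1-2: check the record layout, pick a decoder, extract the id."""
    m = RECORD_RE.match(line)
    if m is None:
        return None  # no decoder matched; OSSEC would leave this line unhandled
    event_id = m.group("id")
    decoder = "ms-dhcp-ipv6" if int(event_id) >= DHCPV6_MIN_ID else "ms-dhcp-ipv4"
    return Result(decoder, event_id, m.group("date"), m.group("time"), m.group("desc"))


def apply_rules(result: Result) -> Result:
    """Phase 3: look the (decoder, id) pair up in the rule table."""
    hit = RULES.get((result.decoder, result.event_id))
    if hit is not None:
        result.rule_id, result.level, result.rule_description = hit
    return result


def analyze(line: str) -> Optional[Result]:
    """Run one line through all phases; None means no decoder matched."""
    decoded = decode(line)
    return None if decoded is None else apply_rules(decoded)


def alerts(lines: List[str], min_level: int = 1) -> List[Result]:
    """Keep only records that matched a rule at or above min_level."""
    out: List[Result] = []
    for line in lines:
        r = analyze(line)
        if r is not None and r.level is not None and r.level >= min_level:
            out.append(r)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyze(line)
        if r is None:
            print(f"no decoder matched: {line!r}")
        elif r.rule_id is None:
            print(f"decoder {r.decoder} id {r.event_id}: decoded, no rule matched")
        else:
            print(f"decoder {r.decoder} id {r.event_id}: rule {r.rule_id} "
                  f"level {r.level} {r.rule_description!r}")
```

Run as a script it prints one line per sample, mirroring the logtest phases. The constructed "Assign" record decodes but matches nothing, and alerts() also drops anything below min_level; together those show the two ways an event can be parsed without producing an alert, which is the effect of moving the informative rules (ip assigned, etc.) to level 0 as described in the thread.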