Thanks! I just confirmed your statement by looking at a recent correlation 
rule that tripped and I see how the original logs were spread out over 4 
different log files. I really appreciate the clarification.

On Wednesday, June 28, 2017 at 11:05:18 AM UTC-6, Jesus Linares wrote:
>
> Hi Eric,
>
>> Right now, I believe OSSEC is only able to correlate multiple failed 
>> logins if they all happen to show up on only 1 of the log files
>
> That is not correct. The rules are based on the content of a log, not on 
> the source.
>
> Pay attention to the following rules:
>
>   <rule id="5700" level="0" noalert="1">
>     <decoded_as>sshd</decoded_as>
>     <description>SSHD messages grouped.</description>
>   </rule>
>
>   <rule id="5710" level="5">
>     <if_sid>5700</if_sid>
>     <match>illegal user|invalid user</match>
>     <description>sshd: Attempt to login using a non-existent user</description>
>     <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
>   </rule>
>
> It is looking for the strings "illegal user" or "invalid user" in an ssh 
> log. When is a log an ssh log? When it is decoded as ssh: 
>
> <decoder name="sshd">
>   <program_name>^sshd</program_name>
> </decoder>
>
> ...
>
> Usually, there are no checks for the source of an event.
>
> I hope it helps.
> Regards.
>
> On Tuesday, June 27, 2017 at 5:47:05 PM UTC+2, Eric wrote:
>>
>> I'm using OSSEC in a slightly untraditional way, as a pseudo-SIEM. I have it 
>> running on 1 server, and it's parsing through logs that are coming from 
>> multiple sources and then alerting me on what is going on. Overall this has 
>> worked fine, but now I'm needing to spread out the load, and the logs are 
>> being written to multiple files. Is there a way to tell OSSEC to treat 5 
>> separate log files as the same source? 
>>
>> The use case I have is file1.log, file2.log, file3.log, file4.log, and 
>> file5.log are all load balanced across an F5 VIP. So if you have 
>> multiple failed logins from user1 on server1, those failed logins could 
>> show up in any of the 5 log files. Right now, I believe OSSEC is only able 
>> to correlate multiple failed logins if they all happen to show up on only 1 
>> of the log files.
>>
>
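The point made above, that rules act on the decoded content of a log line rather than on which file it came from, as an added Python example that is not OSSEC code and not from anyone in this thread: it reads the same sshd failures from five constructed log files, applies a minimal "sshd" decoder (program_name starting with sshd) and the rule 5710 match, and then applies a frequency threshold per source IP across all files at once. The syslog regex, the srcip extraction, the threshold of 6 events in 120 seconds and the window reset after an alert are assumptions of this example, not OSSEC's implementation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one attacker's sshd failures spread over five
# load-balanced log files (made-up lines, not logs from the thread).
SAMPLE_FILES = {
    "file1.log": [
        "Jun 27 10:00:01 server1 sshd[2001]: Invalid user admin from 203.0.113.7 port 50110",
        "Jun 27 10:00:09 server1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    ],
    "file2.log": [
        "Jun 27 10:00:12 server1 sshd[2002]: Invalid user oracle from 203.0.113.7 port 50114",
    ],
    "file3.log": [
        "Jun 27 10:00:20 server1 sshd[2003]: Invalid user test from 203.0.113.7 port 50121",
        "Jun 27 10:00:33 server1 sshd[2004]: Accepted publickey for eric from 198.51.100.4 port 40022 ssh2",
    ],
    "file4.log": [
        "Jun 27 10:00:41 server1 sshd[2005]: Invalid user guest from 203.0.113.7 port 50130",
    ],
    "file5.log": [
        "Jun 27 10:00:55 server1 sshd[2006]: Invalid user ubuntu from 203.0.113.7 port 50137",
        "Jun 27 10:01:02 server1 sshd[2007]: Invalid user pi from 203.0.113.7 port 50140",
    ],
}

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSHD_PROGRAM = re.compile(r"^sshd")            # decoder "sshd": <program_name>^sshd</program_name>
RULE_5710_MATCH = re.compile(r"illegal user|invalid user", re.IGNORECASE)  # <match> is case-insensitive
SRCIP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")  # assumed srcip extraction


def decode(line):
    """Split a syslog line into fields and tag it with the decoder it matched."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Year is irrelevant here; only differences between timestamps are used.
    event["time"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    event["decoder"] = "sshd" if SSHD_PROGRAM.match(event["prog"]) else None
    ip = SRCIP_RE.search(event["msg"])
    event["srcip"] = ip.group(1) if ip else None
    return event


def matches_rule_5710(event):
    """Rule 5710: decoded as sshd (via 5700) and message matches the two strings."""
    return event["decoder"] == "sshd" and RULE_5710_MATCH.search(event["msg"]) is not None


def correlate(files, frequency=6, timeframe=120):
    """Collect rule-5710 hits from every file, then count per source IP in a
    sliding window. The file a line came from is recorded but never checked."""
    hits = []
    for fname, lines in files.items():
        for line in lines:
            ev = decode(line)
            if ev and matches_rule_5710(ev):
                ev["source_file"] = fname
                hits.append(ev)
    hits.sort(key=lambda e: e["time"])  # merge the files into one timeline

    alerts = []
    window = defaultdict(list)
    for ev in hits:
        bucket = window[ev["srcip"]]
        bucket.append(ev)
        while (bucket[-1]["time"] - bucket[0]["time"]).total_seconds() > timeframe:
            bucket.pop(0)  # expire events outside the timeframe
        if len(bucket) >= frequency:
            alerts.append({
                "srcip": ev["srcip"],
                "count": len(bucket),
                "files": sorted({e["source_file"] for e in bucket}),
            })
            bucket.clear()  # assumption: start a fresh window after alerting
    return {"matched": len(hits), "alerts": alerts}


if __name__ == "__main__":
    result = correlate(SAMPLE_FILES)
    print(f"rule 5710 matched {result['matched']} lines")
    for a in result["alerts"]:
        print(f"frequency alert: {a['count']} failures from {a['srcip']} across {a['files']}")
```

Running it shows one frequency alert for 203.0.113.7 built from events in all five files, while the successful publickey login and the cron line are ignored because they never reach rule 5710. Feeding it only two of the files still matches their lines but never reaches the threshold, which is the situation the original question was worried about and which disappears once all files are read by the same instance.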
