Aurora, That is exactly what I was thinking. Good to know it's possible.
-Reggie

Aurora Mazzone wrote:
> Hi Martin, Reggie,
>
> Reggie Griffin ha scritto:
>> It's not possible from what I know. The hostname is picked up when
>> parsing the log file, at least from what the online docs say.
>> I was thinking out loud. :-p
>>
>> -Reggie
>>
>> Martin Tartarelli wrote:
>>> Reggie,
>>>
>>> 2009/2/23 Reggie Griffin <[email protected]>:
>>>> Martin,
>>>>
>>>> I see. In that case, it would be nice to insert a variable in the
>>>> <hostname></hostname> tag. Then you could define groups of systems
>>>> into one nice entry.
>>>
>>> =) Interesting....... How can I do that?
>
> I know that in the syslog_rules.xml rules file the "var" tag (the
> variable name is expressed in the "name" attribute) has been used to
> group many words that could be a symptom of a problem (used in a
> catch-all rule, 1002):
>
> [syslog_rules.xml]
>
> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>
> <rule id="1002" level="2">
>   <match>$BAD_WORDS</match>
>   <options>alert_by_email</options>
>   <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> As you can see there are at least two possible ways:
>
> - with the two hostnames in "or" using the pipe (inside the rule)
>
> [local_rules.xml]
>
> <rule id="100999" level="10">
>   <if_sid>5710</if_sid>
>   <hostname>pippo|pluto</hostname>
>   <description>test</description>
> </rule>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>        hostname: 'aureliano'
>        program_name: 'sshd'
>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        srcip: '127.0.0.1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5710'
>        Level: '5'
>        Description: 'Attempt to login using a non-existent user'
> **Alert to be generated.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>        hostname: 'pluto'
>        program_name: 'sshd'
>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        srcip: '127.0.0.1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100999'
>        Level: '10'
>        Description: 'test'
> **Alert to be generated.
>
>
> - with the variable HOSTS1 defined and used in the "hostname" tag
>
> [local_rules.xml]
>
> <var name="HOSTS1">pippo|pluto</var>
> [...]
> <rule id="100999" level="10">
>   <if_sid>5710</if_sid>
>   <hostname>$HOSTS1</hostname>
>   <description>test</description>
> </rule>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>        hostname: 'aureliano'
>        program_name: 'sshd'
>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        srcip: '127.0.0.1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5710'
>        Level: '5'
>        Description: 'Attempt to login using a non-existent user'
> **Alert to be generated.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>        hostname: 'pluto'
>        program_name: 'sshd'
>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        srcip: '127.0.0.1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100999'
>        Level: '10'
>        Description: 'test'
> **Alert to be generated.
>
> Is it what you needed?
>
> Aurora
>
>>>> -Reggie
>>>>
>>>> Martin Tartarelli wrote:
>>>>> Reggie,
>>>>>
>>>>> 2009/2/20 Reggie Griffin <[email protected]>:
>>>>>> Martin,
>>>>>>
>>>>>> I use the <hostname></hostname> parameter to accomplish this within my
>>>>>> local_rules.xml file. Default location is /var/ossec/rules/local_rules.xml.
>>>>>>
>>>>>> Here is an example:
>>>>>>
>>>>>> <rule id="100019" level="0">
>>>>>>   <if_sid>30112</if_sid>
>>>>>>   <hostname>server2</hostname>
>>>>>>   <description>Rule that ignores noisy errors from server2</description>
>>>>>> </rule>
>>>>>>
>>>>>> <rule id="100020" level="3">
>>>>>>   <if_sid>30112</if_sid>
>>>>>>   <hostname>server1</hostname>
>>>>>>   <description>Rule that limits the alert level for server1</description>
>>>>>> </rule>
>>>>>>
>>>>>> If I am understanding you correctly, I believe you can have multiple
>>>>>> <hostname></hostname> entries within the same rule id.
>>>>>>
>>>>>> -Reggie
>>>>>
>>>>> Thanks for your answer, it's a good idea, but the problem with that is
>>>>> when you have more than 500 servers it's very difficult to create a
>>>>> rule by host. In my case I like to discriminate server vs. risk on
>>>>> OSSEC with the alert level.
>>>>>
>>>>>> Martin Tartarelli wrote:
>>>>>>> Any idea?
>>>>>>>
>>>>>>> ---------- Forwarded message ----------
>>>>>>> From: Martin Tartarelli <[email protected]>
>>>>>>> Date: 2009/2/13
>>>>>>> Subject: OSSEC with one or more Instance
>>>>>>> To: [email protected]
>>>>>>>
>>>>>>> List, I need your help...
>>>>>>>
>>>>>>> OSSEC has the ability to discriminate critical alerts using the Alert
>>>>>>> Level. Now, what happens when I use a second critical factor in terms
>>>>>>> of servers? For example...
>>>>>>>
>>>>>>> Critical H
>>>>>>>   SRV-PROD1
>>>>>>>   SRV-PROD2
>>>>>>>   rule id="1852" with alert level="8"
>>>>>>>
>>>>>>> Critical M
>>>>>>>   SRV-DESA1
>>>>>>>   SRV-DESA2
>>>>>>>   rule id="1852" with alert level="7"
>>>>>>>
>>>>>>> Critical L
>>>>>>>   SRV-RECO1
>>>>>>>   SRV-TEMP
>>>>>>>   rule id="1852" with alert level="5"
>>>>>>>
>>>>>>> What if I want to take the spoils but with a different warning alert
>>>>>>> level? (because a server is more critical than the other). Can I
>>>>>>> create multiple instances on the same server? In practice, how can
>>>>>>> one discriminate xml (with rules) for different servers? Can I do
>>>>>>> that? (maybe with more instances on the ossec server)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> --
>>>>>>> Martin Tartarelli
>>>>>>> Linux User #476492
>>>>>>> --
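As an added example (not from the thread and not OSSEC's own code), here is a small Python model of the approach Aurora demonstrates, applied to Martin's three criticality tiers: a `<var>` per host group, and child rules of sid 1852 with `<hostname>$VAR</hostname>` that re-level the alert for each group. The rule ids 100100-100102, the XML fragment and the exact-match-per-alternative hostname semantics are assumptions for illustration, not OSSEC's real matcher.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment modelled on the thread: <var> groups hosts
# by criticality, child rules of sid 1852 re-level per group (ids chosen here).
LOCAL_RULES = """<group name="local,">
  <var name="HOSTS_H">SRV-PROD1|SRV-PROD2</var>
  <var name="HOSTS_M">SRV-DESA1|SRV-DESA2</var>
  <var name="HOSTS_L">SRV-RECO1|SRV-TEMP</var>
  <rule id="100100" level="8">
    <if_sid>1852</if_sid>
    <hostname>$HOSTS_H</hostname>
    <description>1852 on a high-criticality host</description>
  </rule>
  <rule id="100101" level="7">
    <if_sid>1852</if_sid>
    <hostname>$HOSTS_M</hostname>
    <description>1852 on a medium-criticality host</description>
  </rule>
  <rule id="100102" level="5">
    <if_sid>1852</if_sid>
    <hostname>$HOSTS_L</hostname>
    <description>1852 on a low-criticality host</description>
  </rule>
</group>"""

def load_rules(xml_text):
    """Parse <var> and <rule> elements, expanding $VAR references in <hostname>."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): v.text for v in root.iter("var")}
    rules = []
    for r in root.iter("rule"):
        host = r.findtext("hostname") or ""
        for name, value in variables.items():
            host = host.replace("$" + name, value)
        sids = [int(s) for s in (r.findtext("if_sid") or "").split(",") if s.strip()]
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "if_sid": sids, "hostname": host})
    return rules

def host_matches(pattern, hostname):
    """Pipe-separated alternatives; assumption: each alternative must match exactly."""
    return hostname in pattern.split("|")

def classify(rules, parent_sid, parent_level, hostname):
    """Return (rule_id, level) the event ends up with: the first child rule of
    parent_sid whose hostname list matches wins, otherwise the parent stands."""
    for r in rules:
        if parent_sid in r["if_sid"] and r["hostname"] and host_matches(r["hostname"], hostname):
            return r["id"], r["level"]
    return parent_sid, parent_level
```

A host outside every group keeps the parent rule's id and level, so unlisted servers fall through unchanged, as 'aureliano' does in Aurora's ossec-logtest runs.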
