Getting errors now:

2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Application'.

2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Security'.

2009/05/20 10:42:33 ossec-agent(1951): INFO: Analyzing event log: 'System'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.

2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.

2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file:
'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.

2009/05/20 10:42:34 ossec-agent: INFO: Started (pid: 3848).


> Here is the latest and *hopefully* final version. I've created three
> separate decoders for Windows DHCP server. One for Windows 2003 IPv4, one
> for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm not using
> IPv6, so I could only test a few log entries against the decoder. If someone
> is using 2K8 IPv6 and you can send me more logs, I'd be happy to test. Also,
> I'm pretty new to writing rules in regular expression. If you look at my
> decoders and think "WTF!", please let me know what I could do to make it
> better. ;)
>
> I've moved my decoders from decoder.xml to local_decoder.xml as was
> recommended on the mailing list.
>
> I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008
> IPv4 as well as a separate section for 2008 IPv6 rules. I've changed them
> from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300 for 2k8
> IPv6. I also updated the alert levels to a little more reasonable level and
> I've changed the groups to match predefined groups when applicable.
>
> The decoders also fixed a "bug" when trying to filter out the MAC address or
> "extra data". In the last decoder I posted, it didn't always get it right.
>
> If you've followed my previous instructions, please remove the decoder from
> your OSSEC server's decoder.xml file and use the attached local_decoder.xml.
> If you're already using a local_decoder.xml file, then don't overwrite your
> copy with mine! Copy and paste the contents of mine into yours... Otherwise,
> the rest of the previous instructions still apply.
>
> I'm still working out some possible bugs with the OSSEC agent monitoring the
> Windows logs. When I told the agent to monitor
> c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at Midnight.
> I'm not sure if that was due to timestamps not being updated or not. I've
> since added an entry in the OSSEC agent's ossec.conf file for each day's log
> and we'll see if that works better.
>
> Will the dev team take notice of this on the list and decide if they want to
> include it in their project or do I need to send it elsewhere?
>
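As an added example, not part of this thread and not OSSEC's own code, here is a small Python parser for the ossec-agent lines pasted at the top of this reply. It pairs each `ossec-agent(1103): ERROR: Unable to open file` with its path, folds the path case-insensitively (note that the Wednesday entry is logged as `c:\windows\...` while the others are `C:\WINDOWS\...`, which on Windows is the same file), and reports which daily `DhcpSrvLog-*.log` files the agent could not open while still listing them as "Analyzing file". The sample input is constructed from the lines in this message; the function names and the regexes are my own assumptions about the log format, based only on the lines shown here.

```python
import re
from collections import Counter

# Constructed sample input: the ossec-agent lines quoted at the top of this
# message (event-log lines, the per-file error/info pairs, and the start marker).
SAMPLE_LOG = r"""
2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2009/05/20 10:42:33 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.
2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.
2009/05/20 10:42:34 ossec-agent: INFO: Started (pid: 3848).
"""

# Line shape as seen above: timestamp, "ossec-agent", optional (code), level, message.
# This regex is an assumption derived from these lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent(?:\((?P<code>\d+)\))?: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Message forms seen on the page for code 1103 (ERROR) and 1950 (INFO).
OPEN_ERR_RE = re.compile(r"^Unable to open file '(?P<path>[^']+)'\.$")
ANALYZE_RE = re.compile(r"^Analyzing file: '(?P<path>[^']+)'\.$")
DAY_RE = re.compile(r"DhcpSrvLog-(?P<day>Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log$", re.IGNORECASE)


def normalize_win_path(path):
    """Windows paths are case-insensitive: fold case and separators so that
    'c:\\windows\\...' and 'C:\\WINDOWS\\...' are treated as the same file."""
    return path.replace("/", "\\").lower()


def parse_line(line):
    """Return a dict (ts, code, level, msg) for one agent line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unopenable_files(text):
    """Paths the agent reported it could not open (code 1103),
    de-duplicated case-insensitively, in first-seen order."""
    seen = []
    for rec in parse_log(text):
        if rec["code"] != 1103:
            continue
        m = OPEN_ERR_RE.match(rec["msg"])
        if m:
            p = normalize_win_path(m.group("path"))
            if p not in seen:
                seen.append(p)
    return seen


def still_listed_as_analyzed(text):
    """Paths that produced both the 1103 error and the 1950 'Analyzing file'
    line: the file is configured for monitoring in ossec.conf, but the
    agent could not read it at startup, so the ERROR line is the only signal."""
    analyzed = {normalize_win_path(ANALYZE_RE.match(r["msg"]).group("path"))
                for r in parse_log(text)
                if r["code"] == 1950 and ANALYZE_RE.match(r["msg"])}
    return [p for p in unopenable_files(text) if p in analyzed]


def missing_dhcp_days(text):
    """Day-of-week suffixes of the DHCP server logs that could not be opened."""
    days = []
    for p in unopenable_files(text):
        m = DAY_RE.search(p)
        if m:
            days.append(m.group("day").capitalize())
    return days


def level_counts(text):
    """How many lines of each level (INFO, ERROR, ...) the agent wrote."""
    return Counter(r["level"] for r in parse_log(text))


if __name__ == "__main__":
    print("could not open:", missing_dhcp_days(SAMPLE_LOG))
    print("levels:", dict(level_counts(SAMPLE_LOG)))
```

Run against the agent's ossec.log, `missing_dhcp_days` tells you at a glance whether it is one day's file or, as here, every day of the rotation, which points at the monitored path or its permissions rather than at a single missing log.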
