I'm using OSSEC in an almost exclusively Windows environment, and use it
very successfully to monitor the System, Application and Security event
logs, as well as IIS, RRAS and several proprietary application-specific
logs.

1. It looks like you're indicating that the only log entries that the
clients are sending to the OSSEC server are from the Windows Security
event log. Is this correct? If this isn't correct, my further questions
probably aren't relevant and you can stop reading here.

2. When I'm not getting events that I'm expecting, I've found it useful
to review the ossec.log file on the Windows client in the agent
directory (usually C:\Program Files\ossec-agent\) for any errors.
Perhaps you have a permissions issue?

3. If there are no errors in the log files, check the ossec.conf file
on the Windows client in the same agent directory to ensure you see
directives to monitor the Application and System event logs:

  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

4. If none of that turns up anything promising, you might consider that
the type of event you've given as examples below seem to be the result
of turning on Object Level Access auditing in the Windows security
policy. If I am correct that this is turned on, you will see far more
of these types of events than any other event. In my environment, the
Security event log events outnumber the other log events by more than
1000 to 1. Perhaps you could consider turning off the Object Level
Access auditing for a while to see what else comes through. Note that I
have had to write many custom rules for my environment to tune out
alerts similar to the ones that you list because they happen way too
frequently and aren't relevant to the purpose that I'm monitoring for -
you will likely have to write custom rules to tune your OSSEC setup as
well.

Hope this helps.

Chris Kolb
Manager of Information Security

GDSX, Ltd. 
Phone: 972-612-7121
Fax: 972-612-7021

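The two configuration pieces described in points 3 and 4 above, written out as an added example (this is not code from the thread or from the OSSEC project): a second localfile block so the agent forwards the System log alongside Application, and a local rule that tunes out the "Object Open" audit failures on directories that dominate the alerts quoted below, while leaving other audit failures to fire as before. The rule id 100100 and the match strings are assumptions chosen for this example.

```xml
<!-- Part 1: ossec.conf on the Windows agent (point 3).
     The Application block already shown above is repeated here so the
     pair can be pasted together; the System block is the addition. -->
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- Part 2: local_rules.xml on the OSSEC server (point 4).
     A child of rule 18105 ("Windows audit failure event") that drops the
     noisy case to level 0, so it is neither logged nor alerted:
       - <id> is compared with the event id the windows decoder extracts
         (560 = Object Open on Windows 2003),
       - <match> is a plain substring test against the whole log line,
         so only directory objects are affected; failures on files still
         reach 18105 and the 18153 frequency rule.
     Rule id 100100 is an assumed value inside the local range
     (100000-119999) reserved for user-written rules. -->
<group name="local,windows,">
  <rule id="100100" level="0">
    <if_sid>18105</if_sid>
    <id>^560$</id>
    <match>Object Type: Directory</match>
    <description>Object Open audit failure on a directory; tuned out as noise.</description>
  </rule>
</group>
```

The agent needs a restart after the ossec.conf change and the server after the local_rules.xml change. Keep the match as narrow as the noise requires: widening it to every 560 event would also hide object-open failures on files, which are the ones worth keeping when the purpose of the audit policy is to track changes in folders.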
From: [email protected] [mailto:[email protected]]
On Behalf Of Kelly Egode
Sent: Wednesday, July 22, 2009 5:41 AM
To: Kelly Egode; [email protected]
Subject: [ossec-list] Re: Windows Audit

Hello All.

Kindly help me with the mail below to redeem my time spent on reviewing
OSSEC please.

My management is complaining I have spent too much time on the OSSEC PoC
because we have more Windows 2003 boxes.

Best regards,

Kelly

        ----- Original Message ----- 

        From: Kelly Egode <mailto:[email protected]>  

        To: [email protected] 

        Sent: Monday, July 20, 2009 9:26 AM

        Subject: Re: [ossec-list] Re: Windows Audit

        Hello Daniel,

        I am having similar issues.

        I have been able to install and configure a client/server
        installation on a Windows 2003 box/Linux.

        But my challenge is I can only get these logs:

        ** Alert 1247727461.1398511: - windows,
        2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
        Rule: 18105 (level 4) -> 'Windows audit failure event.'
        Src IP: (none)
        User: Taiwo.Aluko
        WinEvtLog: Security: AUDIT_FAILURE(560): Security: Taiwo.Aluko: APPDEVDB-BACKUP: APPDEVDB-BACKUP: Object Open: Object Server: Security Object Type: Directory Object Name: \Driver Handle ID: - Operation ID: {0,1946955072} Process ID: 436 Image File Name: C:\WINDOWS\system32\services.exe Primary User Name: APPDEVDB-BACKUP$ Primary Domain: GTBPLC Primary Logon ID: (0x0,0x3E7) Client User Name: Taiwo.Aluko Client Domain: APPDEVDB-BACKUP Client Logon ID: (0x0,0xF7F86C1) Accesses: %%4368 %%4369 Privileges: - Restricted Sid Count: 0 Access Mask: 0x3

        ** Alert 1247727461.1399326: - windows,
        2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
        Rule: 18105 (level 4) -> 'Windows audit failure event.'
        Src IP: (none)
        User: Taiwo.Aluko
        WinEvtLog: Security: AUDIT_FAILURE(560): Security: Taiwo.Aluko: APPDEVDB-BACKUP: APPDEVDB-BACKUP: Object Open: Object Server: Security Object Type: Directory Object Name: \Driver Handle ID: - Operation ID: {0,1946955073} Process ID: 436 Image File Name: C:\WINDOWS\system32\services.exe Primary User Name: APPDEVDB-BACKUP$ Primary Domain: GTBPLC Primary Logon ID: (0x0,0x3E7) Client User Name: Taiwo.Aluko Client Domain: APPDEVDB-BACKUP Client Logon ID: (0x0,0xF7F86C1) Accesses: %%4368 %%4369 Privileges: - Restricted Sid Count: 0 Access Mask: 0x3

        ** Alert 1247727461.1400141: mail  - windows,
        2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
        Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'

        on alert.log. Kindly guide me on how to fine tune the rules and
        decoders to be able to spool other logs and alerts.

        Thanks, hope to hear from you soonest.

        Best regards,

        Kelly Egode.

        ----- Original Message ----- 

        From: "Daniel Cid" <[email protected]>

        To: <[email protected]>

        Sent: Monday, July 20, 2009 4:56 AM

        Subject: [ossec-list] Re: Windows Audit

        > 
        > Hi Rafael,
        > 
        > OSSEC already has decoders for Windows audit logs. If you are
        > not seeing them on the alerts.log file you may need to modify
        > some rules to increase the severity of these events.
        > 
        > Post the Windows event ids of them so we can help (just look
        > at the Windows event viewer).
        > 
        > Thanks,
        > 
        > 
        > --
        > Daniel B. Cid
        > dcid ( at ) ossec.net
        > 
        > On Thu, Jul 16, 2009 at 10:47 AM, Rafael
        > Gomes<[email protected]> wrote:
        >>
        >> I am applying the audit of Windows to log every change in its
        >> folders.
        >>
        >> How can I get these logs in the OSSEC server?
        >>
        >> Is there already a decoder or rule to do this?
        >>
        >> Thanks,
        >>
        >> --
        >> Rafael Brito Gomes
        >> Projeto UFBA
        >> LPIC-1
        >> CPM Braxis
        >> Tel : +55 71 3283 6102
        >> http://www.cpmbraxis.com
        >> 
