Hello Chris/Daniel,

Below is the Windows agent ossec.log:

/07/21 12:34:46 ossec-agent: INFO: Trying to connect to server (10.2.95.178:1514).
2009/07/21 12:34:46 ossec-agent: Starting syscheckd thread.
2009/07/21 12:34:46 ossec-rootcheck: INFO: Started (pid: 7256).
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2009/07/21 12:34:46 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/system32'.
2009/07/21 12:34:46 ossec-agent: INFO: Started (pid: 7256).
2009/07/21 12:34:56 ossec-agent: WARN: Process locked. Waiting for permission...
2009/07/21 12:35:07 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.2.95.178'.
2009/07/21 12:35:11 ossec-agent: INFO: Trying to connect to server (10.2.95.178:1514).
2009/07/21 12:35:32 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.2.95.178'.
2009/07/21 12:35:54 ossec-agent: INFO: Trying to connect to server (10.2.95.178:1514).
2009/07/21 12:35:55 ossec-agent(4102): INFO: Connected to the server (10.2.95.178:1514).
2009/07/21 12:35:55 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2009/07/21 12:35:56 ossec-agent: INFO: Lock free. Continuing...
2009/07/21 12:35:59 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2009/07/21 12:35:59 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2009/07/21 12:35:59 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex090721.log'.
2009/07/21 12:35:59 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex090721.log'.
2009/07/21 12:35:59 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex090721.log'.
2009/07/21 12:35:59 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\System32\LogFiles\MSFTPSVC1\ex090721.log'.
2009/07/21 12:35:59 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\System32\LogFiles\MSFTPSVC1\ex090721.log'.
2009/07/21 12:35:59 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\System32\LogFiles\MSFTPSVC1\ex090721.log'.
2009/07/21 12:35:59 ossec-agent: INFO: Started (pid: 7256).
2009/07/21 12:40:20 ossec-agent: INFO: Event count after '20000': 12566995->7342480 (58%)
2009/07/21 12:43:46 ossec-agent: INFO: Starting syscheck scan (db).
2009/07/21 12:44:28 ossec-agent: INFO: Event count after '20000': 12498725->7315512 (58%)
2009/07/21 12:48:21 ossec-agent: INFO: Event count after '20000': 11845923->7007152 (59%)
2009/07/21 12:52:19 ossec-agent: INFO: Event count after '20000': 11891790->7039376 (59%)
2009/07/21 12:52:33 ossec-agent: INFO: Ending syscheck scan (db).
2009/07/21 12:52:53 ossec-agent: INFO: Starting rootcheck scan.
2009/07/21 12:56:28 ossec-agent: INFO: Event count after '20000': 12551992->7347824 (58%)
2009/07/21 13:00:44 ossec-agent: INFO: Event count after '20000': 12639626->7397368 (58%)

The only alert/log entry is a Windows Audit failure, and the ossec.conf file has the proper Application, Security and System event log formats configured. If possible, kindly create a link with the format of the tuned rules you used.

Thanks so much, expecting your replies soonest.
Best regards,
Kelly

----- Original Message -----
From: "Chris Kolb" <[email protected]>
To: <[email protected]>
Sent: Thursday, July 23, 2009 3:37 PM
Subject: [ossec-list] Re: Windows Audit

We're implementing PCI DSS and will have to monitor events like this for particular directories or files, so even though I'm not having this issue (yet) I'm very interested in a solution to this issue as well.

Chris Kolb
Manager of Information Security
GDSX, Ltd.
Phone: 972-612-7121
Fax: 972-612-7021
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rafael Gomes
Sent: Thursday, July 23, 2009 5:38 AM
To: [email protected]
Cc: Kelly Egode
Subject: [ossec-list] Re: Windows Audit

In my case, I just want to get this log into the OSSEC server:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/20/2009
Time: 4:54:04 PM
User: UFBA\user1
Computer: server1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\foo\path\index.html
Handle ID: 51652
Operation ID: {0,2956632565}
Process ID: 4
Image File Name:
Primary User Name: server1$
Primary Domain: DOMAIN1
Primary Logon ID: (0x0,0x3E7)
Client User Name: user1
Client Domain: DOMAIN1
Client Logon ID: (0x0,0xB0216AFA)
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080

I already get other logs from this server, but I think that there isn't any decoder or rule to handle this type of log in my OSSEC server.

Thank you.

--
Rafael Brito Gomes
Projeto UFBA
LPIC-1
CPM Braxis
Tel : +55 71 3283 6102
http://www.cpmbraxis.com
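As an added example, not part of the thread and not OSSEC's own decoder or rule code: a small Python parser for the Event ID 560 (Object Open) text Rafael posted, plus a check that flags sensitive access rights on files under a watched path, which is the extraction a decoder and rule for this event would have to perform. The sample event is reflowed from the message above; the WATCHED_PREFIXES and SENSITIVE_ACCESSES values are assumptions for illustration.

```python
import re

# Windows Server 2003-style Security event 560 (Object Open) as pasted in the
# thread, reflowed into one field per line (constructed sample input).
SAMPLE_EVENT = r"""Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: UFBA\user1
Computer: server1
Description:
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: F:\foo\path\index.html
 Image File Name:
 Client User Name: user1
 Client Domain: DOMAIN1
 Accesses: DELETE
 ReadAttributes
 Access Mask: 0x10080
"""

def parse_event(text):
    """Turn the 'Key: value' lines of an event into a dict; access rights
    that spill onto their own lines are folded into the Accesses field."""
    fields, last = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z ]*", key):
            last = key.strip()
            fields[last] = value.strip()
        elif last:  # continuation line such as a second access right
            fields[last] = (fields[last] + " " + line).strip()
    return fields

# Assumptions for this example: paths in scope and the rights worth alerting on.
WATCHED_PREFIXES = ("f:\\foo\\",)
SENSITIVE_ACCESSES = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "WriteData"}

def classify(fields):
    """Return an alert string for a sensitive access to a watched file, else None."""
    name = fields.get("Object Name", "")
    hits = sorted(SENSITIVE_ACCESSES & set(fields.get("Accesses", "").split()))
    if (fields.get("Event ID") != "560" or fields.get("Object Type") != "File"
            or not name.lower().startswith(WATCHED_PREFIXES) or not hits):
        return None
    return "%s on %s by %s\\%s from %s" % (",".join(hits), name,
        fields.get("Client Domain"), fields.get("Client User Name"), fields.get("Computer"))
```

Read-only accesses to the same path (ReadAttributes alone) produce no alert, which is the noise a tuned rule for this event has to discard.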
