On Tue, Jan 19, 2010 at 9:58 AM, Dave S <[email protected]> wrote:
> Dan,
> I think the reason you have no archive.log is because you need to add
>
> <global>
>  <logall>yes</logall>
> </global>
>
> to ossec.conf.  Great way when you're debugging to get a thorough
> record of all events sent to the server.
>
> Unfortunately, the event I'm trying to reproduce is a Windows Event
> log record, so I've no file (that I know of) where I can retrieve the
> raw log entry.
>
> - Dave
>

Wow, that worked. Thanks!

Ok, I have a Windows event log or two in there now. Here's an example:
2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog WinEvtLog:
System: INFORMATION(7036): Service Control Manager: (no user): no
domain: Bunny-PC: Windows Modules Installer running

It's a short example (there are long ones in there too, but this
seemed easier).
If I paste the whole line into ossec-logtest I get back bad results:
**Phase 1: Completed pre-decoding.
       full event: '2010 Jan 19 17:56:24 (bunny)
192.168.17.0->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service
Control Manager: (no user): no domain: Bunny-PC: Windows Modules
Installer running'
       hostname: 'ix'
       program_name: '(null)'
       log: '2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog
WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no
user): no domain: Bunny-PC: Windows Modules Installer running'

**Phase 2: Completed decoding.
       No decoder matched.

However, if I paste everything after "192.168.17.0->WinEvtLog", the
results are much better:
WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no
user): no domain: Bunny-PC: Windows Modules Installer running


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: System: INFORMATION(7036): Service
Control Manager: (no user): no domain: Bunny-PC: Windows Modules
Installer running'
       hostname: 'ix'
       program_name: '(null)'
       log: 'WinEvtLog: System: INFORMATION(7036): Service Control
Manager: (no user): no domain: Bunny-PC: Windows Modules Installer
running'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'INFORMATION'
       id: '7036'
       extra_data: 'Service Control Manager'
       dstuser: '(no user)'
       system_name: 'Bunny-PC'

**Phase 3: Completed filtering (rules).
       Rule id: '18101'
       Level: '0'
       Description: 'Windows informational event.'

Not perfect, since the wrong hostname is used (that's my ossec
server), but better.

HTH,
dan
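
The two ossec-logtest runs above differ only in whether the server-added archive header ("2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog ") is still in front of the event. The script below is an added example for this thread, not OSSEC code: it strips that header from archived lines so they can be piped straight into ossec-logtest, keeps the agent name, IP and location that the header carried (so that information is not lost when only the body is replayed), and parses the WinEvtLog body into the same fields the `windows` decoder reported above. The header layout is taken from the line quoted in the thread; the bare "hostname->location" form for events read on the server itself, the WinEvtLog field order beyond what the sample shows, and the extra `channel`, `domain` and `message` keys are assumptions. The second and third sample lines are constructed.

```python
"""Strip OSSEC archive-log headers so stored events can be replayed through ossec-logtest.

Added example for this mailing-list thread, not OSSEC code. The header layout
("YYYY Mon DD HH:MM:SS (agent) ip->location ...") is taken from the line quoted
in the thread; the WinEvtLog field order is inferred from that sample and the
fields the 'windows' decoder reported for it.
"""
import re
import sys
from typing import Dict, Iterable, List, Optional

# Header the server writes in front of every archived event. The "(agent) ip"
# form is the one shown in the thread; the bare "hostname" form for events the
# server reads locally is an assumption.
ARCHIVE_HEADER = re.compile(
    r"^(?P<timestamp>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>[^\s>]+)|(?P<host>[^\s>]+))"
    r"->(?P<location>\S+) (?P<log>.*)$"
)

# Assumed layout of the WinEvtLog body as forwarded by the Windows agent:
#   WinEvtLog: <channel>: <STATUS>(<id>): <source>: <user>: <domain>: <computer>: <message>
# status/id/extra_data/dstuser/system_name mirror the decoder output in the
# thread; channel, domain and message are extra keys added here.
WINEVTLOG = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def split_archive_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Separate the server-added header from the raw log body.

    Returns None for lines that carry no header (blank lines, continuation
    lines of a multi-line event), so callers can skip them.
    """
    m = ARCHIVE_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    # Agent events carry the name in 'agent', server-local ones in 'host';
    # expose one 'source' key either way.
    d["source"] = d["agent"] or d["host"]
    return d


def decode_winevtlog(log: str) -> Optional[Dict[str, str]]:
    """Parse a WinEvtLog body into the fields the 'windows' decoder reports."""
    m = WINEVTLOG.match(log)
    return m.groupdict() if m else None


def logtest_input(archive_lines: Iterable[str]) -> List[str]:
    """Return the raw log bodies, one per line, ready to pipe into ossec-logtest.

    The header is what made the full archive line match no decoder in the
    thread, so only the body after "location " is kept.
    """
    bodies = []
    for line in archive_lines:
        parts = split_archive_line(line)
        if parts is not None:
            bodies.append(parts["log"])
    return bodies


# Constructed sample: the first line is the one quoted in the thread; the
# second is a made-up event whose message itself contains colons; the third
# is a made-up non-Windows file event forwarded by the same agent.
SAMPLE_ARCHIVE = [
    "2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog WinEvtLog: System: "
    "INFORMATION(7036): Service Control Manager: (no user): no domain: Bunny-PC: "
    "Windows Modules Installer running",
    "2010 Jan 19 17:57:01 (bunny) 192.168.17.0->WinEvtLog WinEvtLog: Security: "
    "AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "Bunny-PC: An account failed to log on. Logon Type: 3 Source Network Address: 10.0.0.5",
    "2010 Jan 19 17:58:10 (bunny) 192.168.17.0->C:\\logs\\app.log app: started",
]


if __name__ == "__main__":
    # With a file argument, strip that archive log; otherwise use the sample.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    for body in logtest_input(source):
        print(body)
```

Usage is the obvious pipe: run the script against the archive log (archives.log under /var/ossec/logs/archives/ in a default install) and feed its output to ossec-logtest, or paste one emitted line at a time as in the second run above. The hostname ossec-logtest prints is still the machine it runs on, because the agent name only lives in the stripped header; `split_archive_line` keeps that name in its `source` key if you need to correlate the replayed event back to the agent.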
