Shawn,

Here is a copy of the files you need to parse OSSEC logs in enVision. We 
currently do not have the enVision product anymore. If my memory serves me, you 
will need to create a folder called ossec in the devices directory and copy 
these files into the ossec folder. If you are running the LS series you will 
need to create the ossec folder and copy these files in all three LS 
appliances. You will need to restart your enVision services after you have 
completed the above process. You can contact me if you have any issues.

Thanks

Dennis Carter
Business Technology Services
727-464-4527
-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Jefferson, Shawn
Sent: Wednesday, March 03, 2010 11:55 AM
To: [email protected]
Subject: RE: [ossec-list] Re: OSSEC + RSA Envision

Would you be willing to share your XML file for it?  It would at least give me 
a starting point to go from.

Thanks,
Shawn

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Gags
Sent: Tuesday, March 02, 2010 9:35 PM
To: ossec-list
Subject: [ossec-list] Re: OSSEC + RSA Envision

Hi Shawn

We have done it in our environment, but we have customised only a few
alerts which we feel were critical and to be monitored at EnVision.
This depends on
1) The alerts critical for your setup
2) Devices, applications and OS part of your setup. Since based on
this, alerts would be different and they would need to be parsed
differently.

Regards
Gagan


On Mar 2, 4:08 am, "Jefferson, Shawn" <[email protected]>
wrote:
> Hi,
>
> Just getting started with OSSEC.  Does anyone have an XML device file to 
> integrate with RSA Envision that they wouldn't mind sharing?
>
> --
> Thanks!
> Shawn Jefferson
> [email protected]

Attachment: ossecmsg.xml.mod
Description: ossecmsg.xml.mod

Attachment: ossec.ini
Description: ossec.ini

<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<!-- 
If the message tag does not contain a definition of a property,
the default value will be used.
The default values are:
		level="1"
		parse="0"
		parsedefvalue="0"
		tableid="1"
		id1=""
		id2=""
		content=""
		reportcategory="0"
		sitetrack="0"
		eventcategory=""


The following are the entity references for all the predefined entities:
&lt;		< (opening angle bracket)
&gt;		> (closing angle bracket)
&amp;		& (ampersand)
&apos;		' (apostrophe)
&quot;		" (double quotation mark)

-->
<HEADER 
		id1="0001" 
		id2="0001" 
		messageid="" 
		devts="" 
		content="&lt;month&gt; &lt;day&gt; &lt;time&gt; ossec ossec: Alert Level:&lt;priority&gt;; Rule: &lt;messageid&gt; - &lt;!payload&gt;" />
<MESSAGE 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="18149" 
		id2="18149" 
		eventcategory="1401070000" 
		summary="" 
		content="Windows User Logoff.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;WinEvtLog; user: &lt;username&gt;;&lt;context&gt;Logon ID&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt; " />
<MESSAGE 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="18107" 
		id2="18107" 
		eventcategory="1402020300" 
		summary="" 
		content="Windows Logon Success.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;WinEvtLog; user: &lt;username&gt;;&lt;context&gt;{Source Network|Client} Address: &lt;saddr&gt;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt;&lt;@event_category:*SYSVAL($EVNTCAT)&gt;" />
<MESSAGE 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="18139" 
		id2="18139" 
		eventcategory="1401030000" 
		summary="" 
		content="Windows DC Logon Failure.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;WinEvtLog; &lt;context&gt; User Name: &lt;username&gt;&lt;junk&gt;Client Address: &lt;saddr&gt;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt; " />
<MESSAGE 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="18130" 
		id2="18130" 
		eventcategory="1401030000" 
		summary="" 
		content="Logon Failure - Unknown user or bad password.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;WinEvtLog; &lt;context&gt; User Name: &lt;username&gt;&lt;junk&gt;Source Network Address: &lt;saddr&gt;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt; " />
<MESSAGE 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="18111" 
		id2="18111" 
		eventcategory="1402020300" 
		summary="" 
		content="User account changed.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;WinEvtLog; user: &lt;name&gt;&lt;junk&gt;Target Account Name: &lt;username&gt;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt;&lt;@event_category:*SYSVAL($EVNTCAT)&gt;" />
<MESSAGE 
		level="3" 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="18152" 
		id2="18152" 
		eventcategory="1401030000" 
		summary="" 
		content="Multiple Windows Logon Failures.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;WinEvtLog; user: &lt;name&gt;&lt;junk&gt;User Name: &lt;username&gt; &lt;junk&gt;Client Address:  &lt;saddr&gt;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt;  " />
<MESSAGE 
		level="3" 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="550" 
		id2="550" 
		eventcategory="1001020200" 
		summary="" 
		content="Integrity Checksum Changed.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;&lt;junk&gt;; Integrity checksum changed for: &apos;&lt;filename&gt;&apos;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt; " />
<MESSAGE 
		level="3" 
		parse="1" 
		parsedefvalue="1" 
		tableid="20" 
		id1="552" 
		id2="552" 
		eventcategory="1001020200" 
		summary="" 
		content="Integrity Checksum Changed again &lt;junk&gt;.; Location: (&lt;source&gt;) &lt;daddr&gt;-&gt;&lt;junk&gt;; Integrity checksum changed for: &apos;&lt;filename&gt;&apos;&lt;@priority:*HDR(priority)&gt;&lt;@SIGID:*HDR(messageid)&gt; " />
</DEVICEMESSAGES>

Attachment: ossecmsg.stamp
Description: ossecmsg.stamp

Attachment: ossecmsg.xml.test
Description: ossecmsg.xml.test

Attachment: ossecmsg.xml.bak
Description: ossecmsg.xml.bak

Attachment: ossecmsg.xml.base
Description: ossecmsg.xml.base
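As an added example that is not part of this thread and not RSA's or OSSEC's code, the Python below emulates how the device file above would be applied: the HEADER template pulls the alert level and rule id out of the syslog line, and the MESSAGE whose id1 equals that rule id then extracts the named fields from the payload. The template grammar it implements (<name> captures one field, <!name> the rest of the line, <junk> and <context> are discarded filler, {a|b} is an alternation, <@x:*HDR(y)> copies header field y into x) and the sample alert lines are assumptions made for this example.

```python
import re
# Constructed subset of the attachment's templates (entities decoded); the grammar is an assumption.
HEADER = ("<month> <day> <time> ossec ossec: Alert Level:<priority>; "
          "Rule: <messageid> - <!payload>")
MESSAGES = {
    "18107": "Windows Logon Success.; Location: (<source>) <daddr>->WinEvtLog; "
             "user: <username>;<context>{Source Network|Client} Address: <saddr>"
             "<@priority:*HDR(priority)><@SIGID:*HDR(messageid)>",
    "550": "Integrity Checksum Changed.; Location: (<source>) <daddr>-><junk>; Integrity "
           "checksum changed for: '<filename>'<@priority:*HDR(priority)><@SIGID:*HDR(messageid)>",
}
FILLERS = {"junk", "context"}  # placeholders whose text is matched and discarded
TOKEN = re.compile(r"<@(\w+):\*HDR\((\w+)\)>|<@[^>]*>|<(!?)(\w+)>|\{([^}]*)\}")
# Constructed sample alert, shaped the way the HEADER template above expects.
SAMPLE = ("Mar  3 11:55:01 ossec ossec: Alert Level:3; Rule: 18107 - Windows Logon Success.; "
          "Location: (dc01) 10.0.0.5->WinEvtLog; user: jdoe;Logon Type: 10 Source Network Address: 192.0.2.44")
def _lit(text):
    """Escape literal template text; a run of blanks matches any whitespace."""
    return re.sub(r"(?:\\? )+", lambda _: r"\s+", re.escape(text))
def compile_template(tpl):
    """Return (regex, {var: header_field}) for one enVision content template."""
    parts, copies, pos = [], {}, 0
    for m in TOKEN.finditer(tpl):
        parts.append(_lit(tpl[pos:m.start()]))
        pos = m.end()
        var, hdr, bang, name, alts = m.groups()
        if var:                        # <@x:*HDR(y)>: copy header field y into x
            copies[var] = hdr
        elif name in FILLERS:          # <junk>, <context>: skip without capturing
            parts.append(r".*?")
        elif name:                     # <name> one field, <!name> rest of line
            parts.append(r"(?P<%s>%s)" % (name, ".*" if bang else ".+?"))
        elif alts is not None:         # {a|b}: literal alternatives
            parts.append("(?:%s)" % "|".join(_lit(a) for a in alts.split("|")))
    parts.append(_lit(tpl[pos:]))
    return re.compile("".join(parts)), copies
HEADER_RE, _ = compile_template(HEADER)
MESSAGE_RE = {rid: compile_template(t) for rid, t in MESSAGES.items()}

def parse_alert(line):
    """Apply HEADER, then the MESSAGE selected by rule id; None if nothing matches."""
    h = HEADER_RE.fullmatch(line.rstrip("\n"))
    entry = h and MESSAGE_RE.get(h.group("messageid"))
    b = entry and entry[0].fullmatch(h.group("payload"))
    if not b:
        return None
    event = {k: v.strip() for k, v in b.groupdict().items()}
    event.update({var: h.group(field) for var, field in entry[1].items()})
    return event
```

A rule id with no MESSAGE entry (or a payload that does not fit its template) yields None, which is the case to watch for when only a handful of OSSEC rules have been customised as described earlier in the thread.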
