Thanks for your prompt response and suggestions!
I added the <if_sid> line back to my rule, so it is now:
<rule id="101013" level="5">
<if_sid>18100</if_sid>
<match>HP Color LaserJet 8500 PS</match>
<description>Printer test</description>
</rule>
I then set <logall>yes</logall> and restarted the server.
archives.log then showed this:
WinEvtLog: System: INFORMATION(9): Print: SYSTEM: NT AUTHORITY:
SERVER: Printer HP Color LaserJet 8500 PS (from WORKSTATION) in
session 2 was set.
I had already tried to use ossec-logtest, but it didn't appear to work
on my box. It would go up to 100% CPU usage and just stay there
without showing "ossec-testrule: Type one log per line.", so I would
just kill it. I just tried letting ossec-logtest run instead of
killing it after 10 seconds and "ossec-testrule: Type one log per
line." finally did appear. Pasting the log, I got the following:
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: System: INFORMATION(9): Print: SYSTEM:
NT AUTHORITY: SERVER: Printer HP Color LaserJet 8500 PS (from
WORKSTATION) in session 2 was set.'
hostname: 'OSSEC'
program_name: '(null)'
log: 'WinEvtLog: System: INFORMATION(9): Print: SYSTEM: NT
AUTHORITY: SERVER: Printer HP Color LaserJet 8500 PS (from
WORKSTATION) in session 2 was set.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'INFORMATION'
id: '9'
extra_data: 'Print'
dstuser: 'SYSTEM'
system_name: 'SERVER'
**Phase 3: Completed filtering (rules).
Rule id: '18101'
Level: '0'
Description: 'Windows informational event.'
Since it decoded to Rule 18101, I changed my if_sid to 18101 like so:
<rule id="101013" level="5">
<if_sid>18101</if_sid>
<match>HP Color LaserJet 8500 PS</match>
<description>Printer test</description>
</rule>
I restarted the OSSEC server, forced the event on the agent, and then
checked the log on the server:
** Alert 1267727612.987986828: - windows,
2010 Mar 04 13:33:32 (SERVER) 192.168.1.101->WinEvtLog
Rule: 101013 (level 5) -> 'Printer test'
Src IP: (none)
User: SYSTEM
WinEvtLog: System: INFORMATION(9): Print: SYSTEM: NT AUTHORITY:
SERVER: Printer HP Color LaserJet 8500 PS (from WORKSTATION) in
session 2 was set.
So my mistake was thinking that I could make my new rule a child of
the generic Windows event (18100) when you have to follow the event to
the end of its natural decoding and then make your new rule a child to
the final decoded event (18101 Windows Informational Event). Lesson
learned! Thanks for your help in resolving this issue!
Thanks,
Doug Burks
On Mar 4, 12:16 pm, "dan (ddp)" <[email protected]> wrote:
> On Thu, Mar 4, 2010 at 10:14 AM, Doug Burks <[email protected]> wrote:
> > I'm having trouble getting a rule to fire for a Windows agent. I've
> > written other Windows rules before and they work fine, but I can't
> > figure out why this isn't working.
>
> > Here's what shows up in the Windows System log:
> > Printer HP Color LaserJet 8500 PS (from WORKSTATION) in session 2 was
> > set.
>
> > I am receiving other alerts from that Windows System log, so I know
> > the Agent is working properly.
>
> > I added the following to /var/ossec/rules/local_rules.xml on my OSSEC
> > server:
> > <rule id="101013" level="5">
> > <if_sid>18100</if_sid>
> > <match>HP Color LaserJet 8500 PS</match>
> > <description>Printer test</description>
> > </rule>
>
> > I then restarted both the OSSEC Server and the OSSEC Agent on the
> > Windows box. I can generate new log entries on the Windows box, but
> > they never show up on the OSSEC server.
>
> > I then tried removing the if_sid line making the rule just:
> > <rule id="101013" level="5">
> > <match>HP Color LaserJet 8500 PS</match>
> > <description>Printer test</description>
> > </rule>
>
> > I then restarted both the OSSEC Server and the OSSEC Agent on the
> > Windows box. It still doesn't work.
>
> > Here are my questions:
> > 1. What is the bare minimum in a rule definition? Can I get by with
> > just a <match>?
> > 2. After adding the rule to local_rules.xml, is it necessary to
> > restart both the server and the agent? Or just one or the other?
> > 3. Is there something obviously wrong with my rule that would prevent
> > it from matching the above log snippet?
>
> > Thanks,
> > Doug Burks
>
> 1. You'll probably need the <if_sid> line in your rule.
> 2. You should only have to restart the server after adding a rule.
>
> In the global section of your ossec.conf, you can try setting the
> <logall>yes</logall> option. This will populate /var/ossec/logs/archives
> on the server.
> In the archive.log file you should then have all of the alerts sent to the
> server. Look for the one you're trying to create a rule for. You can then
> copy and paste part of that line into ossec-logtest to see how it is being
> decoded.
>
> For example, I have the following line in my archives.log file:
> 2010 Mar 04 01:39:16 (giediprime-win) 192.168.17.0->WinEvtLog
> WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT
> AUTHORITY: GIEDIPRIME: Logon Failure: Reason: Unknown
> user name or bad password User Name: guest Domain:
> Logon Type: 3 Logon Process: NtLmSsp
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: \\192.168.1.9
>
> If I copy everything after the first "WinEvtLog" and paste it into
> ossec-logtest
> I get the information I'm looking for.
>
> If you still have issues, paste the line from the archives.log file to
> the list,
> we can probably help a bit more then.
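As an added worked example (not part of the thread, and not OSSEC's own code), the following Python models the two things the exchange above turns on: dan's advice to take everything after the first "WinEvtLog" from archives.log and feed it to ossec-logtest, and Doug's finding that rule 101013 only fires once its <if_sid> points at 18101 rather than 18100. The decoder regex follows the field layout ossec-logtest printed in Phase 2; the rule set is a reduced stand-in for 18100/18101 (18100's description is an assumed placeholder), and the evaluation model assumes what the thread's results are consistent with: the children of a matched rule are tried in file order, the first child that matches wins and the engine descends into it, with local_rules.xml entries ordered after the stock rules. The archives.log lines are constructed from the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample archives.log lines, in the format the thread shows
# (agent header, then "->WinEvtLog ", then the event as the agent sent it).
ARCHIVE_LINES = [
    "2010 Mar 04 01:39:16 (giediprime-win) 192.168.17.0->WinEvtLog WinEvtLog: Security: "
    "AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: GIEDIPRIME: Logon Failure: Reason: "
    "Unknown user name or bad password User Name: guest Domain: Logon Type: 3 Logon Process: "
    "NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Workstation Name: \\\\192.168.1.9",
    "2010 Mar 04 13:33:32 (SERVER) 192.168.1.101->WinEvtLog WinEvtLog: System: "
    "INFORMATION(9): Print: SYSTEM: NT AUTHORITY: SERVER: Printer HP Color LaserJet 8500 PS "
    "(from WORKSTATION) in session 2 was set.",
]


def logtest_input(archive_line: str) -> str:
    """Everything after the first '->WinEvtLog ': the text to paste into ossec-logtest."""
    _, sep, event = archive_line.partition("->WinEvtLog ")
    if not sep:
        raise ValueError("not a WinEvtLog archive line: %r" % archive_line)
    return event


# Field layout of the Windows event prefix as the 'windows' decoder output in the
# thread shows it: log, STATUS(id), extra_data, dstuser, domain, system_name, message.
_WINEVT = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode_windows(event: str) -> Optional[dict]:
    """Reproduce the fields ossec-logtest printed in Phase 2, or None if not a WinEvtLog event."""
    m = _WINEVT.match(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["decoder"] = "windows"
    fields["full"] = event
    return fields


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None      # parent rule; None = top-level rule
    decoded_as: Optional[str] = None
    status: Optional[str] = None
    match: Optional[str] = None       # plain substring, like a simple <match>

    def test(self, ev: dict) -> bool:
        return (
            (self.decoded_as is None or ev["decoder"] == self.decoded_as)
            and (self.status is None or ev["status"] == self.status)
            and (self.match is None or self.match in ev["full"])
        )


# Reduced stand-in for the stock rules the thread names. 18101's description is the one
# ossec-logtest printed; 18100's description is an assumed placeholder.
BASE_RULES = [
    Rule(18100, 0, "Group of Windows rules (placeholder)", decoded_as="windows"),
    Rule(18101, 0, "Windows informational event.", if_sid=18100, status="INFORMATION"),
]


def printer_rule(parent: int) -> Rule:
    """Doug's local rule 101013 with the given <if_sid>."""
    return Rule(101013, 5, "Printer test", if_sid=parent, match="HP Color LaserJet 8500 PS")


def evaluate(rules: list, ev: dict) -> Optional[Rule]:
    """Assumed rule-tree model: try the children of the last matched rule in file order,
    take the first one that matches, then descend into it; return the deepest match."""
    children: dict = {}
    for r in rules:                   # file order; local_rules.xml entries come last
        children.setdefault(r.if_sid, []).append(r)
    winner, parent = None, None
    while True:
        nxt = next((r for r in children.get(parent, []) if r.test(ev)), None)
        if nxt is None:
            return winner
        winner, parent = nxt, nxt.id


if __name__ == "__main__":
    for line in ARCHIVE_LINES:
        ev = decode_windows(logtest_input(line))
        print("status=%(status)s id=%(id)s extra_data=%(extra_data)s "
              "dstuser=%(dstuser)s system_name=%(system_name)s" % ev)
        for parent in (18100, 18101):
            hit = evaluate(BASE_RULES + [printer_rule(parent)], ev)
            print("  101013 under %d -> rule %d (level %d) '%s'"
                  % (parent, hit.id, hit.level, hit.description))
```

Run as-is it prints, for the printer event, that 101013 placed under 18100 ends at 18101 (level 0, so no alert) while 101013 placed under 18101 ends at 101013 (level 5), and for the audit-failure event that neither placement fires. In this model the rule under 18100 loses because 18101, an earlier sibling under the same parent, already matches the INFORMATION status and the engine descends into it instead of trying the printer rule; that is the same outcome Doug saw on the server, which is why pasting the archives.log event into ossec-logtest and reading the Phase 3 rule id is the reliable way to pick the <if_sid>.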