Thank you Daniel, sure, I've restarted the OSSEC daemon. I've noted that the access time of the file I read is not modified by the daemon but is modified by logtest. This is the evidence that analysisd can't access my text file.
Is there a reason, or could it be a bug?

[r...@nordcom ~]# ls -la --time=atime /var/ossec/adslist
-rwxrwxrwx 1 root root 2916 12 lug 12:13 /var/ossec/adslist

Thanks!

On 12 Jul, 15:44, Daniel Cid <[email protected]> wrote:
> Hi Stefano,
>
> Did you restart OSSEC after making all those changes? The steps you
> took look correct to me, so if it is working inside logtest it should
> work as well inside analysisd.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Jul 6, 2010 at 10:51 AM, Stefano Pedretti<[email protected]> wrote:
> > Dears,
> > I have still not solved my problem.
> >
> > I need to monitor audits of only a set of users. I built a compiled
> > rule to check if the dstuser of
> > These are the facts: I
> >
> > - created a logman.c file (reported at the bottom)
> > - registered the rule with the register_rule.sh script
> > - used the install.sh script to compile and install a new OSSEC
> >   instance.
> > - modified the msauth xml file with <compiled_rule>logman</compiled_rule>
> > - created and 777ed the /var/ossec/adslist file with the usernames I need to
> >   monitor.
> >
> > Testing it with ossec-logtest works like a charm, but the same log
> > (captured from the Windows agent debug log) never matches.
> >
> > What's wrong in my procedure?
> >
> > === log test ===
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti:
> > AOVV: PROTOCOLLO: Successful Logon: User Name: stefano.pedretti
> > Domain: AOVV Logon ID: (0x0,0xBC31F0D) Logon Type: 10
> > Logon Process: User32 Authentication Package: Negotiate
> > Workstation Name: PROTOCOLLO Logon GUID: {0e5df325-5cbf-aa8c-81c3-0e4778ca5241}
> > Caller User Name: PROTOCOLLO$ Caller Domain: AOVV Caller Logon ID: (0x0,0x3E7)
> > Caller Process ID: 3204 Transited Services: - Source Network Address:
> > 11.128.128.1 Source Port: 36567
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon: User Name: stefano.pedretti Domain: AOVV Logon ID: (0x0,0xBC31F0D) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: PROTOCOLLO Logon GUID: {0e4df325-5cbf-aa8c-81c3-0e4778ca5241} Caller User Name: PROTOCOLLO$ Caller Domain: AOVV Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3204 Transited Services: - Source Network Address: 10.128.128.1 Source Port: 36567 '
> >        hostname: 'nordcom'
> >        program_name: '(null)'
> >        log: 'WinEvtLog: Security: AUDIT_SUCCESS(528): Security: stefano.pedretti: AOVV: PROTOCOLLO: Successful Logon: User Name: stefano.pedretti Domain: AOVV Logon ID: (0x0,0xBC31F0D) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: PROTOCOLLO Logon GUID: {0e4df325-5cbf-aa8c-81c3-0e4778ca5241} Caller User Name: PROTOCOLLO$ Caller Domain: AOVV Caller Logon ID: (0x0,0x3E7) Caller Process ID: 3204 Transited Services: - Source Network Address: 10.128.128.1 Source Port: 36567 '
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows'
> >        status: 'AUDIT_SUCCESS'
> >        id: '528'
> >        extra_data: 'Security'
> >        dstuser: 'stefano.pedretti'
> >        system_name: 'PROTOCOLLO'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '18107'
> >        Level: '3'
> >        Description: 'Windows Logon Success.'
> > **Alert to be generated.
> >
> > === logman.c ===
> >
> > /*
> >  * This program is free software; you can redistribute it
> >  * and/or modify it under the terms of the GNU General Public
> >  * License (version 2) as published by the FSF - Free Software
> >  * Foundation.
> >
> >  Stefano Pedretti - NordCom S.p.A Italy
> >  Compiled rule logman for userlist matching.
> >  Put the user list, in lower case, in an OSSEC-readable
> >  file /var/ossec/adslist.
> >
> >  Changelog
> >  rev 1.2 Comments
> >  rev 1.1 Review and simplification
> >  rev 1.0 Initial code implementation
> >
> >  <compiled_rule>logman</compiled_rule>
> >
> >  */
> >
> > #include "shared.h"
> > #include "eventinfo.h"
> > #include "config.h"
> > #include <stdio.h>
> > #include <string.h>
> > #include <ctype.h>
> >
> > void *logman(Eventinfo *lf)
> > {
> >     static const char filename[] = "/var/ossec/adslist";
> >     char *user = NULL;
> >     char line[256];
> >     size_t i = 0;
> >     size_t len = 0;
> >
> >     //printf("Start of custom rule logman.\n");
> >
> >     if(!lf->dstuser)
> >     {
> >         // What to do when the decoder does not provide the dstuser field?
> >         //printf("dstuser field is null.\n");
> >
> >         //Accept
> >         // return(lf);
> >
> >         //Reject
> >         return(NULL);
> >     }
> >
> >     user = lf->dstuser;
> >
> >     //printf("User: %s\n",user);
> >
> >     Eventinfo *lfr = NULL;
> >
> >     if(strlen(user) > 0){
> >         FILE *file = fopen ( filename, "r" );
> >
> >         if ( file != NULL ){
> >
> >             while (fgets(line, 256, file) != NULL){
> >
> >                 // Strip the trailing newline (and the CR of a CRLF file)
> >                 // without chopping the last character of a final line
> >                 // that has no newline.
> >                 len = strlen(line);
> >                 while (len > 0 && (line[len-1] == '\n' || line[len-1] == '\r'))
> >                     line[--len] = 0;
> >
> >                 // printf("-%s-,-%s-\n",lf->dstuser,line);
> >                 // printf("-%d-,-%d-\n",strlen(lf->dstuser), strlen(line));
> >
> >                 if (strlen(user) == len){
> >
> >                     for (i=0; i < len ; i++)
> >                         line[i] = tolower((unsigned char)line[i]);
> >                     if (strcmp(user,line) == 0){
> >                         lfr=lf;
> >                         break;
> >                     }
> >                 }
> >             }
> >             fclose ( file );
> >         }
> >         else
> >         {
> >             perror ( filename );
> >         }
> >     }
> >     return(lfr);
> > }
> >
> > =====EOF=================
> >
> > Thank you!
> >
> > On 25 Jun, 15:10, Stefano Pedretti <[email protected]> wrote:
> >> Thank you for your reply,
> >
> >> On 15 Jun, 14:31, Daniel Cid <[email protected]> wrote:
> >> --- cut --
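Added example (not Stefano's logman.c and not OSSEC code): the same user-list lookup written stand-alone, handling the edge cases a hand-edited list brings (CRLF endings, blank lines, mixed case, a last line without a newline) and returning a distinct code with errno on the log when the file cannot be opened. It goes beyond the posted rule by lower-casing both sides of the comparison; the names user_in_list and write_sample_list and the list contents are constructed for this example. Since ossec-analysisd runs chrooted into the OSSEC directory and as an unprivileged user, the path it opens is resolved inside that root and with that user's permissions, which is the first thing to verify when a rule works in logtest but not in the daemon.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Result codes so the caller can tell "not listed" from "could not read". */
enum { LIST_MISS = 0, LIST_HIT = 1, LIST_UNREADABLE = -1 };

/* Strip trailing CR/LF and lower-case the string in place; returns new length. */
static size_t normalize(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r'))
        s[--n] = '\0';
    for (size_t i = 0; i < n; i++)
        s[i] = (char)tolower((unsigned char)s[i]);
    return n;
}

/* Case-insensitive whole-line match of user against the list file at path. */
int user_in_list(const char *user, const char *path)
{
    char want[256], line[256];
    int rc = LIST_MISS;
    if (!user || !*user || strlen(user) >= sizeof want)
        return LIST_MISS;
    strcpy(want, user);
    normalize(want);
    FILE *f = fopen(path, "r");
    if (!f) {
        /* errno distinguishes a missing path (e.g. wrong root) from EACCES. */
        fprintf(stderr, "logman: cannot open %s: %s\n", path, strerror(errno));
        return LIST_UNREADABLE;
    }
    while (fgets(line, sizeof line, f)) {
        if (normalize(line) == 0)
            continue;                       /* skip blank lines */
        if (strcmp(want, line) == 0) { rc = LIST_HIT; break; }
    }
    fclose(f);
    return rc;
}
/* Constructed sample list: CRLF endings, mixed case, blank line, no final LF. */
int write_sample_list(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("Stefano.Pedretti\r\n\r\nadmin\r\nbackup", f);
    return fclose(f);
}
```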
