Thanks for your troubleshooting.

I found the mistake ... I must *CHECK* the "Enable SYSLOG Header?" option ... this is not the default value after Setup.

Kind regards
Js

On Dec 24, 8:54 pm, "dan (ddp)" <[email protected]> wrote:
> On Fri, Dec 24, 2010 at 6:55 AM, Js Opdebeeck <[email protected]> wrote:
> > Hello
> >
> > Thanks for your reply.
> >
> > The events are coming from Active Directory running SNARE, which then
> > forwards the events to Syslog-NG.
> > Ossec tails the syslog-ng dedicated log.
> >
> > Does it help?
> >
> > Kind regards
>
> Ok, the format is funky, and the decoder isn't recognizing it.
> Part of the issue may be that the IP address and hostname(?) are both
> showing up in the header:
> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
>
> This could throw it all off. That may be something you can "fix" with
> syslog-ng, but I don't know enough about syslog-ng to offer any real
> solutions. I think, if it can be done, this is the best place to
> start.
>
> You could also (and I don't think this is the best solution) adjust
> the "windows-snare" decoder to deal with this situation. Removing the
> "^" in the <prematch> may be all it takes.
>
> You could also (still not the best option, but possibly better than
> the one just above) add the following to local_decoder.xml:
> <decoder name="windows-snare2">
>   <type>windows</type>
>   <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
>   <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
>   <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
>   <order>id, extra_data, user, status, system_name</order>
>   <fts>name, id, location, user, system_name</fts>
> </decoder>
>
> You might have to put it in decoder.xml above the "windows-snare"
> decoder, I'm not sure. A quick test with ossec-logtest (pasting
> everything from "Dec 23 09:08:13" to the end) would verify whether
> this is working.
>
> > On Dec 23, 5:18 pm, "dan (ddp)" <[email protected]> wrote:
> >> These event messages seem odd. Running the first one through logtest
> >> gives me the following:
> >>
> >> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
> >> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
> >> ossec-testrule: Type one log per line.
> >>
> >> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
> >>
> >> **Phase 1: Completed pre-decoding.
> >> full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
> >> hostname: '1.1.1.1'
> >> program_name: '(null)'
> >> log: 'DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
> >>
> >> **Phase 2: Completed decoding.
> >> No decoder matched.
> >>
> >> **Phase 3: Completed filtering (rules).
> >> Rule id: '1002'
> >> Level: '2'
> >> Description: 'Unknown problem somewhere in the system.'
> >> **Alert to be generated.
> >>
> >> How are these messages being passed to OSSEC?
> >>
> >> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <[email protected]> wrote:
> >> > Hello
> >> >
> >> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
> >> > the Alerts and
> >> >
> >> > Here are 2 kinds of alert that should be passed to 0 or at least
> >> > correctly classified.
> >> > Those are 'Failures' and 'Errors' but I thought it would be handled
> >> > by 'msauth_rules.xml'.
> >> >
> >> > Did someone already RE-classify this kind of rule? If not, I'll
> >> > probably have to (mute them at least).
> >> >
> >> > ** Alert 1293091695.18221016: - syslog,errors,
> >> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> >> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> >> > Src IP: (none)
> >> > User: (none)
> >> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
> >> >
> >> > ** Alert 1293091695.18219733: - syslog,errors,
> >> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> >> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> >> > Src IP: (none)
> >> > User: (none)
> >> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699449 Thu: Dec 23 09:08:14 2010 673 Security SYSTEM User Success Audit DOMAINCONTROLERNAME Account Logon Service Ticket Request: User Name: [email protected] User Domain: PETERCAM.CORP Service Name: krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502} Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client Address: 10.10.10.1 Failure Code: - Logon GUID: {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: - 19695678
> >> >
> >> > Kind regards
> >> >
> >> > Js Op de Beeck
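Added example, not part of the thread and not OSSEC's own code: a small Python model of the decoding failure dan describes. It imitates OSSEC's phase 1 pre-decoding (strip the syslog timestamp, take the next token as hostname, pass the rest to the decoders as the log field) and then shows why a prematch anchored with "^" misses the record when both the relay IP and the Snare hostname sit in the header, while the same prematch without the anchor fires. It also pulls out the fields the thread's local_decoder.xml lists in <order>. The sample records are constructed from the event quoted above, with Snare's tab separators restored; the two prematch regexes and the field positions are my reading of the quoted decoder, not the real decoder XML.

```python
import re

# Constructed sample records, modelled on the event quoted in the thread.
# Snare separates its fields with tabs; they were flattened to spaces when the
# thread was archived, so the tabs are written out explicitly here.
SNARE_RECORD = "\t".join([
    "MSWinEventLog", "1", "Security", "19699453", "Thu Dec 23 09:08:15 2010",
    "680", "Security", "USERXXX", "User", "Success Audit", "DOMAINCONTROLERNAME",
    "Account Logon",
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0",
    "19695682",
])

# The problem line from the thread: relay IP *and* Snare hostname in the header.
DOUBLE_HEADER = "Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME\t" + SNARE_RECORD
# The shape a stock decoder expects: one hostname, then the record (constructed).
SINGLE_HEADER = "Dec 23 09:08:13 DOMAINCONTROLERNAME " + SNARE_RECORD

# BSD syslog header: "Mmm dd hh:mm:ss hostname <rest>"
SYSLOG_HEADER = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")

# Stand-ins for the prematch of the stock windows-snare decoder (anchored) and
# for dan's suggestion of dropping the "^" (unanchored). Hypothetical; the real
# decoder XML is in the thread above.
ANCHORED_PREMATCH = re.compile(r"^MSWinEventLog\t")
RELAXED_PREMATCH = re.compile(r"MSWinEventLog\t")


def predecode(line):
    """Rough model of OSSEC phase 1 (pre-decoding): peel off the syslog
    timestamp, take the next whitespace-delimited token as the hostname and
    hand everything after it to the decoders as the 'log' field."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group(1), m.group(2)


def prematch_hits(log, prematch):
    """True if the decoder's prematch would fire on this log field."""
    return prematch.search(log) is not None


def decode_snare(log):
    """Pull out the fields the thread's local_decoder.xml lists in <order>:
    id, extra_data, user, status, system_name. Positions follow the Snare
    record layout visible in the quoted events; returns None if the record
    is not a Snare event or is truncated."""
    start = log.find("MSWinEventLog\t")
    if start < 0:
        return None
    fields = log[start:].split("\t")
    if len(fields) < 11:
        return None
    return {
        "id": fields[5],            # Windows event ID (680 in the sample)
        "extra_data": fields[6],    # event source ("Security")
        "user": fields[7],          # account the event concerns
        "status": fields[9],        # "Success Audit" / "Failure Audit"
        "system_name": fields[10],  # computer that logged the event
    }


def triage(line):
    """Run one syslog line through the model and report why a decoder does or
    does not match, the way you would read ossec-logtest output."""
    hostname, log = predecode(line)
    return {
        "hostname": hostname,
        "log_starts_with": log.split("\t", 1)[0],
        "anchored_matches": prematch_hits(log, ANCHORED_PREMATCH),
        "relaxed_matches": prematch_hits(log, RELAXED_PREMATCH),
        "fields": decode_snare(log),
    }


if __name__ == "__main__":
    for name, line in (("double header", DOUBLE_HEADER), ("single header", SINGLE_HEADER)):
        print(name, triage(line))
```

With the double header the model reports hostname '1.1.1.1' and a log field that begins with the domain controller's name rather than 'MSWinEventLog', which is exactly what the logtest output above shows and why the anchored prematch never fires; with a single hostname in the header the anchored prematch matches and the event IDs, user and status come out as the decoder's <order> expects.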
