Crap ... Now the dual (hostname / IP) is solved - see previous post.
But the rules are not matching, and it is just classified as 1002.
Any idea? For me this should not be classified as 1002; those messages
are success info.
SAMPLE 1
-------
r...@syslog:/var/ossec/bin# ./ossec-logtest
2010/12/28 11:37:18 ossec-testrule: INFO: Reading local decoder file.
2010/12/28 11:37:18 ossec-testrule: INFO: Started (pid: 6925).
ossec-testrule: Type one log per line.
Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28
06:54:34 2010;680;Security;DOMAINUSER;User;Success
Audit;ADSERVER;Account Logon;;Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER
Source Workstation: DOMAINSTATION Error Code: 0x0 ;
23866818
**Phase 1: Completed pre-decoding.
full event: 'Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;
23875316;Tue: Dec 28 06:54:34
2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account
Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: DOMAINUSER Source Workstation: DOMAINSTATION
Error Code: 0x0 ;23866818'
hostname: '1.1.1.1'
program_name: '(null)'
log: 'MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34
2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account
Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: DOMAINUSER Source Workstation: DOMAINSTATION
Error Code: 0x0 ;23866818'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
-------
SAMPLE 2
r...@syslog:/var/ossec/bin# ./ossec-logtest
2010/12/28 11:49:24 ossec-testrule: INFO: Reading local decoder file.
2010/12/28 11:49:24 ossec-testrule: INFO: Started (pid: 10082).
ossec-testrule: Type one log per line.
Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;23986439;Tue: Dec 28
11:30:09 2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account
Logon;;Service Ticket Request: User Name:
[email protected] User Domain:
PETERCAM.CORP Service Name: ADSERVER$
Service ID: %
{S-1-5-21-1424381949-1679034567-623647354-10835} Ticket
Options: 0x40800000 Ticket Encryption Type:
0x17 Client Address: 10.10.2.3 Failure
Code: - Logon GUID:
{f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services:
- ;23977936
**Phase 1: Completed pre-decoding.
full event: 'Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;
23986439;Tue: Dec 28 11:30:09 2010;673;Security;SYSTEM;User;Success
Audit;ADSERVER;Account Logon;;Service Ticket Request: User
Name: [email protected] User Domain:
PETERCAM.CORP Service Name: ADSERVER$
Service ID: %
{S-1-5-21-1424381949-1679034567-623647354-10835} Ticket
Options: 0x40800000 Ticket Encryption Type:
0x17 Client Address: 10.10.2.3 Failure
Code: - Logon GUID:
{f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services:
- ;23977936'
hostname: '1.1.1.2'
program_name: '(null)'
log: 'MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09
2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account
Logon;;Service Ticket Request: User Name:
[email protected] User Domain:
PETERCAM.CORP Service Name: ADSERVER$
Service ID: %
{S-1-5-21-1424381949-1679034567-623647354-10835} Ticket
Options: 0x40800000 Ticket Encryption Type:
0x17 Client Address: 10.10.2.3 Failure
Code: - Logon GUID:
{f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services:
- ;23977936'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
----
Any idea?
On Dec 27, 10:56 am, Js Opdebeeck <[email protected]> wrote:
> Thanks for your troubleshooting
>
> I found the mistake ...
> Must *CHECK* the "Enable SYSLOG Header?" option ... this is not the
> default value after Setup.
>
> Kind regards
>
> Js
>
> On Dec 24, 8:54 pm, "dan (ddp)" <[email protected]> wrote:
>
> > On Fri, Dec 24, 2010 at 6:55 AM, Js Opdebeeck <[email protected]>
> > wrote:
> > > Hello
>
> > > Thanks for your reply.
>
> > > The events are coming from Active Directory running SNARE, then
> > > forward the events to Syslog-NG
> > > Ossec tails the syslog-ng dedicated log.
>
> > > Does it help ?
>
> > > Kind regards
>
> > Ok, the format is funky, and the decoder isn't recognizing it.
> > Part of the issue may be that the IP address and hostname(?) are both
> > showing up in the header:
> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
>
> > This could throw it all off. That may be something you can "fix" with
> > syslog-ng, but I don't know enough about syslog-ng to offer any real
> > solutions. I think, if it can be done, this is the best place to
> > start.
>
> > You could also (and I don't think this is the best solution), adjust
> > the "windows-snare" decoder to deal with this situation. Removing the
> > "^" in the <prematch> may be all it takes.
>
> > You could also (still not the best option, but possibly better than
> > the one just above) add the following to local_decoder.xml:
> > <decoder name="windows-snare2">
> > <type>windows</type>
> > <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
> > <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
> > <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
> > <order>id, extra_data, user, status, system_name</order>
> > <fts>name, id, location, user, system_name</fts>
> > </decoder>
>
> > You might have to put it in decoder.xml above the "windows-snare"
> > decoder, I'm not sure. A quick test with ossec-logtest (pasting
> > everything from "Dec 23 09:08:13" to the end) would verify whether
> > this is working.
>
> > > On Dec 23, 5:18 pm, "dan (ddp)" <[email protected]> wrote:
> > >> These event messages seem odd. Running the first one through logtest
> > >> gives me the following:
> > >> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
> > >> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
> > >> ossec-testrule: Type one log per line.
>
> > >> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
> > >> Security 19699453 Thu: Dec 23 09:08:15 2010 680
> > >> Security USERXXX User Success Audit DOMAINCONTROLERNAME
> > >> Account Logon Logon attempt by:
> > >> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
> > >> Source Workstation: STATIONNAMEXXX Error Code: 0x0
> > >> 19695682
>
> > >> **Phase 1: Completed pre-decoding.
> > >> full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
> > >> MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15
> > >> 2010 680 Security USERXXX User Success Audit
> > >> DOMAINCONTROLERNAME Account Logon Logon attempt by:
> > >> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
> > >> Source Workstation: STATIONNAMEXXX Error Code: 0x0
> > >> 19695682 '
> > >> hostname: '1.1.1.1'
> > >> program_name: '(null)'
> > >> log: 'DOMAINCONTROLERNAME MSWinEventLog 1 Security
> > >> 19699453 Thu: Dec 23 09:08:15 2010 680 Security
> > >> USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon
> > >> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
> > >> account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code:
> > >> 0x0 19695682 '
>
> > >> **Phase 2: Completed decoding.
> > >> No decoder matched.
>
> > >> **Phase 3: Completed filtering (rules).
> > >> Rule id: '1002'
> > >> Level: '2'
> > >> Description: 'Unknown problem somewhere in the system.'
> > >> **Alert to be generated.
>
> > >> How are these messages being passed to OSSEC?
>
> > >> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <[email protected]>
> > >> wrote:
> > >> > Hello
>
> > >> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
> > >> > the Alerts, and
>
> > >> > Here are 2 kinds of alert that should be passed to 0 or at least
> > >> > correctly classified.
> > >> > Those are 'Failures' and 'Errors', but I thought they would be handled
> > >> > by 'msauth_rules.xml'.
>
> > >> > Did someone already re-classify this kind of rule? If not, I'll
> > >> > probably have to (mute them at least).
>
> > >> > ** Alert 1293091695.18221016: - syslog,errors,
> > >> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > >> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > >> > Src IP: (none)
> > >> > User: (none)
> > >> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
> > >> > Security 19699453 Thu: Dec 23 09:08:15 2010 680
> > >> > Security USERXXX User Success Audit DOMAINCONTROLERNAME
> > >> > Account Logon Logon attempt by:
> > >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
> > >> > Source
> > >> > Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
>
> > >> > ** Alert 1293091695.18219733: - syslog,errors,
> > >> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > >> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > >> > Src IP: (none)
> > >> > User: (none)
> > >> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
> > >> > Security 19699449 Thu: Dec 23 09:08:14 2010 673
> > >> > Security SYSTEM User Success Audit DOMAINCONTROLERNAME
> > >> > Account Logon Service Ticket Request: User Name:
> > >> > [email protected] User Domain: PETERCAM.CORP Service
> > >> > Name:
> > >> > krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502}
> > >> > Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client
> > >> > Address: 10.10.10.1 Failure Code: - Logon GUID:
> > >> > {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: -
> > >> > 19695678
>
> > >> > Kind regards
>
> > >> > Js Op de Beeck
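Editor's worked example, added here; it is not code from the thread, from Snare or from OSSEC. It re-implements in Python what the stock "windows-snare" decoder extracts (id, extra_data, user, status, system_name) and walks the thread's own lines through the three logtest phases, so you can see both reasons they miss: the stock prematch is anchored on "^MSWinEventLog" and needs TAB-separated fields, while these lines arrive with ';' separators (and, in the first post, an extra hostname token in front). Rule 1002 is the generic $BAD_WORDS catch-all in syslog_rules.xml, and both samples contain "Error Code" / "Failure Code", which is why an undecoded AD success logon comes out as 'Unknown problem somewhere in the system'. Assumptions, labelled in the code: the sample lines are the thread's lines re-joined onto one line each (the TAB variants are modelled, with real tabs); STOCK_PREMATCH and BAD_WORDS are Python translations of the OSSEC 2.x decoder.xml and rules_config.xml patterns as I recall them, so check them against your own copy; the policy in classify() is illustrative, not an OSSEC rule.

```python
import re

# OSSEC's stock windows-snare <prematch>, as a Python regex (from decoder.xml as
# I recall it). Anchored on "^MSWinEventLog" and TAB-separated: the lines in
# this thread have a stray hostname token in front, or ';' separators, so it misses.
STOCK_PREMATCH = re.compile(r"^MSWinEventLog\t\d\t.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d")

# $BAD_WORDS from rules_config.xml (as I recall it; check your copy). Rule 1002 is
# <match>$BAD_WORDS</match>, so an undecoded line saying "Error Code: 0x0" or
# "Failure Code: -" lands there even though the event is a success audit.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused|"
    r"unauthorized|fatal|failed|Segmentation Fault|Corrupted", re.I)

# Phase 1 (pre-decoding): peel off "Mon DD HH:MM:SS host " like ossec-logtest does.
SYSLOG_HDR = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<log>.*)$", re.DOTALL)

# Generalised Snare matcher: one optional stray token before MSWinEventLog, and
# whichever of TAB or ';' follows "MSWinEventLog" is taken as the field separator.
SNARE_RE = re.compile(
    r"^(?:\S+\s+)?MSWinEventLog(?P<d>[\t;])"
    r"\d(?P=d)"                        # criticality
    r"[^\t;]+(?P=d)"                   # log name (Security)
    r"\d+(?P=d)"                       # Snare event counter
    r"[^\t;]+(?P=d)"                   # "Tue: Dec 28 06:54:34 2010"
    r"(?P<id>\d+)(?P=d)"               # Windows event id (680, 673, ...)
    r"(?P<extra_data>[^\t;]+)(?P=d)"   # source name; OSSEC keeps it as extra_data
    r"(?P<user>[^\t;]+)(?P=d)"         # account
    r"[^\t;]+(?P=d)"                   # SID type (User)
    r"(?P<status>[^\t;]+)(?P=d)"       # Success Audit / Failure Audit
    r"(?P<system_name>[^\t;]+)(?P=d)"  # computer that logged the event
    r"(?P<category>[^\t;]*)(?P=d)"     # Account Logon
    r"(?P<rest>.*)$", re.DOTALL)       # data string, expanded string, trailer


def decode_snare(log):
    """Return the fields the windows-snare decoder would set, or None."""
    m = SNARE_RE.match(log)
    if not m:
        return None
    d = m.group("d")
    # rest = "<data string><d><expanded string><d><trailer>": the first
    # non-empty part is the human-readable message.
    tail = [p for p in m.group("rest").split(d) if p.strip()]
    return {"delimiter": d, "id": m.group("id"), "extra_data": m.group("extra_data"),
            "user": m.group("user"), "status": m.group("status"),
            "system_name": m.group("system_name"), "category": m.group("category"),
            "message": tail[0].strip() if tail else ""}


def stock_outcome(log):
    """Where a stock OSSEC sends the pre-decoded text (prematch check only)."""
    if STOCK_PREMATCH.match(log):
        return "windows-snare prematch hit"
    if BAD_WORDS.search(log):
        return "rule 1002"
    return "other generic rules"


def classify(fields):
    """Illustrative policy (an assumption, not an OSSEC rule): a decoded
    Success Audit is informational, a Failure Audit is worth a look."""
    if fields is None:
        return "undecoded"
    if fields["status"] == "Success Audit":
        return "informational"
    if fields["status"] == "Failure Audit":
        return "review"
    return "other"


def triage(line):
    """Run one raw syslog line through the three phases and report."""
    hdr = SYSLOG_HDR.match(line)
    host, log = (hdr.group("host"), hdr.group("log")) if hdr else (None, line)
    fields = decode_snare(log)
    return {"host": host, "stock": stock_outcome(log), "fields": fields,
            "verdict": classify(fields)}


# Constructed samples: the thread's lines re-joined onto one line each. The TAB
# ones are modelled on the first post (real tabs, hostname before MSWinEventLog)
# and on the same event once the forwarder stops adding that token.
SAMPLE_SEMI_680 = (
    "Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34 "
    "2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account Logon;;Logon "
    "attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER "
    "Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818")
SAMPLE_SEMI_673 = (
    "Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09 "
    "2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account Logon;;Service "
    "Ticket Request: User Name: [email protected] User Domain: PETERCAM.CORP "
    "Service Name: ADSERVER$ Service ID: %{S-1-5-21-1424381949-1679034567-623647354-10835} "
    "Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Client Address: 10.10.2.3 "
    "Failure Code: - Logon GUID: {f471326b-4fb3-0f68-7bd8-974d71ba493f} "
    "Transited Services: - ;23977936")
SAMPLE_TAB_PREFIXED = (
    "Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME\tMSWinEventLog\t1\tSecurity\t19699453\t"
    "Thu: Dec 23 09:08:15 2010\t680\tSecurity\tUSERXXX\tUser\tSuccess Audit\t"
    "DOMAINCONTROLERNAME\tAccount Logon\t\tLogon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
    "Source Workstation: STATIONNAMEXXX Error Code: 0x0\t19695682")
SAMPLE_TAB_CLEAN = SAMPLE_TAB_PREFIXED.replace("1.1.1.1 DOMAINCONTROLERNAME\t", "1.1.1.1 ", 1)

if __name__ == "__main__":
    for s in (SAMPLE_SEMI_680, SAMPLE_SEMI_673, SAMPLE_TAB_PREFIXED, SAMPLE_TAB_CLEAN):
        print(triage(s))
```

Running it shows the three samples from the thread all come out as "rule 1002" under the stock prematch while decoding cleanly as Success Audit 680/673 with the relaxed matcher, and only the clean TAB line satisfies the stock prematch. Those are the same two relaxations a local_decoder.xml entry for this feed needs: drop the "^" anchor (dan's suggestion above) and accept ';' where the stock decoder expects "\t". Whether you then route 680/673 Success Audit to level 0 or keep them as informational is a rules decision, not a decoder one; until a decoder claims the line, the generic bad-words rule will keep firing on "Error Code" and "Failure Code".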