On Tue, Dec 28, 2010 at 5:53 AM, Js Opdebeeck <[email protected]> wrote:
> Crap ... Now the dual (hostname / IP) is solved - see previous post.
> But the rules are not matching, and just classified as 1002.
>
> Any idea? For me this should not be classified as 1002, those messages
> are success info.
>
> SAMPLE 1
>
> -------
> r...@syslog:/var/ossec/bin# ./ossec-logtest
> 2010/12/28 11:37:18 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/28 11:37:18 ossec-testrule: INFO: Started (pid: 6925).
> ossec-testrule: Type one log per line.
>
> Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28
> 06:54:34 2010;680;Security;DOMAINUSER;User;Success
> Audit;ADSERVER;Account Logon;;Logon attempt by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER
> Source Workstation: DOMAINSTATION Error Code: 0x0 ;
> 23866818
>
The decoder is expecting tabs between the various elements in the log message, but your message is using ";".
Changing the \t's to ;'s seems to make it work for me (adding this to local_decoder.xml):

<decoder name="windows-snare2">
  <type>windows</type>
  <prematch>MSWinEventLog;\d;\.+;\d+;\w\w\S+ \w\w\w \d\d \d\d</prematch>
  <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d;(\d+);(\.+)</regex>
  <regex>;(\.+);\.+;(\.+);(\.+);</regex>
  <order>id, extra_data, user, status, system_name</order>
  <fts>name, id, location, user, system_name</fts>
</decoder>

I'm not really familiar with snare or syslog-ng, so I'm wondering if that's configurable.

>
> **Phase 1: Completed pre-decoding.
> full event: 'Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;
> 23875316;Tue: Dec 28 06:54:34
> 2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account
> Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: DOMAINUSER Source Workstation: DOMAINSTATION
> Error Code: 0x0 ;23866818'
> hostname: '1.1.1.1'
> program_name: '(null)'
> log: 'MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34
> 2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account
> Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: DOMAINUSER Source Workstation: DOMAINSTATION
> Error Code: 0x0 ;23866818'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
> -------
>
> SAMPLE 2
>
>
> r...@syslog:/var/ossec/bin# ./ossec-logtest
> 2010/12/28 11:49:24 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/28 11:49:24 ossec-testrule: INFO: Started (pid: 10082).
> ossec-testrule: Type one log per line.
>
> Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;23986439;Tue: Dec 28
> 11:30:09 2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account
> Logon;;Service Ticket Request: User Name:
> [email protected] User Domain:
> PETERCAM.CORP Service Name: ADSERVER$
> Service ID: %
> {S-1-5-21-1424381949-1679034567-623647354-10835} Ticket
> Options: 0x40800000 Ticket Encryption Type:
> 0x17 Client Address: 10.10.2.3 Failure
> Code: - Logon GUID:
> {f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services:
> - ;23977936
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;
> 23986439;Tue: Dec 28 11:30:09 2010;673;Security;SYSTEM;User;Success
> Audit;ADSERVER;Account Logon;;Service Ticket Request: User
> Name: [email protected] User Domain:
> PETERCAM.CORP Service Name: ADSERVER$
> Service ID: %
> {S-1-5-21-1424381949-1679034567-623647354-10835} Ticket
> Options: 0x40800000 Ticket Encryption Type:
> 0x17 Client Address: 10.10.2.3 Failure
> Code: - Logon GUID:
> {f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services:
> - ;23977936'
> hostname: '1.1.1.2'
> program_name: '(null)'
> log: 'MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09
> 2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account
> Logon;;Service Ticket Request: User Name:
> [email protected] User Domain:
> PETERCAM.CORP Service Name: ADSERVER$
> Service ID: %
> {S-1-5-21-1424381949-1679034567-623647354-10835} Ticket
> Options: 0x40800000 Ticket Encryption Type:
> 0x17 Client Address: 10.10.2.3 Failure
> Code: - Logon GUID:
> {f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services:
> - ;23977936'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> ----
>
>
> Any idea?
>
> On Dec 27, 10:56 am, Js Opdebeeck <[email protected]> wrote:
>> Thanks for your troubleshooting
>>
>> I found the mistake ...
>> Must *CHECK* "Enable SYSLOG Header?" option ... this is not the
>> default value after Setup.
>>
>> Kind regards
>>
>> Js
>>
>> On Dec 24, 8:54 pm, "dan (ddp)" <[email protected]> wrote:
>>
>> > On Fri, Dec 24, 2010 at 6:55 AM, Js Opdebeeck <[email protected]>
>> > wrote:
>> > > Hello
>>
>> > > Thanks for your reply.
>>
>> > > The events are coming from Active Directory running SNARE, then
>> > > forward the events to Syslog-NG
>> > > Ossec tails the syslog-ng dedicated log.
>>
>> > > Does it help?
>>
>> > > Kind regards
>>
>> > Ok, the format is funky, and the decoder isn't recognizing it.
>> > Part of the issue may be that the IP address and hostname(?) are both
>> > showing up in the header:
>> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
>>
>> > This could throw it all off. That may be something you can "fix" with
>> > syslog-ng, but I don't know enough about syslog-ng to offer any real
>> > solutions. I think, if it can be done, this is the best place to
>> > start.
>>
>> > You could also (and I don't think this is the best solution), adjust
>> > the "windows-snare" decoder to deal with this situation. Removing the
>> > "^" in the <prematch> may be all it takes.
>>
>> > You could also (still not the best option, but possibly better than
>> > the one just above) add the following to local_decoder.xml:
>> > <decoder name="windows-snare2">
>> >   <type>windows</type>
>> >   <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
>> >   <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
>> >   <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
>> >   <order>id, extra_data, user, status, system_name</order>
>> >   <fts>name, id, location, user, system_name</fts>
>> > </decoder>
>>
>> > You might have to put it in decoder.xml above the "windows-snare"
>> > decoder, I'm not sure.
>> > A quick test with ossec-logtest (pasting
>> > everything from "Dec 23 09:08:13" to the end) would verify whether
>> > this is working.
>>
>> > > On Dec 23, 5:18 pm, "dan (ddp)" <[email protected]> wrote:
>> > >> These event messages seem odd. Running the first one through logtest
>> > >> gives me the following:
>> > >> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
>> > >> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
>> > >> ossec-testrule: Type one log per line.
>>
>> > >> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
>> > >> Security 19699453 Thu: Dec 23 09:08:15 2010 680
>> > >> Security USERXXX User Success Audit DOMAINCONTROLERNAME
>> > >> Account Logon Logon attempt by:
>> > >> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
>> > >> Source Workstation: STATIONNAMEXXX Error Code: 0x0
>> > >> 19695682
>>
>> > >> **Phase 1: Completed pre-decoding.
>> > >> full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
>> > >> MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15
>> > >> 2010 680 Security USERXXX User Success Audit
>> > >> DOMAINCONTROLERNAME Account Logon Logon attempt by:
>> > >> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
>> > >> Source Workstation: STATIONNAMEXXX Error Code: 0x0
>> > >> 19695682 '
>> > >> hostname: '1.1.1.1'
>> > >> program_name: '(null)'
>> > >> log: 'DOMAINCONTROLERNAME MSWinEventLog 1 Security
>> > >> 19699453 Thu: Dec 23 09:08:15 2010 680 Security
>> > >> USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon
>> > >> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
>> > >> account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code:
>> > >> 0x0 19695682 '
>>
>> > >> **Phase 2: Completed decoding.
>> > >> No decoder matched.
>>
>> > >> **Phase 3: Completed filtering (rules).
>> > >> Rule id: '1002'
>> > >> Level: '2'
>> > >> Description: 'Unknown problem somewhere in the system.'
>> > >> **Alert to be generated.
>>
>> > >> How are these messages being passed to OSSEC?
>>
>> > >> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <[email protected]>
>> > >> wrote:
>> > >> > Hello
>>
>> > >> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
>> > >> > the Alerts and
>>
>> > >> > Here are 2 kinds of alert that should be passed to 0 or at least
>> > >> > correctly classified.
>> > >> > Those are 'Failures' and 'Errors' but I thought it would be handled
>> > >> > by 'msauth_rules.xml'
>>
>> > >> > Did someone already RE-classify this kind of rules? If not, I'll
>> > >> > probably have to (mute them at least)
>>
>> > >> > ** Alert 1293091695.18221016: - syslog,errors,
>> > >> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
>> > >> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > >> > Src IP: (none)
>> > >> > User: (none)
>> > >> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
>> > >> > Security 19699453 Thu: Dec 23 09:08:15 2010 680
>> > >> > Security USERXXX User Success Audit DOMAINCONTROLERNAME
>> > >> > Account Logon Logon attempt by:
>> > >> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
>> > >> > Source
>> > >> > Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
>>
>> > >> > ** Alert 1293091695.18219733: - syslog,errors,
>> > >> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
>> > >> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > >> > Src IP: (none)
>> > >> > User: (none)
>> > >> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
>> > >> > Security 19699449 Thu: Dec 23 09:08:14 2010 673
>> > >> > Security SYSTEM User Success Audit DOMAINCONTROLERNAME
>> > >> > Account Logon Service Ticket Request: User Name:
>> > >> > [email protected] User Domain: PETERCAM.CORP Service
>> > >> > Name:
>> > >> > krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502}
>> > >> > Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client
>> > >> > Address: 10.10.10.1 Failure Code: - Logon GUID:
>> > >> > {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: -
>> > >> > 19695678
>>
>> > >> > Kind regards
>>
>> > >> > Js Op de Beeck
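The two decoder problems discussed in this thread (the stock windows-snare decoder expecting tabs while the Dec 28 messages use ";", and the Dec 23 messages carrying a hostname before "MSWinEventLog" so the "^" in the prematch never matches) can be reproduced without an OSSEC install. The script below is an added example, not part of this thread and not OSSEC code: it approximates the windows-snare decoder's prematch and regex elements as one Python regular expression, parameterised by delimiter and by whether the "^" anchor is kept, and runs it over the log bodies quoted above. Assumptions: OSSEC's "\.+" between delimiters is modelled as "[^delim]+" and matching is done by Python's re module rather than OSSEC's own engine; the Dec 23 line is reconstructed with tabs (the mail collapsed them to spaces); the Kerberos ticket message body is trimmed because the decoder captures nothing past system_name.

```python
import re

# Delimiters: the stock OSSEC "windows-snare" decoder expects tabs between Snare
# fields; the decoder variant posted in this thread expects ';' instead.
TAB, SEMI = "\t", ";"


def snare_regex(delim, anchored=True):
    """Python approximation of the windows-snare decoder, with <prematch> and the
    two <regex> elements joined into one pattern and the field delimiter made a
    parameter. Not OSSEC's regex engine: OSSEC's \\.+ between delimiters is
    modelled here as [^delim]+ (assumption)."""
    d = re.escape(delim)
    field = f"[^{d}]+"
    body = (
        rf"MSWinEventLog{d}\d{d}{field}{d}\d+{d}\w\w\S+ \w\w\w \d\d \d\d"  # <prematch>
        rf":\d\d:\d\d \d\d\d\d{d}(?P<id>\d+){d}(?P<extra_data>{field})"    # after_prematch
        rf"{d}(?P<user>{field}){d}{field}{d}(?P<status>{field})"           # second <regex>
        rf"{d}(?P<system_name>{field}){d}"
    )
    # The stock decoder anchors the prematch with '^'; dropping it is the
    # "remove the ^" workaround suggested in the thread.
    return re.compile(("^" if anchored else "") + body)


def decode(log, regex):
    """Return the captured fields, named per the decoder's <order>, or None when
    nothing matches (what logtest reports as 'No decoder matched')."""
    m = regex.search(log)
    return m.groupdict() if m else None


# Constructed samples based on the 'log:' bodies shown in the thread (syslog
# header already stripped, as logtest shows them after pre-decoding).
SEMI_LOGON = (
    "MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34 2010;680;Security;"
    "DOMAINUSER;User;Success Audit;ADSERVER;Account Logon;;Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER "
    "Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818"
)
# Message body trimmed (constructed); the decoder captures nothing past system_name.
SEMI_TICKET = (
    "MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09 2010;673;Security;"
    "SYSTEM;User;Success Audit;ADSERVER;Account Logon;;Service Ticket Request: "
    "(body trimmed);23977936"
)
# The Dec 23 line, tab-delimited as Snare emits it (tabs are an assumption: the
# mail collapsed them to spaces) and with the extra hostname in front.
TAB_LOGON = (
    "DOMAINCONTROLERNAME\tMSWinEventLog\t1\tSecurity\t19699453\t"
    "Thu: Dec 23 09:08:15 2010\t680\tSecurity\tUSERXXX\tUser\tSuccess Audit\t"
    "DOMAINCONTROLERNAME\tAccount Logon\t\tLogon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
    "Source Workstation: STATIONNAMEXXX Error Code: 0x0\t19695682"
)


def summarize():
    """Run each sample through the decoder variants and collect the outcomes."""
    stock = snare_regex(TAB)                    # stock windows-snare: tabs, '^'
    stock_unanchored = snare_regex(TAB, False)  # same pattern with the '^' removed
    semi = snare_regex(SEMI)                    # the ';' variant from the thread
    return {
        "semi_log_vs_stock": decode(SEMI_LOGON, stock),        # None: ';' is not a tab
        "semi_log_vs_semi": decode(SEMI_LOGON, semi),          # id/user/status/system_name
        "ticket_vs_semi": decode(SEMI_TICKET, semi),           # id 673, user SYSTEM
        "tab_log_vs_stock": decode(TAB_LOGON, stock),          # None: hostname before MSWinEventLog
        "tab_log_vs_unanchored": decode(TAB_LOGON, stock_unanchored),
    }


if __name__ == "__main__":
    for name, fields in summarize().items():
        print(f"{name}: {fields if fields else 'No decoder matched'}")
```

The point of the two None results is that they are exactly the cases where ossec-logtest prints "No decoder matched" and falls through to rule 1002: once the delimiter matches (or the anchor is dropped), the user, status and system_name fields come out and the msauth rules have something to work with. The trimmed message body and the tab reconstruction are constructed inputs, so only the captured fields, not the full event text, should be compared against a real logtest run.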
