Check the Security log on the clients; if auditing is not turned on, the events won't be generated.

On 01/05/2011 09:44 AM, Anthony, Russell (Information Security) wrote:
Hi,

I am trying to troubleshoot why I am not seeing any Windows-type events from my Windows
OSSEC agents. Linux events are pouring in just fine. I have enabled "logall" in the
global options of my OSSEC manager and restarted OSSEC. However, when I tail the
archives.log, the only events I see from my Windows agent are ossec-keepalives, agent
started, etc. I don't see any Windows logins, logoffs, failures, etc. I have also looked
in /var/ossec/logs/alerts/alerts.log and I see no Windows events. I also looked in
ossec.log on my Windows box and I don't see any Windows event logs there. Where are
Windows events logged locally on the agent? Suggestions? Thank you in advance for your
help!



-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, December 23, 2010 3:01 PM
To: [email protected]
Subject: EXTERNAL:Re: [ossec-list] custom rules for windows events

On Thu, Dec 23, 2010 at 2:50 PM, Anthony, Russell (Information Security) <[email protected]> wrote:
Hi,

If anyone has created custom rules for Windows events, I would really
appreciate some pointers and examples. I have read the FAQs, bought and
read the book, and googled as much as I could, but I'm stuck. I have also
looked at the msauth rules, but almost all of them are simply matching an id.
A couple contain match or regex or user strings. Are match, regex and
user the only options I have besides matching the id?



Examples:

<regex>  ID:\s+\p*S-1-5-32-544\p*</regex>
<match>Target Account Name: None</match>
<user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>

I would like to create a rule which will alert on a failed or successful
terminal services connection which has event id 540 or 4624 with logon type 10.



My first question is: how do you pull/format a Windows event from the Event
Viewer so that ossec-logtest will decode and test it?



Below is the rule I made. I used the existing Windows decoder. If there is a
better, more preferred way to do this, please share. (I also tried using
<Logon Type>10</Logon Type>.) My rule is accepted by OSSEC but it does not
alert on a terminal services connection.



# vi local_rules.xml

<group name="custom-windows-event-alert">
     <rule id="700005" level="0">
         <decoded_as>windows</decoded_as>
         <description>custom-windows-event-alert</description>
     </rule>

     <!-- Alert if terminal session attempted -->
     <rule id="700006" level="12">
         <if_sid>700005</if_sid>
         <id>^540|^4624</id>
         <match>Logon Type: 10</match>
         <description>Terminal services logon (logon type 10)</description>
     </rule>
</group>





Thanks for the help and have a Happy Holiday.

Russ


You can turn on the <logall> option and pull the alerts you want out
of archives.log. There's a small "header" on the messages that you'll
have to get rid of, but that's pretty easy.

Once you get an example, writing a rule will be a lot easier.

--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
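Added example for this thread (not code from the list, from OSSEC, or from anyone posting above): a small Python script that does what dan describes and what Russ's rule 700006 is meant to do. It strips the "<timestamp> (<agent>) <ip>-><location> " header off archives.log lines so the remainder can be pasted into ossec-logtest, splits the WinEvtLog line into the fields the windows decoder exposes, and then applies the 540/4624 + "Logon Type 10" check. Assumptions: the sample lines are constructed by hand in that archives.log layout, not captured from a real manager; the field order "log: status(id): source: user: domain: host: message" is my reading of the windows decoder, not quoted from decoder.xml; and, going a little beyond the posted rule, 4625 (the Vista/2008 failed-logon event) is included so that failed terminal services connections fire as well.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the layout ossec writes to archives.log once
# <logall> is on: "<timestamp> (<agent>) <ip>-><location> <raw log>".
# They are hand-written stand-ins, not lines captured from a real manager.
SAMPLE_ARCHIVE_LINES = [
    # 4624, logon type 10: an RDP / terminal services logon on a 2008 box
    "2011 Jan 05 09:44:01 (win2008) 10.1.2.3->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WIN2008: An account was successfully logged on. Subject: Security ID: S-1-0-0 "
    "Logon Type: 10 New Logon: Account Name: rdpuser Account Domain: CORP",
    # 4624, logon type 3: a network (SMB) logon, must not fire
    "2011 Jan 05 09:44:02 (win2008) 10.1.2.3->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WIN2008: An account was successfully logged on. Logon Type: 3 "
    "New Logon: Account Name: svc_backup Account Domain: CORP",
    # 540, logon type 10: the pre-Vista (2003) equivalent
    "2011 Jan 05 09:44:03 (win2003) 10.1.2.4->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(540): Security: CORP\\admin: CORP: WIN2003: Successful Network "
    "Logon: User Name: admin Domain: CORP Logon ID: (0x0,0x1A2B3C) Logon Type: 10 "
    "Logon Process: User32 Authentication Package: Negotiate",
    # 4625, logon type 10: a failed RDP logon (not in the posted rule, added here)
    "2011 Jan 05 09:44:04 (win2008) 10.1.2.3->WinEvtLog WinEvtLog: Security: "
    "AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WIN2008: An account failed to log on. Logon Type: 10 Account For Which Logon "
    "Failed: Account Name: administrator Failure Reason: Unknown user name or bad password.",
    # the kind of agent message Russ did see: not a WinEvtLog line at all
    "2011 Jan 05 09:44:05 (win2008) 10.1.2.3->ossec ossec: Agent started: 'win2008->10.1.2.3'.",
]

# "<timestamp> (<agent>) <ip>-><location> " is the header dan mentions; the
# rest of the line is what the agent actually sent and what ossec-logtest wants.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} (?:\([^)]*\) )?\S+->\S+ (?P<raw>.*)$"
)

# Rough stand-in for ossec's "windows" decoder (field order is assumed here;
# the real decoder lives in decoder.xml on the manager):
#   WinEvtLog: <log>: <status>(<id>): <source>: <user>: <domain>: <host>: <message>
WINEVTLOG = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)

TS_LOGON_IDS = {"540", "4624", "4625"}
# \s+ tolerates tab-or-space spacing after the field name (my choice here;
# the XML <match> must fit the exact text ossec records); (?!\d) keeps "10"
# from matching a longer number.
LOGON_TYPE_10 = re.compile(r"Logon Type:\s+10(?!\d)")


def strip_archive_header(line: str) -> Optional[str]:
    """Return the raw log line behind an archives.log header, or None if it is not one."""
    m = ARCHIVE_HEADER.match(line.rstrip("\n"))
    return m.group("raw") if m else None


def decode_winevtlog(raw: str) -> Optional[Dict[str, str]]:
    """Split a WinEvtLog line into the fields the windows decoder exposes (id, user, ...)."""
    m = WINEVTLOG.match(raw)
    return m.groupdict() if m else None


def rule_terminal_services(event: Dict[str, str]) -> Optional[int]:
    """Python equivalent of rule 700006: ids 540/4624 (plus 4625 for failures) with logon type 10.

    Returns the alert level, or None when the rule does not fire.
    """
    if event["id"] in TS_LOGON_IDS and LOGON_TYPE_10.search(event["message"]):
        return 12
    return None


def evaluate(lines: List[str]) -> List[Dict[str, str]]:
    """Run header stripping, decoding and the rule over archives.log lines; return the alerts."""
    alerts = []
    for line in lines:
        raw = strip_archive_header(line)
        if raw is None:
            continue
        event = decode_winevtlog(raw)
        if event is None:  # keepalives, "Agent started", etc. never reach the windows rules
            continue
        level = rule_terminal_services(event)
        if level is not None:
            alerts.append({"id": event["id"], "status": event["status"],
                           "host": event["host"], "level": str(level), "raw": raw})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_ARCHIVE_LINES):
        print(f"level {alert['level']} event {alert['id']} ({alert['status']}) on {alert['host']}")
    # The stripped lines ("WinEvtLog: Security: ...") are what you paste into ossec-logtest.
```

The value of the stripped line is that you can hand it to /var/ossec/bin/ossec-logtest and see which decoder and rule it hits before touching local_rules.xml. Check the spacing between "Logon Type:" and "10" in the line ossec actually recorded, since the rule's <match> has to fit that text as written. And, as the reply at the top of the thread says, none of this fires until the client's audit policy is generating the Security log events in the first place.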
