Thanks for the help and the pointers. My issue turned out to be a simple one:
some logging was turned off and client DHCP addresses changed on my Windows
clients, and I didn't realize the client and server were no longer talking
properly. Thanks, and with your earlier advice I got my first OSSEC rule
working. Yippee!!!!! I love OSSEC!

Russ

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Thursday, January 06, 2011 2:48 PM
To: [email protected]
Subject: EXTERNAL:Re: [ossec-list] windows event issues

Hi Russell,

On Wed, Jan 5, 2011 at 9:44 AM, Anthony, Russell (Information
Security) <[email protected]> wrote:
> Hi,
>
> I am trying to troubleshoot why I am not seeing any Windows-type events from
> my Windows OSSEC agents. Linux events are pouring in just fine. I have
> enabled "logall" in the Global options of my OSSEC manager and restarted
> OSSEC. However, when I tail the archives.log the only events I see from my
> Windows agent are ossec-keepalives, agent started, etc. I don't see any
> Windows logins, logoffs, failures, etc. I have also looked in
> /var/ossec/logs/alerts/alerts.log and I see no Windows events. I also looked
> in ossec.log on my Windows box and I don't see any Windows event logs there.
> Where are Windows events logged locally on the agent? Suggestions? Thank
> you in advance for your help!
>
>

Make sure you are looking at the correct logs on the Windows agents.
Look in the ossec.conf to see which logs are being looked at, and
check Event Viewer on the agent to make sure those logs are being
populated with data.

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Thursday, December 23, 2010 3:01 PM
> To: [email protected]
> Subject: EXTERNAL:Re: [ossec-list] custom rules for windows events
>
> On Thu, Dec 23, 2010 at 2:50 PM, Anthony, Russell (Information
> Security) <[email protected]> wrote:
>> Hi,
>>
>> If anyone has created custom rules for Windows events, I would really
>> appreciate some pointers and examples. I have read the FAQs, bought and
>> read the book, and googled as much as I could, but I'm stuck. I have also
>> looked at the msauth rules but almost all of them are simply matching an id.
>> A couple contain match or regex or user strings. Are match, regex and
>> user the only options I have besides matching the id?
>>
>> Examples:
>>
>> <regex> ID:\s+\p*S-1-5-32-544\p*</regex>
>>
>> <match>Target Account Name: None</match>
>>
>> <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
>>
>> I would like to create a rule which will alert on a failed or successful
>> terminal services connection which has event id 540 or 4624 with logon type 10.
>>
>> My first question is how do you pull/format a Windows event from the event
>> viewer so that ossec-logtest will decode and test it.
>>
>> Below is the rule I made. I used the existing Windows decoder. If there is a
>> better, more preferred way to do this, please share. (I also tried using
>> <Logon Type>10</Logon Type>.) My rule is accepted by OSSEC but it does not
>> alert on a terminal services connection.
>>
>> # vi local_rules.xml
>>
>> <group name="custom-windows-event-alert">
>>     <rule id="700005" level="0">
>>         <decoded_as>windows</decoded_as>
>>         <description>custom-windows-event-alert</description>
>>     </rule>
>>
>>     <!-- Alert if terminal session attempted -->
>>     <rule id="700006" level="12">
>>         <if_sid>700005</if_sid>
>>         <id>^540|^4624</id>
>>         <match>Logon Type: 10</match>
>>         <!-- every rule needs a description, or analysisd rejects it -->
>>         <description>Terminal services (logon type 10) connection attempted</description>
>>     </rule>
>> </group>
>>
>> Thanks for the help and have a Happy Holiday.
>>
>> Russ
>>
>
> You can turn on the <logall> option and pull the alerts you want out
> of archives.log. There's a small "header" on the messages that you'll
> have to get rid of, but that's pretty easy.
>
> Once you get an example writing a rule will be a lot easier.
>

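Dan's suggestion above (turn on logall, pull events out of archives.log, strip the small header, then test with ossec-logtest), worked through as an added example that is not code from this thread or from OSSEC itself. It strips the archives.log prefix so the raw event can be pasted into ossec-logtest, and pre-filters for the condition rule 700006 is meant to catch. The header layout and the WinEvtLog text are assumed from typical OSSEC output; the sample lines are constructed.

```python
import re

# archives.log prefixes each event with "YYYY Mon DD HH:MM:SS (agent) ip->location "
# (or "hostname->location " for the manager's own logs). Assumed layout.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} \w{3} [ \d]\d \d\d:\d\d:\d\d "   # timestamp
    r"(?:\([^)]*\) )?"                         # optional "(agentname) "
    r"\S+->\S+ "                               # "ip->location " / "host->location "
)

# Event id and logon type as they appear in the WinEvtLog text. Assumed layout.
EVENT_ID = re.compile(r"WinEvtLog: \w+: \w+\((\d+)\)")
LOGON_TYPE = re.compile(r"Logon Type:\s+(\d+)")


def strip_archive_header(line):
    """Return the raw event text as ossec-logtest expects it, or None if the
    line does not carry the archives.log header."""
    text = line.rstrip("\n")
    m = ARCHIVE_HEADER.match(text)
    return text[m.end():] if m else None


def is_terminal_services_logon(event):
    """Mirror rule 700006: event id 540 or 4624 with logon type 10 (RemoteInteractive)."""
    eid = EVENT_ID.search(event)
    lt = LOGON_TYPE.search(event)
    return bool(eid and lt and eid.group(1) in ("540", "4624") and lt.group(1) == "10")


def extract_rdp_logons(archive_text):
    """Yield header-stripped events that rule 700006 should fire on."""
    for line in archive_text.splitlines():
        event = strip_archive_header(line)
        if event is not None and is_terminal_services_logon(event):
            yield event


# Constructed sample archives.log excerpt (not real data).
SAMPLE = """\
2011 Jan 05 09:44:00 (winagent01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WINAGENT01: An account was successfully logged on. Subject: Security ID: S-1-0-0 Logon Type: 10 New Logon: Account Name: russ
2011 Jan 05 09:44:05 (winagent01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WINAGENT01: An account was successfully logged on. Logon Type: 3 New Logon: Account Name: svc
2011 Jan 05 09:44:09 (winagent01) 10.0.0.5->ossec ossec: Agent started: 'winagent01->10.0.0.5'.
"""

if __name__ == "__main__":
    for ev in extract_rdp_logons(SAMPLE):
        print(ev)  # paste each line into ossec-logtest to check decoding and rule match
```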