You can use ossec-logtest to see how ossec decodes an event in another language.
On Fri, Apr 8, 2011 at 1:58 AM, netkey <[email protected]> wrote:
> I solved this. Now on the server:
>
> [root@localhost rules]# /app/ossec/bin/agent_control -u 008 -b 2.3.4.5 -f win_nullroute600
>
> OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 008
>
> and on the client, the active-response.log is:
>
> Friday 12:10 "active-response/bin/route-null.cmd" delete "-" "3.3.3.4" "(from_the_server) (no_rule_id)"
>
> My client's language is Chinese. It seems to work.
>
> But when someone tries to get my administrator's password, I receive some email alerts with level 10, but the active response doesn't work.
>
> Some email alerts look like this:
>
> ===============================================================
>
> Received From: (Name-53-xxx) xxx.xxx.53.xxx->WinEvtLog
> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: ZJTG53-xxx: 登录失败: 原因: 用户名未知或密码错误 用户名: administrator 域: ZYC 登录类型: 3 登录进程: NtLmSsp 身份验证数据包: NTLM 工作站名称: ZYC 调用方用户名: - 调用方域: - 调用方登录 ID: - 调用方进程 ID: - 传递服务: - 源网络地址: 122.xxx.xxx.11 源端口: 1318
> [Translation of the Chinese log text: Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: ZYC Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: ZYC Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 122.xxx.xxx.11 Source Port: 1318]
> ===============================================================
>
> I think because my event log is in Chinese, the decoder can't get the srcip. Isn't it?
>
> Best regards,
>
> Netkey
>
> On Apr 8, 11:04 AM, netkey <[email protected]> wrote:
>> Hi,
>>
>> I am running the Windows 2003 server agent 2.5.1 and a Linux (CentOS 5.4) server of the same version.
>> I get the e-mail level 10 but the agent does not respond. It is not in the white_list (on server ossec.conf).
>>
>> ossec.conf client:
>>
>> <active-response>
>>   <disabled>no</disabled>
>> </active-response>
>>
>> ossec.conf server:
>>
>> <command>
>>   <name>win-nullroute</name>
>>   <executable>route-null.cmd</executable>
>>   <expect>srcip</expect>
>>   <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>win-nullroute</command>
>>   <location>local</location>
>>   <level>10</level>
>>   <timeout>600</timeout>
>> </active-response>
>>
>> Then I restarted the ossec agent and the ossec server.
>>
>> On the server:
>>
>> [root@localhost ~]# /app/ossec/bin/agent_control -L
>>
>> OSSEC HIDS agent_control. Available active responses:
>>
>> Response name: win-nullroute600, command: route-null.cmd
>> Response name: host-deny600, command: host-deny.sh
>> Response name: firewall-drop600, command: firewall-drop.sh
>>
>> [root@localhost ~]# /app/ossec/bin/agent_control -r -u 008 -b 2.3.4.5 -f win-nullroute600
>>
>> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 008
>>
>> But it does not seem to add 2.3.4.5 to the route table on the client.
>>
>> I have C:\Program Files\ossec-agent\active-response/bin/route-null.cmd but see no active-responses.log file.
>> In C:\Program Files\ossec-agent\shared\ar.conf I can now see:
>>
>> restart-ossec0 - restart-ossec.sh - 0
>> restart-ossec0 - restart-ossec.cmd - 0
>> win-nullroute600 - route-null.cmd - 600
>> host-deny600 - host-deny.sh - 600
>> firewall-drop600 - firewall-drop.sh - 600
>>
>> Sorry for my bad English.
>>
>> Best regards,
>>
>> Netkey
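The mechanism behind the problem in this thread, as an added illustration that is not part of the original e-mails and not OSSEC's own code: a decoder that looks for the English field label "Source Network Address:" never produces a srcip field when the Windows host writes its Security log in Chinese ("源网络地址:"), and a response declared with <expect>srcip</expect> is skipped whenever the alert carries no srcip, which is exactly the "level 10 e-mail arrives but nothing happens" symptom. The script below emulates that decode-then-expect logic in plain Python; the regexes are illustrative (OSSEC's decoder.xml uses its own regex dialect, not Python's), the event lines are constructed samples with an RFC 5737 documentation address rather than the poster's real log, and the IP validity check is an added safeguard so that a local logon failure, where Windows writes "-" for the address, can never hand a bogus value to route-null.cmd.

```python
import ipaddress
import re

# Constructed sample events for this example (not taken from the thread).
# Same event 529 as in the thread, once as an English-locale host writes it and
# once as a Chinese-locale Windows Server 2003 host writes it.
EVENT_EN = (
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "HOST53: Logon Failure: Reason: Unknown user name or bad password "
    "User Name: administrator Domain: ZYC Logon Type: 3 Logon Process: NtLmSsp "
    "Authentication Package: NTLM Workstation Name: ZYC Caller User Name: - "
    "Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - "
    "Source Network Address: 203.0.113.11 Source Port: 1318"
)
EVENT_ZH = (
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "HOST53: 登录失败: 原因: 用户名未知或密码错误 用户名: administrator 域: ZYC "
    "登录类型: 3 登录进程: NtLmSsp 身份验证数据包: NTLM 工作站名称: ZYC "
    "调用方用户名: - 调用方域: - 调用方登录 ID: - 调用方进程 ID: - 传递服务: - "
    "源网络地址: 203.0.113.11 源端口: 1318"
)
# Local (console) logon failure: Windows writes "-" as the network address.
EVENT_ZH_LOCAL = EVENT_ZH.replace("源网络地址: 203.0.113.11", "源网络地址: -")

# Header shared by every WinEvtLog line: log name, status, event id.
HEADER = re.compile(r"^WinEvtLog: (?P<log>\w+): (?P<status>\w+)\((?P<id>\d+)\): ")

# Illustrative srcip patterns (assumed here, not OSSEC's shipped decoder):
# the first is keyed on the English label only, the second also accepts the
# label that a zh-CN Windows host writes.
SRCIP_EN_ONLY = re.compile(r"Source Network Address: (?P<srcip>\S+)")
SRCIP_LOCALE_AWARE = re.compile(r"(?:Source Network Address|源网络地址): (?P<srcip>\S+)")


def decode(event, srcip_re):
    """Decode one WinEvtLog line into the fields a logtest run would list.

    Returns None when the line is not a Windows event at all; otherwise a dict
    with log/status/id and, only when the pattern matched a real IP address,
    a 'srcip' entry.
    """
    m = HEADER.match(event)
    if m is None:
        return None
    fields = {"log": m.group("log"), "status": m.group("status"), "id": int(m.group("id"))}
    ip = srcip_re.search(event)
    if ip is not None:
        try:
            # Reject "-" and any other junk: a blocking response must never be
            # handed something that is not an address.
            fields["srcip"] = str(ipaddress.ip_address(ip.group("srcip")))
        except ValueError:
            pass
    return fields


def response_would_fire(fields, expect=("srcip",)):
    """Mimic the <expect> check on a <command>: a response that expects srcip
    is skipped when the decoder produced none."""
    return fields is not None and all(k in fields for k in expect)


if __name__ == "__main__":
    samples = (("English", EVENT_EN), ("Chinese", EVENT_ZH), ("Chinese local", EVENT_ZH_LOCAL))
    patterns = (("english-only", SRCIP_EN_ONLY), ("locale-aware", SRCIP_LOCALE_AWARE))
    for label, event in samples:
        for name, pat in patterns:
            f = decode(event, pat)
            print(f"{label:14} {name:13} srcip={str(f.get('srcip')):14} fires={response_would_fire(f)}")
```

Running the script prints a row per sample and pattern: the English-only pattern decodes srcip from the English event but not from the Chinese one, so the response would only fire for the English host, while the locale-aware pattern fires for both remote events and still stays silent for the local "-" case. The same check against the real installation is ossec-logtest on the server: paste the WinEvtLog line from the alert and look for a srcip line in the decoded output; if it is absent, the active response cannot run regardless of the rule level.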
