This is normal. The "Deleting PID" messages are leftovers from the failed starts you had earlier.
On Tue, Jun 28, 2011 at 5:36 PM, Chad Hammond <[email protected]> wrote:
> Ok, I think I have that fixed. Now I am getting this error when it starts up.
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> Deleting PID file '/var/ossec/var/run/ossec-logcollector-12047.pid' not used...
> Deleting PID file '/var/ossec/var/run/ossec-remoted-12051.pid' not used...
> ossec-csyslogd already running...
> ossec-maild already running...
> ossec-execd already running...
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
> root@mnossec1:~#
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Tuesday, June 28, 2011 4:14 PM
> To: [email protected]
> Subject: Re: [ossec-list] Email filter
>
> On Tue, Jun 28, 2011 at 4:53 PM, Chad Hammond <[email protected]> wrote:
>> I am getting this error now, below. There are only 7 lines, so I am not sure, I guess.
>>
>> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
>> 2011/06/28 15:48:51 ossec-analysisd(1226): ERROR: Error reading XML file 'rules//ESX_Ignore_Rule1.xml': XML ERR: End of file and some elements were not closed (line 8).
>> 2011/06/28 15:48:51 ossec-testrule(1220): ERROR: Error loading the rules: 'ESX_Ignore_Rule1.xml'.
>> ossec-analysisd: Configuration error. Exiting.
>>
>> <group name="local">
>> <rule id="100101" level="0">
>> <if_sid>18139</if_sid>
>> <id>675</id>
>> <match>User Name: MNESX1</match>
>> <description>Events ignored</description>
>> </rule>
>
> You didn't close the "<group" tag. You need a </group> at the end.
>
> This would have been easier if you modified /var/ossec/rules/local_rules.xml instead. ;)
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> Sent: Tuesday, June 28, 2011 3:43 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Email filter
>>
>> On Tue, Jun 28, 2011 at 4:29 PM, Chad Hammond <[email protected]> wrote:
>>> Ok, here is an error message that I get when I try and start the service. I also attached the rules that I modified to fit your suggestion as I understood it.
>>> Please let me know if I am missing something.
>>>
>>> Thanks again.
>>>
>>> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
>>> 2011/06/28 15:26:13 rules_op: Invalid root element "rule".Only "group" is allowed
>>> 2011/06/28 15:26:13 ossec-testrule(1220): ERROR: Error loading the rules: 'ESX_Ignore_Rule1.xml'.
>>> ossec-analysisd: Configuration error. Exiting.
>>
>> You need something like "<group name="local">" around the rules, just like all the rest of the rule files.
>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Chad Hammond
>>> Sent: Tuesday, June 28, 2011 3:12 PM
>>> To: [email protected]
>>> Subject: RE: [ossec-list] Email filter
>>>
>>> I will give it a try then. I was just curious. I will post something when I get this updated.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>> Sent: Tuesday, June 28, 2011 3:07 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] Email filter
>>>
>>> Hi Chad,
>>>
>>> On Tue, Jun 28, 2011 at 4:02 PM, Chad Hammond <[email protected]> wrote:
>>>> Here is the full email. So you think the number is 18139 instead of 18152?
>>>
>>> Not in your email example it isn't. But if 18139 doesn't fire, 18152 won't be triggered. At least by these alerts. You can always try what you had again, but without the "$" character.
>>>
>>>> OSSEC HIDS Notification.
>>>> 2011 Jun 28 14:56:06
>>>>
>>>> Received From: (MNDC2) 10.0.0.52->WinEvtLog
>>>> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
>>>> Portion of the log(s):
>>>>
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: _ryan User ID: %{S-1-5-21-1995130590-1722771374-355810188-12042} Service Name: krbtgt/NORTHLAND Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.113
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.113
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> Sent: Tuesday, June 28, 2011 2:09 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] Email filter
>>>>
>>>> Rule 1:
>>>> <rule id="100101" level="0">
>>>> <if_sid>18152</if_sid> <!-- ossec-logtest shows this as 18139 on my system, but 18152 might work if there are more than 1 log events -->
>>>> <match>Pre-authentication failed: User Name: MNESX1$
>>>> </match> <!-- The $ will be interpreted as the end of line character -->
>>>> <description>Events ignored</description>
>>>> </rule>
>>>>
>>>> Maybe try:
>>>>
>>>> <rule id="100101" level="0">
>>>> <if_sid>18139</if_sid>
>>>> <id>675</id>
>>>> <match>User Name: MNESX2</match>
>>>> <description>Events ignored</description>
>>>> </rule>
>>>>
>>>> On Tue, Jun 28, 2011 at 2:46 PM, Chad Hammond <[email protected]> wrote:
>>>>> Hello, I would like to filter out the following email, which I copied below. I also attached a custom rule that I created, and it doesn't seem to be filtering all the emails out. I actually created 4 rules because there are 4 user accounts that I want to filter: mnesx1$, mnesx2$, mnesx3$ and mnesx4. Any assistance on what I am doing wrong would be greatly appreciated.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: _Varonis User ID: %{S-1-5-21-1995130590-1722771374-355810188-12480} Service Name: krbtgt/northlandgroup.com Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.106
>>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>>>
>>>>> Chad Hammond
>>>>> Systems Administrator
>>>>> Northland Group
>>>>> 7831 Glenroy Rd
>>>>> Edina MN 55439
>>>>> Direct: 952-837-0625
>>>>> ________________________________
>>>>> THIS MESSAGE, INCLUDING ANY ATTACHMENTS, IS CONFIDENTIAL AND PROPRIETARY, AND MAY CONTAIN PRIVILEGED INFORMATION. IF YOU HAVE RECEIVED THIS TRANSMISSION IN ERROR, PLEASE NOTIFY THE SENDER BY RETURN E-MAIL AND DELETE THIS MESSAGE FROM YOUR SYSTEM. ANY UNAUTHORIZED USE OF THIS MESSAGE, IN WHOLE OR IN PART, IS STRICTLY PROHIBITED. PLEASE NOTE THAT EMAILS ARE SUSCEPTIBLE TO TAMPERING. NORTHLAND GROUP, INC. SHALL NOT BE LIABLE FOR THE IMPROPER OR INCOMPLETE TRANSMISSION OF THE INFORMATION CONTAINED IN THIS COMMUNICATION, NOR FOR ANY DELAY IN ITS RECEIPT OR DAMAGE TO YOUR SYSTEM. NORTHLAND GROUP, INC. DOES NOT GUARANTEE THAT THE INTEGRITY OF THIS COMMUNICATION HAS BEEN MAINTAINED, NOR THAT THIS COMMUNICATION IS FREE FROM VIRUSES, INTERCEPTIONS OR INTERFERENCE
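Both problems in this thread, a rules file that ossec-analysisd refuses to load and a `<match>` whose trailing "$" is read as an end-of-line anchor, can be dry-run before touching a live manager. The Python below is an added example, not code from this thread or from OSSEC. It reproduces the two load errors quoted above (an unclosed `<group>`, and a root element other than `<group>`), models `<match>` the way dan describes it (a trailing `$` anchors to the end of the line, `^` anchors to the start, `|` separates alternatives), and applies one level-0 rule covering all four ESX machine accounts to constructed 675 events: two machine accounts, a real user, and a hypothetical `MNESX40$` account that merely shares the `MNESX4` prefix. Treating a `$` that is followed by more text (`MNESX4$ User ID`) as a literal character is an assumption of this simulation, and the SIDs are placeholders; check any real rule with ossec-logtest, because a level-0 rule silences whatever it matches.

```python
import re
import xml.etree.ElementTree as ET


def make_event(host, user, rid, client):
    """Constructed event in the thread's WinEvtLog 675 layout (placeholder SID)."""
    return ("WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            f"{host}: Pre-authentication failed: User Name: {user} User ID: "
            f"%{{S-1-5-21-EXAMPLE-{rid}}} Service Name: krbtgt/NORTHLANDGROUP.COM "
            f"Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: {client}")


# Two ESX machine accounts, a real user, and a hypothetical MNESX40$ that only
# shares the MNESX4 prefix (what a loose substring match would also swallow).
SAMPLE_EVENTS = [
    make_event("MNDC2", "MNESX4$", "11842", "10.0.0.114"),
    make_event("LOMBARDO", "MNESX2$", "11844", "10.0.0.112"),
    make_event("MNDC2", "_ryan", "12042", "10.0.0.10"),
    make_event("MNDC2", "MNESX40$", "99999", "10.0.0.140"),
]

# Chad's file without its </group>: "End of file and some elements were not closed".
RULES_UNCLOSED = """<group name="local">
  <rule id="100101" level="0">
    <if_sid>18139</if_sid>
    <id>675</id>
    <match>User Name: MNESX1</match>
    <description>Events ignored</description>
  </rule>
"""

# One closed rule for all four accounts. Each '$' is followed by more text, so
# this simulation treats it as a literal, not as an end-of-line anchor (assumption).
RULES_GOOD = """<group name="local">
  <rule id="100101" level="0">
    <if_sid>18139</if_sid>
    <id>675</id>
    <match>User Name: MNESX1$ User ID|User Name: MNESX2$ User ID|User Name: MNESX3$ User ID|User Name: MNESX4$ User ID</match>
    <description>Events ignored</description>
  </rule>
</group>
"""


def load_rules(xml_text):
    """Parse a rules file, failing where ossec-analysisd failed in the thread."""
    root = ET.fromstring(xml_text)  # ParseError when a tag such as <group> is left open
    if root.tag != "group":
        raise ValueError(f'Invalid root element "{root.tag}". Only "group" is allowed')
    return [{"id": r.get("id"), "level": int(r.get("level", "0")),
             "event_id": (r.findtext("id") or "").strip(),
             "match": r.findtext("match") or ""} for r in root.findall("rule")]


def validate(xml_text):
    """None if the file would load, otherwise the error text."""
    try:
        load_rules(xml_text)
    except ET.ParseError as err:
        return f"XML ERR: {err}"
    except ValueError as err:
        return str(err)
    return None


def os_match(pattern, line):
    """Simplified <match>: '|' separates alternatives, a leading '^' anchors to the
    line start, a trailing '$' anchors to the line end (dan's point), anything else
    is a substring test. Whitespace is stripped, so "MNESX1$ " + newline ends in '$'."""
    for alt in (a.strip() for a in pattern.split("|")):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        body = alt[at_start:len(alt) - at_end]  # bools index as 0/1
        if at_start and at_end:
            hit = line == body
        else:
            hit = (line.startswith(body) if at_start else
                   line.endswith(body) if at_end else body in line)
        if hit:
            return True
    return False


def silencing_rule(rules, line):
    """Id of the first level-0 rule whose <id> and <match> both fit the line, else
    None. The parent rule named in <if_sid> is assumed to have fired already."""
    m = re.search(r"AUDIT_FAILURE\((\d+)\)", line)
    event_id = m.group(1) if m else None
    for rule in rules:
        if (rule["level"] == 0 and rule["event_id"] in ("", event_id)
                and os_match(rule["match"], line)):
            return rule["id"]
    return None


def audit(xml_text, events):
    """Map each event's user name to the rule that silences it (None = still alerts)."""
    rules = load_rules(xml_text)
    return {re.search(r"User Name: (\S+)", e).group(1): silencing_rule(rules, e)
            for e in events}


if __name__ == "__main__":
    print("unclosed <group>:", validate(RULES_UNCLOSED))
    for user, rule in audit(RULES_GOOD, SAMPLE_EVENTS).items():
        print(f"{user:9} -> {'ignored by rule ' + rule if rule else 'still alerts'}")
```

Running it prints the load error for the unclosed file and then, for the good file, which sample events are silenced. The contrast worth noting is between `<match>User Name: MNESX4</match>` (the shape of dan's suggestion), which as a bare substring also swallows the hypothetical `MNESX40$`, and a pattern extended through the next field, which stays confined to the intended machine account while `_ryan` keeps alerting either way.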
