Hi, I have a manager/agent setup and everything seems to be working
fine.
However, I added one more log file (Zeus error log) to monitor and
added the following in my manager's agent.conf file, then verified
that it was deployed successfully to all my agents.
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/zeus/admin/log/errors</location>
</localfile>
Then when I run some fake login attempts, the following is logged on
the Zeus error file as it should:
[29/Jun/2011:19:37:28 +0000] WARN:admin:Authentication failure, url=/index.cgi, host=10.20.6.155, user=hackertest
However, this does NOT trigger an alert nor email. I see nothing in
my manager's alert.log file.
I just don't understand why... The manager has the Zeus rules file in
place, and I double checked that it should decode it fine... right?
This is in the Zeus rules file on the manager side:
<rule id="31205" level="8">
<if_sid>31202</if_sid>
<match>admin:Authentication failure</match>
<description>Admin authentication failed.</description>
<group>authentication_failed,</group>
</rule>
And in decoder file on the manager side:
<!-- Zeus decoder.
- Will extract the severity and the srcip/username when available.
- Examples:
- [08/Aug/2006:22:32:12 +0100] WARN:admin:Authentication failure, url=/index.cgi, host=xx.yy.com, user=admin
- [10/Dec/2006:16:59:26 +0000] INFO:Zeus Admin Server running
-->
<decoder name="zeus">
<prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
<regex offset="after_prematch"> host=(\S+), </regex>
<order>srcip</order>
</decoder>
So what gives? Can someone please help?
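One way to check the decoder and rule strings quoted above against the logged line offline, as an added example that is not part of the original post and not OSSEC's own code. It approximates OSSEC's regex dialect in Python; the assumptions are that OSSEC treats `[`, `]`, `{`, `}` and `?` as literal characters (it has no character classes), that `\d`, `\w`, `\s` and `\S` keep their usual meaning, and that a `<match>` without `^` or `|` is a plain substring test. The sample lines are constructed from the log lines in the post. A positive result only shows that the decoder claims the line and that rule 31205's `<match>` string is present; the rule also requires its parent 31202 (`<if_sid>`) to have fired, which this check does not cover, and the authoritative test on a real manager is `ossec-logtest`.

```python
import re

# Constructed sample input: the Zeus error-log line quoted in the post, on one line.
SAMPLE_LINE = (
    "[29/Jun/2011:19:37:28 +0000] WARN:admin:Authentication failure, "
    "url=/index.cgi, host=10.20.6.155, user=hackertest"
)
# Constructed negative sample, taken from the INFO example in the decoder comment.
INFO_LINE = "[10/Dec/2006:16:59:26 +0000] INFO:Zeus Admin Server running"

# Decoder fields exactly as quoted in the post.
DECODER_NAME = "zeus"
PREMATCH = r"^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] "
REGEX = r" host=(\S+), "
ORDER = ["srcip"]

# The <match> string of rule 31205 as quoted in the post.
RULE_MATCH = "admin:Authentication failure"

# Assumption about OSSEC's regex dialect: these backslash tokens keep their
# usual meaning, '.' matches any character, and [ ] { } ? are literal
# characters. Any other escape is rejected rather than silently mistranslated.
_ESCAPES = {"d": r"\d", "w": r"\w", "s": r"\s", "S": r"\S", "D": r"\D",
            "W": r"\W", ".": r"\.", "t": r"\t", "n": r"\n"}
_LITERAL_IN_OSSEC = set("[]{}?")


def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            if i >= len(pattern) or pattern[i] not in _ESCAPES:
                raise ValueError("unsupported OSSEC escape in %r" % pattern)
            out.append(_ESCAPES[pattern[i]])
        elif ch in _LITERAL_IN_OSSEC:
            out.append("\\" + ch)      # literal in OSSEC, meta in Python
        else:
            out.append(ch)             # ^ $ ( ) * + | . and plain text pass through
        i += 1
    return "".join(out)


def decode(line):
    """Run the decoder against one log line the way OSSEC would: the prematch
    must hit first, then the regex runs on the text after the prematch and its
    groups are mapped onto the <order> field names."""
    pre = re.search(ossec_to_python(PREMATCH), line)
    if pre is None:
        return None                    # the decoder does not claim this line
    fields = {"decoder": DECODER_NAME}
    body = line[pre.end():]            # offset="after_prematch"
    m = re.search(ossec_to_python(REGEX), body)
    if m is not None:
        fields.update(zip(ORDER, m.groups()))
    return fields


def rule_matches(line):
    """A <match> without ^ or | is a plain substring test on the log text."""
    return RULE_MATCH in line


if __name__ == "__main__":
    for sample in (SAMPLE_LINE, INFO_LINE):
        print(sample)
        print("  decoded:", decode(sample))
        print("  rule 31205 <match> present:", rule_matches(sample))
```

Running it shows the prematch claiming both lines, `srcip` extracted only from the WARN line, and the `<match>` string present only on the WARN line; if either step failed here, the decoder or rule text itself would be the place to look, and if both pass, the remaining suspects are outside what the post shows (the parent rule 31202, or whether the line reaches the manager at all).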