Hello,
I want to check a Symantec Endpoint Protection log file without
success.
This file (seclog.log) is here:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\sec.log
So, I first add on the ossec.conf this lines (on the agent):
***********************************************************
<localfile>
<location>C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\seclog.log</location>
<log_format>syslog</log_format>
</localfile>
***********************************************************
I've restarted the ossec service and put full control for all users on the
file sec.log.
I have these lines in the ossec.log on the agent:
2011/07/28 03:54:12 ossec-agent(1950): INFO: Analyzing file: 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\seclog.log'.
2011/07/28 03:54:12 ossec-agent: INFO: Started (pid: 1308).
On the ossec server, I've added a decoder:
********************************************************
<decoder name="symantec-EndpointProtection-SP">
<prematch>have been scanned from </prematch>
<!-- Capture only the dotted quad. The original (\S+) would also swallow the
     trailing period in "192.168.25.69.", leaving srcip unusable for IP matching.
     In OSSEC regex syntax '\.' is a literal dot and '.' matches any character. -->
<regex offset="after_prematch">(\d+\.\d+\.\d+\.\d+)</regex>
<order>srcip</order>
</decoder>
*********************************************************
I've added 3 rules:
*********************************************************
<group name="symantecEP,">
<rule id="100000" level="5">
<decoded_as>symantec-EndpointProtection-SP</decoded_as>
<description>Grouping of Symantec Endpoint Protection Rules.</description>
</rule>
<rule id="100001" level="5">
<category>windows</category>
<description>Grouping of Symantec EP rules from file sec.log.</description>
</rule>
<rule id="100002" level="15">
<if_sid>100000, 100001</if_sid>
<group>recon</group>
<description>Scan Port detected.</description>
</rule>
</group> <!-- symantec -->
*************************************************************
I've restarted ossec service on the server.
My seclog.log is like this:
*************************************************************
00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0
451da2c0 00000002 00000000 00000001 01cc42095af2e918
01cc4d099113dfe8 000009c1 00000000 Somebody is scanning your
computer.
Your computer's TCP ports:
2068, 13705, 115, 83 and 1358 have been scanned from
192.168.25.69. PV¶ 6 PV¶ PV¶
ø[ Default test DOMAIN
00000151 01cc4d14fdV17f78 000000ca 0000000b 460da2c0
450d28c0 00000002 00000000 00000001 01cc4d14af92e151
01cc4d14d682ae78 000004b7 00000000 Somebody is scanning your
computer.
Your computer's TCP ports:
9999, 39, 3001, 254 and 22273 have been scanned from
192.168.25.69. PV¶ 6 PV¶ PV¶
ø[ Default test DOMAIN
00000151 01cc4d16b42e1e74 000000ca 0000000b 460d28c0
450da2c0 00000002 00000000 00000001 01cc4d16592a2768
01cc4d1690651668 00000800 00000000 Somebody is scanning your
computer.
Your computer's TCP ports:
627, 5432, 569, 1396 and 5901 have been scanned from
192.168.25.69. PV¶ 6 PV¶ PV¶
ø[ Default test DOMAIN
00000152 01cc4d17156723e4 000000ca 0000000b 462da2c0
450da2c0 00000002 00000000 00000001 01cc4d16d0da2838
01cc4d16edefed08 0000027a 00000000 Somebody is scanning your
computer.
Your computer's TCP ports:
340, 487, 220, 4660 and 5803 have been scanned from
192.168.25.69. PV¶ 6 PV¶ PV¶
ø[ Default test DOMAIN
**************************************************************
And ossec-logtest is ok for this kind of line: "340, 487, 220, 4660
and 5803 have been scanned from 192.168.25.69."
Does anyone have an idea about my issue? How can I check that the ossec
server has the information from the seclog.log?
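As an added example (not from the original post, and not OSSEC's own code), here is a small Python emulation of the decoder's prematch / after_prematch step run over constructed lines shaped like the pasted sec.log: one single-line record as fed to ossec-logtest, and one record where the IP sits on the line after "have been scanned from". The OSSEC regex dialect is hand-translated to Python; the bare `\S+` capture is compared with a dotted-quad capture so the value each line shape yields as srcip is visible.

```python
import re

# Constructed sample lines (modelled on the pasted sec.log, not copied from it).
# Line 1: the single-line form that was tried in ossec-logtest.
# Lines 2-3: a record whose IP follows on the next line, as the paste shows it.
SAMPLE_LINES = [
    "340, 487, 220, 4660 and 5803 have been scanned from 192.168.25.69.",
    "2068, 13705, 115, 83 and 1358 have been scanned from",
    "192.168.25.69. PV 6 PV PV",
]

# Same prematch text as the decoder, trailing space included.
PREMATCH = "have been scanned from "

# OSSEC regex: \S and \d exist, '.' is any character, '\.' is a literal dot.
# These are hand-made Python equivalents, not OSSEC's own regex engine.
REGEX_ANY_TOKEN = re.compile(r"(\S+)")                 # bare non-space run
REGEX_DOTTED_QUAD = re.compile(r"(\d+\.\d+\.\d+\.\d+)")  # IPv4 only


def decode_srcip(line, regex):
    """Emulate <prematch> plus <regex offset="after_prematch"> for one line.

    Returns the srcip value the decoder would set, or None when the line does
    not prematch (decoder never runs) or nothing matches after the prematch.
    """
    pos = line.find(PREMATCH)
    if pos < 0:
        return None
    rest = line[pos + len(PREMATCH):]
    m = regex.search(rest)
    return m.group(1) if m else None


def decode_all(lines, regex):
    """Run the single-line decoder over every line, one event per line as
    log_format syslog delivers them."""
    return [decode_srcip(line, regex) for line in lines]


if __name__ == "__main__":
    for name, rx in (("\\S+", REGEX_ANY_TOKEN), ("dotted quad", REGEX_DOTTED_QUAD)):
        print(name, decode_all(SAMPLE_LINES, rx))
```

The bare token capture keeps the trailing period of the sentence, and a record split across two lines produces no srcip at all, since the IP line never prematches and the prematch line has nothing after it.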