On Thu, Jul 28, 2011 at 8:07 AM, Blauch Armand <[email protected]> wrote: > Hello, > > I want to check a symantec end point protection log file without > succes. > > This file (seclog.log) is here: > C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\sec.log > > So, I first add on the ossec.conf this lines (on the agent): > *********************************************************** > <localfile> > <location>C:\Program Files (x86)\Symantec\Symantec Endpoint > Protection\seclog.log</location> > <log_format>syslog</log_format> > </localfile> > *********************************************************** > > I've restarted ossec service and put full control for all user on the > file sec.log. > > I have theses lines on the ossec.log on the agent: > 2011/07/28 03:54:12 ossec-agent(1950): INFO: Analyzing file: 'C: > \Program Files (x86)\Symantec\Symantec Endpoint Protection > \seclog.log'. > 2011/07/28 03:54:12 ossec-agent: INFO: Started (pid: 1308). > > On the ossec server, I've added a decoder: > ******************************************************** > <decoder name="symantec-EndpointProtection-SP"> > <prematch>have been scanned from </prematch> > <regex offset="after_prematch">(\S+)</regex> > <order>srcip</order> > </decoder> > ********************************************************* > > I've added to 3 rules: > ********************************************************* > <group name="symantecEP,"> > <rule id="100000" level="5"> > <decoded_as>symantec-EndpointProtection-SP</decoded_as> > <description>Grouping of Symantec Endpoint Protection Rules.</ > description> > </rule> > > <rule id="100001" level="5"> > <category>windows</category> > <description>Grouping of Symantec EP rules from file sec.log.</ > description> > </rule> >
What's the purpose of rule 100001? > <rule id="100002" level="15"> > <if_sid>100000, 100001</if_sid> > <group>recon</group> > <description>Scan Port detected.</description> > </rule> > > </group> <!-- symantec --> > ************************************************************* > I've restarted ossec service on the server. > > My seclog.log is like this: > ************************************************************* > 00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0 > 451da2c0 00000002 00000000 00000001 01cc42095af2e918 > 01cc4d099113dfe8 000009c1 00000000 Somebody is scanning your > computer. > Your computer's TCP ports: > 2068, 13705, 115, 83 and 1358 have been scanned from > 192.168.25.69. PV¶ 6 PV¶ PV¶ > ø[ Default test DOMAIN > 00000151 01cc4d14fdV17f78 000000ca 0000000b 460da2c0 > 450d28c0 00000002 00000000 00000001 01cc4d14af92e151 > 01cc4d14d682ae78 000004b7 00000000 Somebody is scanning your > computer. > Your computer's TCP ports: > 9999, 39, 3001, 254 and 22273 have been scanned from > 192.168.25.69. PV¶ 6 PV¶ PV¶ > ø[ Default test DOMAIN > 00000151 01cc4d16b42e1e74 000000ca 0000000b 460d28c0 > 450da2c0 00000002 00000000 00000001 01cc4d16592a2768 > 01cc4d1690651668 00000800 00000000 Somebody is scanning your > computer. > Your computer's TCP ports: > 627, 5432, 569, 1396 and 5901 have been scanned from > 192.168.25.69. PV¶ 6 PV¶ PV¶ > ø[ Default test DOMAIN > 00000152 01cc4d17156723e4 000000ca 0000000b 462da2c0 > 450da2c0 00000002 00000000 00000001 01cc4d16d0da2838 > 01cc4d16edefed08 0000027a 00000000 Somebody is scanning your > computer. > Your computer's TCP ports: > 340, 487, 220, 4660 and 5803 have been scanned from > 192.168.25.69. PV¶ 6 PV¶ PV¶ > ø[ Default test DOMAIN > ************************************************************** > Unfortunately, due to line wrapping I'm not sure where the logs begin an end. > And ossec-logtest is ok for this kind of line: "340, 487, 220, 4660 > and 5803 have been scanned from 192.168.25.69." > > Does anyone has an idea with my issue? How can I check that the ossec > server has the informations on the seclog.log? What is your issue? If you want to make sure the logs are making it to the manager, turn the <logall> option on. You can then check /var/ossec/logs/archives/archives.log to see what log messages are being processed. http://www.ossec.net/doc/syntax/head_ossec_config.reports.html#element-logall
