Hello, Thanks for your advices. The purpose of rule 100001 it's to alert when there is a port scan detection on the host. I tried to active <logall> option on, and I my symantec logs don't arrive to ossec server. I don't know why. In parallel I work on email alert via symantec endpoint protection manager, maybe it's simplest than try to read symantec non-conforming logs with ossec.
On 29 juil, 15:44, "dan (ddp)" <[email protected]> wrote: > On Thu, Jul 28, 2011 at 8:07 AM, Blauch Armand <[email protected]> wrote: > > Hello, > > > I want to check a symantec end point protection log file without > > succes. > > > This file (seclog.log) is here: > > C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\sec.log > > > So, I first add on the ossec.conf this lines (on the agent): > > *********************************************************** > > <localfile> > > <location>C:\Program Files (x86)\Symantec\Symantec Endpoint > > Protection\seclog.log</location> > > <log_format>syslog</log_format> > > </localfile> > > *********************************************************** > > > I've restarted ossec service and put full control for all user on the > > file sec.log. > > > I have theses lines on the ossec.log on the agent: > > 2011/07/28 03:54:12 ossec-agent(1950): INFO: Analyzing file: 'C: > > \Program Files (x86)\Symantec\Symantec Endpoint Protection > > \seclog.log'. > > 2011/07/28 03:54:12 ossec-agent: INFO: Started (pid: 1308). > > > On the ossec server, I've added a decoder: > > ******************************************************** > > <decoder name="symantec-EndpointProtection-SP"> > > <prematch>have been scanned from </prematch> > > <regex offset="after_prematch">(\S+)</regex> > > <order>srcip</order> > > </decoder> > > ********************************************************* > > > I've added to 3 rules: > > ********************************************************* > > <group name="symantecEP,"> > > <rule id="100000" level="5"> > > <decoded_as>symantec-EndpointProtection-SP</decoded_as> > > <description>Grouping of Symantec Endpoint Protection Rules.</ > > description> > > </rule> > > > <rule id="100001" level="5"> > > <category>windows</category> > > <description>Grouping of Symantec EP rules from file sec.log.</ > > description> > > </rule> > > What's the purpose of rule 100001? > > > > > > > > > > > <rule id="100002" level="15"> > > <if_sid>100000, 100001</if_sid> > > <group>recon</group> > > <description>Scan Port detected.</description> > > </rule> > > > </group> <!-- symantec --> > > ************************************************************* > > I've restarted ossec service on the server. > > > My seclog.log is like this: > > ************************************************************* > > 00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0 > > 451da2c0 00000002 00000000 00000001 01cc42095af2e918 > > 01cc4d099113dfe8 000009c1 00000000 Somebody is scanning your > > computer. > > Your computer's TCP ports: > > 2068, 13705, 115, 83 and 1358 have been scanned from > > 192.168.25.69. PV¶ 6 PV¶ PV¶ > > ø[ Default test DOMAIN > > 00000151 01cc4d14fdV17f78 000000ca 0000000b 460da2c0 > > 450d28c0 00000002 00000000 00000001 01cc4d14af92e151 > > 01cc4d14d682ae78 000004b7 00000000 Somebody is scanning your > > computer. > > Your computer's TCP ports: > > 9999, 39, 3001, 254 and 22273 have been scanned from > > 192.168.25.69. PV¶ 6 PV¶ PV¶ > > ø[ Default test DOMAIN > > 00000151 01cc4d16b42e1e74 000000ca 0000000b 460d28c0 > > 450da2c0 00000002 00000000 00000001 01cc4d16592a2768 > > 01cc4d1690651668 00000800 00000000 Somebody is scanning your > > computer. > > Your computer's TCP ports: > > 627, 5432, 569, 1396 and 5901 have been scanned from > > 192.168.25.69. PV¶ 6 PV¶ PV¶ > > ø[ Default test DOMAIN > > 00000152 01cc4d17156723e4 000000ca 0000000b 462da2c0 > > 450da2c0 00000002 00000000 00000001 01cc4d16d0da2838 > > 01cc4d16edefed08 0000027a 00000000 Somebody is scanning your > > computer. > > Your computer's TCP ports: > > 340, 487, 220, 4660 and 5803 have been scanned from > > 192.168.25.69. PV¶ 6 PV¶ PV¶ > > ø[ Default test DOMAIN > > ************************************************************** > > Unfortunately, due to line wrapping I'm not sure where the logs begin an end. > > > And ossec-logtest is ok for this kind of line: "340, 487, 220, 4660 > > and 5803 have been scanned from 192.168.25.69." > > > Does anyone has an idea with my issue? How can I check that the ossec > > server has the informations on the seclog.log? > > What is your issue? > If you want to make sure the logs are making it to the manager, turn > the <logall> option on. You can then check > /var/ossec/logs/archives/archives.log to see what log messages are > being > processed.http://www.ossec.net/doc/syntax/head_ossec_config.reports.html#elemen...
