Hello, Thanks for your advices, yes I've restarted the manager's OSSEC processes after I added the <logall> option to the manager's ossec.conf. It's the same things, no scan log detection logs are send to the manager.
On 1 août, 23:45, "dan (ddp)" <[email protected]> wrote: > On Mon, Aug 1, 2011 at 4:15 AM, Blauch Armand <[email protected]> wrote: > > Hello, > > > Thanks for your advices. > > The purpose of rule 100001 it's to alert when there is a port scan > > detection on the host. > > I tried to active <logall> option on, and I my symantec logs don't > > arrive to ossec server. I don't know why. > > In parallel I work on email alert via symantec endpoint protection > > manager, maybe it's simplest than try to read symantec non-conforming > > logs with ossec. > > That's always an option. > > Did you restart the manager's OSSEC processes after you added the > <logall> option to the manager's ossec.conf? You need to restart the > processes for the setting to take effect. > > > > > > > > > > > On 29 juil, 15:44, "dan (ddp)" <[email protected]> wrote: > >> On Thu, Jul 28, 2011 at 8:07 AM, Blauch Armand <[email protected]> wrote: > >> > Hello, > > >> > I want to check a symantec end point protection log file without > >> > succes. > > >> > This file (seclog.log) is here: > >> > C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\sec.log > > >> > So, I first add on the ossec.conf this lines (on the agent): > >> > *********************************************************** > >> > <localfile> > >> > <location>C:\Program Files (x86)\Symantec\Symantec Endpoint > >> > Protection\seclog.log</location> > >> > <log_format>syslog</log_format> > >> > </localfile> > >> > *********************************************************** > > >> > I've restarted ossec service and put full control for all user on the > >> > file sec.log. > > >> > I have theses lines on the ossec.log on the agent: > >> > 2011/07/28 03:54:12 ossec-agent(1950): INFO: Analyzing file: 'C: > >> > \Program Files (x86)\Symantec\Symantec Endpoint Protection > >> > \seclog.log'. > >> > 2011/07/28 03:54:12 ossec-agent: INFO: Started (pid: 1308). > > >> > On the ossec server, I've added a decoder: > >> > ******************************************************** > >> > <decoder name="symantec-EndpointProtection-SP"> > >> > <prematch>have been scanned from </prematch> > >> > <regex offset="after_prematch">(\S+)</regex> > >> > <order>srcip</order> > >> > </decoder> > >> > ********************************************************* > > >> > I've added to 3 rules: > >> > ********************************************************* > >> > <group name="symantecEP,"> > >> > <rule id="100000" level="5"> > >> > <decoded_as>symantec-EndpointProtection-SP</decoded_as> > >> > <description>Grouping of Symantec Endpoint Protection Rules.</ > >> > description> > >> > </rule> > > >> > <rule id="100001" level="5"> > >> > <category>windows</category> > >> > <description>Grouping of Symantec EP rules from file sec.log.</ > >> > description> > >> > </rule> > > >> What's the purpose of rule 100001? > > >> > <rule id="100002" level="15"> > >> > <if_sid>100000, 100001</if_sid> > >> > <group>recon</group> > >> > <description>Scan Port detected.</description> > >> > </rule> > > >> > </group> <!-- symantec --> > >> > ************************************************************* > >> > I've restarted ossec service on the server. > > >> > My seclog.log is like this: > >> > ************************************************************* > >> > 00000151 01cc4d09b71eCef1 000000ca 0000000b 460da2c0 > >> > 451da2c0 00000002 00000000 00000001 01cc42095af2e918 > >> > 01cc4d099113dfe8 000009c1 00000000 Somebody is scanning your > >> > computer. > >> > Your computer's TCP ports: > >> > 2068, 13705, 115, 83 and 1358 have been scanned from > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶ > >> > ø[ Default test DOMAIN > >> > 00000151 01cc4d14fdV17f78 000000ca 0000000b 460da2c0 > >> > 450d28c0 00000002 00000000 00000001 01cc4d14af92e151 > >> > 01cc4d14d682ae78 000004b7 00000000 Somebody is scanning your > >> > computer. > >> > Your computer's TCP ports: > >> > 9999, 39, 3001, 254 and 22273 have been scanned from > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶ > >> > ø[ Default test DOMAIN > >> > 00000151 01cc4d16b42e1e74 000000ca 0000000b 460d28c0 > >> > 450da2c0 00000002 00000000 00000001 01cc4d16592a2768 > >> > 01cc4d1690651668 00000800 00000000 Somebody is scanning your > >> > computer. > >> > Your computer's TCP ports: > >> > 627, 5432, 569, 1396 and 5901 have been scanned from > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶ > >> > ø[ Default test DOMAIN > >> > 00000152 01cc4d17156723e4 000000ca 0000000b 462da2c0 > >> > 450da2c0 00000002 00000000 00000001 01cc4d16d0da2838 > >> > 01cc4d16edefed08 0000027a 00000000 Somebody is scanning your > >> > computer. > >> > Your computer's TCP ports: > >> > 340, 487, 220, 4660 and 5803 have been scanned from > >> > 192.168.25.69. PV¶ 6 PV¶ PV¶ > >> > ø[ Default test DOMAIN > >> > ************************************************************** > > >> Unfortunately, due to line wrapping I'm not sure where the logs begin an > >> end. > > >> > And ossec-logtest is ok for this kind of line: "340, 487, 220, 4660 > >> > and 5803 have been scanned from 192.168.25.69." > > >> > Does anyone has an idea with my issue? How can I check that the ossec > >> > server has the informations on the seclog.log? > > >> What is your issue? > >> If you want to make sure the logs are making it to the manager, turn > >> the <logall> option on. You can then check > >> /var/ossec/logs/archives/archives.log to see what log messages are > >> being > >> processed.http://www.ossec.net/doc/syntax/head_ossec_config.reports.html#elemen...
