OH.... So... I need to trim this from my rule: The 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog
On Apr 13, 11:12 am, "dan (ddp)" <[email protected]> wrote:
> The log message is:
>
> WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no
> user): no domain: tp-e420s-1546.mydomain.net: Microsoft Word The
> password is incorrect. Word cannot open the document.
> (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000
> P3: P4:
>
> The 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog is just a
> header OSSEC adds on for logall.
>
> On Fri, Apr 13, 2012 at 2:04 PM, santa rocks <[email protected]> wrote:
> > Any ideas what my next step is? No alert logged even though the rule
> > tests and seems to work.
> > Can this be a bug?
> >
> > Here is a record from the archives.log showing the win7 ossec.conf is
> > sending alerts to the OSSEC HIDS server (server configured with the
> > logall option):
> >
> > 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog:
> > OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no
> > domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is
> > incorrect. Word cannot open the document.
> > (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000
> > P3: P4:
> >
> > When I paste this log line into ossec-logtest it seems to pass.
> >
> > [root@it-mgmt bin]# ./ossec-logtest
> > 2012/04/13 10:57:17 ossec-testrule: INFO: Reading local decoder file.
> > 2012/04/13 10:57:17 ossec-testrule: INFO: Started (pid: 3107).
> > ossec-testrule: Type one log per line.
> >
> > 2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog:
> > OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user): no
> > domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is
> > incorrect. Word cannot open the document.
> > (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000
> > P3: P4:
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog
> > WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user):
> > no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is
> > incorrect. Word cannot open the document.
> > (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3: P4:'
> >        hostname: 'it-mgmt'
> >        program_name: '(null)'
> >        log: '2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog
> > WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 14 Alerts: (no user):
> > no domain: tp-e420s-1546.mydomain.net: Microsoft Word The password is
> > incorrect. Word cannot open the document.
> > (C:\...\PW-linux_baseline_install.docx) P1: 200603 P2: 14.0.6029.1000 P3: P4:'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'Office-Alerts'
> >        dstuser: 'Microsoft Office 14 Alerts: '
> >        status: 'tp-e420s-1546.mydomain.net:'
> >        action: 'Microsoft Word The password is incorrect. Word cannot open the document.'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '109101'
> >        Level: '14'
> >        Description: 'Password Protected Document was submitted'
> > **Alert to be generated.
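An added example, not code from this thread or from the OSSEC project, of trimming that logall header in bulk rather than by hand: the script below splits each archives.log line into the header OSSEC prepends (timestamp, agent name, agent IP, location) and the raw log that the analysis engine actually received, which is what should be pasted into ossec-logtest. The agent-entry layout is taken from the line quoted above; the hostname-only form assumed for the server's own local logs, the regex itself, and the sshd and Security-log sample lines are constructed assumptions for this example.

```python
#!/usr/bin/env python3
"""Strip the archives.log header OSSEC prepends under logall so the raw log
can be fed to ossec-logtest. Example for this thread; not OSSEC project code."""
import re
import sys

# Header layout as seen in the thread for an agent entry:
#   "YYYY Mon DD HH:MM:SS (agent-name) agent-ip->location raw log..."
# The server's own local logs are assumed (for this example) to use
#   "YYYY Mon DD HH:MM:SS hostname->location raw log..." instead.
_HEADER = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))"
    r"->(?P<location>\S+) (?P<log>.*)$"
)


def split_archive_line(line):
    """Return {'ts', 'source', 'ip', 'location', 'log'} for one archives.log line.

    'source' is the agent name (agent entries) or the hostname (local entries).
    A line without a recognisable header is returned whole under 'log' with the
    other fields None, so mixed or already-trimmed input is safe to process.
    """
    text = line.rstrip("\r\n")
    m = _HEADER.match(text)
    if not m:
        return {"ts": None, "source": None, "ip": None, "location": None, "log": text}
    return {
        "ts": m.group("ts"),
        "source": m.group("agent") or m.group("host"),
        "ip": m.group("ip"),
        "location": m.group("location"),
        "log": m.group("log"),
    }


def raw_logs(lines):
    """Yield only the raw log text of each line: what ossec-logtest should see."""
    for line in lines:
        yield split_archive_line(line)["log"]


# Constructed sample input. The first line is the one quoted in the thread
# (its path is elided there too); the other two are made up for the example.
SAMPLE_ARCHIVE_LINES = [
    r"2012 Apr 13 09:27:29 (E420S-1546) 172.17.3.0->WinEvtLog WinEvtLog: OAlerts: "
    r"INFORMATION(300): Microsoft Office 14 Alerts: (no user): no domain: "
    r"tp-e420s-1546.mydomain.net: Microsoft Word The password is incorrect. "
    r"Word cannot open the document. (C:\...\PW-linux_baseline_install.docx) "
    r"P1: 200603 P2: 14.0.6029.1000 P3: P4:",
    "2012 Apr 13 09:30:01 it-mgmt->/var/log/secure Apr 13 09:30:01 it-mgmt "
    "sshd[2222]: Failed password for invalid user test from 10.0.0.5 port 4444 ssh2",
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: host: An account failed to log on.",
]


if __name__ == "__main__":
    # Pipe archives.log in and the trimmed lines out, e.g. into ossec-logtest;
    # with no piped input the constructed samples are used instead.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_ARCHIVE_LINES
    for raw in raw_logs(src):
        print(raw)
```

Run as `python3 strip_header.py < /var/ossec/logs/archives/archives.log | /var/ossec/bin/ossec-logtest` (path and file name assumed) to test every archived event exactly as the server's analysis engine received it, without the header dan describes. Keeping the split fields around is also handy for grouping the archive by agent or location before testing a rule.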
