Hi Dan,

I've set logall -> yes and run logtest on a log from archives.log.
Here is the result. I think that the decoding is not correct. I'm using
the default decoder and the default ssh rule of OSSEC.

2012 May 28 21:18:40 (xp) 192.168.1.1->WinEvtLog WinEvtLog:
Application: INFORMATION(0): sshd: SYSTEM: NT AUTHORITY: CUBEAN:
sshd : PID 888 : Failed password for illegal user phuonghien from
192.168.1.25 port 35681 ssh2


**Phase 1: Completed pre-decoding.
       full event: '2012 May 28 21:18:40 (xp) 192.168.1.1->WinEvtLog
WinEvtLog: Application: INFORMATION(0): sshd: SYSTEM: NT AUTHORITY:
CUBEAN: sshd : PID 888 : Failed password for illegal user phuonghien
from 192.168.1.25 port 35681 ssh2'
       hostname: 'phuonghien-laptop'
       program_name: '(null)'
       log: '2012 May 28 21:18:40 (xp) 192.168.1.1->WinEvtLog
WinEvtLog: Application: INFORMATION(0): sshd: SYSTEM: NT AUTHORITY:
CUBEAN: sshd : PID 888 : Failed password for illegal user phuonghien
from 192.168.1.25 port 35681 ssh2'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.



On May 28, 7:14 pm, "dan (ddp)" <[email protected]> wrote:
> On Sun, May 27, 2012 at 1:04 PM, hoa nguyen <[email protected]> wrote:
> > Hi Dan,
>
> > Thank you very much for your response.
> > My problem is OK. I found this error: the device tap0 (virtual
> > bridge). tap0 receives data from XP (not device eth0).
>
> > But I have another problem: I'm trying to test a rule using SSHD.
> > scenario: ossec server: ubuntu and ossec agent: XP (virtual machine)
> > - I'm trying to connect remotely (from ubuntu) to XP using ssh. On XP, I
> > see the sshd event in Event viewer.
>
> Are you monitoring that stream (or whatever event viewer calls it)?
> Turn on the log all option on the OSSEC server, restart the OSSEC
> processes and try again. Do you see the log in
> /var/ossec/logs/archives/archives.log? If not, then the log isn't
> making it to the OSSEC server to be processed. If it is, reply with a
> copy of the log. We'll use ossec-logtest to see how it is decoded and
> to correct any issues.
>
> > - But I can't see this event (or ALERT) on the ossec server.
>
> What alert are you expecting?
>
>
>
> > Please help me with a solution
>
> > Thanks again
>
> > On May 23, 9:23 pm, "dan (ddp)" <[email protected]> wrote:
> >> What version of OSSEC (on server and agent)?
>
> >> Has the agent ever successfully communicated with the server?
>
> >> Run tcpdump on the server. Can you see the udp packets arriving on
> >> port 1514? Do you see response packets back to the agent? Are the
> >> packets from the agent coming in from the correct IP (the correct IP
> >> is the IP you entered into manage_agents on the server when adding the
> >> agent)?
>
> >> Recopy the key from the server to the agent and restart the agent's
> >> ossec service.
>
> >> Anything in the server or agent's ossec.log? Try running the ossec
> >> processes in debug mode. Does anything show up in the logs now?
>
> >> On Wed, May 23, 2012 at 5:26 AM, hoa nguyen <[email protected]> wrote:
> >> > I'd tried.
> >> > But this problem isn't OK yet.
>
> >> > Ubuntu and XP virtual machine, two nodes communicate via NIC eth0
> >> > Please help me with a solution
> >> > Thanks
>
> >> > Hoa
>
> >> > On May 23, 3:16 pm, mikes <[email protected]> wrote:
> >> >> Try it:
>
> >> >> /etc/init.d/ossec stop
> >> >> rm /var/ossec/queue/rids/*
> >> >> /etc/init.d/ossec start
>
> >> >> And check the key for the agent. Try removing the agent from the server and generating a new key,
> >> >> remember to delete rids/* after
>
> >> >> On Wednesday, 11 April 2012 09:59:41 UTC+2, user
> >> >> [email protected]
> >> >> wrote:
>
> >> >> > Hi,
> >> >> > I have an ossec server on ubuntu, and an agent on windows xp. windows xp
> >> >> > is a virtual machine.
> >> >> > At the beginning, everything was OK. But when I changed the virtual machine to an
> >> >> > older snapshot (its agent worked fine when I took this snapshot), the
> >> >> > agent can not connect to the server any more. Its log is as follows:
>
> >> >> > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
> >> >> > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for
> >> >> > permission...
> >> >> > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply
> >> >> > (not started). Tried: '202.197.1.100'.
> >> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server
> >> >> > (202.197.1.100:1514).
> >> >> > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 .
> >> >> > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply
> >> >> > (not started). Tried: '202.197.1.100'.
>
> >> >> > What's the problem with it?
> >> >> > Gratitude!
