Quoting "dan (ddp)" <[email protected]>:
On Thu, Nov 1, 2012 at 10:44 AM, <[email protected]> wrote:
Ok. Is SyslogAgent v3.5 by Datagram ... see picture attached.
If this one is not good, what agent is recommended?
Regards,
Alx
It's not a question as to whether it's good or not, it just isn't
currently supported. But this is an easy fix. It's apparently based on
NTSyslog, which does have a decoder.
Let's write a decoder! First, how does the log sample look in ossec-logtest?
2012/11/01 10:52:54 ossec-testrule: INFO: Reading decoder file
etc/decoder.xml.
2012/11/01 10:52:54 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/11/01 10:52:55 ossec-testrule: INFO: Reading the lists file:
'lists/blocked.txt'
2012/11/01 10:52:55 ossec-testrule: INFO: Reading the lists file:
'lists/userlist.txt'
2012/11/01 10:52:55 ossec-testrule: INFO: Reading the lists file:
'lists/auser.txt'
2012/11/01 10:52:55 ossec-testrule: INFO: Started (pid: 4131).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Oct 30 08:15:44 sftp
microsoft-windows-security-auditing[success] 4663 An attempt was made
to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
hostname: 'sftp'
program_name: '(null)'
log: 'microsoft-windows-security-auditing[success] 4663 An
attempt was made to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
No decoder, just like we knew. The log starts with (after the header),
"microsoft-windows-security-auditing[success]." The windows-ntsyslog
decoder looks for "<prematch>^security[\w+] \d+ </prematch>" first.
These two things don't quite line up, so open
/var/ossec/etc/decoder.xml in vi/emacs. Change the prematch to look
like:
"<prematch>^security[\w+] \d+ |^microsoft-windows-security-auditing[\w+] \d+ </prematch>"
then save and close.
The decoder should look like this now:
<decoder name="windows-ntsyslog">
  <type>windows</type>
  <prematch>^security[\w+] \d+ |^microsoft-windows-security-auditing[\w+] \d+ </prematch>
  <regex>^(\w+)[(\w+)] (\d+) </regex>
  <order>extra_data, status, id</order>
</decoder>
Now rerun the log message through ossec-logtest, and look at the results:
# cat /tmp/lll | /var/ossec/bin/ossec-logtest
2012/11/01 10:58:23 ossec-testrule: INFO: Reading decoder file
etc/decoder.xml.
2012/11/01 10:58:23 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/11/01 10:58:23 ossec-testrule: INFO: Reading the lists file:
'lists/blocked.txt'
2012/11/01 10:58:23 ossec-testrule: INFO: Reading the lists file:
'lists/userlist.txt'
2012/11/01 10:58:23 ossec-testrule: INFO: Reading the lists file:
'lists/auser.txt'
2012/11/01 10:58:23 ossec-testrule: INFO: Started (pid: 24943).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Oct 30 08:15:44 sftp
microsoft-windows-security-auditing[success] 4663 An attempt was made
to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
hostname: 'sftp'
program_name: '(null)'
log: 'microsoft-windows-security-auditing[success] 4663 An
attempt was made to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000'
**Phase 2: Completed decoding.
decoder: 'windows-ntsyslog'
extra_data: 'microsoft-windows-security-auditing'
status: 'success'
id: '4663'
**Phase 3: Completed filtering (rules).
Rule id: '18104'
Level: '0'
Description: 'Windows audit success event.'
Notice how Phase 2 changed? It is now being decoded a bit better, and
I have a patch to submit to ossec-dev. ;)
Yeeees, beautiful ....
It should be submitted to dev and is much better than in the past, but
it still does not decode other events coming from the same host
correctly. See below:
First:
Nov 2 10:47:17 sftp srv[warning] 2012 While transmitting or receiving
data, the server#177encountered a network error. Occassional errors
are#177expected, but large amounts of these indicate a
possible#177error in your network configuration. The error status
code#177is contained within the returned data (formatted as
Words)#177and may point you towards the problem.
Second:
Nov 2 10:47:20 sftp dnsapi[info] 11157 The system failed to register
pointer (PTR) resource#177records (RRs) for network adapter#177with
settings:#177#177 Adapter Name :
{30C62049-E39A-4C15-A0F7-7BF2B56A025F}#177 Host Name : sftp#177
Adapter-specific Domain Suffix : sens.com#177 DNS server list :#177
192.168.50.50#177 Sent update to server : <?>#177 IP Address :
192.168.52.202#177#177 The cause was DNS server failure. This may
because the#177reverse lookup zone is busy or missing on the DNS
server#177that your computer needs to update. In most cases, this
is#177a minor problem because it does not affect normal
(forward)#177name resolution.#177#177 If reverse (address-to-name)
resolution is required for#177your computer, you can manually retry
DNS registration of#177the network adapter and its settings by typing
"ipconfig#177/registerdns" at the command prompt. If problems
still#177persist, contact your DNS server or network
systems#177administrator. For specific error code information,
see#177the record data below.
Can you please update the above decoder to catch [info] and [warning] messages too?
Regards,
Alx
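To see why the original prematch misses the 4663 event, why dan's change catches it, and why the srv[warning] and dnsapi[info] events in the follow-up still fall through, here is an added emulation of the decoder's prematch/regex/order steps in Python. It is not part of the thread or of OSSEC; the translation of OSSEC's regex dialect, the shortened sample events and the WIDE_PREMATCH candidate are all constructed here as assumptions.

```python
import re

# Constructed sample events (bodies shortened) in the shape the thread shows:
# syslog header, then "<source>[<status>] <eventid> <message>"; "#177" is the
# agent's placeholder for a newline inside the event.
SAMPLES = [
    "Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 "
    "An attempt was made to access an object.#177#177Subject:#177...",
    "Nov 2 10:47:17 sftp srv[warning] 2012 While transmitting or receiving "
    "data, the server#177encountered a network error...",
    "Nov 2 10:47:20 sftp dnsapi[info] 11157 The system failed to register "
    "pointer (PTR) resource#177records (RRs)...",
]

# Decoder fields as they appear in the thread (OSSEC regex syntax).
OLD_PREMATCH = r"^security[\w+] \d+ "
NEW_PREMATCH = r"^security[\w+] \d+ |^microsoft-windows-security-auditing[\w+] \d+ "
REGEX = r"^(\w+)[(\w+)] (\d+) "
ORDER = ("extra_data", "status", "id")
# Constructed candidate for the follow-up request (any source, any status);
# NOT from the thread, and it must be re-tested with ossec-logtest so it does
# not claim events that other decoders in decoder.xml are meant to handle.
WIDE_PREMATCH = r"^\w+[\w+] \d+ "

SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$")

def to_python(ossec_pattern):
    """Approximate OSSEC's os_regex dialect in Python (assumption: '[' and ']'
    are literal there and \\w also covers '-', '_' and '@', which is why the
    hyphenated source name decodes as a single extra_data token)."""
    pat = ossec_pattern.replace("[", r"\[").replace("]", r"\]")
    return pat.replace(r"\w", r"[A-Za-z0-9@_\-]")

def predecode(event):
    """Phase 1: split the syslog header off, as ossec-logtest displays it."""
    m = SYSLOG_HEADER.match(event)
    return {"hostname": m.group(1), "log": m.group(2)} if m else None

def decode(log, prematch, regex=REGEX, order=ORDER):
    """Phase 2: prematch gates the decoder, regex fills the <order> fields."""
    if not re.search(to_python(prematch), log):
        return None
    m = re.search(to_python(regex), log)
    return dict(zip(order, m.groups())) if m else None

def decode_all(prematch):
    """Run every sample through one prematch; None means 'No decoder matched'."""
    return [decode(predecode(e)["log"], prematch) for e in SAMPLES]
```

With OLD_PREMATCH nothing decodes, with NEW_PREMATCH only the 4663 event yields extra_data/status/id, and only the constructed WIDE_PREMATCH reaches the srv and dnsapi events.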