On Tue, Nov 20, 2012 at 4:12 AM, Michiel van Es <[email protected]> wrote:
>
> To respond to my own question:
>
> It is fixed! I had to restart ossec-hids on the client/agent and voila: it
> works!
>
> Thanks again for all the help!
>
> Michiel
>

Using globs in the localfile blocks only works for files present when OSSEC
starts. If a new file gets created, it won't be picked up automatically,

>
> 2012/11/20 Michiel van Es <[email protected]>
>>
>> 2012/11/19 dan (ddp) <[email protected]>
>>>
>>> <snip>
>>>
>>> The decoder is clavister, not clavister-alert.
>>>
>>> Before changing the decoder name:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>>> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
>>> action=drop rule=d_all_any_to_external recvif=cpub1003
>>> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
>>> srcport=80 destport=49511 ack=1 fin=1'
>>>        hostname: '10.170.80.3'
>>>        program_name: '(null)'
>>>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
>>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'clavister'
>>>        action: 'drop'
>>>        srcip: '10.170.83.14'
>>>        dstip: '81.83.145.188'
>>>        srcport: '80'
>>>        dstport: '49511'
>>>        extra_data: 'ack=1 fin=1'
>>>
>>>
>>> After changing the decoder name:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08]
>>> EFW: RULE: prio=6 id=06000051 rev=1 event=ruleset_drop_packet
>>> action=drop rule=d_all_any_to_external recvif=cpub1003
>>> srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP ipdatalen=20
>>> srcport=80 destport=49511 ack=1 fin=1'
>>>        hostname: '10.170.80.3'
>>>        program_name: '(null)'
>>>        log: '[2012-11-14 12:20:08] EFW: RULE: prio=6 id=06000051 rev=1
>>> event=ruleset_drop_packet action=drop rule=d_all_any_to_external
>>> recvif=cpub1003 srcip=10.170.83.14 destip=81.83.145.188 ipproto=TCP
>>> ipdatalen=20 srcport=80 destport=49511 ack=1 fin=1'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'clavister'
>>>        action: 'drop'
>>>        srcip: '10.170.83.14'
>>>        dstip: '81.83.145.188'
>>>        srcport: '80'
>>>        dstport: '49511'
>>>        extra_data: 'ack=1 fin=1'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '700006'
>>>        Level: '12'
>>>        Description: 'Clavister drop firewall!'
>>> **Alert to be generated.
>>>
>>>
>>> <snip>
>>
>>
>> Ok, thanks, I can see now via logtest that it will alert. I don't see
>> anything appearing in the alert.log logfile on the manager.
>> Could the syntax of the agent.conf and location be wrong:
>>
>>   <agent_config name="*machine*">
>>     <localfile>
>>       <log_format>syslog</log_format>
>>       <location>/data/logs/host/fw-10.170.80.*.log</location>
>>     </localfile>
>>
>> Notice I use fw-10.170.80.*.log, will the wildcard work?
>> (the firewall logfiles are named fw-10.170.80.2.log, fw-10.170.80.3.log,
>> fw-10.170.80.4.log, etc.)
>>
>> Michiel
>
>
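The three logtest phases quoted above (pre-decoding, the clavister decoder's field extraction, and the rule match) walked through in Python, as an added illustration that is not OSSEC's code nor anything posted in this thread. The regexes, the sample event and the stand-in for rule 700006 are constructed here from the quoted output; the real decoder and rule XML are assumptions, since the thread does not show them.

```python
import re

# Constructed sample: the event Michiel fed to ossec-logtest in the thread.
SAMPLE = ("Nov 14 12:19:53 10.170.80.3 [2012-11-14 12:20:08] EFW: RULE: prio=6 "
          "id=06000051 rev=1 event=ruleset_drop_packet action=drop "
          "rule=d_all_any_to_external recvif=cpub1003 srcip=10.170.83.14 "
          "destip=81.83.145.188 ipproto=TCP ipdatalen=20 srcport=80 "
          "destport=49511 ack=1 fin=1")

# Phase 1: syslog pre-decoding. The Clavister line carries no "prog[pid]:"
# tag after the hostname, which is why logtest reported program_name '(null)'.
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<log>.*)$")

# Phase 2: the field extraction the 'clavister' decoder performed (assumed
# regex). Whatever follows destport= is kept as extra_data ('ack=1 fin=1').
CLAVISTER_RE = re.compile(
    r"EFW: RULE: .*?action=(?P<action>\S+) .*?srcip=(?P<srcip>\S+) "
    r"destip=(?P<dstip>\S+) .*?srcport=(?P<srcport>\d+) "
    r"destport=(?P<dstport>\d+) ?(?P<extra_data>.*)$")

def predecode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group("hostname"), "program_name": None, "log": m.group("log")}

def decode(pre):
    m = CLAVISTER_RE.search(pre["log"])
    if not m:
        return None  # not a Clavister RULE line; no decoder fields
    fields = {"decoder": "clavister"}
    fields.update(m.groupdict())
    return fields

# Phase 3: stand-in for rule 700006 (level 12, "Clavister drop firewall!") from
# the thread; its XML is not shown, so matching on action=drop is an assumption.
def match_rule(fields):
    if fields and fields["action"] == "drop":
        return {"id": "700006", "level": 12, "description": "Clavister drop firewall!"}
    return None

def analyze(line):
    pre = predecode(line)
    fields = decode(pre) if pre else None
    return {"predecoded": pre, "decoded": fields, "rule": match_rule(fields)}

if __name__ == "__main__":
    for phase, result in analyze(SAMPLE).items():
        print(phase, result)
```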
