On Mon, Jan 28, 2013 at 6:04 AM, C. L. Martinez <[email protected]> wrote:
> On Fri, Jan 25, 2013 at 2:10 PM, dan (ddp) <[email protected]> wrote:
>>>
>>>
>>
>> I'm not seeing this with any of my systems. What syslog daemon are you
>> using? If you turn on logall, do you see the "missing" messages in
>> archives.log? I don't know what facilities there are on FreeBSD for
>> debugging things like this. Any chance there's an strace or ktrace you
>> can do and see if you spot an issue?
>>
>
> I have done several checks without luck ... Logs are sent from
> FreeBSD to the ossec server without problems, but my alerts are not
> triggered. For example this:
>
> 2013/01/28 11:02:02 ossec-testrule: INFO: Reading local decoder file.
> 2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/dshield_list'
> 2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/dragon_list'
> 2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/rbn_host_list'
> 2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/rbn_subnet_list'
> 2013/01/28 11:02:02 ossec-testrule: INFO: Reading the lists file: 'lists/zeustracker_list'
> 2013/01/28 11:02:02 ossec-testrule: INFO: Started (pid: 23967).
> ossec-testrule: Type one log per line.
>
> Jan 28 11:01:46 172.31.0.2 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="10.196.129.26" source-port="59012" destination-address="174.127.127.152" destination-port="80" service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" nat-destination-address="174.127.127.152" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="38153" packets-from-client="8" bytes-from-client="337" packets-from-server="8" bytes-from-server="567" elapsed-time="3"]
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 28 11:01:46 172.31.0.2 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="10.196.129.26" source-port="59012" destination-address="174.127.127.152" destination-port="80" service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" nat-destination-address="174.127.127.152" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="38153" packets-from-client="8" bytes-from-client="337" packets-from-server="8" bytes-from-server="567" elapsed-time="3"]'
>        hostname: '172.31.0.2'
>        program_name: '(null)'
>        log: ' 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="10.196.129.26" source-port="59012" destination-address="174.127.127.152" destination-port="80" service-name="junos-http" nat-source-address="212.31.40.37" nat-source-port="56918" nat-destination-address="174.127.127.152" nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="38153" packets-from-client="8" bytes-from-client="337" packets-from-server="8" bytes-from-server="567" elapsed-time="3"]'
>
> **Phase 2: Completed decoding.
>        decoder: 'custom-juniper-srx'
>        action: 'TCP FIN'
>        srcip: '10.196.129.26'
>        srcport: '59012'
>        dstip: '174.127.127.152'
>        dstport: '80'
>        extra_data: 'junos-http'
>        proto: '6'
>        extra_data: 'UTM_trust-to-untrust'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '113002'
>        Level: '14'
>        Description: 'Connection to an IP listed under ZeusTracker Reputation IP lists !!!. Please, review your logs'
> **Alert to be generated.
>
> As you can see, my rules work and an alert needs to be generated, but not
> ....
>
> --
>
What syslog daemon are you using? If you turn on logall (on the server), do you see the "missing" messages in archives.log? I don't know what facilities there are on FreeBSD for debugging things like this. Any chance there's an strace or ktrace you can do and see if you spot an issue?

> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
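The ossec-testrule output quoted above walks one event through three stages: pre-decoding (split off the syslog header, try to find a program name), decoding (the custom-juniper-srx decoder pulls srcip, dstip and friends out of the RT_FLOW structured data) and filtering (rule 113002 fires when the decoded dstip is on the ZeusTracker CDB list). The script below is an added example, not OSSEC's code, that re-implements those three stages in plain Python for the same Juniper SRX line, so a reader can see exactly which pieces the test tool checks. Assumptions: the regular expressions are a simplified stand-in for OSSEC's own pre-decoder and decoder, the reputation list is a constructed one-entry list rather than real ZeusTracker data, and the structured-data ID after `junos@` is not legible on the page, so a placeholder is used in its place.

```python
"""Re-implementation (added example, not OSSEC code) of the three
ossec-testrule phases for a Juniper SRX RT_FLOW_SESSION_CLOSE event."""
import ipaddress
import re
from typing import Optional

# Constructed from the event posted in the thread. The SD-ID after "junos@"
# is not readable on the page, so SDID-PLACEHOLDER stands in for it.
SAMPLE_LOG = (
    'Jan 28 11:01:46 172.31.0.2 2013-01-28T12:01:45.572 INET-FW-SRX RT_FLOW - '
    'RT_FLOW_SESSION_CLOSE [junos@SDID-PLACEHOLDER reason="TCP FIN" '
    'source-address="10.196.129.26" source-port="59012" '
    'destination-address="174.127.127.152" destination-port="80" '
    'service-name="junos-http" nat-source-address="212.31.40.37" '
    'nat-source-port="56918" nat-destination-address="174.127.127.152" '
    'nat-destination-port="80" src-nat-rule-name="r1" dst-nat-rule-name="None" '
    'protocol-id="6" policy-name="UTM_trust-to-untrust" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="38153" '
    'packets-from-client="8" bytes-from-client="337" packets-from-server="8" '
    'bytes-from-server="567" elapsed-time="3"]'
)

# Phase 1 helpers: classic BSD syslog header, then an optional "prog[pid]: ".
SYSLOG_HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$')
PROGRAM = re.compile(r'^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$')
# Phase 2 helpers: the RT_FLOW event name, SD-ID and the key="value" body.
SRX_EVENT = re.compile(r'RT_FLOW - (?P<event>RT_FLOW_SESSION_\w+) \[(?P<sdid>\S+) (?P<body>.*)\]$')
KV = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')

# Juniper attribute -> OSSEC-style field name, mirroring the decoder output
# shown in the thread (the two extra_data values get their own names here).
FIELD_MAP = {
    'reason': 'action', 'source-address': 'srcip', 'source-port': 'srcport',
    'destination-address': 'dstip', 'destination-port': 'dstport',
    'protocol-id': 'proto', 'service-name': 'service', 'policy-name': 'policy',
}

# Constructed reputation list standing in for lists/zeustracker_list.
REPUTATION_LIST = [ipaddress.ip_network('174.127.127.152/32')]
RULE_113002 = {
    'id': '113002', 'level': 14,
    'description': 'Connection to an IP listed under ZeusTracker Reputation '
                   'IP lists !!!. Please, review your logs',
}


def predecode(line: str) -> Optional[dict]:
    """Phase 1: split hostname and program_name off the raw syslog line.
    The SRX message starts with an ISO timestamp, not "prog: ", which is
    why ossec-testrule reports program_name as (null)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    rest = m.group('rest')
    p = PROGRAM.match(rest)
    return {
        'hostname': m.group('host'),
        'program_name': p.group('prog') if p else None,
        'log': p.group('msg') if p else rest,
    }


def decode(pre: Optional[dict]) -> Optional[dict]:
    """Phase 2: the custom-juniper-srx decoder, reduced to a regex over
    the structured-data element and a rename of the attributes we keep."""
    if pre is None:
        return None
    m = SRX_EVENT.search(pre['log'])
    if not m:
        return None
    fields = {'decoder': 'custom-juniper-srx', 'event': m.group('event')}
    for kv in KV.finditer(m.group('body')):
        name = FIELD_MAP.get(kv.group('key'))
        if name:
            fields[name] = kv.group('val')
    return fields


def listed(ip: str) -> bool:
    """CDB-list lookup: is the decoded address inside any listed network?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in REPUTATION_LIST)


def filter_rules(fields: Optional[dict]) -> Optional[dict]:
    """Phase 3: rule 113002 matches the SRX decoder plus a listed dstip."""
    if fields and fields.get('decoder') == 'custom-juniper-srx' \
            and listed(fields.get('dstip', '')):
        return dict(RULE_113002, dstip=fields['dstip'])
    return None


def logtest(line: str) -> dict:
    """Run all three phases, returning each phase's result like ossec-testrule."""
    pre = predecode(line)
    fields = decode(pre)
    return {'phase1': pre, 'phase2': fields, 'phase3': filter_rules(fields)}


if __name__ == '__main__':
    for phase, result in logtest(SAMPLE_LOG).items():
        print(phase, result)
```

Everything this script (and ossec-testrule) exercises happens after the event has already reached analysisd on stdin. It says nothing about whether the live syslog path from FreeBSD delivers the line in the same shape, which is why the reply asks for logall on the server: archives.log records what analysisd actually received, so a line that matches here but is absent or altered there points at transport or the remote syslog configuration rather than at the decoder or rule.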
