I've written a PowerShell script to install Windows updates and report back
status to the Application Event log so OSSEC can scrape them up and generate
alerts; however, I'm not getting the email generated.
My rule:
<group name="syslog,WindowsUpdateScript">
<rule id="100012" level="9">
<if_sid>1</if_sid>
<match>WindowsUpdateScript</match>
<description>Windows Update Script</description>
</rule>
</group>
LogAll is enabled on my ossec.conf & the email alert level is 8.
The logging results in the archives.log:
# tail -f archives/archives.log | grep WindowsUpdate
2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog:
Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain:
TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation:
2/26/2013 12:35:29 PM
Ossec-Logtest output:
[root@secserv bin]# ./ossec-logtest -f
2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
ossec-testrule: Type one log per line.
Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain:
TESTWIN2008.archergroup.local: Automated Windows Update Installation:
Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for
Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)
**Phase 1: Completed pre-decoding.
full event: ' Application: INFORMATION(105): WindowsUpdateScript: (no
user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update
Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results:
Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable
Package (KB2565063)'
hostname: 'secserv'
program_name: '(null)'
log: ' Application: INFORMATION(105): WindowsUpdateScript: (no user): no
domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation:
Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for
Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)'
**Phase 2: Completed decoding.
No decoder matched.
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2507 - OpenLDAP group.
Trying rule: 2550 - rshd messages grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5400 - Initial group for sudo messages
Trying rule: 9100 - PPTPD messages grouped
Trying rule: 9200 - Squid syslog messages grouped
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 2930 - Yum logs.
Trying rule: 2931 - Yum logs.
Trying rule: 7200 - Grouping of the arpwatch rules.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 12100 - Grouping of the named rules
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 13106 - (null)
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9400 - Roundcube messages groupe.d
Trying rule: 9500 - Wordpress messages grouped.
Trying rule: 9600 - cimserver messages grouped.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 30100 - Apache messages grouped.
Trying rule: 31300 - Nginx messages grouped.
Trying rule: 31404 - PHP Warning message.
Trying rule: 31405 - PHP Fatal error.
Trying rule: 31406 - PHP Parse error.
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 4700 - Grouping of Cisco IOS rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 9700 - Dovecot Messages Grouped.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 7600 - Grouping of Trend OSCE rules.
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 6300 - Grouping for the MS-DHCP rules.
Trying rule: 6350 - Grouping for the MS-DHCP rules.
Trying rule: 6200 - Asterisk messages grouped.
Trying rule: 600 - Active Response Messages Grouped
Trying rule: 51500 - Grouping of bsd_kernel alerts
Trying rule: 51521 - Grouping for groupdel rules.
Trying rule: 51523 - No core dumps.
Trying rule: 52500 - Grouping of the clamd rules.
Trying rule: 52501 - ClamAV database update
Trying rule: 52000 - Grouping for all bro-ids events.
Trying rule: 51000 - Grouping for dropbear rules.
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV
(Solaris).
Trying rule: 2301 - Excessive number connections to a service.
Trying rule: 2502 - User missed the password more than one time
Trying rule: 2504 - Illegal root login.
Trying rule: 100012 - Windows Update Script
*Rule 100012 matched.
**Phase 3: Completed filtering (rules).
Rule id: '100012'
Level: '9'
Description: 'Windows Update Script'
**Alert to be generated.
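As an added illustration (not part of the original post, and not OSSEC's own code), the small model below routes the two lines quoted above the way OSSEC's decoders would. It assumes the stock windows decoder prematches on "WinEvtLog: " and parents its events under rule 18100, while text that no decoder claims falls to the syslog template, rule 1; the archives.log prefix pattern is also an assumption.

```python
import re

# Constructed, simplified model of two OSSEC routing paths (not OSSEC's code).
# Assumption: the "windows" decoder prematches on "WinEvtLog: " and its events
# are parented by rule 18100; anything else is treated as syslog (rule 1).
WINDOWS_PREMATCH = re.compile(r"^WinEvtLog: ")
WINDOWS_PARENT_SID = 18100
SYSLOG_PARENT_SID = 1

# archives.log prepends "<timestamp> (<agent>) <ip>-><location> " to the raw
# event; the line typed into ossec-logtest carries no such prefix (assumed format).
ARCHIVE_PREFIX = re.compile(r"^\d{4} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \(\S+\) \S+->\S+ ")

def raw_event(line):
    """Strip the archives.log prefix if present, giving the event as decoders see it."""
    return ARCHIVE_PREFIX.sub("", line, count=1)

def parent_sid(event):
    """Rule that parents this event before child rules (if_sid) are tried."""
    return WINDOWS_PARENT_SID if WINDOWS_PREMATCH.match(event) else SYSLOG_PARENT_SID

def custom_rule_fires(event, if_sid, match="WindowsUpdateScript"):
    """Would a rule with <if_sid>if_sid</if_sid> and <match>match</match> fire?"""
    return parent_sid(event) == if_sid and match in event

# Sample input constructed from the lines quoted in the post.
ARCHIVE_LINE = ("2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog: "
                "Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain: "
                "TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation: "
                "2/26/2013 12:35:29 PM")
LOGTEST_LINE = ("Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: "
                "TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: "
                "2/26/2013 12:28:44 PM")

if __name__ == "__main__":
    for label, line in (("logtest input", LOGTEST_LINE), ("archives.log", ARCHIVE_LINE)):
        ev = raw_event(line)
        print(f"{label}: parent rule {parent_sid(ev)}, "
              f"if_sid=1 fires: {custom_rule_fires(ev, 1)}, "
              f"if_sid=18100 fires: {custom_rule_fires(ev, 18100)}")
```

The logtest input, pasted without its "WinEvtLog: " prefix, is parented by rule 1 and matches; the same event read from the agent is parented by the windows group, so a child of rule 1 never sees it.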
You received this message because you are subscribed to the Google Groups
"ossec-list" group.