On Tue, Feb 26, 2013 at 12:43 PM, Nathaniel Bentzinger <[email protected]> wrote:
> I’ve written a powershell script to install windows updates and report back status to the Application Event log so OSSEC can scrape them up and generate alerts, however I’m not getting the email generated.
>
> My rule:
>
> <group name="syslog,WindowsUpdateScript">
>   <rule id="100012" level="9">
>     <if_sid>1</if_sid>
>     <match>WindowsUpdateScript</match>
>     <description>Windows Update Script</description>
>   </rule>
> </group>
>
> LogAll is enabled on my ossec.conf & the email alert level is 8.
>
> The logging results in the archives.log:
>
> # tail -f archives/archives.log | grep WindowsUpdate
> 2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation: 2/26/2013 12:35:29 PM
>
> Ossec-Logtest output:
>
> [root@secserv bin]# ./ossec-logtest -f
> 2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
> 2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
> ossec-testrule: Type one log per line.
>
> Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)
>
> **Phase 1: Completed pre-decoding.
>        full event: ' Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)'
>        hostname: 'secserv'
>        program_name: '(null)'
>        log: ' Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>     Trying rule: 5700 - SSHD messages grouped.
>     Trying rule: 5600 - Grouping for the telnetd rules
>     Trying rule: 2100 - NFS rules grouped.
>     Trying rule: 2507 - OpenLDAP group.
>     Trying rule: 2550 - rshd messages grouped.
>     Trying rule: 2701 - Ignoring procmail messages.
>     Trying rule: 2800 - Pre-match rule for smartd.
>     Trying rule: 5100 - Pre-match rule for kernel messages
>     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>     Trying rule: 2830 - Crontab rule group.
>     Trying rule: 5300 - Initial grouping for su messages.
>     Trying rule: 5400 - Initial group for sudo messages
>     Trying rule: 9100 - PPTPD messages grouped
>     Trying rule: 9200 - Squid syslog messages grouped
>     Trying rule: 2900 - Dpkg (Debian Package) log.
>     Trying rule: 2930 - Yum logs.
>     Trying rule: 2931 - Yum logs.
>     Trying rule: 7200 - Grouping of the arpwatch rules.
>     Trying rule: 7300 - Grouping of Symantec AV rules.
>     Trying rule: 7400 - Grouping of Symantec Web Security rules.
>     Trying rule: 4300 - Grouping of PIX rules
>     Trying rule: 12100 - Grouping of the named rules
>     Trying rule: 13100 - Grouping for the smbd rules.
>     Trying rule: 13106 - (null)
>     Trying rule: 11400 - Grouping for the vsftpd rules.
>     Trying rule: 11300 - Grouping for the pure-ftpd rules.
>     Trying rule: 11200 - Grouping for the proftpd rules.
>     Trying rule: 11500 - Grouping for the Microsoft ftp rules.
>     Trying rule: 11100 - Grouping for the ftpd rules.
>     Trying rule: 9300 - Grouping for the Horde imp rules.
>     Trying rule: 9400 - Roundcube messages groupe.d
>     Trying rule: 9500 - Wordpress messages grouped.
>     Trying rule: 9600 - cimserver messages grouped.
>     Trying rule: 9900 - Grouping for the vpopmail rules.
>     Trying rule: 9800 - Grouping for the vm-pop3d rules.
>     Trying rule: 3900 - Grouping for the courier rules.
>     Trying rule: 30100 - Apache messages grouped.
>     Trying rule: 31300 - Nginx messages grouped.
>     Trying rule: 31404 - PHP Warning message.
>     Trying rule: 31405 - PHP Fatal error.
>     Trying rule: 31406 - PHP Parse error.
>     Trying rule: 50100 - MySQL messages grouped.
>     Trying rule: 50500 - PostgreSQL messages grouped.
>     Trying rule: 4700 - Grouping of Cisco IOS rules.
>     Trying rule: 4500 - Grouping for the Netscreen Firewall rules
>     Trying rule: 4800 - SonicWall messages grouped.
>     Trying rule: 3300 - Grouping of the postfix reject rules.
>     Trying rule: 3320 - Grouping of the postfix rules.
>     Trying rule: 3390 - Grouping of the clamsmtpd rules.
>     Trying rule: 3100 - Grouping of the sendmail rules.
>     Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
>     Trying rule: 3600 - Grouping of the imapd rules.
>     Trying rule: 3700 - Grouping of mailscanner rules.
>     Trying rule: 9700 - Dovecot Messages Grouped.
>     Trying rule: 3800 - Grouping of Exchange rules.
>     Trying rule: 14100 - Grouping of racoon rules.
>     Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
>     Trying rule: 3500 - Grouping for the spamd rules
>     Trying rule: 7600 - Grouping of Trend OSCE rules.
>     Trying rule: 31200 - Grouping of Zeus rules.
>     Trying rule: 6100 - Solaris BSM Auditing messages grouped.
>     Trying rule: 19100 - VMWare messages grouped.
>     Trying rule: 19101 - VMWare ESX syslog messages grouped.
>     Trying rule: 6300 - Grouping for the MS-DHCP rules.
>     Trying rule: 6350 - Grouping for the MS-DHCP rules.
>     Trying rule: 6200 - Asterisk messages grouped.
>     Trying rule: 600 - Active Response Messages Grouped
>     Trying rule: 51500 - Grouping of bsd_kernel alerts
>     Trying rule: 51521 - Grouping for groupdel rules.
>     Trying rule: 51523 - No core dumps.
>     Trying rule: 52500 - Grouping of the clamd rules.
>     Trying rule: 52501 - ClamAV database update
>     Trying rule: 52000 - Grouping for all bro-ids events.
>     Trying rule: 51000 - Grouping for dropbear rules.
>     Trying rule: 40102 - Buffer overflow attack on rpc.statd
>     Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
>     Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
>     Trying rule: 1003 - Non standard syslog message (size too large).
>     Trying rule: 40104 - Possible buffer overflow attempt.
>     Trying rule: 40105 - "Null" user changed some information.
>     Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
>     Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
>     Trying rule: 2301 - Excessive number connections to a service.
>     Trying rule: 2502 - User missed the password more than one time
>     Trying rule: 2504 - Illegal root login.
>     Trying rule: 100012 - Windows Update Script
>        *Rule 100012 matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100012'
>        Level: '9'
>        Description: 'Windows Update Script'
> **Alert to be generated.
>

Perhaps the level is too low? Does the alert show up in alerts.log?

> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
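One way to check the two things the reply asks about, as an added example that is not code from the thread or from OSSEC itself: it reads the rule as posted plus a constructed ossec.conf fragment, matches the archived event against the rule's <match>, and reports whether the alert clears log_alert_level and email_alert_level. The ossec.conf fragment, the literal-substring treatment of <match>, and the simplified handling of the alert_by_email / no_email_alert rule options are assumptions of this model, not OSSEC's own matching engine.

```python
import xml.etree.ElementTree as ET

# Rule as posted in the thread (local_rules.xml style).
LOCAL_RULES = """<group name="syslog,WindowsUpdateScript">
  <rule id="100012" level="9">
    <if_sid>1</if_sid>
    <match>WindowsUpdateScript</match>
    <description>Windows Update Script</description>
  </rule>
</group>"""

# Constructed ossec.conf fragment: email_alert_level 8 as stated in the thread.
OSSEC_CONF = """<ossec_config>
  <global><email_notification>yes</email_notification></global>
  <alerts><log_alert_level>1</log_alert_level><email_alert_level>8</email_alert_level></alerts>
</ossec_config>"""

# Event from the thread's archives.log, as the Windows agent forwards it.
EVENT = ("WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: (no user): "
         "no domain: TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation")

def load_rules(xml_text):
    """Rules files may hold several top-level <group>s, so wrap them in one root."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return [{"id": r.get("id"), "level": int(r.get("level", "0")),
             "match": r.findtext("match") or "",
             "options": [o.text.strip() for o in r.findall("options") if o.text]}
            for r in root.iter("rule")]

def email_settings(conf_text):
    root = ET.fromstring(conf_text)
    return {"enabled": (root.findtext("global/email_notification") or "no").strip() == "yes",
            "log_level": int(root.findtext("alerts/log_alert_level") or "1"),
            "email_level": int(root.findtext("alerts/email_alert_level") or "7")}

def evaluate(event, rules, settings):
    """Return (rule_id, logged, emailed) for the first rule whose <match> hits, else None."""
    for r in rules:
        # A literal <match> value is treated as a substring test; OSSEC regex syntax is not modelled.
        if r["match"] and r["match"] in event:
            logged = r["level"] > 0 and r["level"] >= settings["log_level"]
            emailed = (logged and settings["enabled"]
                       and "no_email_alert" not in r["options"]
                       and (r["level"] >= settings["email_level"] or "alert_by_email" in r["options"]))
            return r["id"], logged, emailed
    return None

if __name__ == "__main__":
    print(evaluate(EVENT, load_rules(LOCAL_RULES), email_settings(OSSEC_CONF)))
```

With the values from the thread (level 9, email level 8, notification on) the model says the alert should be both logged and emailed, which is why the reply points at alerts.log and the level as the next things to verify.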
