> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Tuesday, February 26, 2013 3:29 PM
> To: [email protected]
> Subject: Re: [ossec-list] OSSEC 2.6: Capturing Custom Powershell Event to generate an alert never generates the alert
>
> On Tue, Feb 26, 2013 at 12:43 PM, Nathaniel Bentzinger <nbentzinger@archer-group.com> wrote:
> > I've written a powershell script to install windows updates and report
> > back status to the Application Event log so OSSEC can scrape them up
> > and generate alerts, however I'm not getting the email generated.
> >
> > My rule:
> >
> > <group name="syslog,WindowsUpdateScript">
> >   <rule id="100012" level="9">
> >     <if_sid>1</if_sid>
> >     <match>WindowsUpdateScript</match>
> >     <description>Windows Update Script</description>
> >   </rule>
> > </group>
> >
> > LogAll is enabled on my ossec.conf & the email alert level is 8.
> >
> > The logging results in the archives.log:
> >
> > # tail -f archives/archives.log | grep WindowsUpdate
> > 2013 Feb 26 12:35:31 (testwin2008) 10.10.10.0->WinEvtLog WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Starting Automated Windows Update Installation: 2/26/2013 12:35:29 PM
> >
> > Ossec-Logtest output:
> >
> > [root@secserv bin]# ./ossec-logtest -f
> > 2013/02/26 12:35:21 ossec-testrule: INFO: Reading local decoder file.
> > 2013/02/26 12:35:21 ossec-testrule: INFO: Started (pid: 24615).
> > ossec-testrule: Type one log per line.
> >
> > Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: ' Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)'
> >        hostname: 'secserv'
> >        program_name: '(null)'
> >        log: ' Application: INFORMATION(105): WindowsUpdateScript: (no user): no domain: TESTWIN2008.archergroup.local: Automated Windows Update Installation: Completed: 2/26/2013 12:28:44 PM Windows Update Results: Security Update for Microsoft Visual C++ 2010 Service Pack 1 Redistributable Package (KB2565063)'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > **Rule debugging:
> >     Trying rule: 1 - Generic template for all syslog rules.
> >        *Rule 1 matched.
> >        *Trying child rules.
> >     Trying rule: 5500 - Grouping of the pam_unix rules.
> >     Trying rule: 5700 - SSHD messages grouped.
> >     Trying rule: 5600 - Grouping for the telnetd rules
> >     Trying rule: 2100 - NFS rules grouped.
> >     Trying rule: 2507 - OpenLDAP group.
> >     Trying rule: 2550 - rshd messages grouped.
> >     Trying rule: 2701 - Ignoring procmail messages.
> >     Trying rule: 2800 - Pre-match rule for smartd.
> >     Trying rule: 5100 - Pre-match rule for kernel messages
> >     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> >     Trying rule: 2830 - Crontab rule group.
> >     Trying rule: 5300 - Initial grouping for su messages.
> >     Trying rule: 5400 - Initial group for sudo messages
> >     Trying rule: 9100 - PPTPD messages grouped
> >     Trying rule: 9200 - Squid syslog messages grouped
> >     Trying rule: 2900 - Dpkg (Debian Package) log.
> >     Trying rule: 2930 - Yum logs.
> >     Trying rule: 2931 - Yum logs.
> >     Trying rule: 7200 - Grouping of the arpwatch rules.
> >     Trying rule: 7300 - Grouping of Symantec AV rules.
> >     Trying rule: 7400 - Grouping of Symantec Web Security rules.
> >     Trying rule: 4300 - Grouping of PIX rules
> >     Trying rule: 12100 - Grouping of the named rules
> >     Trying rule: 13100 - Grouping for the smbd rules.
> >     Trying rule: 13106 - (null)
> >     Trying rule: 11400 - Grouping for the vsftpd rules.
> >     Trying rule: 11300 - Grouping for the pure-ftpd rules.
> >     Trying rule: 11200 - Grouping for the proftpd rules.
> >     Trying rule: 11500 - Grouping for the Microsoft ftp rules.
> >     Trying rule: 11100 - Grouping for the ftpd rules.
> >     Trying rule: 9300 - Grouping for the Horde imp rules.
> >     Trying rule: 9400 - Roundcube messages groupe.d
> >     Trying rule: 9500 - Wordpress messages grouped.
> >     Trying rule: 9600 - cimserver messages grouped.
> >     Trying rule: 9900 - Grouping for the vpopmail rules.
> >     Trying rule: 9800 - Grouping for the vm-pop3d rules.
> >     Trying rule: 3900 - Grouping for the courier rules.
> >     Trying rule: 30100 - Apache messages grouped.
> >     Trying rule: 31300 - Nginx messages grouped.
> >     Trying rule: 31404 - PHP Warning message.
> >     Trying rule: 31405 - PHP Fatal error.
> >     Trying rule: 31406 - PHP Parse error.
> >     Trying rule: 50100 - MySQL messages grouped.
> >     Trying rule: 50500 - PostgreSQL messages grouped.
> >     Trying rule: 4700 - Grouping of Cisco IOS rules.
> >     Trying rule: 4500 - Grouping for the Netscreen Firewall rules
> >     Trying rule: 4800 - SonicWall messages grouped.
> >     Trying rule: 3300 - Grouping of the postfix reject rules.
> >     Trying rule: 3320 - Grouping of the postfix rules.
> >     Trying rule: 3390 - Grouping of the clamsmtpd rules.
> >     Trying rule: 3100 - Grouping of the sendmail rules.
> >     Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
> >     Trying rule: 3600 - Grouping of the imapd rules.
> >     Trying rule: 3700 - Grouping of mailscanner rules.
> >     Trying rule: 9700 - Dovecot Messages Grouped.
> >     Trying rule: 3800 - Grouping of Exchange rules.
> >     Trying rule: 14100 - Grouping of racoon rules.
> >     Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
> >     Trying rule: 3500 - Grouping for the spamd rules
> >     Trying rule: 7600 - Grouping of Trend OSCE rules.
> >     Trying rule: 31200 - Grouping of Zeus rules.
> >     Trying rule: 6100 - Solaris BSM Auditing messages grouped.
> >     Trying rule: 19100 - VMWare messages grouped.
> >     Trying rule: 19101 - VMWare ESX syslog messages grouped.
> >     Trying rule: 6300 - Grouping for the MS-DHCP rules.
> >     Trying rule: 6350 - Grouping for the MS-DHCP rules.
> >     Trying rule: 6200 - Asterisk messages grouped.
> >     Trying rule: 600 - Active Response Messages Grouped
> >     Trying rule: 51500 - Grouping of bsd_kernel alerts
> >     Trying rule: 51521 - Grouping for groupdel rules.
> >     Trying rule: 51523 - No core dumps.
> >     Trying rule: 52500 - Grouping of the clamd rules.
> >     Trying rule: 52501 - ClamAV database update
> >     Trying rule: 52000 - Grouping for all bro-ids events.
> >     Trying rule: 51000 - Grouping for dropbear rules.
> >     Trying rule: 40102 - Buffer overflow attack on rpc.statd
> >     Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
> >     Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
> >     Trying rule: 1003 - Non standard syslog message (size too large).
> >     Trying rule: 40104 - Possible buffer overflow attempt.
> >     Trying rule: 40105 - "Null" user changed some information.
> >     Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
> >     Trying rule: 40109 - Stack overflow attempt or program exiting with SEGV (Solaris).
> >     Trying rule: 2301 - Excessive number connections to a service.
> >     Trying rule: 2502 - User missed the password more than one time
> >     Trying rule: 2504 - Illegal root login.
> >     Trying rule: 100012 - Windows Update Script
> >        *Rule 100012 matched.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100012'
> >        Level: '9'
> >        Description: 'Windows Update Script'
> > **Alert to be generated.
> >
>
> Perhaps the level is too low? Does the alert show up in alerts.log?

What do you mean by "Perhaps the level is too low?" The level 9 for this alert? It should have generated an alert since my ossec.conf is for 8 and up. I even made an explicit do not group, do not delay for Rule ID 100012 and it still never sent it.
Nothing is logged in the alerts/alerts.log file by registered Application name or agent name:

tail -f alerts/alerts.log | grep testwin
tail -f alerts/alerts.log | grep WindowsUpdateScript

I've run wireshark and I see the agent pass some data off to the server but the server never generates the SMTP email. Am I correct to assume the archive.log is not the same format as the alerts.log?

> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
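An added example (not from this thread and not OSSEC's own code) that models, in a deliberately simplified way, the path the two inputs in the thread take through OSSEC: the archives.log line still carries its "WinEvtLog: " prefix, whereas the line pasted into ossec-logtest does not, and logtest reports "No decoder matched" before falling through to syslog rule 1. The toy decoder and rule table below assume, following the stock OSSEC decoder.xml and msauth_rules.xml, that lines prematched by "WinEvtLog: " are decoded as Windows events and grouped under parent rule 18100 rather than rule 1; the substring match and the single-level rule tree are this model's simplifications.

```python
EMAIL_ALERT_LEVEL = 8  # email alert level stated in the thread's ossec.conf

# Constructed copies of the two inputs from the thread: the event as the agent
# forwarded it to archives.log, and the same event as pasted into ossec-logtest.
AGENT_LOG = ("WinEvtLog: Application: INFORMATION(104): WindowsUpdateScript: "
             "(no user): no domain: TESTWIN2008.archergroup.local: "
             "Starting Automated Windows Update Installation: 2/26/2013 12:35:29 PM")
LOGTEST_INPUT = AGENT_LOG[len("WinEvtLog: "):]

# Toy rule table: parent rules are selected by decoder category, child rules by
# if_sid plus a substring match, mirroring the thread's rule 100012.
# Rule 18100 as the Windows parent is an assumption taken from the stock ruleset.
RULES = {
    1:      {"level": 0, "category": "syslog",  "parent": None,  "match": None},
    18100:  {"level": 0, "category": "windows", "parent": None,  "match": None},
    100012: {"level": 9, "category": None,      "parent": 1,     "match": "WindowsUpdateScript"},
}

def decode(log):
    """Simplified decoder pass: the windows-eventlog decoder prematches
    '^WinEvtLog: '; anything it does not claim is treated as plain syslog."""
    return "windows" if log.startswith("WinEvtLog: ") else "syslog"

def evaluate(log, rules=RULES):
    """Return (rule_id, level) of the deepest matching rule, or None."""
    category = decode(log)
    matched = None
    for rid, rule in rules.items():
        if rule["parent"] is None and rule["category"] == category:
            matched = (rid, rule["level"])
            for cid, child in rules.items():
                if child["parent"] == rid and child["match"] and child["match"] in log:
                    matched = (cid, child["level"])
    return matched

def would_email(log, rules=RULES):
    """True if the winning rule reaches the configured email alert level."""
    hit = evaluate(log, rules)
    return hit is not None and hit[1] >= EMAIL_ALERT_LEVEL

# The same custom rule re-parented under the Windows group instead of syslog rule 1.
REPARENTED = dict(RULES)
REPARENTED[100012] = dict(RULES[100012], parent=18100)

if __name__ == "__main__":
    for label, log in (("logtest input", LOGTEST_INPUT), ("agent log", AGENT_LOG)):
        print(label, evaluate(log), would_email(log))
    print("agent log, re-parented rule", evaluate(AGENT_LOG, REPARENTED))
```

Feeding ossec-logtest the line exactly as it appears in archives.log (prefix included) is the quickest way to see which parent rule the production path actually selects.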
