Thanks Dan,

I followed the steps as you mentioned, but I am not able to set up the
local_decoder.xml.

The local_decoder file was not available under my ../etc folder, so I created
one and added the decoder for "pure_transfer" as you suggested. But after
running the logtest, OSSEC is not able to identify the decoder.

*pwd*
/var/ossec/etc

*cat local_decoder.xml*
<decoder name="pure-transfer">
  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
  <order>extra_data,dstuser,action,url,status</order>
</decoder>


*/var/ossec/bin/ossec-logtest*
2013/03/13 13:26:39 ossec-testrule: INFO: Reading local decoder file.
2013/03/13 13:26:39 ossec-testrule: INFO: Started (pid: 24289).
ossec-testrule: Type one log per line.

example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
/ftpdrive/user1/FinalBackup.zip" 200 25268220


**Phase 1: Completed pre-decoding.
       full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
/ftpdrive/user1/FinalBackup.zip" 200 25268220'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
/ftpdrive/user1/FinalBackup.zip" 200 25268220'

**Phase 2: Completed decoding.
    *   No decoder matched.*


Is there something which I am missing?


On Tue, Mar 12, 2013 at 12:55 AM, dan (ddp) <[email protected]> wrote:

> On Mon, Mar 11, 2013 at 2:52 PM, S Pratap Singh <[email protected]>
> wrote:
> > I am running Pure-FTPD. Sample Log is as below :
> >
> > Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New
> connection
> > from example.com
> > Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now
> > logged in
> > Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE]
> Deleted
> > 2013-03-08 14.38 Content live-test.wmv
> >
> >
> > Above log is getting logged in syslog file.
> >
> > Another file which is storing the transfer log is
> > "/var/log/pure-ftpd/transfer.log"
> >
> > example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
> > /ftpdrive/user1/FinalBackup.zip" 200 25268220
> > example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET
> > /ftpdrive/user1/FinalBackup.zip" 200 25268220
> >
> > I need to get an alert for all download/upload/delete over FTP for any
> > connection along with login alert too.
> >
>
> How is this decoded?
> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New
> connection from example.com
>
> # /var/ossec/bin/ossec-logtest
> 2013/03/11 15:03:55 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/11 15:03:55 ossec-testrule: INFO: Started (pid: 5374).
> ossec-testrule: Type one log per line.
>
> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New
> connection from example.com
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 11 14:16:50 localhost pure-ftpd:
> ([email protected]) [INFO] New connection from example.com'
>        hostname: 'localhost'
>        program_name: 'pure-ftpd'
>        log: '([email protected]) [INFO] New connection from example.com'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-ftpd'
>        dstuser: '?'
>        srcip: 'example.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '11301'
>        Level: '3'
>        Description: 'New FTP connection.'
> **Alert to be generated.
>
>
> The user we get is "?", and the rule that fires is 11301 "New FTP
> connection." I don't see anything special about the log message, so
> this seems correct. If you need email alerts, you may have to bump the
> level from 3 to whatever the minimum you have set is (default: 7).
>
> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is
> now logged in
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 11 14:16:50 localhost pure-ftpd:
> ([email protected]) [INFO] user1 is now logged in'
>        hostname: 'localhost'
>        program_name: 'pure-ftpd'
>        log: '([email protected]) [INFO] user1 is now logged in'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-ftpd'
>        srcip: 'example.com'
>        dstuser: 'user1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '11300'
>        Level: '0'
>        Description: 'Grouping for the pure-ftpd rules.'
>
>
> This one doesn't have a real alert associated to it, so let's create one.
>
> Add this rule to /var/ossec/rules/local_rules.xml:
>   <rule id="300001" level="7">  <!-- Set it to trigger alerts at default levels, I would set this lower by default -->
>     <if_sid>11300</if_sid>      <!-- This is the catch-all pure-ftpd grouping rule -->
>     <match> is now logged in$</match>   <!-- The last bit of the log message -->
>     <description>User successfully logged in.</description>
>   </rule>
>
>
> Run ossec-logtest again:
> # /var/ossec/bin/ossec-logtest
> 2013/03/11 15:09:11 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/11 15:09:11 ossec-testrule: INFO: Started (pid: 31416).
> ossec-testrule: Type one log per line.
>
> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is
> now logged in
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 11 14:16:50 localhost pure-ftpd:
> ([email protected]) [INFO] user1 is now logged in'
>        hostname: 'localhost'
>        program_name: 'pure-ftpd'
>        log: '([email protected]) [INFO] user1 is now logged in'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-ftpd'
>        srcip: 'example.com'
>        dstuser: 'user1'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '300001'
>        Level: '7'
>        Description: 'User successfully logged in.'
> **Alert to be generated.
>
> We now have an alert for this log message.
>
> Next:
> Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE]
> Deleted 2013-03-08 14.38 Content live-test.wmv
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 11 14:16:56 localhost pure-ftpd:
> ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content
> live-test.wmv'
>        hostname: 'localhost'
>        program_name: 'pure-ftpd'
>        log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38
> Content live-test.wmv'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-ftpd'
>        dstuser: 'user1'
>        srcip: 'example.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '11304'
>        Level: '0'
>        Description: 'FTP notice messages'
>
> This isn't good enough. Time to add another rule!
>
>   <rule id="300002" level="7">
>     <if_sid>11304</if_sid>
>     <match> Deleted </match>
>     <description>Content deleted.</description>
>   </rule>
>
> There is some possibility of false positives with the above (if the
> word Deleted appears in the content's name), but it seems good enough
> for now.
>
> Re-run ossec-logtest:
> # /var/ossec/bin/ossec-logtest
> 2013/03/11 15:11:00 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/11 15:11:00 ossec-testrule: INFO: Started (pid: 24053).
> ossec-testrule: Type one log per line.
>
> Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE]
> Deleted 2013-03-08 14.38 Content live-test.wmv
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 11 14:16:56 localhost pure-ftpd:
> ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content
> live-test.wmv'
>        hostname: 'localhost'
>        program_name: 'pure-ftpd'
>        log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38
> Content live-test.wmv'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-ftpd'
>        dstuser: 'user1'
>        srcip: 'example.com'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '300002'
>        Level: '7'
>        Description: 'Content deleted.'
> **Alert to be generated.
>
>
> Looking good!
>
> On to the transfer.log. These log entries look horrible, this probably
> won't be fun.
>
> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
> /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
> # /var/ossec/bin/ossec-logtest
> 2013/03/11 15:12:36 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/11 15:12:36 ossec-testrule: INFO: Started (pid: 9921).
> ossec-testrule: Type one log per line.
>
> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
> /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000]
> "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
> /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> No decoder... Time to make one! Try adding this to
> /var/ossec/etc/local_decoder.xml:
> <decoder name="pure-transfer">
>   <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
> </decoder>
>
> Re-run ossec-logtest:
> # /var/ossec/bin/ossec-logtest
> 2013/03/11 15:16:10 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/11 15:16:10 ossec-testrule: INFO: Started (pid: 24178).
> ossec-testrule: Type one log per line.
>
> example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET
> /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'example.com - user1 [11/Mar/2013:12:24:57 -0000]
> "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET
> /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-transfer'
>
> Sweet, that works! But we want some other info. So change the decoder to:
> <decoder name="pure-transfer">
>   <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
>   <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
>   <order>extra_data,dstuser,action,url,status</order>
> </decoder>
>
> Now we get:
> **Phase 1: Completed pre-decoding.
>        full event: '[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: '[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '
>
> **Phase 2: Completed decoding.
>        No decoder matched.
> example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET
> /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'example.com - user1 [11/Mar/2013:12:24:57 -0000]
> "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET
> /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-transfer'
>        extra_data: 'example.com'
>        dstuser: 'user1'
>        action: 'GET'
>        url: '/ftpdrive/user1/FinalBackup.zip"'
>        status: '200'
>
> This gives us plenty to work with in the decoder. Add a rule to
> local_rules.xml:
>   <rule id="300003" level="7">
>     <decoded_as>pure-transfer</decoded_as>
>     <action>PUT</action>
>     <description>File added to the ftpd.</description>
>   </rule>
>
> And the results:
> # /var/ossec/bin/ossec-logtest
> 2013/03/11 15:23:37 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/11 15:23:38 ossec-testrule: INFO: Started (pid: 31151).
> ossec-testrule: Type one log per line.
>
> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
> /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000]
> "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>        hostname: 'arrakis'
>        program_name: '(null)'
>        log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT
> /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>
> **Phase 2: Completed decoding.
>        decoder: 'pure-transfer'
>        extra_data: 'example.com'
>        dstuser: 'user1'
>        action: 'PUT'
>        url: '/ftpdrive/user1/FinalBackup.zip"'
>        status: '200'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '300003'
>        Level: '7'
>        Description: 'File added to the ftpd.'
> **Alert to be generated.
>
> Adding something similar for GETs should be super easy. If you have
> issues, let us know.
>
>
> >
> > On Mon, Mar 11, 2013 at 7:37 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Mon, Mar 11, 2013 at 3:38 AM, Pratap <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I am trying to enable FTP log monitoring but my FTP logs are getting
> >> > stored
> >> > in syslog.log file and another file for transfer log for FTP. I need
> to
> >> > get
> >> > alert for any FTP user login/logout and file upload so that I can
> >> > monitor my
> >> > FTP server actively and keep an eye on it for any activity.
> >> >
> >> > Any help would be helpful.
> >> >
> >> > Thanks,
> >> >
> >>
> >> What ftp daemon are you using? Is OSSEC monitoring the logfiles that
> >> it uses to log activity? Can you provide log samples?
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >
> >> >
> >>
> >
> >
> >
> > --
> > Regards,
> > Pratap Singh
> >
>
>


-- 
Regards,
Pratap Singh
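An added illustration, not from this thread and not OSSEC's own code: a small Python approximation of what ossec-logtest does in Phase 2 and Phase 3 with the pure-transfer decoder and rule 300003 posted above, so the decoder and rules can be checked offline against sample transfer.log lines before touching /var/ossec/etc. Assumptions, all mine: the OSSEC regex dialect is translated to Python `re` by `ossec_to_python()` (in OSSEC, `\.` matches any character while `[`, `]` and `.` are ordinary literals; the other classes keep their meaning), the GET rule that Dan left as an exercise is given the made-up id 300004, the sample lines are constructed from the ones in the thread, and the "tightened" decoder variant is my suggestion for keeping the closing quote out of the url field (Dan's output shows `url: '/ftpdrive/user1/FinalBackup.zip"'`).

```python
"""Offline approximation of ossec-logtest Phase 2/3 for the pure-transfer
decoder from the thread.  Uses Python's re module, NOT OSSEC's own matcher;
the OSSEC regex dialect is translated by ossec_to_python() below."""
import re
import xml.etree.ElementTree as ET

# Decoder exactly as posted in the thread, with prematch/regex on one line each.
LOCAL_DECODER_XML = r"""
<decoder name="pure-transfer">
  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
  <order>extra_data,dstuser,action,url,status</order>
</decoder>
"""

# Suggested variant (mine, not from the thread): anchoring the closing quote
# after (\.+) keeps it out of the url field.
TIGHT_DECODER_XML = LOCAL_DECODER_XML.replace(r'(\.+) (\d+)', r'(\.+)" (\d+)')

# Rule 300003 as posted, plus the GET counterpart Dan left as an exercise.
# The id 300004 and its description are assumptions, not from the thread.
RULES = [
    {"id": "300003", "level": 7, "decoded_as": "pure-transfer", "action": "PUT",
     "description": "File added to the ftpd."},
    {"id": "300004", "level": 7, "decoded_as": "pure-transfer", "action": "GET",
     "description": "File downloaded from the ftpd."},
]

# Constructed sample input: the two transfer.log lines from the thread and one
# syslog-style pure-ftpd line (constructed) that this decoder must NOT match.
SAMPLE_LINES = [
    'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220',
    'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220',
    'Mar 11 14:16:50 localhost pure-ftpd: (user1@example.com) [INFO] user1 is now logged in',
]


def ossec_to_python(pattern: str) -> str:
    r"""Translate the subset of OSSEC's regex dialect used above to Python re.
    Assumed OSSEC semantics: \S \s \d \D \w \W \t keep their meaning, '\.'
    means ANY character, and '[', ']', '.' are ordinary literals."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")             # OSSEC "\." = any character
            elif nxt in "SsdDwWt":
                out.append("\\" + nxt)      # same class in both dialects
            else:
                out.append(re.escape(nxt))  # any other escaped char is literal
            i += 2
        else:
            out.append(re.escape(c) if c in "[]{}." else c)  # literals in OSSEC
            i += 1
    return "".join(out)


def load_decoders(xml_text: str) -> list:
    """Parse a local_decoder.xml fragment into compiled Python patterns."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    decoders = []
    for d in root.findall("decoder"):
        decoders.append({
            "name": d.get("name"),
            "prematch": re.compile(ossec_to_python(d.findtext("prematch").strip())),
            "regex": re.compile(ossec_to_python(d.findtext("regex").strip())),
            "order": [f.strip() for f in d.findtext("order").split(",")],
        })
    return decoders


def decode(line: str, decoders: list):
    """Phase 2: first decoder whose prematch hits owns the line; its regex
    then fills the fields named in <order>.  None means 'No decoder matched'."""
    for d in decoders:
        if not d["prematch"].search(line):
            continue
        m = d["regex"].search(line)
        fields = dict(zip(d["order"], m.groups())) if m else {}
        fields["decoder"] = d["name"]
        return fields
    return None


def match_rules(decoded, rules: list):
    """Phase 3 (simplified): a rule fires when decoded_as and action agree."""
    if decoded is None:
        return None
    for r in rules:
        if decoded.get("decoder") == r["decoded_as"] and decoded.get("action") == r["action"]:
            return r
    return None


def logtest(line: str, decoders: list, rules: list = RULES):
    """Return (decoded fields or None, firing rule or None) for one log line."""
    decoded = decode(line, decoders)
    return decoded, match_rules(decoded, rules)


if __name__ == "__main__":
    for label, xml_text in (("posted decoder", LOCAL_DECODER_XML), ("tightened", TIGHT_DECODER_XML)):
        print(f"== {label} ==")
        decs = load_decoders(xml_text)
        for line in SAMPLE_LINES:
            decoded, rule = logtest(line, decs)
            print(line)
            print("  decoded:", decoded if decoded else "No decoder matched.")
            print("  rule:", f"{rule['id']} level {rule['level']}: {rule['description']}" if rule else "none")
```

Running it prints, for the posted decoder, the same fields Dan's logtest shows (including the stray quote on `url`), rule 300003 for the PUT line, the assumed 300004 for the GET line, and "No decoder matched." for the syslog-style line, which the prematch rejects because it does not start with `host - user [`. This only emulates the transfer-log decoder; the syslog lines in the thread depend on OSSEC's built-in pure-ftpd decoder and rules 11300/11304, which are not modelled here.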
