However, the logtest works fine for the "deleted" and "logged in" tests. Not sure why the logtest is not working for the transfer log. Also I have noticed I am not getting an alert for login after applying it on the server. So far I have not received any alert for any FTP login. I have also set the alert level to 7.

/var/ossec/bin/ossec-logtest
2013/03/13 16:44:06 ossec-testrule: INFO: Reading local decoder file.
2013/03/13 16:44:06 ossec-testrule: INFO: Started (pid: 6667).
ossec-testrule: Type one log per line.

Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv

**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       dstuser: 'user1'
       srcip: 'example.com'

**Phase 3: Completed filtering (rules).
       Rule id: '300002'
       Level: '7'
       Description: 'Content deleted.'
**Alert to be generated.

Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in

**Phase 1: Completed pre-decoding.
       full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in'
       hostname: 'localhost'
       program_name: 'pure-ftpd'
       log: '([email protected]) [INFO] user1 is now logged in'

**Phase 2: Completed decoding.
       decoder: 'pure-ftpd'
       srcip: 'example.com'
       dstuser: 'user1'

**Phase 3: Completed filtering (rules).
       Rule id: '300001'
       Level: '7'
       Description: 'User successfully logged in.'
**Alert to be generated.

On Wed, Mar 13, 2013 at 1:31 PM, S Pratap Singh <[email protected]> wrote:
> Thanks Dan,
>
> I followed the steps as you mentioned but I am not able to set up
> local_decoder.xml.
>
> The local_decoder file was not available under my ../etc folder so I created
> one and added the decoder for "pure_transfer" as you suggested. But after
> running the logtest OSSEC is not able to identify the decoder.
>
> pwd
> /var/ossec/etc
>
> cat local_decoder.xml
> <decoder name="pure-transfer">
>   <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
>   <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
>   <order>extra_data,dstuser,action,url,status</order>
> </decoder>
>
> /var/ossec/bin/ossec-logtest
> 2013/03/13 13:26:39 ossec-testrule: INFO: Reading local decoder file.
> 2013/03/13 13:26:39 ossec-testrule: INFO: Started (pid: 24289).
> ossec-testrule: Type one log per line.
>
> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
>
> **Phase 1: Completed pre-decoding.
>        full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>        hostname: 'localhost'
>        program_name: '(null)'
>        log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> Is there something which I am missing?
>
> On Tue, Mar 12, 2013 at 12:55 AM, dan (ddp) <[email protected]> wrote:
>> On Mon, Mar 11, 2013 at 2:52 PM, S Pratap Singh <[email protected]> wrote:
>> > I am running Pure-FTPD. A sample log is as below:
>> >
>> > Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com
>> > Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in
>> > Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv
>> >
>> > The above log is getting logged in the syslog file.
>> >
>> > Another file which is storing the transfer log is "/var/log/pure-ftpd/transfer.log":
>> >
>> > example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
>> > example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
>> >
>> > I need to get an alert for all download/upload/delete over FTP for any
>> > connection along with a login alert too.
>> >
>>
>> How is this decoded?
>> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com
>>
>> # /var/ossec/bin/ossec-logtest
>> 2013/03/11 15:03:55 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/11 15:03:55 ossec-testrule: INFO: Started (pid: 5374).
>> ossec-testrule: Type one log per line.
>>
>> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] New connection from example.com'
>>        hostname: 'localhost'
>>        program_name: 'pure-ftpd'
>>        log: '([email protected]) [INFO] New connection from example.com'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-ftpd'
>>        dstuser: '?'
>>        srcip: 'example.com'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '11301'
>>        Level: '3'
>>        Description: 'New FTP connection.'
>> **Alert to be generated.
>>
>> The user we get is "?", and the rule that fires is 11301 "New FTP
>> connection." I don't see anything special about the log message, so
>> this seems correct. If you need email alerts, you may have to bump the
>> level from 3 to whatever the minimum you have set is (default: 7).
>>
>> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in'
>>        hostname: 'localhost'
>>        program_name: 'pure-ftpd'
>>        log: '([email protected]) [INFO] user1 is now logged in'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-ftpd'
>>        srcip: 'example.com'
>>        dstuser: 'user1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '11300'
>>        Level: '0'
>>        Description: 'Grouping for the pure-ftpd rules.'
>>
>> This one doesn't have a real alert associated with it, so let's create one.
>>
>> Add this rule to /var/ossec/rules/local_rules.xml:
>> <rule id="300001" level="7"> <!-- Set it to trigger alerts at default levels, I would set this lower by default -->
>>   <if_sid>11300</if_sid> <!-- This is the catch-all pure-ftpd grouping rule -->
>>   <match> is now logged in$</match> <!-- The last bit of the log message -->
>>   <description>User successfully logged in.</description>
>> </rule>
>>
>> Run ossec-logtest again:
>> # /var/ossec/bin/ossec-logtest
>> 2013/03/11 15:09:11 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/11 15:09:11 ossec-testrule: INFO: Started (pid: 31416).
>> ossec-testrule: Type one log per line.
>>
>> Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 11 14:16:50 localhost pure-ftpd: ([email protected]) [INFO] user1 is now logged in'
>>        hostname: 'localhost'
>>        program_name: 'pure-ftpd'
>>        log: '([email protected]) [INFO] user1 is now logged in'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-ftpd'
>>        srcip: 'example.com'
>>        dstuser: 'user1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '300001'
>>        Level: '7'
>>        Description: 'User successfully logged in.'
>> **Alert to be generated.
>>
>> We now have an alert for this log message.
>>
>> Next:
>> Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
>>        hostname: 'localhost'
>>        program_name: 'pure-ftpd'
>>        log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-ftpd'
>>        dstuser: 'user1'
>>        srcip: 'example.com'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '11304'
>>        Level: '0'
>>        Description: 'FTP notice messages'
>>
>> This isn't good enough. Time to add another rule!
>>
>> <rule id="300002" level="7">
>>   <if_sid>11304</if_sid>
>>   <match> Deleted </match>
>>   <description>Content deleted.</description>
>> </rule>
>>
>> There is some possibility of false positives with the above (if the
>> word Deleted appears in the content's name), but it seems good enough
>> for now.
>>
>> Re-run ossec-logtest:
>> # /var/ossec/bin/ossec-logtest
>> 2013/03/11 15:11:00 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/11 15:11:00 ossec-testrule: INFO: Started (pid: 24053).
>> ossec-testrule: Type one log per line.
>>
>> Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Mar 11 14:16:56 localhost pure-ftpd: ([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
>>        hostname: 'localhost'
>>        program_name: 'pure-ftpd'
>>        log: '([email protected]) [NOTICE] Deleted 2013-03-08 14.38 Content live-test.wmv'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-ftpd'
>>        dstuser: 'user1'
>>        srcip: 'example.com'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '300002'
>>        Level: '7'
>>        Description: 'Content deleted.'
>> **Alert to be generated.
>>
>> Looking good!
>>
>> On to the transfer.log. These log entries look horrible, this probably
>> won't be fun.
>>
>> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
>>
>> # /var/ossec/bin/ossec-logtest
>> 2013/03/11 15:12:36 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/11 15:12:36 ossec-testrule: INFO: Started (pid: 9921).
>> ossec-testrule: Type one log per line.
>>
>> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> No decoder... Time to make one! Try adding this to /var/ossec/etc/local_decoder.xml:
>> <decoder name="pure-transfer">
>>   <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
>> </decoder>
>>
>> Re-run ossec-logtest:
>> # /var/ossec/bin/ossec-logtest
>> 2013/03/11 15:16:10 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/11 15:16:10 ossec-testrule: INFO: Started (pid: 24178).
>> ossec-testrule: Type one log per line.
>>
>> example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-transfer'
>>
>> Sweet, that works! But we want some other info. So change the decoder to:
>> <decoder name="pure-transfer">
>>   <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
>>   <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
>>   <order>extra_data,dstuser,action,url,status</order>
>> </decoder>
>>
>> Now we get:
>> **Phase 1: Completed pre-decoding.
>>        full event: '[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: '[\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>> example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: 'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-transfer'
>>        extra_data: 'example.com'
>>        dstuser: 'user1'
>>        action: 'GET'
>>        url: '/ftpdrive/user1/FinalBackup.zip"'
>>        status: '200'
>>
>> This gives us plenty to work with in the decoder. Add a rule to local_rules.xml:
>> <rule id="300003" level="7">
>>   <decoded_as>pure-transfer</decoded_as>
>>   <action>PUT</action>
>>   <description>File added to the ftpd.</description>
>> </rule>
>>
>> And the results:
>> # /var/ossec/bin/ossec-logtest
>> 2013/03/11 15:23:37 ossec-testrule: INFO: Reading local decoder file.
>> 2013/03/11 15:23:38 ossec-testrule: INFO: Started (pid: 31151).
>> ossec-testrule: Type one log per line.
>>
>> example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: 'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pure-transfer'
>>        extra_data: 'example.com'
>>        dstuser: 'user1'
>>        action: 'PUT'
>>        url: '/ftpdrive/user1/FinalBackup.zip"'
>>        status: '200'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '300003'
>>        Level: '7'
>>        Description: 'File added to the ftpd.'
>> **Alert to be generated.
>>
>> Adding something similar for GETs should be super easy. If you have
>> issues, let us know.
>>
>> > On Mon, Mar 11, 2013 at 7:37 PM, dan (ddp) <[email protected]> wrote:
>> >> On Mon, Mar 11, 2013 at 3:38 AM, Pratap <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > I am trying to enable FTP log monitoring but my FTP logs are getting stored
>> >> > in the syslog.log file and another file for the transfer log for FTP. I need to
>> >> > get an alert for any FTP user login/logout and file upload so that I can
>> >> > monitor my FTP server actively and keep an eye on it for any activity.
>> >> >
>> >> > Any help would be helpful.
>> >> >
>> >> > Thanks,
>> >>
>> >> What ftp daemon are you using? Is OSSEC monitoring the logfiles that
>> >> it uses to log activity? Can you provide log samples?
>> >>

--
Regards,
Pratap Singh
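An added emulation, not code from the thread or from OSSEC, of how the pure-transfer decoder above is applied to the two transfer.log lines, so the prematch/regex/order field extraction can be checked without a running OSSEC. The OSSEC-to-Python regex translation is an assumed simplification (no alternation), and rule id 300004 is a hypothetical GET counterpart to rule 300003.

```python
import re
# Sample transfer.log lines, copied from the thread (user and host as posted).
TRANSFER_LOG = [
    'example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220',
    'example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220',
]

# The three element bodies of the thread's pure-transfer decoder.
PREMATCH = r'^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]'
REGEX = (r'^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] '
         r'"(\S+) (\.+) (\d+) \d+$')
ORDER = ['extra_data', 'dstuser', 'action', 'url', 'status']

# OSSEC's regex dialect is not PCRE: '\.' means any character, a bare '.' and
# '[' ']' are literals, and only the \d \w \s \S \D \W \p classes exist.
_CLASSES = {'d': r'\d', 'w': r'\w', 's': r'\s', 'S': r'\S', 'D': r'\D',
            'W': r'\W', '.': '.', 'p': r'[()*+,\-.:;<=>?\[\]!"\'#$%&|{}]'}

def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> body into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):
            # Class escapes are mapped; \( \) \^ \$ \\ stay literal.
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in '()+*^$' else re.escape(ch))
        i += 1
    return ''.join(out)

def decode(line, prematch=PREMATCH, regex=REGEX, order=ORDER):
    """Fields for one line; None when prematch fails (ossec-logtest: No decoder matched)."""
    if not re.search(ossec_to_python(prematch), line):
        return None
    m = re.search(ossec_to_python(regex), line)
    return dict(zip(order, m.groups())) if m else {}

def fired_rules(fields):
    """Rule 300003 keys on action PUT; 300004 is a hypothetical GET counterpart."""
    rules = {'PUT': 300003, 'GET': 300004}
    rid = rules.get((fields or {}).get('action'))
    return [rid] if rid else []

if __name__ == '__main__':
    for entry in TRANSFER_LOG:
        fields = decode(entry)
        print(fields, fired_rules(fields))
```

Note that `url` keeps the trailing double quote, exactly as the thread's ossec-logtest output shows, because `\.+` runs up to the last position where ` (\d+) \d+$` can still match; a prematch that has picked up a line break (as mail clients wrap long patterns) matches nothing, which is worth ruling out before suspecting the pattern itself.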
