Okay, I will check once again; SELinux is disabled on both server and agent.
On Thu, Mar 14, 2013 at 7:54 PM, dan (ddp) <[email protected]> wrote:
> I just copy/pasted those contents into my own local_decoder.xml and it
> worked fine. I guess you could try tracing the application to see why
> it isn't reading that file. Maybe check selinux logs to see if that's
> blocking access...
>
> On Thu, Mar 14, 2013 at 10:17 AM, S Pratap Singh <[email protected]> wrote:
> > cat local_decoder.xml
> > <decoder name="pure-transfer">
> > <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
> > <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
> > <order>extra_data,dstuser,action,url,status</order>
> > </decoder>
> >
> > cat /etc/issue
> > CentOS release 6.3 (Final)
> >
> > 32 bit
> >
> > Log file which is storing the transfer log is:
> > /var/log/pure-ftpd/transfer.log
> >
> > On Thu, Mar 14, 2013 at 7:41 PM, dan (ddp) <[email protected]> wrote:
> > > On Thu, Mar 14, 2013 at 9:59 AM, S Pratap Singh <[email protected]> wrote:
> > > > ll /var/ossec/etc/local_decoder.xml
> > > > -r--r----- 1 root ossec 262 Mar 14 18:39 /var/ossec/etc/local_decoder.xml
> > > >
> > > > ll /var/ossec/etc/decoder.xml
> > > > -r--r----- 1 root ossec 88975 Jul 12 2011 /var/ossec/etc/decoder.xml
> > > >
> > > > It's a server installation.
> > >
> > > Please provide the entire local_decoder.xml file. What
> > > OS/distro/version are you using?
> > >
> > > > On Thu, Mar 14, 2013 at 7:25 PM, dan (ddp) <[email protected]> wrote:
> > > > > On Thu, Mar 14, 2013 at 9:49 AM, S Pratap Singh <[email protected]> wrote:
> > > > > > Yes, decoder pure-transfer I had defined in the "local_decoder.xml" file,
> > > > > > but it was not detecting it. To fix the issue I have changed the log
> > > > > > settings for my ftp server to log all the events in the syslog file and
> > > > > > enabled rule id 1304 to match upload and download. It worked for me.
> > > > > >
> > > > > > I am not sure why it was not detecting the decoder "pure-transfer"
> > > > > > defined in the file "local_decoder.xml".
> > > > >
> > > > > What are the permissions on /var/ossec/etc/local_decoder.xml?
> > > > > Permissions on /var/ossec/etc/decoder.xml? Is this a server, agent, or
> > > > > local installation?
> > > > >
> > > > > > On Thu, Mar 14, 2013 at 6:51 PM, S Pratap Singh <[email protected]> wrote:
> > > > > > > Thanks for the help Dan.. I have fixed the issue and everything
> > > > > > > works perfectly .. :)
> > > > > > >
> > > > > > > On Thu, Mar 14, 2013 at 2:11 PM, S Pratap Singh <[email protected]> wrote:
> > > > > > > > Hi Dan,
> > > > > > > >
> > > > > > > > Things are working fine now. But I have another problem: now I am
> > > > > > > > getting most of the alerts for FTP activity, excluding the file upload
> > > > > > > > and download alerts. The rule which you have given works fine, but
> > > > > > > > when I restart OSSEC I am getting the following error:
> > > > > > > >
> > > > > > > > 2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name: 'pure-transfer'.
> > > > > > > > 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> > > > > > > > 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
> > > > > > > > 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
> > > > > > > >
> > > > > > > > So there are two problems I am facing currently:
> > > > > > > > 1. Not getting alerts for upload and download, since this is getting
> > > > > > > > logged into another file and not into the syslog file.
> > > > > > > > 2. Facing the issue with restart of the OSSEC server.
> > > > > > > >
> > > > > > > > Thanks for your input and help so far.
> > > > > > > >
> > > > > > > > On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote:
> > > > > > > > > On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]> wrote:
> > > > > > > > > > All fixed, but I am not getting alerts to my mail box for FTP
> > > > > > > > > > activity as other alerts.
> > > > > > > > >
> > > > > > > > > Are you getting other alerts in your email?
> > > > > > > > > Do you have access to the maillogs? If so, check to see if the
> > > > > > > > > mail is being rejected or something.
> > > > > > > > > If not, use tcpdump or something similar to watch mail traffic to
> > > > > > > > > see if OSSEC even attempts to send the message.
>

--
Regards,
Pratap Singh

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
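Before restarting OSSEC with a new decoder such as the pure-transfer one quoted above, it helps to check that its prematch and regex actually fit a real line from /var/log/pure-ftpd/transfer.log. The following is an added example, not code from the thread or from OSSEC itself: a small Python harness that translates the subset of OSSEC's regex dialect the posted decoder uses into Python's re module and runs the decoder over constructed pure-ftpd transfer-log lines. The log lines are constructed for illustration, and the dialect translation is an approximation of OSSEC's own matcher.

```python
import re
from xml.etree import ElementTree as ET

# The decoder exactly as posted in the thread (contents of local_decoder.xml).
DECODER_XML = r"""
<decoder name="pure-transfer">
<prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]</prematch>
<regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
<order>extra_data,dstuser,action,url,status</order>
</decoder>
"""

# OSSEC character classes -> Python re equivalents. Assumption: this subset is
# all the posted decoder needs; OSSEC's own matcher has quirks not reproduced here.
_CLASSES = {"S": r"\S", "s": r"\s", "d": r"\d", "w": r"\w", ".": ".",
            "p": r"[^\w\s]", "t": r"\t", "n": r"\n"}

def ossec_to_python(pattern: str) -> str:
    # In the OSSEC dialect \S \s \d \w \. \p are classes, ^ $ ( ) + * | are
    # operators, and everything else (including [ and ]) is a literal character.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "^$()+*|" else re.escape(c))
            i += 1
    return "".join(out)

def decode(decoder_xml: str, line: str):
    # Same outline as analysisd: prematch decides whether the decoder applies at
    # all; regex plus order then extract the named fields. None = prematch failed.
    d = ET.fromstring(decoder_xml.strip())
    if not re.search(ossec_to_python(d.findtext("prematch")), line):
        return None
    m = re.search(ossec_to_python(d.findtext("regex")), line)
    if not m:
        return {}
    return dict(zip(d.findtext("order").split(","), m.groups()))

# Constructed sample lines in pure-ftpd's CLF transfer-log layout (not from the thread).
LINE_OK = '192.0.2.10 - ftpuser [14/Mar/2013:18:39:00 -0500] "GET /pub/report.pdf" 200 52431'
# Same event with a positive UTC offset: the posted prematch hard-codes "-" before
# the four offset digits, so a line like this is never handed to the decoder.
LINE_POSITIVE_TZ = LINE_OK.replace("-0500", "+0530")
```

Note that the `url` field comes out with the trailing quote attached, because `(\.+)` in the posted regex runs up to the space before the status code; on the OSSEC server itself, /var/ossec/bin/ossec-logtest performs this check against the real decoder set.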
