Hey Dan,

I set the server to logall and restarted it:

<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>xxxx.xxxxxx.xxx.</smtp_server>
<email_from>ossecm@xxxxxx1</email_from>
<logall>yes</logall>
</global>

I then ran the logger the way you requested it on the client:
logger -pauth.err -t su "pam_unix(su-l:auth): authentication failure;
logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee rhost= user=root"
I saw the message hit the ossec-logcollector via the ossec.log on the
client.
2013/06/21 16:11:35 ossec-logcollector: DEBUG: Reading syslog message: 'Jun
21 16:11:35 XXXXX auth|security:err|error su: pam_unix(su-l:auth):
authentication failure; logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee
rhost= user=root '
2013/06/21 16:11:35 ossec-logcollector: DEBUG: Reading syslog message: 'Jun
21 16:11:35 XXXXX auth|security:err|error su: pam_unix(su-l:auth):
authentication failure; logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee
rhost= user=root '
I then checked the logs/archives/archive.log; the entry made it to the
server, but alas still no alert.
grep XXXXXX archives.log
2013 Jun 21 16:19:52 Message->134.174.26.15 Jun 21 16:19:52 Message
forwarded from XXXXXX: su: pam_unix(su-l:auth): authentication failure;
logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee rhost= user=root
On Friday, June 21, 2013 3:40:50 PM UTC-4, Lalbee99 wrote:
> I have configured remote alerting via ossec-remoted but am unable to get
> alerts from the client. I am running ossec 2.7 on both the client and
> server.
>
> Below I have listed what I have done thus far.
>
> My server is up and running the following daemons:
>
> ossecm 14539 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-dbd -d
> ossecm 14545 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-maild -d
> ossec 14552 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-analysisd -d
> root 14556 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-logcollector -d
> ossecr 14561 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-remoted -d
> root 14565 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-syscheckd -d
> ossec 14571 1 0 14:51 ? 00:00:00 /backup/ossec/bin/ossec-monitord -d
>
> My server is able to run the rootcheck & syscheck on the client with no
> problems:
>
> OSSEC HIDS agent_control. Agent information:
> Agent ID: 001
> Agent Name: XXXXXX
> IP address: xxx.xxx.xxx.15
> Status: Active
> Operating system: AIX XXXXXX 1 6
> Client version: OSSEC HIDS v2.7 / 3d94910986a318645f68e44531fd5742
> Last keep alive: Fri Jun 21 15:01:58 2013
> Syscheck last started at: Fri Jun 21 09:01:04 2013
> Syscheck last ended at: Fri Jun 21 09:15:29 2013
> Rootcheck last started at: Fri Jun 21 05:20:26 2013
> Rootcheck last ended at: Fri Jun 21 05:21:04 2013
>
> I see my client is active:
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: XXXXX (server), IP: 127.0.0.1, Active/Local
> ID: 006, Name: XXXXX, IP: xxx.xxx.xxx.15, Active
>
>
>
> I have my server set up to accept secure connections from the client
> (global ossec.conf):
>
> <remote>
> <connection>secure</connection>
> <port>1514</port>
> <allowed-ips>xxx.xxx.xxx.15</allowed-ips> <!-- cistest -->
> </remote>
>
> I can see the ossec-remoted daemon running on port 1514 on my server:
>
> netstat -panu | grep 514
> udp 0 0 0.0.0.0:1514 0.0.0.0:* 14561/ossec-remoted
>
>
>
> I can see the connection to the master on port 1514 from the client:
>
> netstat -an | grep 1514
> udp4 0 0 xxx.xxx.xxx.15.34095 xxx.xxx.xxx.119.1514
>
>
>
> I set up a tcpdump on the client to monitor traffic on port 1514:
>
> tcpdump -i eno port 1514
>
> I then performed a logtest on the master server to make sure everything
> was ok:
>
> echo "Jun 21 11:08:58 sysutil1 su: pam_unix(su-l:auth): authentication
> failure; logname=albee uid=XXXXeuid=0 tty=pts/1 ruser=albee rhost=
> user=root" | /backup/ossec/bin/ossec-logtest -a |
> /backup/ossec/bin/ossec-reportd
> 2013/06/21 15:11:19 ossec-reportd: INFO: Started (pid: 17468).
> 2013/06/21 15:11:19 ossec-testrule: INFO: Reading local decoder file.
> 2013/06/21 15:11:19 ossec-testrule: INFO: Started (pid: 17467).
> 2013/06/21 15:11:24 ossec-reportd: INFO: Report completed. Creating
> output...
>
> Report completed. ==
> ------------------------------------------------
> ->Processed alerts: 1
> ->Post-filtering alerts: 1
> ->First alert: 2013 Jun 21 15:11:19
> ->Last alert: 2013 Jun 21 15:11:19
>
>
> Top entries for 'Level':
> ------------------------------------------------
> Severity 6 |1 |
>
>
> Top entries for 'Group':
> ------------------------------------------------
> authentication_failed |1 |
> local |1 |
> syslog |1 |
>
>
> Top entries for 'Location':
> ------------------------------------------------
> sysutil1->stdin |1 |
>
>
> Top entries for 'Rule':
> ------------------------------------------------
> 5503 - User login failed. |1 |
>
>
>
>
>
> While the tcpdump was running I performed a logger command with the same
> info on the client:
>
>
> logger -pauth.err "Jun 21 11:08:58 xxxxx su: pam_unix(su-l:auth):
> authentication failure; logname=albee uid=xxxx euid=0 tty=pts/1 ruser=albee
> rhost= user=root"
>
>
>
> When I look at the tcpdump screen I can see the data was sent to the
> ossec-remoted daemon running on the master server via port 1514:
>
> root: --> tcpdump -i en0 port 1514
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on en0, link-type 1, capture size 96 bytes
> 15:16:56.102511 IP xxxxx.pdc.tch.harvard.edu.33812 > xxxxx.tch.harvard.edu:
> UDP, length 209
>
>
>
> Although I receive an alert when tested from the server, the same test
> does not generate an alert when run from the client. This is despite seeing
> the message being sent from the client and received by the ossec-remoted
> daemon on the server. Any help would be appreciated.
>
> -Leo
>
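As an added example (not Leo's code or OSSEC's own source), the script below parses the three syslog line shapes that appear in this thread with a plain BSD-syslog header parser and reports which program name each yields, since the program name is what a decoder keys on. The pam decoder and rule 5503 check are a simplified stand-in for OSSEC's decoder and rule logic, and the hostnames, uid and the assumption that logger without -t uses the caller's login name as the tag are mine, not the page's.

```python
import re
from typing import Optional, Tuple

# Constructed sample lines (hostname and uid are placeholders): the syslog
# record produced by each logger invocation quoted in the thread.
PAM_MSG = ("pam_unix(su-l:auth): authentication failure; "
           "logname=albee uid=1234 euid=0 tty=pts/1 ruser=albee rhost= user=root")
SAMPLE_LINES = {
    # logger -pauth.err -t su "<pam message>"  -> program tag is 'su'
    "tagged": "Jun 21 16:11:35 agent01 su: " + PAM_MSG,
    # logger -pauth.err "Jun 21 11:08:58 agent01 su: <pam message>"  (no -t)
    # Assumption: syslog prepends its own header and uses the caller's login
    # as the tag, so the header typed into the body is just message text.
    "untagged": "Jun 21 11:08:58 agent01 albee: Jun 21 11:08:58 agent01 su: " + PAM_MSG,
    # Header shape seen in the client's ossec.log in the thread: AIX-style
    # "facility|priority" fields sit between the host and the program name.
    "aix_style": "Jun 21 16:11:35 agent01 auth|security:err|error su: " + PAM_MSG,
}

# BSD syslog header: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Assumption: simplified stand-in for OSSEC's 'pam' decoder (program name in a
# fixed set, message starting with 'pam_unix') and for rule 5503.
PAM_PROGRAMS = {"su", "sudo", "login", "sshd"}


def decode(line: str) -> Tuple[str, str, Optional[int]]:
    """Return (program_name, decoder, rule_id) for one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Header did not parse: no program name, nothing for a decoder to key on.
        return ("", "none", None)
    prog, msg = m.group("prog"), m.group("msg")
    if prog in PAM_PROGRAMS and msg.startswith("pam_unix"):
        rule = 5503 if "authentication failure; logname=" in msg else None
        return (prog, "pam", rule)
    return (prog, "syslog", None)


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(f"{name:>9}: {decode(line)}")
```

Only the line written with `-t su` reaches the pam decoder; the other two never present `su` as the program name, which is the first thing to compare between a logtest input and what the agent actually ships.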