Dear Dan,
              Yes, I went into the ossec.log and saw what is below. I have a few 
things to ask here. First, I saw it says 1229 total rules enabled. Will the 
rules increase by themselves, or do they need manual intervention? Why are some 
showing as errors? Another error is this one: Queue '/queue/alerts/ar' not 
accessible: 'Connection refused'.


2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986).
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/messages'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file 
'/var/log/authlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/authlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/secure'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file 
'/var/log/xferlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/xferlog'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/maillog'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file 
'/var/www/logs/access_log'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/www/logs/access_log'.
2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file 
'/var/www/logs/error_log'.
2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/www/logs/error_log'.
2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972).
2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
not accessible: 'Connection refused'.
2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to 
active response queue.
2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to 
'/queue/alerts/execq' (exec queue)
2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982).
2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982).
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: 
'/usr/sbin'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan 
(forwarding database).
2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database 
(pre-scan).
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, 
ignoring it: '/var/log/authlog'.
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, 
ignoring it: '/var/log/xferlog'.
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, 
ignoring it: '/var/www/logs/access_log'.
2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, 
ignoring it: '/var/www/logs/error_log'.
2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file.
2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010).
2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064).
2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck 
database (pre-scan completed).
2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding 
database).
2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/08/31 16:47:07 ossec-execd: INFO: Active response command not present: 
'/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this 
system.
2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: 
'/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: 
'/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: 
'/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: 
'/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: 
'/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: 
'/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over.
2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting 
responses.
2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit 
Cleaning...
2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file.
2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246).
2013/09/01 21:32:08 DEBUG: I am creating the SQLite table. 
2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269).
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file.
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'rules_config.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'pam_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'sshd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'telnetd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'syslog_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'arpwatch_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'symantec-av_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'symantec-ws_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'pix_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'named_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'smbd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'vsftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'pure-ftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'proftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ms_ftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ftpd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'hordeimp_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'roundcube_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'wordpress_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'cimserver_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'vpopmail_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'vmpop3d_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'courier_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'web_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'web_appsec_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'apache_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'nginx_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'php_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'mysql_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'postgresql_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ids_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'squid_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'firewall_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'cisco-ios_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'netscreenfw_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'sonicwall_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'postfix_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'sendmail_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'imapd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'mailscanner_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'dovecot_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ms-exchange_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'racoon_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'vpn_concentrator_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'spamd_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'msauth_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'mcafee_av_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'trend-osce_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ms-se_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'zeus_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'solaris_bsm_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'vmware_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ms_dhcp_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'asterisk_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'ossec_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'attack_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: 
'local_rules.xml'
2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: 
'/etc/mail/statistics'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'


2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/messages'.
2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file 
'/var/log/authlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/authlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/secure'.
2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file 
'/var/log/xferlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/xferlog'.
2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: 
'/var/log/maillog'.

2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' 
not accessible: 'Connection refused'.
2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to 
active response queue.

2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file.
2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245).
2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file.
2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248).
2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file.
2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250).
2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan.

The rootcheck runs by itself; is it automatic?


Next I went into alerts.log. So will all of this be alerted via email, or only 
some alerts?

I saw this.

** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep  8 00:51:17 capture sshd[11987]: Accepted password for root 
from **.**.**.78 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened 
for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 60.50.38.78
User: root
Sep  8 00:52:24 capture sshd[11985]: Accepted password for root from 
**.**.**.78 port 3512 ssh2

** Alert 1378572745.840: - pam,syslog,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session opened 
for user root by (uid=0) 
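As an added example (not from the thread or from OSSEC itself), the script below parses the alerts.log record format quoted above and tallies successful SSH logins per user and source address, which is the first thing to review when a host was already exposed before OSSEC was installed. The sample records are constructed from the ones above, with the real source address replaced by a documentation address.

```python
import re
from collections import Counter

# Constructed sample in the alerts.log format quoted in the thread (documentation address).
SAMPLE_ALERTS = """\
** Alert 1378572677.0: - syslog,sshd,authentication_success,
2013 Sep 08 00:51:17 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.78
User: root
Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from 192.0.2.78 port 3516 ssh2

** Alert 1378572679.290: - pam,syslog,authentication_success,
2013 Sep 08 00:51:19 capture->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Sep  8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1378572745.548: - syslog,sshd,authentication_success,
2013 Sep 08 00:52:25 capture->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.78
User: root
Sep  8 00:52:24 capture sshd[11985]: Accepted password for root from 192.0.2.78 port 3512 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+: - (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Yield one dict per record; records are separated by a blank line."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:                      # stray text, not an alert header
            continue
        rec = {"ts": int(head.group(1)), "raw": lines[-1],   # raw log line is last
               "groups": head.group(2).strip(",").split(",")}
        for line in lines[1:-1]:
            rule = RULE.match(line)
            if rule:
                rec["rule"], rec["level"], rec["desc"] = int(rule.group(1)), int(rule.group(2)), rule.group(3)
            elif line.startswith("Src IP: "):
                rec["src_ip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                rec["user"] = line[len("User: "):]
        yield rec

def successful_logins(text):
    """Tally (user, src_ip) over authentication_success alerts that name a source address."""
    tally = Counter()
    for rec in parse_alerts(text):
        if "authentication_success" in rec["groups"] and "src_ip" in rec:
            tally[(rec.get("user", "?"), rec["src_ip"])] += 1
    return tally
```

Run it over the real file with `successful_logins(open("/var/ossec/logs/alerts/alerts.log").read())`; any (user, address) pair you do not recognise is worth checking before trusting the host.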


Another thing: with this process, zcat /var/log/*.gz | 
/var/ossec/bin/ossec-logtest, basically what are we going to look out for 
from here?
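The zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest pipeline from the thread only covers the compressed files. As an added example (not from the thread or from OSSEC), the script below walks a whole log directory, detects gzip by its magic bytes so rotated logs are handled whatever their name, skips unreadable files instead of aborting, and merges stderr into the output file the way the thread's 2>&1 does. The ossec-logtest and output paths are the thread's; the sample tree is constructed.

```python
import gzip
import os
import subprocess
import sys
import tempfile

LOGTEST = "/var/ossec/bin/ossec-logtest"      # path used in the thread

def is_gzip(path):
    """gzip files start with the two magic bytes 1f 8b, whatever their name."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"\x1f\x8b"

def iter_lines(root):
    """Yield every line of every regular file under root (plain or gzip); unreadable files are skipped."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                opener = gzip.open if is_gzip(path) else open
                with opener(path, "rt", errors="replace") as fh:
                    for line in fh:
                        yield line.rstrip("\n")
            except OSError as exc:
                print(f"skipping {path}: {exc}", file=sys.stderr)

def count_lines(root):
    """Number of log lines that would be sent to ossec-logtest."""
    return sum(1 for _ in iter_lines(root))

def run_logtest(root, output_path, logtest=LOGTEST):
    """Feed the lines to ossec-logtest; stdout and stderr both go to output_path (the thread's '> file 2>&1')."""
    with open(output_path, "w") as out:
        proc = subprocess.Popen([logtest], stdin=subprocess.PIPE, stdout=out,
                                stderr=subprocess.STDOUT, text=True)
        for line in iter_lines(root):
            proc.stdin.write(line + "\n")
        proc.stdin.close()
        return proc.wait()

def make_sample_tree():
    """Constructed stand-in for /var/log: one plain log and one rotated gzip log."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "secure"), "w") as fh:
        fh.write("Sep  8 00:51:17 capture sshd[11987]: Accepted password for root from 192.0.2.78 port 3516 ssh2\n")
    with gzip.open(os.path.join(root, "secure-20130901.gz"), "wt") as fh:
        fh.write("Sep  1 03:00:01 capture sshd[11000]: Failed password for root from 192.0.2.9 port 4010 ssh2\n"
                 "Sep  1 03:00:05 capture sshd[11000]: Failed password for root from 192.0.2.9 port 4010 ssh2\n")
    return root

if __name__ == "__main__":
    sys.exit(run_logtest(sys.argv[1] if len(sys.argv) > 1 else "/var/log", "/usr/local/ossetest.txt"))
```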





On Friday, September 6, 2013 11:14:40 PM UTC+8, dan (ddpbsd) wrote:
>
> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <[email protected]> wrote:
> > Dear Dan,
> >               I know the option you gave is just for a single file. I want to
> > do the whole of /var/log; how do I go about that, which I think is
> > what ossec-logtest does, right?
> > I know neither of these works now:
> > cat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
> > cat: /var/log: Is a directory
> > [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt 2>&1
> > gzip: /var/log is a directory -- ignored
> >
>
> You're running this on a Linux or Unix-like system; use the tools
> available.
> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest
>
>
> > How do I confirm that syscheck is running? Normally, where and what are the
> > logfiles of ossec for us to view or look at? Thank you. Sorry, very new to
> > this tool.
> >
>
> /var/ossec/logs/ossec.log contains information like when syscheck runs. 
> /var/ossec/logs/alerts/alerts.log has alert information. 
>
>
> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <[email protected]> wrote: 
> >> > Dear Dan, 
> >> >               For ossec-logtest I just ran like this ./ossec-logtest? 
> >> > How 
> >> 
> >> The easiest way is to pipe the log file through logtest: 
> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest 
> >> 
> >> Use zcat if the logfile is compressed. If you want to redirect the 
> >> output to a file, use this: 
> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file 2>&1
> >> 
> >> 
> >> > about the syscheck, how do I run it? What will both of these scripts
> >> > eventually
> >> 
> >> By default, syscheck will run when OSSEC starts. 
> >> 
> >> > be doing? Do I need to run the rootcheck?
> >> > 
> >> 
> >> Same as syscheck I believe. 
> >> 
> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto <[email protected]> wrote:
> >> >> > Hi All,
> >> >> >         I just rebuilt and installed ossec on my CentOS 6.4 machine. So
> >> >> > what is the next step to be done, as this is an existing machine and I
> >> >> > want to check for any previous intrusion? I also want to get alerts on
> >> >> > updates to my local files or any new files created. I am sorry, very
> >> >> > new to it.
> >> >> >
> >> >> 
> >> >> You can use ossec-logtest to check old log files, and syscheck has a 
> >> >> default configuration that can cover most needs. If you have custom 
> >> >> locations that must be monitored, you should add them to the 
> >> >> ossec.conf in the syscheck section. 
> >> >> 
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> >> > an email to [email protected].
> >> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> > 
> > 
>
