On Sat, Sep 7, 2013 at 1:03 PM, frwa onto <[email protected]> wrote: > Dear Dan, > Yes I went into the ossec.log and saw like below. I got few > things to ask here first I saw it say 1229 total rules enabled. Will the > rules increase by itself or need manual intervention ? Why some are showing
You will have to update the rules manually (for now). > as errors? Another error is this one Queue '/queue/alerts/ar' not What rules are showing up as errors? > accessible: 'Connection refused'.? Are you using active response? If not, ignore. > > > 2013/08/31 15:12:10 ossec-monitord: INFO: Started (pid: 5986). > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/messages'. > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file > '/var/log/authlog'. > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/authlog'. > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/secure'. > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file > '/var/log/xferlog'. > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/xferlog'. > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/maillog'. > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file > '/var/www/logs/access_log'. > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/www/logs/access_log'. > 2013/08/31 15:12:15 ossec-logcollector(1103): ERROR: Unable to open file > '/var/www/logs/error_log'. > 2013/08/31 15:12:15 ossec-logcollector(1950): INFO: Analyzing file: > '/var/www/logs/error_log'. > 2013/08/31 15:12:15 ossec-logcollector: INFO: Started (pid: 5972). > 2013/08/31 15:12:15 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' > not accessible: 'Connection refused'. > 2013/08/31 15:12:15 ossec-analysisd(1301): ERROR: Unable to connect to > active response queue. > 2013/08/31 15:12:15 ossec-analysisd: INFO: Connected to > '/queue/alerts/execq' (exec queue) > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Started (pid: 5982). > 2013/08/31 15:12:16 ossec-rootcheck: INFO: Started (pid: 5982). > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/etc'. > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'. > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: > '/usr/sbin'. > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/bin'. > 2013/08/31 15:12:16 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2013/08/31 15:14:10 ossec-syscheckd: INFO: Starting syscheck database > (pre-scan). > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, > ignoring it: '/var/log/authlog'. > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, > ignoring it: '/var/log/xferlog'. > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, > ignoring it: '/var/www/logs/access_log'. > 2013/08/31 15:14:25 ossec-logcollector(1904): INFO: File not available, > ignoring it: '/var/www/logs/error_log'. > 2013/08/31 15:20:13 ossec-testrule: INFO: Reading local decoder file. > 2013/08/31 15:20:13 ossec-testrule: INFO: Started (pid: 6010). > 2013/08/31 15:20:14 ossec-remoted: INFO: Started (pid: 6064). > 2013/08/31 15:26:10 ossec-syscheckd: INFO: Finished creating syscheck > database (pre-scan completed). > 2013/08/31 15:26:24 ossec-syscheckd: INFO: Ending syscheck scan (forwarding > database). > 2013/08/31 15:27:04 ossec-rootcheck: INFO: Starting rootcheck scan. > 2013/08/31 15:31:02 ossec-rootcheck: INFO: Ending rootcheck scan. > 2013/08/31 16:47:07 ossec-execd: INFO: Active response command not present: > '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this > system. > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: > '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over. > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: > '/logs/archives/2013/Aug/ossec-archive-30.log.sum'. Starting over. > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: > '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over. > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: > '/logs/alerts/2013/Aug/ossec-alerts-30.log.sum'. Starting over. > 2013/09/01 00:00:30 ossec-monitord: No previous md5 checksum found: > '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over. > 2013/09/01 00:00:30 ossec-monitord: No previous sha1 checksum found: > '/logs/firewall/2013/Aug/ossec-firewall-30.log.sum'. Starting over. > 2013/09/01 11:31:02 ossec-syscheckd: INFO: Starting syscheck scan. > 2013/09/01 11:43:25 ossec-syscheckd: INFO: Ending syscheck scan. > 2013/09/01 11:48:25 ossec-rootcheck: INFO: Starting rootcheck scan. > 2013/09/01 11:51:57 ossec-rootcheck: INFO: Ending rootcheck scan. > 2013/09/01 21:29:43 ossec-monitord(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2013/09/01 21:29:43 ossec-logcollector(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2013/09/01 21:29:43 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2013/09/01 21:29:43 ossec-analysisd(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2013/09/01 21:29:43 ossec-execd(1314): INFO: Shutdown received. Deleting > responses. > 2013/09/01 21:29:43 ossec-execd(1225): INFO: SIGNAL Received. Exit > Cleaning... > 2013/09/01 21:32:07 ossec-testrule: INFO: Reading local decoder file. > 2013/09/01 21:32:07 ossec-testrule: INFO: Started (pid: 1246). > 2013/09/01 21:32:08 DEBUG: I am creating the SQLite table. > 2013/09/01 21:32:08 ossec-execd: INFO: Started (pid: 1269). > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading local decoder file. > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'rules_config.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'pam_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'sshd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'telnetd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'syslog_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'arpwatch_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'symantec-av_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'symantec-ws_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'pix_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'named_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'smbd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'vsftpd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'pure-ftpd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'proftpd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ms_ftpd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ftpd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'hordeimp_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'roundcube_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'wordpress_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'cimserver_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'vpopmail_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'vmpop3d_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'courier_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'web_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'web_appsec_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'apache_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'nginx_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'php_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'mysql_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'postgresql_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ids_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'squid_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'firewall_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'cisco-ios_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'netscreenfw_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'sonicwall_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'postfix_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'sendmail_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'imapd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'mailscanner_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'dovecot_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ms-exchange_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'racoon_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'vpn_concentrator_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'spamd_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'msauth_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'mcafee_av_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'trend-osce_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ms-se_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'zeus_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'solaris_bsm_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'vmware_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ms_dhcp_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'asterisk_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'ossec_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'attack_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Reading rules file: > 'local_rules.xml' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Total rules enabled: '1229' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/mtab' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: > '/etc/mail/statistics' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime' > 2013/09/01 21:32:08 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs' > > > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/messages'. > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file > '/var/log/authlog'. > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/authlog'. > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/secure'. > 2013/09/01 21:32:14 ossec-logcollector(1103): ERROR: Unable to open file > '/var/log/xferlog'. > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/xferlog'. > 2013/09/01 21:32:14 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/maillog'. > > 2013/09/01 21:32:14 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' > not accessible: 'Connection refused'. > 2013/09/01 21:32:14 ossec-analysisd(1301): ERROR: Unable to connect to > active response queue. > > 2013/09/06 03:18:42 ossec-rootcheck: INFO: Starting rootcheck scan. > 2013/09/06 03:22:50 ossec-rootcheck: INFO: Ending rootcheck scan. > 2013/09/06 16:33:13 ossec-testrule: INFO: Reading local decoder file. > 2013/09/06 16:33:13 ossec-testrule: INFO: Started (pid: 10245). > 2013/09/06 16:33:31 ossec-testrule: INFO: Reading local decoder file. > 2013/09/06 16:33:31 ossec-testrule: INFO: Started (pid: 10248). > 2013/09/06 16:34:01 ossec-testrule: INFO: Reading local decoder file. > 2013/09/06 16:34:01 ossec-testrule: INFO: Started (pid: 10250). > 2013/09/06 23:17:50 ossec-syscheckd: INFO: Starting syscheck scan. > 2013/09/06 23:30:42 ossec-syscheckd: INFO: Ending syscheck scan. > 2013/09/06 23:35:42 ossec-rootcheck: INFO: Starting rootcheck scan. > 2013/09/06 23:39:49 ossec-rootcheck: INFO: Ending rootcheck scan. > 2013/09/07 19:34:49 ossec-syscheckd: INFO: Starting syscheck scan. > 2013/09/07 19:47:41 ossec-syscheckd: INFO: Ending syscheck scan. > 2013/09/07 19:52:41 ossec-rootcheck: INFO: Starting rootcheck scan. > 2013/09/07 19:56:47 ossec-rootcheck: INFO: Ending rootcheck scan. > > The rootcheck runs by itself is it automatically? > Looks like it. > > NExt I went into alerts.log. So will all this be alerted via email or only > some alerts? > Some alerts will trigger emails, some will not. You can customize a lot of that. > Saw this. > > ** Alert 1378572677.0: - syslog,sshd,authentication_success, > 2013 Sep 08 00:51:17 capture->/var/log/secure > Rule: 5715 (level 3) -> 'SSHD authentication success.' > Src IP: 60.50.38.78 > User: root > Sep 8 00:51:17 capture sshd[11987]: Accepted password for root from > **.**.**.78 port 3516 ssh2 > > ** Alert 1378572679.290: - pam,syslog,authentication_success, > 2013 Sep 08 00:51:19 capture->/var/log/secure > Rule: 5501 (level 3) -> 'Login session opened.' > Sep 8 00:51:17 capture sshd[11987]: pam_unix(sshd:session): session opened > for user root by (uid=0) > > ** Alert 1378572745.548: - syslog,sshd,authentication_success, > 2013 Sep 08 00:52:25 capture->/var/log/secure > Rule: 5715 (level 3) -> 'SSHD authentication success.' > Src IP: 60.50.38.78 > User: root > Sep 8 00:52:24 capture sshd[11985]: Accepted password for root from > **.**.**.78 port 3512 ssh2 > > ** Alert 1378572745.840: - pam,syslog,authentication_success, > 2013 Sep 08 00:52:25 capture->/var/log/secure > Rule: 5501 (level 3) -> 'Login session opened.' > Sep 8 00:52:25 capture sshd[11985]: pam_unix(sshd:session): session opened > for user root by (uid=0) > > > Another thing this process zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest > basically what are we going to look out from here? > That will provide some alerts. In fact, the "-a" flag to ossec-logtest should provide alerts very similar to what is in alerts.log. Other than that, this question is too broad for me to answer. > > > > > On Friday, September 6, 2013 11:14:40 PM UTC+8, dan (ddpbsd) wrote: >> >> On Fri, Sep 6, 2013 at 4:51 AM, frwa onto <[email protected]> wrote: >> > Dear Dan, >> > I know your option you gave is just for single file. I >> > Want to >> > do the whole of /var/log how to go about with that which I think that >> > is >> > what ossec-logtest does right. >> > I know neither of this does now work.. >> > cat /var/log | /var/ossec/bin/ossec-logtest > /usr/local/ossetest.txt >> > 2>&1 >> > cat: /var/log: Is a directory >> > [root@capture var]# zcat /var/log | /var/ossec/bin/ossec-logtest > >> > /usr/local/ossetest.txt 2>&1 >> > gzip: /var/log is a directory -- ignored >> > >> >> You're running this on a linux or unix-like system, use the tools >> available. >> zcat /var/log/*.gz | /var/ossec/bin/ossec-logtest >> >> >> > How to confirm that syscheck is running. Normally where and what are the >> > logfiles of ossec for us to to view or look?. Thank you. Sorry very new >> > to >> > this tool. >> > >> >> /var/ossec/logs/ossec.log contains information like when syscheck runs. >> /var/ossec/logs/alerts/alerts.log has alert information. >> >> >> > On Thursday, September 5, 2013 9:25:13 PM UTC+8, dan (ddpbsd) wrote: >> >> >> >> On Wed, Sep 4, 2013 at 1:54 PM, frwa onto <[email protected]> wrote: >> >> > Dear Dan, >> >> > For ossec-logtest I just ran like this ./ossec-logtest? >> >> > How >> >> >> >> The easiest way is to pipe the log file through logtest: >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest >> >> >> >> Use zcat if the logfile is compressed. If you want to redirect the >> >> output to a file, use this: >> >> cat /path/to/logfile | /var/ossec/bin/ossec-logtest > /path/to/file >> >> 2>&1 >> >> >> >> >> >> > about the syscheck how to run it? What will both of this script >> >> > eventually >> >> >> >> By default, syscheck will run when OSSEC starts. >> >> >> >> > be doing? Do I need to run the rootcheck ? >> >> > >> >> >> >> Same as syscheck I believe. >> >> >> >> > On Wednesday, September 4, 2013 9:38:07 PM UTC+8, dan (ddpbsd) wrote: >> >> >> >> >> >> On Tue, Sep 3, 2013 at 12:36 AM, frwa onto <[email protected]> >> >> >> wrote: >> >> >> > Hi All, >> >> >> > I just rebuild and install ossec on my centos 6.4 machine. >> >> >> > So >> >> >> > what >> >> >> > is the next step be done as this is any existing machine and I >> >> >> > want >> >> >> > to >> >> >> > check >> >> >> > for any previous intrusion? I also want to get alerts on updates >> >> >> > on >> >> >> > my >> >> >> > local >> >> >> > files or any new files created? I am sorry very new to it. >> >> >> > >> >> >> >> >> >> You can use ossec-logtest to check old log files, and syscheck has a >> >> >> default configuration that can cover most needs. If you have custom >> >> >> locations that must be monitored, you should add them to the >> >> >> ossec.conf in the syscheck section. >> >> >> >> >> >> > -- >> >> >> > >> >> >> > --- >> >> >> > You received this message because you are subscribed to the Google >> >> >> > Groups >> >> >> > "ossec-list" group. >> >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> >> > send >> >> >> > an >> >> >> > email to [email protected]. >> >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> > >> >> > -- >> >> > >> >> > --- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "ossec-list" group. >> >> > To unsubscribe from this group and stop receiving emails from it, >> >> > send >> >> > an >> >> > email to [email protected]. >> >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups >> > "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an >> > email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
