Dan,

Are you referring to the "etc/decoder.xml" file? I started looking in there 
yesterday but didn't get very far due to other issues coming up. I just 
assumed that the source IP would be a common field that was parsed for 
general Snare logs.

Thanks,
Eric

On Tuesday, October 1, 2013 3:00:36 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Oct 1, 2013 at 2:58 PM, Eric <[email protected]> wrote:
> > Hello,
> >
> > I am using OSSEC in a server config with no actual agents. I am having Snare
> > logs from my Windows servers sent to /var/log/remotesys.log and having OSSEC
> > monitor that file to trip alerts. This works for the most part but I'm
> > having a few issues. The main issue is on rules such as 40112 - Multiple
> > authentication failures followed by a success. This works fine when I test
> > it with local SSH on the box as the "Src IP" is parsed out and shown
> > correctly when I'm reviewing the logs in OSSEC-wui. But on the Windows box,
> > it isn't showing a Src IP section. I see Level, Rule ID, Location (server1's
> > DNS name -> /var/log/remotesys.log), and user (192.168.10.10\administrator).
> > I would think it could trip the "from same IP" correlation that rule 40112
> > needs from the location or first part of the user field, but it isn't
> > working. Once I remove the from same IP part of the rule I can get it to
> > trip on Windows events too. But I have to have that part since I will have
> > hundreds of Windows servers sending logs to the same location.
> >
> > Thanks for the help.
> > Eric
> >
>
> Make sure a usable IP address is decoded.
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>

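Dan's one-line answer is the whole problem: a `<same_source_ip />` correlation can only group events by whatever the decoder placed in the `srcip` field, and a user string like `192.168.10.10\administrator` or a file-based location is not that field. The script below is an added illustration written for this thread, not code from the thread, from OSSEC, or from the Snare project. It builds a few constructed Snare-style Windows Security lines (the tab-separated field order and the "Source Network Address:" message text are assumptions modelled on typical Snare output, not captured data), decodes them the way an OSSEC `<regex>`/`<order>` pair would, and runs a "failures then success from the same IP" check over them with and without a source IP being extracted. The threshold and window are placeholder values, not the real numbers behind rule 40112.

```python
import re
from collections import defaultdict, deque

# Constructed Snare-style event lines (illustrative, not real captures).  Assumed
# tab-separated field order: MSWinEventLog, criticality, log name, counter, time,
# EventID, source, user, SID type, event type, host, category, message text.
def snare_line(counter, event_id, user, event_type, srcip, host="SERVER1"):
    verb = "failed to log on" if event_type == "Failure Audit" else "was successfully logged on"
    msg = (f"An account {verb}. Account Name: {user} "
           f"Source Network Address: {srcip} Source Port: 50000")
    return "\t".join(["MSWinEventLog", "1", "Security", str(counter),
                      "Tue Oct 01 14:58:00 2013", str(event_id),
                      "Microsoft-Windows-Security-Auditing", user, "N/A",
                      event_type, host, "Logon", msg])

# (arrival time in seconds, raw line): four failures then a success from .10,
# plus one unrelated failure from .20 that must not be counted against .10.
SAMPLE_EVENTS = [
    (0,  snare_line(1, 4625, "administrator", "Failure Audit", "192.168.10.10")),
    (5,  snare_line(2, 4625, "administrator", "Failure Audit", "192.168.10.10")),
    (7,  snare_line(3, 4625, "backup",        "Failure Audit", "192.168.10.20")),
    (10, snare_line(4, 4625, "administrator", "Failure Audit", "192.168.10.10")),
    (15, snare_line(5, 4625, "administrator", "Failure Audit", "192.168.10.10")),
    (20, snare_line(6, 4624, "administrator", "Success Audit", "192.168.10.10")),
]

# Logon failure IDs (4625 on Vista+, 529 earlier) and success IDs (4624; 528/540 earlier).
FAILURE_IDS = {"4625", "529"}
SUCCESS_IDS = {"4624", "528", "540"}
# Equivalent of a decoder regex whose <order> maps this capture to srcip.
SRCIP_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def decode(line, extract_srcip=True):
    """Return decoded fields for one Snare-style line, or None if it does not prematch.

    extract_srcip=False simulates a decoder that never populates srcip, which is
    the situation described in the thread."""
    fields = line.split("\t")
    if fields[0] != "MSWinEventLog" or len(fields) < 13:
        return None
    event_id = fields[5]
    match = SRCIP_RE.search(fields[12]) if extract_srcip else None
    outcome = ("failed" if event_id in FAILURE_IDS
               else "success" if event_id in SUCCESS_IDS else "other")
    return {"id": event_id, "user": fields[7],
            "srcip": match.group(1) if match else None, "outcome": outcome}

def correlate(events, extract_srcip=True, frequency=4, timeframe=120):
    """Return (srcip, user) alerts for 'frequency failures within timeframe seconds,
    followed by a success, all from the same source IP'.

    Events with no srcip cannot be bucketed by source and are skipped, which is
    why the same-source rule never fires when the decoder leaves srcip empty."""
    failures = defaultdict(deque)   # srcip -> arrival times of recent failures
    alerts = []
    for ts, line in events:
        ev = decode(line, extract_srcip)
        if ev is None or ev["srcip"] is None:
            continue
        recent = failures[ev["srcip"]]
        while recent and ts - recent[0] > timeframe:   # drop failures outside the window
            recent.popleft()
        if ev["outcome"] == "failed":
            recent.append(ts)
        elif ev["outcome"] == "success" and len(recent) >= frequency:
            alerts.append((ev["srcip"], ev["user"]))
            recent.clear()
    return alerts

if __name__ == "__main__":
    print("srcip decoded:    ", correlate(SAMPLE_EVENTS))
    print("srcip not decoded:", correlate(SAMPLE_EVENTS, extract_srcip=False))
```

With the source address extracted the check fires once, for 192.168.10.10/administrator, and the single failure from 192.168.10.20 stays below threshold; with `extract_srcip=False` nothing fires, which is the symptom Eric describes. The way to confirm what OSSEC itself is extracting is to feed one of the real Snare lines from /var/log/remotesys.log to `/var/ossec/bin/ossec-logtest` and check whether the decoding phase prints a `srcip` field; if it does not, a decoder that captures the address into `srcip` is what is missing, not the rule.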