On Wed, Oct 2, 2013 at 10:50 AM, Kaspars Līcis <[email protected]> wrote:
> I have created decoder who extracted username and accessed file from windows
> file server. After that rule create alarm if specific user access the file.
> When I test it everything looks ok, but in live environment ossec do not
> create any alert in /var/ossec/logs/alerts/alerts.log
> I can’t figure out what can be wrong.
> alienvault:/var/ossec/logs/archives# /var/ossec/bin/ossec-logtest
> 2013/10/02 17:18:36 ossec-testrule: INFO: Reading local decoder file.
> 2013/10/02 17:18:36 ossec-testrule: INFO: Started (pid: 10349).
> ossec-testrule: Type one log per line.
>
> 2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security:


Did you get this log message from archives.log? If so, there is a
header on it that needs to be removed. Everything before the second
WinEvtLog should be removed.


> AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no
> domain: domain.local.ff: An attempt was made to access an object. Subject:
> Security ID:  S-1-5-21-79331101-1830893244-26564730-29171  Account Name:
> specusername  Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:
> Object Server: Security  Object Type: File  Object Name: d:\test\file.txt
> Handle ID: 0x4358  Process Information:  Process ID: 0x4  Process Name:
> Access Request Information:  Accesses: %%4416
> Access Mask: 0x1
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog
> WinEvtLog: Security: AUDIT_SUCCESS(4663):
> Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff:
> An attempt was made to access an object. Subject:  Security ID:
> S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  specusername
> Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  Object Server:
> Security  Object Type: File  Object Name: d:\test\file.txt  Handle ID:
> 0x4358  Process Information:  Process ID: 0x4  Process Name:   Access
> Request Information:  Accesses: %%4416                              Access
> Mask: 0x1'
>        hostname: 'alienvault'
>        program_name: '(null)'
>        log: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no
> user): no domain: domain.local.ff: An attempt was made to access an object.
> Subject:  Security ID:  S-1-5-21-79331101-1830893244-26564730-29171  Account
> Name:  specusername  Account Domain:  mydomain  Logon ID:  0x8251cea32
> Object:  Object Server: Security  Object Type: File  Object Name:
> d:\test\file.txt  Handle ID: 0x4358  Process Information:  Process ID: 0x4
> Process Name:   Access Request Information:  Accesses: %%4416
> Access Mask: 0x1'
>
> **Phase 2: Completed decoding.
>        decoder: 'valdes-mape'
>        srcuser: 'specusername'
>        extra_data: 'd:\test\file.txt  '
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '700006'
>        Level: '7'
>        Description: 'Alert'
> **Alert to be generated.
> decoder:
> <decoder name="valdes-mape">
> <prematch>test</prematch>
> </decoder>
> <decoder name="valdes-mape-alert">
> <parent>valdes-mape</parent>
> <prematch>Name:</prematch>
> <regex offset="after_prematch">(\w+) \.+ Name: (\.+)Handle ID:</regex>
> <order>srcuser,extra_data</order>
> </decoder>
>
> and rule
>
> <group name="valdes-mape">
> <rule id="700005" level="0">
> <decoded_as>valdes-mape</decoded_as>
> <description>Custom Alert</description>
> </rule>
> <rule id="700006" level="12">
> <if_sid>700005</if_sid>
> <match>specusername</match>
> <description>Alert</description>
> <!-- <options>alert_by_email</options> -->
> </rule>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

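The point made in the reply above is that lines copied out of archives.log carry a prefix ("timestamp (agent) ip->location ") that ossec-logtest does not expect, so a decoder that works against the raw event can appear to fail when the archived copy is pasted in. The script below, written for this thread as an added example (it is not part of the original post or of the OSSEC project), parses that prefix and strips it so archived lines can be piped straight into ossec-logtest. The parenthesised-agent form is taken from the line quoted in the thread; the form without a parenthesised agent name, for logs collected on the manager itself, is an assumption.

```python
import re
import sys

# Header that ossec-analysisd writes in front of each line stored in archives.log:
#   "YYYY Mon DD HH:MM:SS (agent) ip->location <raw log>"
# The parenthesised form is the one quoted in the thread. The alternative
# "YYYY Mon DD HH:MM:SS host->location <raw log>" (no parenthesised agent name)
# is an assumption made here for logs read on the manager itself.
_ARCHIVE_HDR = re.compile(
    r'^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) '
    r'(?:\((?P<agent>[^)]*)\) (?P<ip>\S+?)|(?P<host>\S+?))'
    r'->(?P<location>\S+) (?P<log>.*)$'
)


def parse_archive_line(line):
    """Split one archives.log line into its header fields and the raw log.

    Returns a dict with keys ts, agent, ip, host, location and log, or None
    when the line carries no archives.log header (i.e. it already is a raw log).
    """
    m = _ARCHIVE_HDR.match(line.rstrip('\r\n'))
    return m.groupdict() if m else None


def strip_archive_header(line):
    """Return the raw log exactly as ossec-logtest expects it (header removed).

    Lines without a header are returned unchanged (trailing newline dropped),
    so the function is safe to run over a mix of archived and raw lines.
    """
    parsed = parse_archive_line(line)
    return parsed['log'] if parsed else line.rstrip('\r\n')


# Constructed sample: the event quoted in the thread, joined onto one line as it
# would appear in archives.log (the long run of spaces before "Access Mask"
# collapsed).
SAMPLE_ARCHIVE_LINE = (
    "2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no "
    "domain: domain.local.ff: An attempt was made to access an object. Subject:  "
    "Security ID:  S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  "
    "specusername  Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  "
    "Object Server: Security  Object Type: File  Object Name: d:\\test\\file.txt  "
    "Handle ID: 0x4358  Process Information:  Process ID: 0x4  Process Name:   "
    "Access Request Information:  Accesses: %%4416  Access Mask: 0x1"
)


def main():
    # Filter mode: archives.log lines on stdin, logtest-ready lines on stdout,
    # e.g.  tail -n 50 /var/ossec/logs/archives/archives.log | python3 strip_hdr.py | /var/ossec/bin/ossec-logtest
    for line in sys.stdin:
        print(strip_archive_header(line))


if __name__ == "__main__":
    main()
```

Run as a filter between archives.log and ossec-logtest; the first field of each output line is then the "WinEvtLog: Security: ..." event itself, which is what the decoder's prematch and regex are tested against when the same event arrives live.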