On Wed, Oct 2, 2013 at 10:50 AM, Kaspars Līcis <[email protected]> wrote:
> I have created a decoder which extracts the username and accessed file from a
> Windows file server. After that, a rule creates an alarm if a specific user
> accesses the file. When I test it everything looks OK, but in the live
> environment OSSEC does not create any alert in /var/ossec/logs/alerts/alerts.log.
> I can't figure out what can be wrong.
>
> alienvault:/var/ossec/logs/archives# /var/ossec/bin/ossec-logtest
> 2013/10/02 17:18:36 ossec-testrule: INFO: Reading local decoder file.
> 2013/10/02 17:18:36 ossec-testrule: INFO: Started (pid: 10349).
> ossec-testrule: Type one log per line.
>
> 2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security:

Did you get this log message from archives.log? If so, there is a header on it that needs to be removed. Everything before the second WinEvtLog should be removed.

> AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no
> domain: domain.local.ff: An attempt was made to access an object. Subject:
> Security ID: S-1-5-21-79331101-1830893244-26564730-29171 Account Name:
> specusername Account Domain: mydomain Logon ID: 0x8251cea32 Object:
> Object Server: Security Object Type: File Object Name: d:\test\file.txt
> Handle ID: 0x4358 Process Information: Process ID: 0x4 Process Name:
> Access Request Information: Accesses: %%4416
> Access Mask: 0x1
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog
> WinEvtLog: Security: AUDIT_SUCCESS(4663):
> Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff:
> An attempt was made to access an object. Subject: Security ID:
> S-1-5-21-79331101-1830893244-26564730-29171 Account Name: specusername
> Account Domain: mydomain Logon ID: 0x8251cea32 Object: Object Server:
> Security Object Type: File Object Name: d:\test\file.txt Handle ID:
> 0x4358 Process Information: Process ID: 0x4 Process Name: Access
> Request Information: Accesses: %%4416 Access
> Mask: 0x1'
> hostname: 'alienvault'
> program_name: '(null)'
> log: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no
> user): no domain: domain.local.ff: An attempt was made to access an object.
> Subject: Security ID: S-1-5-21-79331101-1830893244-26564730-29171 Account
> Name: specusername Account Domain: mydomain Logon ID: 0x8251cea32
> Object: Object Server: Security Object Type: File Object Name:
> d:\test\file.txt Handle ID: 0x4358 Process Information: Process ID: 0x4
> Process Name: Access Request Information: Accesses: %%4416
> Access Mask: 0x1'
>
> **Phase 2: Completed decoding.
> decoder: 'valdes-mape'
> srcuser: 'specusername'
> extra_data: 'd:\test\file.txt '
>
> **Phase 3: Completed filtering (rules).
> Rule id: '700006'
> Level: '7'
> Description: 'Alert'
> **Alert to be generated.
>
> decoder:
>
> <decoder name="valdes-mape">
> <prematch>test</prematch>
> </decoder>
>
> <decoder name="valdes-mape-alert">
> <parent>valdes-mape</parent>
> <prematch>Name:</prematch>
> <regex offset="after_prematch">(\w+) \.+ Name: (\.+)Handle ID:</regex>
> <order>srcuser,extra_data</order>
> </decoder>
>
> and rule
>
> <group name="valdes-mape">
> <rule id="700005" level="0">
> <decoded_as>valdes-mape</decoded_as>
> <description>Custom Alert</description>
> </rule>
> <rule id="700006" level="12">
> <if_sid>700005</if_sid>
> <match>specusername</match>
> <description>Alert</description>
> <!-- <options>alert_by_email</options> -->
> </rule>
> </group>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
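The reply's point is that lines copied out of archives.log carry an OSSEC storage header ("date (agent) ip->location ") in front of the raw event, and that ossec-logtest should be fed the raw event, i.e. everything from the second "WinEvtLog" onward. The script below is an added illustration, not code from the thread or from OSSEC: it strips that header from the sample line, then emulates the posted decoder pair and the two posted rules in Python so the decode result can be compared with the logtest output above. The OSSEC regex dialect is translated rather than copied (in OSSEC `\.` matches any character and `\w` covers letters, digits, `@`, `-` and `_`), the alert threshold of level 1 is OSSEC's default `log_alert_level` and the second sample event (a different file path) is constructed here to show when the parent decoder does not apply.

```python
import re

# Constructed sample: the archives.log line from the thread, header attached.
ARCHIVE_LINE = (
    "2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no "
    "domain: domain.local.ff: An attempt was made to access an object. Subject: "
    "Security ID: S-1-5-21-79331101-1830893244-26564730-29171 Account Name: "
    "specusername Account Domain: mydomain Logon ID: 0x8251cea32 Object: "
    "Object Server: Security Object Type: File Object Name: d:\\test\\file.txt "
    "Handle ID: 0x4358 Process Information: Process ID: 0x4 Process Name: "
    "Access Request Information: Accesses: %%4416 Access Mask: 0x1"
)

# archives.log stores each event as "YYYY Mon DD HH:MM:SS (agent) ip->location <raw event>".
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \([^)]*\) \S+?->\S+ "
)


def strip_archive_header(line):
    """Return the raw event as the agent sent it, which is what ossec-logtest
    expects on stdin.  A line that carries no header is returned unchanged."""
    return ARCHIVE_HEADER.sub("", line, count=1)


# Python translations of the two posted decoders (OSSEC regex dialect differs:
# "\." is any character, "\w" is letters, digits, '@', '-' and '_').
PARENT_PREMATCH = "test"          # <decoder name="valdes-mape"><prematch>test</prematch>
CHILD_PREMATCH = "Name:"          # <decoder name="valdes-mape-alert"><prematch>Name:</prematch>
CHILD_REGEX = re.compile(r"([\w@-]+) .+ Name: (.+)Handle ID:")  # <regex offset="after_prematch">


def decode(event):
    """Emulate the decoder pair.  Returns the decoded fields, or None when the
    parent decoder does not apply to the event at all."""
    if PARENT_PREMATCH not in event:
        return None
    fields = {"decoder": "valdes-mape"}
    pos = event.find(CHILD_PREMATCH)
    if pos == -1:
        return fields
    # offset="after_prematch": the regex is searched in the text after "Name:".
    m = CHILD_REGEX.search(event[pos + len(CHILD_PREMATCH):])
    if m is not None:
        fields["srcuser"] = m.group(1)        # <order>srcuser,extra_data</order>
        fields["extra_data"] = m.group(2)
    return fields


# The two posted rules, in evaluation order.
RULES = [
    {"id": "700005", "level": 0, "decoded_as": "valdes-mape"},
    {"id": "700006", "level": 12, "if_sid": "700005", "match": "specusername"},
]
LOG_ALERT_LEVEL = 1   # assumed: OSSEC's default log_alert_level; level-0 rules never alert


def evaluate(event):
    """Return the rule that fires for the event together with the decoded
    fields, or None when no rule matches."""
    fields = decode(event)
    if fields is None or fields["decoder"] != RULES[0]["decoded_as"]:
        return None
    fired = RULES[0]
    for rule in RULES[1:]:
        # <if_sid> chains on the parent rule; <match> is a substring test on the log.
        if rule["if_sid"] == fired["id"] and rule["match"] in event:
            fired = rule
    return {"rule": fired["id"], "level": fired["level"], **fields}


def would_alert(event):
    """True when the firing rule's level reaches the alert threshold."""
    result = evaluate(event)
    return result is not None and result["level"] >= LOG_ALERT_LEVEL


# Constructed second event: same 4663 record, but a path that does not contain "test".
OTHER_FILE_LINE = ARCHIVE_LINE.replace("d:\\test\\file.txt", "d:\\share\\report.docx")

if __name__ == "__main__":
    raw = strip_archive_header(ARCHIVE_LINE)
    print(raw[:60] + "...")
    print(evaluate(raw))
    print(would_alert(raw), would_alert(strip_archive_header(OTHER_FILE_LINE)))
```

Running it reproduces the logtest output above for the sample (`srcuser` "specusername", `extra_data` "d:\test\file.txt " with its trailing space, rule 700006). The header does not change the decode of this particular line, because neither "test" nor "Name:" occurs in the header, but stripping it is still the right way to test what the agent actually sends. The second sample shows the dependency the posted configuration has on the parent prematch: an event whose text contains no "test" never reaches the child decoder or the rules, so a live event for a file outside a "test" path produces no alert even when "specusername" is in it. Note also that logtest reports Level '7' for rule 700006 while the posted rule file says level="12", which suggests the rule file logtest loaded is not the one shown.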
