Thx, this fixed my problem.

On Wednesday, 2 October 2013 18:06:45 UTC+3, dan (ddpbsd) wrote:
>
> On Wed, Oct 2, 2013 at 10:50 AM, Kaspars Līcis <[email protected]> wrote:
> > I have created a decoder that extracts the username and the accessed file from a
> > Windows file server. After that, a rule creates an alarm if a specific user accesses
> > the file. When I test it everything looks ok, but in the live environment ossec does
> > not create any alert in /var/ossec/logs/alerts/alerts.log.
> > I can't figure out what can be wrong.
> >
> > alienvault:/var/ossec/logs/archives# /var/ossec/bin/ossec-logtest
> > 2013/10/02 17:18:36 ossec-testrule: INFO: Reading local decoder file.
> > 2013/10/02 17:18:36 ossec-testrule: INFO: Started (pid: 10349).
> > ossec-testrule: Type one log per line.
> >
> > 2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security:
>
> Did you get this log message from archives.log? If so, there is a
> header on it that needs to be removed. Everything before the second
> WinEvtLog should be removed.
>
> > AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no
> > domain: domain.local.ff: An attempt was made to access an object. Subject:
> > Security ID: S-1-5-21-79331101-1830893244-26564730-29171 Account Name:
> > specusername Account Domain: mydomain Logon ID: 0x8251cea32 Object:
> > Object Server: Security Object Type: File Object Name: d:\test\file.txt
> > Handle ID: 0x4358 Process Information: Process ID: 0x4 Process Name:
> > Access Request Information: Accesses: %%4416
> > Access Mask: 0x1
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff: An attempt was made to access an object. Subject: Security ID: S-1-5-21-79331101-1830893244-26564730-29171 Account Name: specusername Account Domain: mydomain Logon ID: 0x8251cea32 Object: Object Server: Security Object Type: File Object Name: d:\test\file.txt Handle ID: 0x4358 Process Information: Process ID: 0x4 Process Name: Access Request Information: Accesses: %%4416 Access Mask: 0x1'
> > hostname: 'alienvault'
> > program_name: '(null)'
> > log: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff: An attempt was made to access an object. Subject: Security ID: S-1-5-21-79331101-1830893244-26564730-29171 Account Name: specusername Account Domain: mydomain Logon ID: 0x8251cea32 Object: Object Server: Security Object Type: File Object Name: d:\test\file.txt Handle ID: 0x4358 Process Information: Process ID: 0x4 Process Name: Access Request Information: Accesses: %%4416 Access Mask: 0x1'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'valdes-mape'
> > srcuser: 'specusername'
> > extra_data: 'd:\test\file.txt '
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '700006'
> > Level: '7'
> > Description: 'Alert'
> > **Alert to be generated.
> >
> > decoder:
> >
> > <decoder name="valdes-mape">
> >   <prematch>test</prematch>
> > </decoder>
> >
> > <decoder name="valdes-mape-alert">
> >   <parent>valdes-mape</parent>
> >   <prematch>Name:</prematch>
> >   <regex offset="after_prematch">(\w+) \.+ Name: (\.+)Handle ID:</regex>
> >   <order>srcuser,extra_data</order>
> > </decoder>
> >
> > and rule
> >
> > <group name="valdes-mape">
> >   <rule id="700005" level="0">
> >     <decoded_as>valdes-mape</decoded_as>
> >     <description>Custom Alert</description>
> >   </rule>
> >   <rule id="700006" level="12">
> >     <if_sid>700005</if_sid>
> >     <match>specusername</match>
> >     <description>Alert</description>
> >     <!-- <options>alert_by_email</options> -->
> >   </rule>
> > </group>
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
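As an added example (not from the thread and not OSSEC's own code): a small Python filter that removes the archives.log header dan describes, so the line handed to ossec-logtest is the raw event the agent sent. The header layout is assumed from the quoted line only: timestamp, agent name in parentheses, source IP, "->", location name, then the event.

```python
import re
import sys

# archives.log stores each event as "<timestamp> (<agent>) <ip>-><location> <raw event>".
# For a Windows agent the location is "WinEvtLog", which is why the quoted line shows
# "WinEvtLog" twice. Layout assumed from the line quoted in the thread.
ARCHIVES_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} "  # 2013 Oct 02 15:57:06
    r"\([^)]*\) "                                     # (LL-FILE)
    r"[^\s>]+->"                                      # 99.21.2.12->
    r"\S+ "                                           # WinEvtLog  (the location)
)


def strip_archives_header(line: str) -> str:
    """Return the raw event as ossec-analysisd receives it from the agent.

    A line without an archives.log header (for example one copied from the
    agent side) is returned unchanged, so the filter is safe to apply blindly.
    """
    return ARCHIVES_HEADER.sub("", line.rstrip("\n"), count=1)


def is_windows_eventlog(raw_event: str) -> bool:
    """True when the event starts with the "WinEvtLog:" program name.

    With the header still attached, logtest reported program_name '(null)' in
    the quoted run; once stripped, pre-decoding can pick the program name up.
    """
    return raw_event.startswith("WinEvtLog: ")


# Constructed sample: the line quoted in the thread, shortened after the description.
SAMPLE_ARCHIVE_LINE = (
    "2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "domain.local.ff: An attempt was made to access an object."
)


if __name__ == "__main__":
    # Usage: python strip_archives.py < archives.log | /var/ossec/bin/ossec-logtest
    for line in sys.stdin:
        sys.stdout.write(strip_archives_header(line) + "\n")
```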
