Thanks, this fixed my problem.

On Wednesday, 2 October 2013 18:06:45 UTC+3, dan (ddpbsd) wrote:
>
> On Wed, Oct 2, 2013 at 10:50 AM, Kaspars Līcis <[email protected]> wrote:
> > I have created a decoder that extracts the username and accessed file from a
> > Windows file server. After that, a rule creates an alarm if a specific user
> > accesses the file.
> > When I test it everything looks ok, but in the live environment ossec does not
> > create any alert in /var/ossec/logs/alerts/alerts.log
> > I can't figure out what can be wrong.
> > alienvault:/var/ossec/logs/archives# /var/ossec/bin/ossec-logtest
> > 2013/10/02 17:18:36 ossec-testrule: INFO: Reading local decoder file.
> > 2013/10/02 17:18:36 ossec-testrule: INFO: Started (pid: 10349).
> > ossec-testrule: Type one log per line.
> >
> > 2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security:
>
>
> Did you get this log message from archives.log? If so, there is a
> header on it that needs to be removed. Everything before the second
> WinEvtLog should be removed.
>
>
> > AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no
> > domain: domain.local.ff: An attempt was made to access an object. Subject:
> > Security ID:  S-1-5-21-79331101-1830893244-26564730-29171  Account Name:
> > specusername  Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:
> > Object Server: Security  Object Type: File  Object Name: d:\test\file.txt
> > Handle ID: 0x4358  Process Information:  Process ID: 0x4  Process Name:
> > Access Request Information:  Accesses: %%4416
> > Access Mask: 0x1
> > 
> > 
> > **Phase 1: Completed pre-decoding.
> >        full event: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog
> > WinEvtLog: Security: AUDIT_SUCCESS(4663):
> > Microsoft-Windows-Security-Auditing: (no user): no domain: domain.local.ff:
> > An attempt was made to access an object. Subject:  Security ID:
> > S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  specusername
> > Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  Object Server:
> > Security  Object Type: File  Object Name: d:\test\file.txt  Handle ID:
> > 0x4358  Process Information:  Process ID: 0x4  Process Name:   Access
> > Request Information:  Accesses: %%4416  Access Mask: 0x1'
> >        hostname: 'alienvault'
> >        program_name: '(null)'
> >        log: '2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog:
> > Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no
> > user): no domain: domain.local.ff: An attempt was made to access an object.
> > Subject:  Security ID:  S-1-5-21-79331101-1830893244-26564730-29171  Account
> > Name:  specusername  Account Domain:  mydomain  Logon ID:  0x8251cea32
> > Object:  Object Server: Security  Object Type: File  Object Name:
> > d:\test\file.txt  Handle ID: 0x4358  Process Information:  Process ID: 0x4
> > Process Name:   Access Request Information:  Accesses: %%4416
> > Access Mask: 0x1'
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'valdes-mape' 
> >        srcuser: 'specusername' 
> >        extra_data: 'd:\test\file.txt  ' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '700006' 
> >        Level: '7' 
> >        Description: 'Alert' 
> > **Alert to be generated. 
> > decoder: 
> > <decoder name="valdes-mape">
> > <prematch>test</prematch>
> > </decoder>
> > <decoder name="valdes-mape-alert">
> > <parent>valdes-mape</parent>
> > <prematch>Name:</prematch>
> > <regex offset="after_prematch">(\w+) \.+ Name: (\.+)Handle ID:</regex>
> > <order>srcuser,extra_data</order>
> > </decoder>
> > 
> > and rule 
> > 
> > <group name="valdes-mape">
> > <rule id="700005" level="0">
> > <decoded_as>valdes-mape</decoded_as>
> > <description>Custom Alert</description>
> > </rule>
> > <rule id="700006" level="12">
> > <if_sid>700005</if_sid>
> > <match>specusername</match>
> > <description>Alert</description>
> > <!-- <options>alert_by_email</options> -->
> > </rule>
> > </group>
> > 
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>

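As an added example (not code from the thread or from OSSEC), the Python below strips the archives.log header the way dan describes and then mimics the thread's valdes-mape-alert decoder, with the OSSEC regex translated to Python syntax (OSSEC's `\.` means "any character"); the sample line is reconstructed from the post.

```python
import re

# Constructed from the line quoted in the thread, as it sits in archives.log
# (the agent header "2013 Oct 02 ... 99.21.2.12->WinEvtLog " still in front).
ARCHIVE_LINE = (
    "2013 Oct 02 15:57:06 (LL-FILE) 99.21.2.12->WinEvtLog WinEvtLog: Security: "
    "AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "domain.local.ff: An attempt was made to access an object. Subject:  Security ID:  "
    "S-1-5-21-79331101-1830893244-26564730-29171  Account Name:  specusername  "
    "Account Domain:  mydomain  Logon ID:  0x8251cea32  Object:  Object Server: "
    "Security  Object Type: File  Object Name: d:\\test\\file.txt  Handle ID: 0x4358  "
    "Process Information:  Process ID: 0x4  Process Name:   "
    "Access Request Information:  Accesses: %%4416  Access Mask: 0x1"
)

# The thread's decoder, translated: OSSEC '\.' is any character, so
# '(\w+) \.+ Name: (\.+)Handle ID:' becomes the Python pattern below.
PREMATCH = "Name:"
FIELDS = re.compile(r"(\w+) .+ Name: (.+)Handle ID:")


def strip_archive_header(line):
    """Drop the archives.log prefix: everything before the second 'WinEvtLog',
    which is the text ossec-logtest should be fed (per dan's reply)."""
    first = line.find("WinEvtLog")
    if first < 0:
        return line
    second = line.find("WinEvtLog", first + len("WinEvtLog"))
    return line[second:] if second >= 0 else line


def decode(line):
    """Mimic valdes-mape-alert: locate the prematch, then search the regex
    after it (offset="after_prematch"); return the <order> fields or None."""
    pos = line.find(PREMATCH)
    if pos < 0:
        return None
    m = FIELDS.search(line, pos + len(PREMATCH))
    if m is None:
        return None
    return {"srcuser": m.group(1), "extra_data": m.group(2)}


if __name__ == "__main__":
    # Show the decoded fields for the raw archive line and the stripped one.
    for label, line in (("archives.log", ARCHIVE_LINE),
                        ("stripped", strip_archive_header(ARCHIVE_LINE))):
        print(label, "->", decode(line))
```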