Yes, this rule is firing, but in alerts.log I don't see anything. Only this:
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log

I'm running OSSEC v2.5. In log_format I have "syslog"; is that a problem?

On Monday, December 16, 2013 15:55:53 UTC-3, dan (ddpbsd) wrote:
>
> On Mon, Dec 16, 2013 at 1:50 PM, Leonel Algaré <[email protected]> wrote:
> > Hi dan,
> >
> > Decoders seem to work.
> >
> > ossec-logtest example:
> >
> > type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00'
> >        hostname: 'server'
> >        program_name: '(null)'
> >        log: 'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/prueba/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'auditd'
> >        action: 'PATH'
> >        id: '9245'
> >        extra_data: '/home/proof/proof/'
> >
> > **Rule debugging:
> >      Trying rule: 1 - Generic template for all syslog rules.
> >      *Rule 1 matched.
> >      *Trying child rules.
> >      Trying rule: 5500 - Grouping of the pam_unix rules.
> >      Trying rule: 5700 - SSHD messages grouped.
> >      Trying rule: 5600 - Grouping for the telnetd rules
> >      Trying rule: 2100 - NFS rules grouped.
> >      Trying rule: 2507 - OpenLDAP group.
> >      Trying rule: 2550 - rshd messages grouped.
> >      Trying rule: 2701 - Ignoring procmail messages.
> >      Trying rule: 2800 - Pre-match rule for smartd.
> >      Trying rule: 5100 - Pre-match rule for kernel messages
> >      Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> >      Trying rule: 100302 - Reglas pertenecientes a VTS 1
> >      Trying rule: 100303 - Reglas pertenecientes a VTS 2
> >      Trying rule: 100311 - Evento que agrupa los logs provenientes de el demonio AUDITD
> >      *Rule 100311 matched.
> >      *Trying child rules.
> >      Trying rule: 100312 - Regla creacion de usuario prueba auditd
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100311'
> >        Level: '0'
> >        Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
> >
> >
> > I have an example rule like this:
> >
> > <rule id="100311" level="5">
> >   <decoded_as>auditd</decoded_as>
> >   <description>AUDITD RULES</description>
> > </rule>
> >
> > In ossec.conf I have this:
> >
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/log/audit/audit.log</location>
> > </localfile>
> >
> > In the alerts.log file:
> >
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
> >
> > Only that. Why is my example rule not firing?
> >
>
> Because your other 100311 is firing:
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100311'
>        Level: '0'
>        Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
>
>
> > On Monday, December 16, 2013 15:25:26 UTC-3, dan (ddpbsd) wrote:
> >>
> >> On Mon, Dec 16, 2013 at 12:52 PM, Leonel Algaré <[email protected]> wrote:
> >> > Hi guys,
> >> >
> >> >
> >> > Can someone tell me how I can create rules based on the auditd decoders that I have written?
> >> >
> >> > My decoders:
> >> >
> >> > <decoder name="auditd">
> >> >   <prematch>^type=</prematch>
> >> > </decoder>
> >> >
> >> > <decoder name="auditd-syscall">
> >> >   <parent>auditd</parent>
> >> >   <prematch offset="after_parent">^SYSCALL </prematch>
> >> >   <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+arch=\w+\s+syscall=\d+\s+success=(\S+)\s+exit=\S+\s+a0=\w+\s+a1=\w+\s+a2=\w+\s+a3=\w+\s+items=\d+\s+ppid=\d+\s+pid=\d+\s+auid=\d+\s+uid=\d+\s+gid=\d+\s+euid=\d+\s+suid=\d+\s+fsuid=\d+\s+egid=\d+\s+sgid=\d+\s+fsgid=\d+\s+tty=\S+\s+ses=\d+\s+comm="\S+"\s+exe="(\S+)"\s+key="(\w+)"</regex>
> >> >   <order>system_name,id,status,action,extra_data</order>
> >> > </decoder>
> >> >
> >> >
> >> > <decoder name="auditd-cwd">
> >> >   <parent>auditd</parent>
> >> >   <prematch offset="after_parent">^CWD </prematch>
> >> >   <regex offset="after_parent">^(CWD) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\.+)"</regex>
> >> >   <order>system_name,id,extra_data</order>
> >> > </decoder>
> >> >
> >> > <decoder name="auditd-path">
> >> >   <parent>auditd</parent>
> >> >   <prematch offset="after_parent">^PATH </prematch>
> >> >   <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+item=\d+\s+name="(\.+)"\s+inode=\d+\s+dev=\S+\s+mode=\d+\s+ouid=\d+\s+ogid=\d+\s+rdev=\S+</regex>
> >> >   <order>action,id,extra_data</order>
> >> > </decoder>
> >> >
> >> >
> >> >
> >> > Doesn't the multi-log feature in OSSEC 2.7 for auditd work?
> >> > I'm having problems correlating rules.
> >> >
> >> > Sorry for my bad English.
> >> >
> >>
> >>
> >> You need to get log samples, and write rules based on those logs. Use
> >> ossec-logtest to help determine what is going on and for testing.
> >>
> >> > Regards,
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
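As an added example (not code from this thread or from the OSSEC project), here is a local_rules.xml fragment that puts dan's diagnosis side by side with a layout that avoids it. The "before" half reproduces the two rules that share id 100311 as the thread describes them: the ossec-logtest output shows the level-0 copy matching, its only child 100312 not matching, and the level-5 copy never being tried, so no alert is written. The "after" half keeps a single level-0 grouping rule and moves the alerting logic into child rules that reference it with `<if_sid>` and test the fields the thread's decoders fill (action, extra_data, status). The rule ids 100311/100312 and the path /home/proof/proof/ come from the thread; rule 100313, the descriptions, the group name and the choice of `<action>`, `<extra_data>` and `<status>` as match fields are my assumptions.

```xml
<!-- Added example, not from the thread or from OSSEC.
     Assumes the auditd decoders posted in the thread are loaded. -->

<!-- BEFORE: two rules with the same id. Per the ossec-logtest output in
     the thread, the level-0 rule matches, child 100312 does not, and the
     level-5 copy is never tried, so nothing is written to alerts.log. -->
<group name="local,auditd,">
  <rule id="100311" level="0">
    <decoded_as>auditd</decoded_as>
    <description>Evento que agrupa los logs provenientes de el demonio AUDITD</description>
  </rule>

  <rule id="100311" level="5">
    <decoded_as>auditd</decoded_as>
    <description>AUDITD RULES</description>
  </rule>
</group>

<!-- AFTER: one grouping rule at level 0 (level 0 never alerts) and
     child rules that carry the alert level. The children select on the
     fields the decoders extract: action (PATH/SYSCALL/CWD), extra_data
     (the path captured by the regex) and status (success=yes/no). -->
<group name="local,auditd,">
  <rule id="100311" level="0">
    <decoded_as>auditd</decoded_as>
    <description>Grouping rule for auditd records (no alert by itself)</description>
  </rule>

  <!-- PATH record whose name= field starts with the test directory from
       the thread; extra_data is an OSSEC match pattern, ^ anchors it. -->
  <rule id="100312" level="5">
    <if_sid>100311</if_sid>
    <action>PATH</action>
    <extra_data>^/home/proof/proof/</extra_data>
    <description>auditd: access to an object under /home/proof/proof/</description>
  </rule>

  <!-- SYSCALL record that the kernel reported as failed (success=no),
       which the auditd-syscall decoder stores in the status field. -->
  <rule id="100313" level="7">
    <if_sid>100311</if_sid>
    <action>SYSCALL</action>
    <status>no</status>
    <description>auditd: failed syscall on an audited object</description>
  </rule>
</group>
```

To verify the change the way dan suggests, paste the same `type=PATH ...` line into /var/ossec/bin/ossec-logtest after restarting OSSEC: Phase 3 should now report rule 100312 at level 5 instead of 100311 at level 0, and a matching entry should appear in alerts.log. If Phase 3 still ends on 100311, check whether the field the child rule tests (extra_data, status) is actually populated in the Phase 2 output for that line, since a child can only match on what the decoder extracted.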
