When a rule has fired, why doesn't it show in alerts.log?

When I put this log in ossec-logtest:

type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e syscall=2 
success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 items=1 
ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" exe="/usr/sbin/useradd" 
key="logins"

it shows this:

**Phase 1: Completed pre-decoding.
       full event: 'type=SYSCALL msg=audit(1387210570.882:8547): 
arch=c000003e syscall=2 success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 
a3=7fff7aa10ec0 items=1 ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" 
exe="/usr/sbin/useradd" key="logins"'
       hostname: 'LNKI079'
       program_name: '(null)'
       log: 'type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e 
syscall=2 success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 
items=1 ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" 
exe="/usr/sbin/useradd" key="logins"'

**Phase 2: Completed decoding.
       decoder: 'auditd'
       system_name: 'SYSCALL'
       id: '8547'
       status: 'yes'
       action: '/usr/sbin/useradd'
       extra_data: 'logins'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2507 - OpenLDAP group.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 100302 - Reglas pertenecientes a VTS 1
    Trying rule: 100303 - Reglas pertenecientes a VTS 2
    Trying rule: 100311 - Evento que agrupa los logs provenientes de el 
demonio AUDITD
       *Rule 100311 matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100311'
       Level: '5'
       Description: 'Evento que agrupa los logs provenientes de el demonio 
AUDITD'
**Alert to be generated.


This alert doesn't go to alerts.log? Because I don't see anything.

Is there a way to correlate rules decoded as auditd?
Can you help me with this?


On Monday, December 16, 2013 16:09:45 UTC-3, dan (ddpbsd) wrote:
>
> On Mon, Dec 16, 2013 at 2:05 PM, Leonel Algaré <[email protected]> 
> wrote: 
> > yes this rule is firing but in alerts.log I don't see anything. Only 
> > this: 
> > 
> > 
> > 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> > 
>
> There are no actual alerts, just that line repeated over and over?
>
> > I'm running ossec v2.5. 
> > 
>
> That's super old at this point. Upgrading is probably the first thing 
> you should try. 
>
> > in log_format I have "syslog"; is that a problem? 
> > 
>
> No, that's probably the right format. 
>
> > On Monday, December 16, 2013 15:55:53 UTC-3, dan (ddpbsd) wrote: 
> >> 
> >> On Mon, Dec 16, 2013 at 1:50 PM, Leonel Algaré <[email protected]> 
> >> wrote: 
> >> > Hi dan, 
> >> > 
> >> > Decoders seems to work, 
> >> > 
> >> > ossec-logtest example: 
> >> > 
> >> > type=PATH msg=audit(1387218689.294:9245): item=0 
> >> > name="/home/proof/proof/" 
> >> > inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00 
> >> > 
> >> > **Phase 1: Completed pre-decoding. 
> >> >        full event: 'type=PATH msg=audit(1387218689.294:9245): item=0 
> >> > name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 
> >> > rdev=00:00' 
> >> >        hostname: 'server' 
> >> >        program_name: '(null)' 
> >> >        log: 'type=PATH msg=audit(1387218689.294:9245): item=0 
> >> > name="/home/proof/prueba/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 
> >> > rdev=00:00' 
> >> > 
> >> > **Phase 2: Completed decoding. 
> >> >        decoder: 'auditd' 
> >> >        action: 'PATH' 
> >> >        id: '9245' 
> >> >        extra_data: '/home/proof/proof/' 
> >> > 
> >> > **Rule debugging: 
> >> >     Trying rule: 1 - Generic template for all syslog rules. 
> >> >        *Rule 1 matched. 
> >> >        *Trying child rules. 
> >> >     Trying rule: 5500 - Grouping of the pam_unix rules. 
> >> >     Trying rule: 5700 - SSHD messages grouped. 
> >> >     Trying rule: 5600 - Grouping for the telnetd rules 
> >> >     Trying rule: 2100 - NFS rules grouped. 
> >> >     Trying rule: 2507 - OpenLDAP group. 
> >> >     Trying rule: 2550 - rshd messages grouped. 
> >> >     Trying rule: 2701 - Ignoring procmail messages. 
> >> >     Trying rule: 2800 - Pre-match rule for smartd. 
> >> >     Trying rule: 5100 - Pre-match rule for kernel messages 
> >> >     Trying rule: 5200 - Ignoring hpiod for producing useless logs. 
> >> >     Trying rule: 100302 - Reglas pertenecientes a VTS 1 
> >> >     Trying rule: 100303 - Reglas pertenecientes a VTS 2 
> >> >     Trying rule: 100311 - Evento que agrupa los logs provenientes de el 
> >> > demonio AUDITD 
> >> >        *Rule 100311 matched. 
> >> >        *Trying child rules. 
> >> >     Trying rule: 100312 - Regla creacion de usuario prueba auditd 
> >> > 
> >> > **Phase 3: Completed filtering (rules). 
> >> >        Rule id: '100311' 
> >> >        Level: '0' 
> >> >        Description: 'Evento que agrupa los logs provenientes de el 
> >> > demonio 
> >> > AUDITD' 
> >> > 
> >> > 
> >> > I have an example rule like that: 
> >> > 
> >> > <rule id="100311" level="5"> 
> >> >         <decoded_as>auditd</decoded_as> 
> >> >         <description>AUDITD RULES</description> 
> >> > </rule> 
> >> > 
> >> > in ossec.conf i have that: 
> >> > 
> >> >  <localfile> 
> >> >      <log_format>syslog</log_format> 
> >> >      <location>/var/log/audit/audit.log</location> 
> >> >  </localfile> 
> >> > 
> >> > in alerts.log file: 
> >> > 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log 
> >> > 
> >> > Only that. Why is my example rule not firing? 
> >> > 
> >> 
> >> Because your other 100311 is firing: 
> >> 
> >> **Phase 3: Completed filtering (rules). 
> >>        Rule id: '100311' 
> >>        Level: '0' 
> >>        Description: 'Evento que agrupa los logs provenientes de el 
> >> demonio AUDITD' 
> >> 
> >> 
> >> 
> >> > 
> >> > On Monday, December 16, 2013 15:25:26 UTC-3, dan (ddpbsd) wrote: 
> >> >> 
> >> >> On Mon, Dec 16, 2013 at 12:52 PM, Leonel Algaré <[email protected]> 
> >> >> wrote: 
> >> >> > Hi guys, 
> >> >> > 
> >> >> > 
> >> >> > Can someone tell me how I can create rules based on the auditd 
> >> >> > decoders that I wrote? 
> >> >> > 
> >> >> > My decoders: 
> >> >> > 
> >> >> > <decoder name="auditd"> 
> >> >> >         <prematch>^type=</prematch> 
> >> >> > </decoder> 
> >> >> > 
> >> >> > <decoder name="auditd-syscall"> 
> >> >> >         <parent>auditd</parent> 
> >> >> >         <prematch offset="after_parent">^SYSCALL </prematch> 
> >> >> >         <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+arch=\w+\s+syscall=\d+\s+success=(\S+)\s+exit=\S+\s+a0=\w+\s+a1=\w+\s+a2=\w+\s+a3=\w+\s+items=\d+\s+ppid=\d+\s+pid=\d+\s+auid=\d+\s+uid=\d+\s+gid=\d+\s+euid=\d+\s+suid=\d+\s+fsuid=\d+\s+egid=\d+\s+sgid=\d+\s+fsgid=\d+\s+tty=\S+\s+ses=\d+\s+comm="\S+"\s+exe="(\S+)"\s+key="(\w+)"</regex> 
> >> >> >         <order>system_name,id,status,action,extra_data</order> 
> >> >> > </decoder> 
> >> >> > 
> >> >> > 
> >> >> > <decoder name="auditd-cwd"> 
> >> >> >         <parent>auditd</parent> 
> >> >> >         <prematch offset="after_parent">^CWD </prematch> 
> >> >> >         <regex offset="after_parent">^(CWD) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\.+)"</regex> 
> >> >> >         <order>system_name,id,extra_data</order> 
> >> >> > </decoder> 
> >> >> > 
> >> >> > <decoder name="auditd-path"> 
> >> >> >         <parent>auditd</parent> 
> >> >> >         <prematch offset="after_parent">^PATH </prematch> 
> >> >> >         <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+item=\d+\s+name="(\.+)"\s+inode=\d+\s+dev=\S+\s+mode=\d+\s+ouid=\d+\s+ogid=\d+\s+rdev=\S+</regex> 
> >> >> >         <order>action,id,extra_data</order> 
> >> >> > </decoder> 
> >> >> > 
> >> >> > 
> >> >> > 
> >> >> > The multi-log feature in ossec 2.7 for auditd doesn't work? 
> >> >> > I'm having problems correlating rules. 
> >> >> > 
> >> >> > Sorry for my bad English. 
> >> >> > 
> >> >> 
> >> >> 
> >> >> You need to get log samples, and write rules based on those logs. Use 
> >> >> ossec-logtest to help determine what is going on and for testing. 
> >> >> 
> >> >> > Regards, 
> >> >> > 
> >> >> > -- 
> >> >> > 
> >> >> > --- 
> >> >> > You received this message because you are subscribed to the Google 
> >> >> > Groups 
> >> >> > "ossec-list" group. 
> >> >> > To unsubscribe from this group and stop receiving emails from it, 
> >> >> > send 
> >> >> > an 
> >> >> > email to [email protected]. 
> >> >> > For more options, visit https://groups.google.com/groups/opt_out. 
> >> > 
> > 
>

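The decoders quoted in this thread split each auditd line into type, id, status, action and extra_data, and the open question at the top is how to correlate those records once decoded. The join key is the serial in `msg=audit(<timestamp>:<serial>)`: auditd emits SYSCALL, CWD and PATH records as separate lines, and every record of one event carries the same serial. The Python script below is an added example written for this page, not OSSEC code and not from the thread. It parses records with one generic key=value regex instead of one OSSEC regex per record type, groups them by serial, and then flags successful runs of account-management tools together with the paths the call touched. The SYSCALL line is the one posted at the top of the thread; the CWD and PATH lines for serial 8547 and the whole of event 8548 are constructed, and the tool list is an assumption.

```python
"""Correlate multi-record auditd events by their audit serial number.

Added example for the ossec-list thread above; not OSSEC code. auditd writes one
record per line (SYSCALL, CWD, PATH, ...) and every record of one event carries
the same msg=audit(<timestamp>:<serial>) stamp, so the serial is the join key.
"""
import re
from collections import defaultdict

# Header shared by every auditd record: type, timestamp, serial, then key=value pairs.
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is either a double-quoted string or a run of non-blanks
# (auditd hex-encodes names that contain unusual bytes and then omits the quotes).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: the SYSCALL line is the one posted at the top of the thread;
# the CWD and PATH lines for serial 8547 and the whole of event 8548 are made up
# here so that the grouping and the detection logic have something to work on.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e syscall=2 success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 items=1 ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" exe="/usr/sbin/useradd" key="logins"
type=CWD msg=audit(1387210570.882:8547):  cwd="/root"
type=PATH msg=audit(1387210570.882:8547): item=0 name="/etc/passwd" inode=475 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1387210571.100:8548): arch=c000003e syscall=2 success=no exit=-13 a0=4161ee a1=0 a2=0 a3=0 items=1 ppid=26163 pid=26230 auid=2009 uid=2009 gid=2009 euid=2009 suid=2009 fsuid=2009 egid=2009 sgid=2009 fsgid=2009 tty=pts1 ses=491 comm="cat" exe="/bin/cat" key="logins"
type=PATH msg=audit(1387210571.100:8548): item=0 name="/etc/shadow" inode=476 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
"""

# Assumed list of binaries worth alerting on; adjust to the site's own policy.
ACCOUNT_TOOLS = ("/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel")


def parse_record(line):
    """Return {'type', 'time', 'serial', 'fields'} for one auditd line, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, rest = m.groups()
    fields = {}
    for key, value in KV_RE.findall(rest):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # unquote; hex-encoded values stay as-is
        fields[key] = value
    return {"type": rtype, "time": float(f"{secs}.{millis}"),
            "serial": int(serial), "fields": fields}


def group_by_serial(lines):
    """Correlate records into events: serial -> list of records (in log order)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def detect_account_tool_use(events, tools=ACCOUNT_TOOLS):
    """Flag successful runs of account-management tools, with the paths they touched.

    The SYSCALL record says which program ran and whether the call succeeded,
    the PATH records say what it opened, and only the shared serial ties them
    together; a rule that sees one line at a time cannot make that connection.
    """
    alerts = []
    for serial in sorted(events):
        records = events[serial]
        for sc in (r for r in records if r["type"] == "SYSCALL"):
            f = sc["fields"]
            if f.get("success") != "yes" or f.get("exe") not in tools:
                continue
            alerts.append({
                "serial": serial,
                "exe": f["exe"],
                "auid": f.get("auid"),      # login uid: who actually logged in
                "uid": f.get("uid"),        # user the tool ran as
                "key": f.get("key"),        # the auditd rule key (here "logins")
                "cwd": next((r["fields"].get("cwd") for r in records
                             if r["type"] == "CWD"), None),
                "paths": [r["fields"]["name"] for r in records
                          if r["type"] == "PATH" and "name" in r["fields"]],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_account_tool_use(group_by_serial(SAMPLE_LOG.splitlines())):
        print(f"serial {alert['serial']}: auid={alert['auid']} ran {alert['exe']} "
              f"in {alert['cwd']} touching {', '.join(alert['paths'])}")
```

Run directly, the script reports one event, serial 8547, where auid 2009 ran /usr/sbin/useradd as uid 0 and the call touched /etc/passwd; event 8548 is a failed open (success=no) by /bin/cat and is ignored. OSSEC's rules match one line at a time, so a rule that matches the SYSCALL record never sees the PATH record that follows it; a serial-keyed grouping step like this one is what supplies that context.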