On Wed, Dec 18, 2013 at 6:40 PM, Gustavo Guillermo Perez
<[email protected]> wrote:
> Hello list, is there any chance to log this on ossec? These events are being
> collected into the same server as ossec resides via rsyslog.
>
> Trying to log such events, I have nothing registered:
>
> Syslog events /var/log/syslog :
>

It looks like you're watching that file (based on the config below).
So what are you looking for? It's possible there are no rules
associated with these logs. Try running them through ossec-logtest,
see what happens.

> Dec 18 16:52:23 10.206.85.11 7815: 41w2d: %LINEPROTO-5-UPDOWN: Line protocol
> on Interface FastEthernet0/3, changed state to down
> Dec 18 16:52:24 10.206.85.11 7816: 41w2d: %LINK-3-UPDOWN: Interface
> FastEthernet0/3, changed state to down
> Dec 18 16:52:34 10.206.85.3 214141: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:52:50 10.206.85.3 214142: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:52:51 10.206.85.9 20999: 44w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/1 and port Gi1/0/2
> Dec 18 16:53:05 10.206.85.9 21000: 44w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/1 and port Gi1/0/2
> Dec 18 16:53:05 10.206.85.3 214143: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:53:23 10.206.85.3 214144: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:53:34 10.206.85.3 214145: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/26 and port Gi1/0/27
> Dec 18 16:53:35 10.206.85.9 21001: 44w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/1 and port Gi1/0/2
> Dec 18 16:53:42 10.206.85.9 21002: 44w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/1 and port Gi1/0/2
> Dec 18 16:53:43 10.206.85.10 12676: *Jan  4 02:38:35.502:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed
> state to down
> Dec 18 16:53:44 10.206.85.10 12677: *Jan  4 02:38:36.500: %LINK-3-UPDOWN:
> Interface FastEthernet0/15, changed state to down
> Dec 18 16:53:47 10.206.85.10 12678: *Jan  4 02:38:39.335: %LINK-3-UPDOWN:
> Interface FastEthernet0/15, changed state to up
> Dec 18 16:53:47 10.206.85.10 12679: *Jan  4 02:38:40.342:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed
> state to up
> Dec 18 16:53:49 10.206.85.10 12680: *Jan  4 02:38:41.458:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed
> state to down
> Dec 18 16:53:51 10.206.85.10 12681: *Jan  4 02:38:43.462:
> %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed
> state to up
> Dec 18 16:53:52 10.206.85.3 214146: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:54:10 10.206.85.3 214147: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/26 and port Gi1/0/27
> Dec 18 16:54:20 10.206.85.3 214148: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/26 and port Gi1/0/27
> Dec 18 16:54:37 10.206.85.3 214149: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:54:58 10.206.85.3 214150: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/26 and port Gi1/0/27
> Dec 18 16:55:10 10.206.85.3 214151: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:55:22 10.206.85.3 214152: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:55:49 10.206.85.3 214153: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/26 and port Gi1/0/27
> Dec 18 16:56:18 10.206.85.3 214154: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:56:20 10.206.85.3 214155: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:56:37 10.206.85.3 214156: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:56:49 10.206.85.3 214157: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:57:05 10.206.85.3 214158: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:57:21 10.206.85.3 214159: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:57:37 10.206.85.3 214160: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:57:43 10.206.85.8 28353: 7w2d: %SYS-4-CONFIG_RESOLVE_FAILURE:
> System config parse from (tftp://255.255.255.255/network-confg) failed
> Dec 18 16:57:53 10.206.85.3 214161: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:58:06 10.206.85.3 214162: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host
> eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
> Dec 18 16:58:11 10.206.85.8 28354: 7w2d: %SYS-4-CONFIG_RESOLVE_FAILURE:
> System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
>
> and here is my ossec.conf
>
> root@ossec:/var/ossec/etc# cat ossec.conf
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>blah</email_to>
>     <smtp_server>127.0.0.1</smtp_server>
>     <email_from>ossecm@ossec</email_from>
>     <!-- <logall>yes</logall> -->
>   </global>
>
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>symantec-ws_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
> <!--    <include>pure-ftpd_rules.xml</include> -->
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>roundcube_rules.xml</include>
>     <include>wordpress_rules.xml</include>
>     <include>cimserver_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>vmpop3d_rules.xml</include>
>     <include>courier_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>web_appsec_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>nginx_rules.xml</include>
>     <include>php_rules.xml</include>
>     <include>mysql_rules.xml</include>
>     <include>postgresql_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>cisco-ios_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>sonicwall_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>dovecot_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <include>mcafee_av_rules.xml</include>
>     <include>trend-osce_rules.xml</include>
>     <include>ms-se_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>zeus_rules.xml</include>
>     <include>solaris_bsm_rules.xml</include>
>     <include>vmware_rules.xml</include>
>     <include>ms_dhcp_rules.xml</include>
>     <include>asterisk_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>attack_rules.xml</include>
>     <include>openbsd_rules.xml</include>
>     <include>clam_av_rules.xml</include>
>     <include>bro-ids_rules.xml</include>
>     <include>dropbear_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>79200</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
>
>   <global>
>     <white_list>127.0.0.1</white_list>
>     <white_list>^localhost.localdomain$</white_list>
>     <white_list>10.206.85.26</white_list>
>     <white_list>10.206.85.25</white_list>
>   </global>
>
>   <remote>
>     <connection>syslog</connection>
>   </remote>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>firewall-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>disable-account</name>
>     <executable>disable-account.sh</executable>
>     <expect>user</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>restart-ossec</name>
>     <executable>restart-ossec.sh</executable>
>     <expect></expect>
>   </command>
>
>
>   <command>
>     <name>route-null</name>
>     <executable>route-null.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <!-- Files to monitor (localfiles) -->
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/auth.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/mail.info</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/dpkg.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/error.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/access.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/urlsnarf/urlsnarf.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>command</log_format>
>     <command>df -h</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>last -n 5</command>
>   </localfile>
> </ossec_config>
>
> Best regards in advance.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

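The reply above suggests feeding these lines to ossec-logtest to see whether any rule fires. As an added example (not code from the thread, from OSSEC, or from either poster), the Python below parses the relayed IOS syslog format shown in the quoted /var/log/syslog lines and applies a frequency/timeframe correlation in the style of an OSSEC rule; the field names, the threshold of 3 events in 60 seconds, and treating CONFIG_RESOLVE_FAILURE as alert-on-sight are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: lines quoted in the thread, with the mail wrapping removed.
SAMPLE = """\
Dec 18 16:52:34 10.206.85.3 214141: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
Dec 18 16:52:50 10.206.85.3 214142: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
Dec 18 16:52:51 10.206.85.9 20999: 44w1d: %SW_MATM-4-MACFLAP_NOTIF: Host eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/1 and port Gi1/0/2
Dec 18 16:53:05 10.206.85.3 214143: 20w1d: %SW_MATM-4-MACFLAP_NOTIF: Host eee8.1a03.d006 in vlan 1 is flapping between port Gi1/0/27 and port Gi1/0/26
Dec 18 16:53:43 10.206.85.10 12676: *Jan  4 02:38:35.502: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
Dec 18 16:53:47 10.206.85.10 12679: *Jan  4 02:38:40.342: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to up
Dec 18 16:53:49 10.206.85.10 12680: *Jan  4 02:38:41.458: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/15, changed state to down
Dec 18 16:57:43 10.206.85.8 28353: 7w2d: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
"""
# rsyslog header (timestamp, switch IP), IOS sequence number, the switch's own uptime
# or clock, then %FACILITY-SEVERITY-MNEMONIC and the message text (field names assumed).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<device>\S+) (?P<seq>\d+): (?P<clock>.+?): "
                     r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
MAC_RE = re.compile(r"Host (?P<mac>[0-9a-f.]+) in vlan \d+ is flapping")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to \w+")


def parse_line(line):
    """Fields of one relayed IOS syslog line, or None if it is not IOS-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less; deltas only
    return rec


def correlate(lines, threshold=3, window=60):
    """OSSEC-style frequency/timeframe check: alert when one device reports the same
    MAC flapping, or the same interface changing state, `threshold` times in `window` s."""
    history, alerts = defaultdict(deque), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["mnemonic"] == "CONFIG_RESOLVE_FAILURE":  # assumed worth an alert on its own
            alerts.append((rec["device"], rec["mnemonic"], rec["msg"], 1))
            continue
        sub = MAC_RE.search(rec["msg"]) or IFACE_RE.search(rec["msg"])
        if not sub:
            continue
        key = (rec["device"], rec["mnemonic"], sub.group(1))
        q = history[key]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window:  # drop events outside the window
            q.popleft()
        if len(q) == threshold:  # fires when the window holds exactly `threshold` events
            alerts.append(key + (len(q),))
    return alerts
```

Running `correlate(SAMPLE.splitlines())` flags the repeated MAC flap on 10.206.85.3 and the bouncing FastEthernet0/15 on 10.206.85.10, while the single flap report from 10.206.85.9 stays below the threshold.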