On Mon, Dec 16, 2013 at 3:05 PM, Leonel Algaré <[email protected]> wrote:
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>>
>
> There are no actual alerts, just that line repeated over and over?
>
>
> THAT LINE repeated over and over.
>
Never seen that before. Can you provide your ossec.conf?

> On Monday, December 16, 2013 16:38:06 UTC-3, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 16, 2013 at 2:30 PM, Leonel Algaré <[email protected]>
>> wrote:
>> > When a rule fires, doesn't this rule show in alerts.log?
>> >
>> > When I put this log in ossec-logtest:
>> >
>> > type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e syscall=2 success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 items=1 ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" exe="/usr/sbin/useradd" key="logins"
>> >
>> > it shows this:
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: 'type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e syscall=2 success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 items=1 ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" exe="/usr/sbin/useradd" key="logins"'
>> > hostname: 'LNKI079'
>> > program_name: '(null)'
>> > log: 'type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e syscall=2 success=yes exit=6 a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 items=1 ppid=26163 pid=26225 auid=2009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" exe="/usr/sbin/useradd" key="logins"'
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'auditd'
>> > system_name: 'SYSCALL'
>> > id: '8547'
>> > status: 'yes'
>> > action: '/usr/sbin/useradd'
>> > extra_data: 'logins'
>> >
>> > **Rule debugging:
>> > Trying rule: 1 - Generic template for all syslog rules.
>> > *Rule 1 matched.
>> > *Trying child rules.
>> > Trying rule: 5500 - Grouping of the pam_unix rules.
>> > Trying rule: 5700 - SSHD messages grouped.
>> > Trying rule: 5600 - Grouping for the telnetd rules
>> > Trying rule: 2100 - NFS rules grouped.
>> > Trying rule: 2507 - OpenLDAP group.
>> > Trying rule: 2550 - rshd messages grouped.
>> > Trying rule: 2701 - Ignoring procmail messages.
>> > Trying rule: 2800 - Pre-match rule for smartd.
>> > Trying rule: 5100 - Pre-match rule for kernel messages
>> > Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>> > Trying rule: 100302 - Reglas pertenecientes a VTS 1
>> > Trying rule: 100303 - Reglas pertenecientes a VTS 2
>> > Trying rule: 100311 - Evento que agrupa los logs provenientes de el demonio AUDITD
>> > *Rule 100311 matched.
>> >
>> > **Phase 3: Completed filtering (rules).
>> > Rule id: '100311'
>> > Level: '5'
>> > Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
>> > **Alert to be generated.
>> >
>> >
>> > This alert doesn't go to alerts.log?
>> > Because I don't see anything.
>> >
>>
>> ossec-logtest does not add entries to alerts.log.
>>
>> > Is there a way to correlate rules decoded as auditd?
>> > Can you help me with this?
>> >
>>
>> What kind of correlation do you want to do?
>>
>> >
>> > On Monday, December 16, 2013 16:09:45 UTC-3, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Dec 16, 2013 at 2:05 PM, Leonel Algaré <[email protected]>
>> >> wrote:
>> >> > Yes, this rule is firing, but in alerts.log I don't see anything, only this:
>> >> >
>> >> >
>> >> >
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >
>> >>
>> >> There are no actual alerts, just that line repeated over and over?
>> >>
>> >> > I'm running ossec v2.5.
>> >> >
>> >>
>> >> That's super old at this point. Upgrading is probably the first thing
>> >> you should try.
>> >>
>> >> > In log_format I have "syslog"; is that a problem?
>> >> >
>> >>
>> >> No, that's probably the right format.
>> >>
>> >> > On Monday, December 16, 2013 15:55:53 UTC-3, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Dec 16, 2013 at 1:50 PM, Leonel Algaré <[email protected]>
>> >> >> wrote:
>> >> >> > Hi dan,
>> >> >> >
>> >> >> > The decoders seem to work.
>> >> >> >
>> >> >> > ossec-logtest example:
>> >> >> >
>> >> >> > type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00
>> >> >> >
>> >> >> > **Phase 1: Completed pre-decoding.
>> >> >> > full event: 'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00'
>> >> >> > hostname: 'server'
>> >> >> > program_name: '(null)'
>> >> >> > log: 'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/prueba/" inode=475 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00'
>> >> >> >
>> >> >> > **Phase 2: Completed decoding.
>> >> >> > decoder: 'auditd'
>> >> >> > action: 'PATH'
>> >> >> > id: '9245'
>> >> >> > extra_data: '/home/proof/proof/'
>> >> >> >
>> >> >> > **Rule debugging:
>> >> >> > Trying rule: 1 - Generic template for all syslog rules.
>> >> >> > *Rule 1 matched.
>> >> >> > *Trying child rules.
>> >> >> > Trying rule: 5500 - Grouping of the pam_unix rules.
>> >> >> > Trying rule: 5700 - SSHD messages grouped.
>> >> >> > Trying rule: 5600 - Grouping for the telnetd rules
>> >> >> > Trying rule: 2100 - NFS rules grouped.
>> >> >> > Trying rule: 2507 - OpenLDAP group.
>> >> >> > Trying rule: 2550 - rshd messages grouped.
>> >> >> > Trying rule: 2701 - Ignoring procmail messages.
>> >> >> > Trying rule: 2800 - Pre-match rule for smartd.
>> >> >> > Trying rule: 5100 - Pre-match rule for kernel messages
>> >> >> > Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>> >> >> > Trying rule: 100302 - Reglas pertenecientes a VTS 1
>> >> >> > Trying rule: 100303 - Reglas pertenecientes a VTS 2
>> >> >> > Trying rule: 100311 - Evento que agrupa los logs provenientes de el demonio AUDITD
>> >> >> > *Rule 100311 matched.
>> >> >> > *Trying child rules.
>> >> >> > Trying rule: 100312 - Regla creacion de usuario prueba auditd
>> >> >> >
>> >> >> > **Phase 3: Completed filtering (rules).
>> >> >> > Rule id: '100311'
>> >> >> > Level: '0'
>> >> >> > Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
>> >> >> >
>> >> >> >
>> >> >> > I have an example rule like this:
>> >> >> >
>> >> >> > <rule id="100311" level="5">
>> >> >> >   <decoded_as>auditd</decoded_as>
>> >> >> >   <description>AUDITD RULES</description>
>> >> >> > </rule>
>> >> >> >
>> >> >> > In ossec.conf I have this:
>> >> >> >
>> >> >> > <localfile>
>> >> >> >   <log_format>syslog</log_format>
>> >> >> >   <location>/var/log/audit/audit.log</location>
>> >> >> > </localfile>
>> >> >> >
>> >> >> > In the alerts.log file:
>> >> >> >
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> > 2013 Dec 16 16:30:21 (LNKI371) 172.16.0.61->/var/log/audit/audit.log
>> >> >> >
>> >> >> > Only that; why is my example rule not firing?
>> >> >> >
>> >> >>
>> >> >> Because your other 100311 is firing:
>> >> >>
>> >> >> **Phase 3: Completed filtering (rules).
>> >> >> Rule id: '100311'
>> >> >> Level: '0'
>> >> >> Description: 'Evento que agrupa los logs provenientes de el demonio AUDITD'
>> >> >>
>> >> >>
>> >> >>
>> >> >> >
>> >> >> > On Monday, December 16, 2013 15:25:26 UTC-3, dan (ddpbsd) wrote:
>> >> >> >>
>> >> >> >> On Mon, Dec 16, 2013 at 12:52 PM, Leonel Algaré <[email protected]>
>> >> >> >> wrote:
>> >> >> >> > Hi guys,
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > Can someone tell me how I can create rules based on the auditd decoders that I have written?
>> >> >> >> >
>> >> >> >> > My decoders:
>> >> >> >> >
>> >> >> >> > <decoder name="auditd">
>> >> >> >> >   <prematch>^type=</prematch>
>> >> >> >> > </decoder>
>> >> >> >> >
>> >> >> >> > <decoder name="auditd-syscall">
>> >> >> >> >   <parent>auditd</parent>
>> >> >> >> >   <prematch offset="after_parent">^SYSCALL </prematch>
>> >> >> >> >   <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+arch=\w+\s+syscall=\d+\s+success=(\S+)\s+exit=\S+\s+a0=\w+\s+a1=\w+\s+a2=\w+\s+a3=\w+\s+items=\d+\s+ppid=\d+\s+pid=\d+\s+auid=\d+\s+uid=\d+\s+gid=\d+\s+euid=\d+\s+suid=\d+\s+fsuid=\d+\s+egid=\d+\s+sgid=\d+\s+fsgid=\d+\s+tty=\S+\s+ses=\d+\s+comm="\S+"\s+exe="(\S+)"\s+key="(\w+)"</regex>
>> >> >> >> >   <order>system_name,id,status,action,extra_data</order>
>> >> >> >> > </decoder>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > <decoder name="auditd-cwd">
>> >> >> >> >   <parent>auditd</parent>
>> >> >> >> >   <prematch offset="after_parent">^CWD </prematch>
>> >> >> >> >   <regex offset="after_parent">^(CWD) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+cwd="(\.+)"</regex>
>> >> >> >> >   <order>system_name,id,extra_data</order>
>> >> >> >> > </decoder>
>> >> >> >> >
>> >> >> >> > <decoder name="auditd-path">
>> >> >> >> >   <parent>auditd</parent>
>> >> >> >> >   <prematch offset="after_parent">^PATH </prematch>
>> >> >> >> >   <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):\s+item=\d+\s+name="(\.+)"\s+inode=\d+\s+dev=\S+\s+mode=\d+\s+ouid=\d+\s+ogid=\d+\s+rdev=\S+</regex>
>> >> >> >> >   <order>action,id,extra_data</order>
>> >> >> >> > </decoder>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > Doesn't the multi-log feature in ossec 2.7 work for auditd?
>> >> >> >> > I'm having problems correlating rules.
>> >> >> >> >
>> >> >> >> > Sorry for my bad English.
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >> >> You need to get log samples, and write rules based on those logs. Use
>> >> >> >> ossec-logtest to help determine what is going on and for testing.
>> >> >> >>
>> >> >> >> > Regards,
>> >> >> >> >

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
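The correlation question raised in the thread ("is there a way to correlate rules decoded as auditd?") comes down to one fact the posted decoders already capture: the audit serial in `msg=audit(ts:serial)`, which every SYSCALL, CWD and PATH record of a single audit event shares. The following Python is an added example, not code from the thread or from OSSEC. It extracts the same fields the three decoders do (system_name, id, status, action, extra_data), then joins records on that serial so an analyst sees which executable, under which audit key, touched which path. The SYSCALL line (serial 8547) and the PATH line for serial 9245 are copied from the thread; the CWD and PATH records for serial 8547 and the cron syslog line are constructed for the demo. Python regex differs from OSSEC's (OSSEC's `\.` means any character; here `[^"]+` is used for the quoted values).

```python
import re
from collections import defaultdict

# Header shared by every audit record; the serial after the colon is the join key.
AUDIT_HDR = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# Per-type captures mirroring the decoders posted in the thread.
SYSCALL_RE = re.compile(r'success=(?P<status>\S+).*?\bexe="(?P<action>[^"]+)".*?\bkey="(?P<extra>[^"]+)"')
CWD_RE = re.compile(r'cwd="(?P<extra>[^"]+)"')
PATH_RE = re.compile(r'name="(?P<extra>[^"]+)"')

# Constructed sample input: SYSCALL 8547 and PATH 9245 are from the thread,
# the CWD/PATH for 8547 and the cron line are made up for this demo.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1387210570.882:8547): arch=c000003e syscall=2 success=yes exit=6 '
    'a0=4161ee a1=2 a2=7fed59c38000 a3=7fff7aa10ec0 items=1 ppid=26163 pid=26225 auid=2009 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=491 comm="useradd" '
    'exe="/usr/sbin/useradd" key="logins"',
    'type=CWD msg=audit(1387210570.882:8547): cwd="/root"',
    'type=PATH msg=audit(1387210570.882:8547): item=0 name="/etc/passwd" inode=131 dev=fd:00 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00',
    'type=PATH msg=audit(1387218689.294:9245): item=0 name="/home/proof/proof/" inode=475 '
    'dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00',
    'Dec 16 16:30:21 LNKI371 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)',
]


def decode(line):
    """Return decoder-style fields for one audit record, or None for a non-audit line."""
    m = AUDIT_HDR.match(line)
    if not m:
        return None
    rec = {"system_name": m.group("type"), "id": m.group("serial"), "timestamp": m.group("ts")}
    rest = m.group("rest")
    if rec["system_name"] == "SYSCALL":
        s = SYSCALL_RE.search(rest)
        if s:
            rec.update(status=s.group("status"), action=s.group("action"), extra_data=s.group("extra"))
    elif rec["system_name"] == "CWD":
        c = CWD_RE.search(rest)
        if c:
            rec["extra_data"] = c.group("extra")
    elif rec["system_name"] == "PATH":
        p = PATH_RE.search(rest)
        if p:
            rec["extra_data"] = p.group("extra")
    return rec


def correlate(lines):
    """Group decoded records by audit serial so one event's SYSCALL/CWD/PATH sit together."""
    events = defaultdict(list)
    for line in lines:
        rec = decode(line)
        if rec:
            events[rec["id"]].append(rec)
    return events


def summarize(event):
    """Reduce a grouped event to exe, audit key, success flag, cwd and the paths it touched."""
    summary = {"exe": None, "key": None, "success": None, "cwd": None, "paths": []}
    for rec in event:
        kind = rec["system_name"]
        if kind == "SYSCALL":
            summary["exe"] = rec.get("action")
            summary["key"] = rec.get("extra_data")
            summary["success"] = rec.get("status")
        elif kind == "CWD":
            summary["cwd"] = rec.get("extra_data")
        elif kind == "PATH":
            summary["paths"].append(rec.get("extra_data"))
    return summary


def find_key_hits(events, key):
    """Detection check: successful events tagged with the given audit key, with exe and paths."""
    hits = []
    for serial in sorted(events):
        s = summarize(events[serial])
        if s["key"] == key and s["success"] == "yes":
            hits.append((serial, s["exe"], s["paths"]))
    return hits


if __name__ == "__main__":
    grouped = correlate(SAMPLE_LINES)
    for serial in sorted(grouped):
        print(serial, summarize(grouped[serial]))
    print("key=logins hits:", find_key_hits(grouped, "logins"))
```

Running the file prints one reconstructed event per serial; the PATH record for 9245 stays its own event because no SYSCALL with that serial is present. In OSSEC itself the equivalent join is expressed with the `<same_id />` option on a frequency (composite) rule, which requires the decoded `id` field to match across the correlated records.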
