Just as an FYI, after posting this I thought about my setup a bit and I've 
now got logstash consuming the alerts.log directly.  I'll see if this works 
a bit better; at first glance it seems to.  I've attached my logstash.conf.


On Wednesday, February 5, 2014 2:14:36 PM UTC, Chris H wrote:
>
> Hi.  I'm trying this setup, after seeing the blog post on ossec.net recently, 
> and regularly exceeding the 500mb limit on Splunk free.  I'm 
> sending alerts level 3+ to logstash and 5+ to splunk still.  I spent a 
> while tweaking the logstash.conf to work with splunk format syslog output, 
> as it includes the groups. Was going to share when it was fully working, 
> but...
>
> Not all the logs are going into logstash (or at least not going in to 
> elasticsearch.)  
>
> For example, we just had a bunch of alerts from our anti-virus server.  In 
> the space of 30 seconds we had 29 events from one workstation:
>
> ** Alert 1391605348.1873086525: - trend_micro,osce,virus
> 2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
> Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
> WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14  Computer: D13800  Domain: Client pcs and laptops  File: C:\Documents and Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe  Date/Time: 05/02/2014 13:02:21  Result: Quarantine
>
> The only difference was the timestamp and the filename.  All 29 events 
> went into Splunk, but only 1 made it into elasticsearch (not the first 
> event, either.)  Could this be because of the syslog size limit?  There are 
> a lot more events going into logstash because of the lower alert threshold. 
> How does OSSEC group alerts when sending them by syslog?
>
> Thanks.
>
> On Monday, January 27, 2014 1:36:19 PM UTC, dan (ddpbsd) wrote:
>>
>> On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es <[email protected]> 
>> wrote: 
>> > Hi, 
>> > 
>> > Is anyone using OSSEC => syslog => Logstash => Kibana for their setup? 
>> > We found out that the netstat -tan diff ran by syscheck gives only the 
>> > first line of the diff: 
>> > 
>> > <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort' 
>> > 
>> > and it does not show the diff output (the 2 netstat -tan outputs). 
>> > 
>> > Does anyone else have this issue and if so, how did you fix it with 
>> > (r)syslog? 
>> > OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and Logstash/Kibana 
>> > run on 2 separate machines. 
>> > 
>>
>> I haven't looked into this really, but I think the syslog output is 
>> limited to 1024(?)k (an old syslog limit). diffs wouldn't really 
>> transfer via syslog very well anyways, so I'm not sure they'd be worth 
>> it. 
>>
>> > Michiel 
>> > 
>> > 
>> > 
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
input {
  file {
    path => "/logs/ossec/logs/alerts/alerts.log"
    type => "ossec_alerts"      
  }
}

filter {
  if [type] == "ossec_alerts" {

    multiline {
      # The asterisks must be escaped (as the groups pattern further down already
      # does): "^** Alert" is not a valid regex, "*" has nothing to repeat.
      pattern => "^\*\* Alert"
      what => "previous"
      negate => true
    }

    
    grok {
      match => { "message" => "\nRule: (?<Rule>\d+) \(level (?<Alert_Level>\d+)\) \-> '(%{DATA:Description})'\n" }
    }
    # Second line of the alert: agent form "(host) ip->source" or server form
    # "host->source". Both patterns in one grok, so the form that does not apply
    # does not tag the event with _grokparsefailure.
    grok {
      match => { "message" => [
        "\n(?<event_timestamp>%{YEAR} +%{MONTH} +%{MONTHDAY} %{TIME}) \((?<reporting_host>.*?)\) (?<reporting_ip>\d+\.\d+\.\d+\.\d+)->(?<reporting_source>.*?)\n",
        "\n(?<event_timestamp>%{YEAR} +%{MONTH} +%{MONTHDAY} %{TIME}) (?<reporting_host>[^\(\)]+)->(?<reporting_source>.*?)\n"
      ] }
    }
    date {
      match => [ "event_timestamp", "YYYY MMM dd HH:mm:ss" ]
      target => "@timestamp"
    }
    # groups
    grok {
      match => { "message" => "^\*\* Alert .* - +(%{DATA:OSSEC_Groups}),?\n" }
    }
    # details
    grok {
      match => { "message" => "\n(?<Details>[^\n]+)\n$" }
    }

    # mutate applies its operations in a fixed internal order (strip before split,
    # and add_field/add_tag/remove_field only after all of them), so the split and
    # the strip need their own blocks to act on the field that was just added.
    mutate {
      add_field => {
        "logstash_host" => "%{host}"
        "OSSEC_Group" => "%{OSSEC_Groups}"
      }
      add_tag => [ "ossec" ]
    }
    mutate {
      split => [ "OSSEC_Group", "," ]
    }
    mutate {
      strip => [ "OSSEC_Group" ]
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_pid", "message", "@version", "type", "host" ]
    }

  }


  if "ossec" in [tags] {
    if [Details] =~ /^WinEvtLog/ {

      grok {
        match => { "Details" => "(?<Event_Status>AUDIT_\w+)\((?<Event_ID>\d+)\)" }
      }
      grok {
        match => { "Details" => "User Name:\s+(?<User_Account>[^\$]*?)\s+" }
      }
      grok {
        match => { "Details" => "User Name:\s+(?<Computer_Account>.*?)\$\s+" }
      }
      grok {
        match => { "Details" => "Address: %{IP:src_ip}" }
      }

    }

    if "cisco_ios" in [OSSEC_Group] {
      grok {
        match => { "Details" => "\%(?<Cisco_Event>\w+-\d-\w+): %{GREEDYDATA:Message}" }
      }
      # "message" was removed by the mutate above, so match on Details (the alert's
      # last line, which for a one-line Cisco event is the event itself).
      grok {
        match => { "Details" => " from %{IP:src_ip} " }
      }
      grok {
        match => { "Details" => "src_ip=\"%{IP:src_ip}\"" }
      }
      grok {
        match => { "Details" => "acct=\"%{USERNAME:User_Account}\"" }
      }
      grok {
        match => { "Details" => "Group = %{GREEDYDATA:VPN_Group}, Username = %{USERNAME:User_Account}, IP = %{IP:src_ip}" }
      }
    }

    if "activesync" in [OSSEC_Group] {
      grok {
        match => { "Details" => "Microsoft-Server-ActiveSync .* (?<Port>\d+) (.+\\)?(?<User_Account>.*?) %{IP:src_ip} %{DATA:Device_Type}/.+? (?<Status>\d+) \d+ \d+$" }
      }
    }

    if [Details] =~ /CISCO-LWAPP-AP-MIB/ {
      grok {
        match => { "Details" => "CISCO-LWAPP-AP-MIB::cLApRogueApMacAddress.\d = (?<BSSID>\w+:\w+:\w+:\w+:\w+:\w+),.*CISCO-LWAPP-AP-MIB::cLApRogueApSsid.\d = (?<SSID>.*?),.*CISCO-LWAPP-AP-MIB::cLApName.\d = (?<Identifying_AP>.*?)," }
      }
    }

    if [Description] =~ /DNS lookup/ {
      grok {
        match => { "Details" => "PACKET .* Rcv %{IP:src_ip}.*\] (.{0,4}\s+)?\(\d+\)(?<domain>.*)\(\d\)$" }
      }
      mutate {
        gsub => [ "domain", "\(\d+\)", "." ]
      }
    }

    if "osce" in [OSSEC_Group] {
      grok {
        # NOTSPACE rather than WORD: virus names such as TROJ_SPNR.14AR14 contain a
        # dot, and WORD (\b\w+\b) stops at it, so the pattern would never match.
        match => { "Details" => "Virus/Malware: %{NOTSPACE:Virus} +Computer: %{DATA:src} .* File: %{DATA:File} +Date/Time:.* Result: %{GREEDYDATA:Status}" }
      }
    }

    if [Rule] == "105402" {
      grok {
        # sudo pads the user name with several spaces after "sudo:", hence \s+
        match => { "Details" => "sudo:\s+%{USERNAME:User_Account}.*USER=%{USERNAME:Target_Account}.*COMMAND=%{GREEDYDATA:Command}" }
      }
    }

    if [Rule] == "6309" {
      grok {
        match => { "Details" => "%{IP:src_ip},.*,(?<MAC>[A-F0-9]{12})," }
      }
    }

    if "proxy" in [OSSEC_Group] {
      grok {
        match => { "Details" => "%{IP:src_ip}\t(\w+\\)?%{USERNAME:User_Account}\t%{DATA:User_Agent}\t[0-9\-]+\t[0-9:]+\t.*?\t.*?\t(?<Remote_Host>.*?)\t%{IP:Remote_IP}\t%{INT:Remote_Port}\t[\d\-]+\t[\d\-]+\t[\d\-]+\t%{DATA:Protocol}\t.+?\t(?<URI>.*?)\t.+\t%{INT:Remote_Status}\t%{DATA:Proxy_Rule}\t.+\t.+\t.+\t.+\t(?<Status>.+)$" }
      }
    }


  }
}

output {
  #stdout {
  #  codec => rubydebug
  #}
  elasticsearch {
    host => "127.0.0.1"
  }
}
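As an added example (not code from the original post, and not OSSEC's or Logstash's own), here is a Ruby script that does to alerts.log what the attached logstash.conf does: it splits the file at each "** Alert" header (the multiline filter's job), handles both the agent form "(host) ip->source" and the server form "host->source" of the second line, and pulls out groups, timestamp, rule, level, description and details. It goes one step beyond the thread: it renders each alert in the shape of the <132> syslog line quoted by Michiel and measures it against the 1024-byte message limit of RFC 3164 (the limit dan refers to), so alerts that would be cut short on the syslog path can be spotted before they are shipped. The three alerts are constructed: the first is modelled on the Trend Micro alert quoted above, the other two are made up; the PRI, syslog timestamp and manager name used in the rendering are placeholders.

```ruby
# Constructed sample input: the first alert is modelled on the Trend Micro
# event quoted in the thread, the sshd alert is made up.
SAMPLE_ALERTS_LOG = <<~'LOG'
  ** Alert 1391605348.1873086525: - trend_micro,osce,virus,
  2014 Feb 05 13:02:28 (AV01) 172.19.2.2->WinEvtLog
  Rule: 110003 (level 5) -> 'Virus detected and Quarantined'
  WinEvtLog: Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: AV01.domain.co.uk: Virus/Malware: TROJ_SPNR.14AR14  Computer: D13800  Domain: Client pcs and laptops  File: C:\Documents and Settings\bob.smith\Local Settings\Temp\tmp0de3e9e7.exe  Date/Time: 05/02/2014 13:02:21  Result: Quarantine

  ** Alert 1391605400.1873086600: - syslog,sshd,
  2014 Feb 05 13:03:20 local-machine-001->/var/log/secure
  Rule: 5715 (level 3) -> 'SSHD authentication success.'
  Feb  5 13:03:19 local-machine-001 sshd[1234]: Accepted publickey for bob from 192.0.2.10 port 51234 ssh2

LOG

# Constructed rule-533 alert with a multi-line netstat listing, the kind of
# event the thread saw arrive truncated over syslog.
NETSTAT_LINES = (1..20).map { |i|
  "tcp        0      0 0.0.0.0:#{8000 + i}            0.0.0.0:*               LISTEN"
}
LONG_ALERT = [
  "** Alert 1391605500.1873086700: - ossec,syscheck,",
  "2014 Feb 05 13:05:00 local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort",
  "Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'",
  "ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'",
  *NETSTAT_LINES,
].join("\n") + "\n"

# Line-by-line equivalents of the grok patterns in the attached config.
HEADER_RE      = /\A\*\* Alert (?<alert_id>\d+\.\d+): .*?- +(?<groups>.*?),?\z/
AGENT_LINE_RE  = /\A(?<event_timestamp>\d{4} +\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \((?<reporting_host>.*?)\) (?<reporting_ip>\d+\.\d+\.\d+\.\d+)->(?<reporting_source>.*)\z/
SERVER_LINE_RE = /\A(?<event_timestamp>\d{4} +\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?<reporting_host>[^()]+?)->(?<reporting_source>.*)\z/
RULE_RE        = /\ARule: (?<rule>\d+) \(level (?<level>\d+)\) -> '(?<description>.*)'\z/

# Parse one "** Alert" block into a hash; nil if it is not a well-formed alert.
def parse_alert(block)
  lines = block.strip.lines.map(&:chomp)
  return nil if lines.length < 4
  header = HEADER_RE.match(lines[0])
  source = AGENT_LINE_RE.match(lines[1]) || SERVER_LINE_RE.match(lines[1])
  rule   = RULE_RE.match(lines[2])
  return nil unless header && source && rule
  {
    alert_id:         header[:alert_id],
    groups:           header[:groups].split(",").map(&:strip).reject(&:empty?),
    event_timestamp:  source[:event_timestamp],
    reporting_host:   source[:reporting_host],
    reporting_ip:     source.names.include?("reporting_ip") ? source[:reporting_ip] : nil,
    reporting_source: source[:reporting_source],
    rule:             rule[:rule].to_i,
    level:            rule[:level].to_i,
    description:      rule[:description],
    details:          lines[3..-1].join("\n"),   # everything after the Rule line
  }
end

# Split a whole alerts.log into blocks (what the multiline filter does) and parse each.
def parse_alerts_log(text)
  text.split(/^(?=\*\* Alert )/).map { |block| parse_alert(block) }.compact
end

SYSLOG_MAX_BYTES = 1024   # RFC 3164: maximum total length of a syslog packet

# Approximation of OSSEC's client-syslog line; the shape follows the <132> sample
# quoted in the thread, while PRI, timestamp and manager name are placeholders.
def to_syslog_line(alert, pri: 132, syslog_ts: "Feb  5 13:02:28", manager: "ossec-server")
  details = alert[:details].tr("\n", " ")
  "<#{pri}>#{syslog_ts} #{manager} ossec: Alert Level: #{alert[:level]}; " \
    "Rule: #{alert[:rule]} - #{alert[:description]}; " \
    "Location: #{alert[:reporting_host]}->#{alert[:reporting_source]}; #{details}"
end

# True when the alert cannot travel intact inside a single RFC 3164 message.
def oversized_for_syslog?(alert)
  to_syslog_line(alert).bytesize > SYSLOG_MAX_BYTES
end

if __FILE__ == $PROGRAM_NAME
  parse_alerts_log(SAMPLE_ALERTS_LOG + LONG_ALERT).each do |alert|
    verdict = oversized_for_syslog?(alert) ? "exceeds #{SYSLOG_MAX_BYTES} bytes, expect truncation" : "fits"
    puts "#{alert[:alert_id]} rule=#{alert[:rule]} level=#{alert[:level]} " \
         "groups=#{alert[:groups].join(',')} syslog: #{verdict}"
  end
end
```

Run with `ruby ossec_alerts.rb` to get one line per alert. The Trend Micro and sshd alerts fit comfortably; the rule-533 alert with its netstat listing is the one that overshoots, which matches the symptom Michiel described of only the first line of a diff arriving. Reading alerts.log directly, as the attached config now does, sidesteps the limit entirely because no syslog packet is involved.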
