I'm using OSSEC HIDS 2.7; it is integrated into AlienVault, which might explain why the format is a little off. If it is helpful I can provide the format as defined in ossec.conf.
On Monday, March 17, 2014 10:14:14 AM UTC-6, dan (ddpbsd) wrote:
> On Mon, Mar 17, 2014 at 12:00 PM, James Brown <[email protected]> wrote:
> > I've been trying to use ossec-reportd by issuing the following command:
> > cat
>
> Which version of OSSEC?
>
> > /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success
> >
> > Unfortunately, the output is simply:
> >
> > 2014/03/17 09:53:34 ossec-reportd: INFO: Started (pid: 13402).
> > 2014/03/17 09:53:40 ossec-reportd: INFO: Report completed and zero alerts post-filter.
> >
> > However, if I cat out the alerts.log file it looks like this:
> >
>
> I'm not sure where you got this alert from, but it is not in OSSEC's alert format.
>
> > AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; RG: "windows,authentication_success,";
> > RC: "Windows Logon Success."; USER: "None"; SRCIP: "None";
> > HOSTNAME: "(**********) **.*.**.***->WinEvtLog"; LOCATION: "(*********) **.*.**.***->WinEvtLog";
> > EVENT: "[INIT]WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing:
> > (no user): no domain: ******.***.local: An account was successfully logged on.
> > Subject: Security ID: *-*-*-* Account Name: - Account Domain: - Logon ID: 0x0
> > Logon Type: 3 Impersonation Level: %1833
> > New Logon: Security ID: ********************** Account Name: ************* Account Domain: ****
> > Logon ID: *********** Logon GUID: {00000000-0000-0000-0000-000000000000}
> > Process Information: Process ID: 0x0 Process Name: -
> > Network Information: Workstation Name: L2FS266 Source Network Address: 10.1.14.119 Source Port: 57548
> > Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM
> > Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
> > This event is generated when a logon session is created. It is generated on the computer that
> > was accessed. The subject fields indicate the account on the local system which requested the
> > logon. This is most commonly a service such as the Server service, or a local process such as
> > Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred.
> > The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the
> > account for whom the new logon was created, i.e. the account that was logged on.
> >
> > Note: I replaced any identifying information (domain, IP address, etc.) with *************.
> >
> > Clearly running reportd for authentication_success should catch this event, correct? Or am I
> > misunderstanding the filter? The filter I'm most interested in is File Integrity Monitoring in
> > the end, but it would be nice to understand more about these filters and what I'm doing wrong.
> >
> > Any help is greatly appreciated, thank you for your time.
> >
> > Jimmy

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
