On Mon, Mar 17, 2014 at 12:36 PM, James Brown <[email protected]> wrote:
> I'm using OSSEC HIDS 2.7, it is integrated into Alienvault which might
> explain why the format is a little off. If it is helpful I can provide the
> format as defined in ossec.conf.
>

I'm not sure how that would help me. If the alert isn't in the proper
format, ossec-reportd won't know how to decode it.

> On Monday, March 17, 2014 10:14:14 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Mon, Mar 17, 2014 at 12:00 PM, James Brown <[email protected]> wrote:
>> > I've been trying to use ossec-reportd by issuing the following command:
>> > cat
>>
>> Which version of OSSEC?
>>
>> > /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f
>> > group
>> > authentication_success
>> >
>> > Unfortunately, the output is simply:
>> >
>> > 2014/03/17 09:53:34 ossec-reportd: INFO: Started (pid: 13402).
>> > 2014/03/17 09:53:40 ossec-reportd: INFO: Report completed and zero
>> > alerts
>> > post-filter.
>> >
>> > However, if I cat out the alerts.log file it looks like this:
>> >
>>
>> I'm not sure where you got this alert from, but it is not in OSSEC's
>> alert format.
>>
>> > AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; RG:
>> > "windows,authentication_success,"; RC: "Windows Logon Success."; USER:
>> > "None"; SRCIP: "None"; HOSTNAME: "(**********) **.*.**.***->WinEvtLog";
>> > LOCATION: "(*********) **.*.**.***->WinEvtLog"; EVENT: "[INIT]WinEvtLog:
>> > Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no
>> > user): no domain: ******.***.local: An account was successfully logged
>> > on.
>> > Subject:          Security ID:    *-*-*-*         Account Name:   -
>> > Account Domain:         -       Logon ID:       0x0    Logon Type:
>> > 3    Impersonation Level:       %1833    New Logon:     Security ID:
>> > **********************         Account Name:   *************
>> > Account
>> > Domain:         ****    Logon ID:       ***********      Logon GUID:
>> > {00000000-0000-0000-0000-000000000000}    Process Information:
>> > Process ID:     0x0     Process Name:   -    Network Information:
>> > Workstation Name: L2FS266       Source Network Address: 10.1.14.119
>> > Source Port:    57548    Detailed Authentication Information:   Logon
>> > Process:  NtLmSsp         Authentication Package: NTLM    Transited
>> > Services: -   Package Name (NTLM only): NTLM V2       Key Length:
>> > 128
>> > This event is generated when a logon session is created. It is generated
>> > on
>> > the computer that was accessed.    The subject fields indicate the
>> > account
>> > on the local system which requested the logon. This is most commonly a
>> > service such as the Server service, or a local process such as
>> > Winlogon.exe
>> > or Services.exe.    The logon type field indicates the kind of logon
>> > that
>> > occurred. The most common types are 2 (interactive) and 3 (network).
>> > The
>> > New Logon fields indicate the account for whom the new logon was
>> > created,
>> > i.e. the account that was logged on.
>> >
>> > Note: I replaced any identifying information (domain, IP Address, etc)
>> > with
>> > *************.
>> >
>> > Clearly running reportd for authentication_success should catch this
>> > event
>> > correct or am I misunderstanding the filter? The filter I'm most
>> > interested
>> > in is File Integrity Monitoring in the end, but it would be nice to
>> > understand more about these filters and what I'm doing wrong.
>> >
>> > Any help is greatly appreciated, thank you for your time.
>> >
>> > Jimmy
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>

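The point dan makes is that ossec-reportd only understands OSSEC's own alerts.log layout, and the `AV - Alert - ...` line AlienVault writes is a different format, so the `-f group authentication_success` filter never sees a record to match. The script below is an added example, not code from the thread or from OSSEC/AlienVault: it classifies a line as native OSSEC or AlienVault, parses the AlienVault fields visible in the thread (RID, RL, RG, RC, USER, SRCIP, HOSTNAME, LOCATION, EVENT), applies the same kind of group filter, and rewrites the record into the native layout. The native layout reproduced here (`** Alert <epoch>.<offset>: - <groups>` header, date/location line, `Rule:` line, optional `Src IP:`/`User:` lines, then the log line) is my recollection of OSSEC 2.7's alerts.log and is an assumption, as is stripping the `[INIT]` prefix from EVENT; the sample record uses constructed placeholder host and IP values because the thread's own copy is redacted. Check the converted output against a real alerts.log before relying on it for reporting.

```python
"""Added example: detect AlienVault-wrapped vs native OSSEC alerts and rewrite
the former into the alerts.log layout ossec-reportd reads (assumed layout)."""
import re
from datetime import datetime, timezone

# Constructed sample with placeholder host/IP values; the field names match
# the AlienVault record shown in the thread.
AV_SAMPLE = (
    'AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; '
    'RG: "windows,authentication_success,"; RC: "Windows Logon Success."; '
    'USER: "None"; SRCIP: "None"; HOSTNAME: "(winhost01) 10.0.0.5->WinEvtLog"; '
    'LOCATION: "(winhost01) 10.0.0.5->WinEvtLog"; '
    'EVENT: "[INIT]WinEvtLog: Security: AUDIT_SUCCESS(4624): '
    'Microsoft-Windows-Security-Auditing: (no user): no domain: '
    'host.example.local: An account was successfully logged on."'
)

NATIVE_HEADER = re.compile(r'^\*\* Alert \d+\.\d+: ')        # assumed OSSEC header
AV_HEADER = re.compile(r'^AV - Alert - "(\d+)" --> (.*)$')   # AlienVault wrapper
AV_FIELD = re.compile(r'(\w+): "(.*?)"')                      # KEY: "value" pairs


def detect_format(line):
    """Classify one alert line: 'ossec' (native header), 'alienvault', or 'unknown'."""
    if NATIVE_HEADER.match(line):
        return "ossec"
    if AV_HEADER.match(line):
        return "alienvault"
    return "unknown"


def parse_av_alert(line):
    """Split an AlienVault 'AV - Alert' line into a dict of its KEY: "value" fields."""
    m = AV_HEADER.match(line)
    if not m:
        raise ValueError("not an AlienVault alert line")
    fields = dict(AV_FIELD.findall(m.group(2)))
    fields["TIMESTAMP"] = int(m.group(1))
    return fields


def groups(fields):
    """Rule groups as a list; OSSEC writes them comma-terminated ('a,b,')."""
    return [g for g in fields.get("RG", "").split(",") if g]


def matches_group(fields, wanted):
    """Mirror of 'ossec-reportd -f group <name>': exact match on one rule group."""
    return wanted in groups(fields)


def to_ossec_alert(fields, offset=0):
    """Render parsed fields as a native OSSEC alerts.log record (assumed layout)."""
    ts = fields["TIMESTAMP"]
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y %b %d %H:%M:%S")
    event = fields["EVENT"]
    if event.startswith("[INIT]"):  # AlienVault marker, assumed not part of the log
        event = event[len("[INIT]"):]
    lines = [
        f"** Alert {ts}.{offset}: - {fields['RG']}",
        f"{when} {fields['LOCATION']}",
        f"Rule: {fields['RID']} (level {fields['RL']}) -> '{fields['RC']}'",
    ]
    # OSSEC only emits these lines when the decoder extracted a value.
    if fields.get("SRCIP", "None") != "None":
        lines.append(f"Src IP: {fields['SRCIP']}")
    if fields.get("USER", "None") != "None":
        lines.append(f"User: {fields['USER']}")
    lines.append(event)
    return "\n".join(lines) + "\n\n"  # records are blank-line separated


def convert_stream(lines, wanted_group=None):
    """Convert every AlienVault line in an iterable; optionally keep one group only."""
    out = []
    for i, line in enumerate(lines):
        if detect_format(line) != "alienvault":
            continue  # native records or noise are left to ossec-reportd itself
        f = parse_av_alert(line.rstrip("\n"))
        if wanted_group is None or matches_group(f, wanted_group):
            out.append(to_ossec_alert(f, offset=i))
    return "".join(out)


if __name__ == "__main__":
    print(detect_format(AV_SAMPLE))
    print(convert_stream([AV_SAMPLE], "authentication_success"), end="")
```

Piping the converted output into `ossec-reportd -f group authentication_success` is the experiment to run; if reportd still reports zero alerts post-filter, compare the generated header and date lines field by field against a record written by a plain OSSEC 2.7 install, since the layout above is assumed rather than taken from the tool's source.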
