The alert format has been customized by AlienVault so ossec-reportd cannot parse it anymore. You should use AlienVault tools instead.
On Monday, March 17, 2014 9:44:43 AM UTC-7, dan (ddpbsd) wrote:
> On Mon, Mar 17, 2014 at 12:36 PM, James Brown <[email protected]> wrote:
> > I'm using OSSEC HIDS 2.7, it is integrated into Alienvault which might
> > explain why the format is a little off. If it is helpful I can provide the
> > format as defined in ossec.conf.
>
> I'm not sure how that would help me. If the alert isn't in the proper
> format, ossec-reportd won't know how to decode it.
>
> > On Monday, March 17, 2014 10:14:14 AM UTC-6, dan (ddpbsd) wrote:
> >>
> >> On Mon, Mar 17, 2014 at 12:00 PM, James Brown <[email protected]> wrote:
> >> > I've been trying to use ossec-reportd by issuing the following command:
> >> > cat
> >>
> >> Which version of OSSEC?
> >>
> >> > /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success
> >> >
> >> > Unfortunately, the output is simply:
> >> >
> >> > 2014/03/17 09:53:34 ossec-reportd: INFO: Started (pid: 13402).
> >> > 2014/03/17 09:53:40 ossec-reportd: INFO: Report completed and zero alerts post-filter.
> >> >
> >> > However, if I cat out the alerts.log file it looks like this:
> >> >
> >>
> >> I'm not sure where you got this alert from, but it is not in OSSEC's
> >> alert format.
> >>
> >> > AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; RG: "windows,authentication_success,"; RC: "Windows Logon Success."; USER: "None"; SRCIP: "None"; HOSTNAME: "(**********) **.*.**.***->WinEvtLog"; LOCATION: "(*********) **.*.**.***->WinEvtLog"; EVENT: "[INIT]WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: ******.***.local: An account was successfully logged on.
> >> > Subject: Security ID: *-*-*-* Account Name: - Account Domain: - Logon ID: 0x0
> >> > Logon Type: 3 Impersonation Level: %1833
> >> > New Logon: Security ID: ********************** Account Name: ************* Account Domain: **** Logon ID: *********** Logon GUID: {00000000-0000-0000-0000-000000000000}
> >> > Process Information: Process ID: 0x0 Process Name: -
> >> > Network Information: Workstation Name: L2FS266 Source Network Address: 10.1.14.119 Source Port: 57548
> >> > Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
> >> > This event is generated when a logon session is created. It is generated on
> >> > the computer that was accessed. The subject fields indicate the account
> >> > on the local system which requested the logon. This is most commonly a
> >> > service such as the Server service, or a local process such as Winlogon.exe
> >> > or Services.exe. The logon type field indicates the kind of logon that
> >> > occurred. The most common types are 2 (interactive) and 3 (network). The
> >> > New Logon fields indicate the account for whom the new logon was created,
> >> > i.e. the account that was logged on.
> >> >
> >> > Note: I replaced any identifying information (domain, IP Address, etc)
> >> > with *************.
> >> >
> >> > Clearly running reportd for authentication_success should catch this event,
> >> > correct? Or am I misunderstanding the filter? The filter I'm most interested
> >> > in is File Integrity Monitoring in the end, but it would be nice to
> >> > understand more about these filters and what I'm doing wrong.
> >> >
> >> > Any help is greatly appreciated, thank you for your time.
> >> >
> >> > Jimmy
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
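An added example, not from the thread and not AlienVault's or OSSEC's own code: a small parser for the "AV - Alert" line format quoted above, plus the rule-group filter that `ossec-reportd -f group <name>` applies to native alerts, so the same question ("which alerts are in authentication_success?") can be answered on the customized log. The sample lines are constructed; host names and addresses in them are placeholders.

```python
import re
from datetime import datetime, timezone

# One 'KEY: "value"' field of the AlienVault-style line. The lazy match plus the
# lookahead keeps a value intact even if it contains a double quote, as long as
# the quote is not followed by another '; KEY: "' separator.
_FIELD_RE = re.compile(r'([A-Z]+): "(.*?)"(?=;\s*[A-Z]+: "|\s*$)')
_HEADER_RE = re.compile(r'^AV - Alert - "(\d+)" --> ')

# Constructed sample: the first line mirrors the (redacted) logon alert from the
# thread, the second is an invented syscheck alert so the filter has something to drop.
SAMPLE_LINES = [
    'AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; RG: "windows,authentication_success,"; '
    'RC: "Windows Logon Success."; USER: "None"; SRCIP: "None"; '
    'HOSTNAME: "(agent-placeholder) 10.0.0.1->WinEvtLog"; LOCATION: "(agent-placeholder) 10.0.0.1->WinEvtLog"; '
    'EVENT: "[INIT]WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: '
    '(no user): no domain: host.example.local: An account was successfully logged on."',
    'AV - Alert - "1395036060" --> RID: "550"; RL: "7"; RG: "ossec,syscheck,"; RC: "Integrity checksum changed."; '
    'USER: "None"; SRCIP: "None"; HOSTNAME: "(agent-placeholder) 10.0.0.1->syscheck"; '
    'LOCATION: "(agent-placeholder) 10.0.0.1->syscheck"; '
    'EVENT: "[INIT]Integrity checksum changed for: \'/etc/passwd\'"',
]


def parse_av_alert(line):
    """Parse one 'AV - Alert' line into a dict; return None for any line that is
    not in that format (for example a native OSSEC '** Alert' block)."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    alert = {"timestamp": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)}
    for key, value in _FIELD_RE.findall(line.strip()[m.end():]):
        alert[key] = value
    # RG is a comma-separated group list with a trailing comma, e.g.
    # "windows,authentication_success," -> ["windows", "authentication_success"]
    alert["groups"] = [g for g in alert.get("RG", "").split(",") if g]
    return alert


def filter_by_group(lines, group):
    """Equivalent of 'ossec-reportd -f group <group>' for AV-format lines:
    keep only alerts whose rule group list contains <group>."""
    return [a for a in map(parse_av_alert, lines) if a and group in a["groups"]]


if __name__ == "__main__":
    for a in filter_by_group(SAMPLE_LINES, "authentication_success"):
        print(a["timestamp"].isoformat(), a["RID"], a["RC"])
```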
