Hi, 

I am currently working on the PacketFence project which does network access 
control. 

We are looking into integrating OSSEC with PacketFence in order to isolate 
clients based on specific events that happen on the clients. 

After installing and testing there are a few issues that I would need help 
with. 

Setup I have: 
- OSSEC server is built from the master on your git repo and uses OSSEC 
WebUI 
- Linux agent is also built from the master on your git repo 
- Windows agent is version 2.7.1, which is available on your website 
  - Agent is configured using a network and not using the direct IP 
address. 

1 - Source IP 
In order to isolate the client we will always need the source IP that 
triggered the violation. Looking into the alerts in the GUI, the source IP 
is always a part of the log but never the real source IP. Is it a bug with 
the GUI, or is it that the source IP will never be populated except when 
directly available in the log line? 

2 - Windows event log 
OS Version: Windows 7 64-bit 
I am getting alerts from our Windows test station. In order to be able to 
repeatedly test the integration, I tried to add a new rule for event ID 
4616, which is the time-changed event in the Security category of the event 
logs. I wrote a rule directly in rules/msauth_rules.xml to intercept 
that event. 

Here is the rule (it's in the windows group): 
<rule id="100101" level="8"> 
    <if_sid>18101</if_sid> 
    <id>^4616$</id> 
    <description>IF YOU SEE THIS THEN CELEBRATE </description> 
    <group>system_error,</group> 
</rule> 

I cannot get the alert to be intercepted. I tested the rule using 
ossec-logtest with this line: 
WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: 
TESTINGLAPTOP.inverse.local: The system time was changed. 

This line triggers the alert successfully, but when changing the time on the 
client the alert doesn't show up on the OSSEC server, although it does in the 
Windows event log. Is there another configuration that I need to add on the 
agent? Also, is it possible to see all the log lines that come to the OSSEC 
server, because that would make debugging easier. 

Thank you! 

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
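Added example, not from the post or from OSSEC's own code: a small Python re-implementation of how a Windows event line is decoded and routed through a parent status rule before a child rule such as 100101 can fire, and of why srcip is only set when the message body actually carries an address. It assumes the line shape shown in the post's logtest line and the status-to-parent-rule mapping of the stock msauth_rules.xml as I recall it (18101 = INFORMATION, 18104 = AUDIT_SUCCESS, etc.); the sample lines are constructed, so verify both against your own rules file and a real forwarded event.

```python
import re

# Line shape assumed from the logtest line in the post:
# WinEvtLog: <log>: <STATUS>(<id>): <source>: <user>: <domain>: <host>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<msg>.*)$"
)
# srcip is populated only when a decoder finds an address in the message body;
# this constructed pattern mimics the "Source Network Address" field of logon events.
SRCIP_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Parent rules of the stock msauth_rules.xml (assumed from memory; check your copy).
STATUS_PARENT = {"INFORMATION": 18101, "WARNING": 18102, "ERROR": 18103,
                 "AUDIT_SUCCESS": 18104, "AUDIT_FAILURE": 18105}

# The poster's rule 100101: fires only if parent 18101 matched AND the id matches ^4616$.
RULES = [{"id": 100101, "level": 8, "if_sid": 18101, "id_re": re.compile(r"^4616$")}]

def decode(line):
    """Split a forwarded Windows event line into fields; srcip stays None if absent."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ip = SRCIP_RE.search(ev["msg"])
    ev["srcip"] = ip.group(1) if ip else None
    return ev

def match(line):
    """Return the rule that fires for the line (child if matched, else the parent)."""
    ev = decode(line)
    if ev is None:
        return None
    parent = STATUS_PARENT.get(ev["status"])
    for r in RULES:
        if r["if_sid"] == parent and r["id_re"].match(ev["id"]):
            return {"rule": r["id"], "level": r["level"], "srcip": ev["srcip"]}
    return {"rule": parent, "level": 0, "srcip": ev["srcip"]}

# Constructed sample lines: the post's logtest line, then what a Security-log
# 4616 and a 4624 logon event might look like when forwarded by the agent.
LOGTEST_LINE = ("WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: "
                "TESTINGLAPTOP.inverse.local: The system time was changed.")
AUDIT_LINE = ("WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: "
              "(no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.")
LOGON_LINE = ("WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
              "(no user): no domain: TESTINGLAPTOP.inverse.local: An account was successfully "
              "logged on. Source Network Address: 192.0.2.10")
```

Running `match()` over the three lines shows that the same event ID lands on a different parent rule depending on the status field, which is the first thing to compare between the logtest line and the line the agent really forwards.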