Hi,
I am currently working on the PacketFence project which does network access
control.
We are looking into integrating OSSEC with PacketFence in order to isolate
clients based on specific events that happen on the clients.
After installing and testing, there are a few issues that I would need help
with.
Setup I have:
- OSSEC server is built from the master on your git repo and uses OSSEC
WebUI
- Linux agent is also built from the master on your git repo
- Windows agent is version 2.7.1 which is available on your website
- Agent is configured using a network and not using the direct IP
address.
1 - Source IP
In order to isolate the client we will always need the source IP that
triggered the violation. Looking into the alerts in the GUI, the source IP
is always a part of the log but never the real source IP. Is it a bug with
the GUI, or will the source IP never be populated except when it is directly
available in the log line?
2 - Windows event log
OS version: Windows 7 64-bit
I am getting alerts from our Windows test station. In order to be able to
repeatedly test the integration, I tried to add a new rule for event ID
4616, which is the "time changed" event in the Security category of the event
logs. I wrote a rule directly in rules/msauth_rules.xml to intercept
that event.
Here is the rule (it's in the windows group):
<rule id="100101" level="8">
  <if_sid>18101</if_sid>
  <id>^4616$</id>
  <description>IF YOU SEE THIS THEN CELEBRATE </description>
  <group>system_error,</group>
</rule>
I cannot get the alert to be intercepted. I tested the rule with
ossec-logtest using this line:
WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain:
TESTINGLAPTOP.inverse.local: The system time was changed.
This line triggers the alert successfully, but when I change the time on the
client, the alert doesn't show up on the OSSEC server, although it does appear
in the Windows event log. Is there another configuration that I need to add on
the agent? Also, is it possible to see all the log lines that come to the OSSEC
server? That would make debugging easier.
Thank you!
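As an added example (not code from the post above and not part of OSSEC or PacketFence), the following parser works through question 1 on the server side: OSSEC writes each alert to logs/alerts/alerts.log as a block whose second line carries the reporting agent's name and the address OSSEC recorded for it ("(agent) ip->location"), separately from the "Src IP:" field that the decoder fills only when an address appears in the log line itself. So even an alert with "Src IP: (none)", such as the event 4616 rule, still identifies the host that produced it. The sample alerts are constructed; the three-alert layout and the "(none)"/"(no user)" placeholders follow the 2.x alerts.log format. The example assumes the header address is the agent's real one; with an agent registered to a network rather than a fixed IP, check what your own alerts.log shows in that position before relying on it.

```python
import re

# Constructed sample in the layout OSSEC uses for logs/alerts/alerts.log
# (not alerts copied from any real server). Alert 1 has a "Src IP" because
# sshd put the remote address in the log line; alert 2 is the event 4616
# case, where "Src IP" is "(none)" but the agent's address is still in the
# header line; alert 3 is a server-local alert with no agent at all.
SAMPLE_ALERTS = """\
** Alert 1401192000.12345: - syslog,sshd,authentication_failed,
2014 May 27 10:00:00 (linuxagent) 192.168.10.21->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.99
User: root
May 27 10:00:00 linuxagent sshd[2001]: Failed password for root from 10.0.0.99 port 51234 ssh2

** Alert 1401192060.12346: - windows,system_error,
2014 May 27 10:01:00 (TESTINGLAPTOP) 192.168.10.50->WinEvtLog
Rule: 100101 (level 8) -> 'IF YOU SEE THIS THEN CELEBRATE '
Src IP: (none)
User: (no user)
WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.

** Alert 1401192120.12347: - ossec,
2014 May 27 10:02:00 ossecserver->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
User: (no user)
ossec: Ossec started.
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)? - (?P<groups>.*)$")
# Agent alerts: "(name) ip->location"; server-local alerts: "host->location".
ORIGIN_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) (?P<agent_ip>[^\s>]+)|(?P<host>[^\s>]+))"
    r"->(?P<location>.*)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: (?P<srcip>.*)$")
USER_RE = re.compile(r"^User: (?P<user>.*)$")


def _field(value, placeholder):
    """Map OSSEC's '(none)' / '(no user)' placeholders to None."""
    value = value.strip()
    return None if value == placeholder else value


def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' block."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "timestamp": float(m.group("ts")),
                "mail": bool(m.group("mail")),
                "groups": [g for g in m.group("groups").split(",") if g],
                "agent": None, "agent_ip": None, "host": None, "location": None,
                "rule_id": None, "level": None, "description": None,
                "srcip": None, "user": None, "log": [],
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        # The fixed-order fields come first; everything after them is the log.
        if current["location"] is None:
            m = ORIGIN_RE.match(line)
            if m:
                current.update(agent=m.group("agent"), agent_ip=m.group("agent_ip"),
                               host=m.group("host"), location=m.group("location"))
                continue
        if current["rule_id"] is None:
            m = RULE_RE.match(line)
            if m:
                current["rule_id"] = int(m.group("rule_id"))
                current["level"] = int(m.group("level"))
                current["description"] = m.group("desc")
                continue
        if not current["log"]:
            m = SRCIP_RE.match(line)
            if m:
                current["srcip"] = _field(m.group("srcip"), "(none)")
                continue
            m = USER_RE.match(line)
            if m:
                current["user"] = _field(m.group("user"), "(no user)")
                continue
        current["log"].append(line)
    return alerts


def isolation_target(alert):
    """Address a NAC would act on for this alert (one possible policy).

    A decoded "Src IP" is the remote actor named in the log line and wins.
    Otherwise the event is local to the reporting host (event 4616 is one
    such case), so the agent address from the header is used. Server-local
    alerts carry no agent address and yield None. Which address is the right
    one to isolate is rule-dependent; adjust the policy per rule group.
    """
    if alert["srcip"]:
        return alert["srcip"]
    return alert["agent_ip"]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["rule_id"], a["level"], a["agent"], a["srcip"], "->", isolation_target(a))
```

Reading alerts.log this way also answers the debugging question in a limited form: the last lines of each block are the log line(s) the server actually received and matched, so an event that never appears there never reached the analysis side at all.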