On Mar 24, 2014 8:45 AM, "Julien Semaan" <[email protected]> wrote:
>
> Hi,
>
> I am currently working on the PacketFence project, which does network access control.
>
> We are looking into integrating OSSEC with PacketFence in order to isolate clients based on specific events that happen on the clients.
>
> After installing and testing there are a few issues that I would need help with.
>
> Setup I have:
> - OSSEC server is built from the master on your git repo and uses OSSEC WebUI
> - Linux agent is also built from the master on your git repo
> - Windows agent is version 2.7.1, which is available on your website
> - Agent is configured using a network and not using the direct IP address.
>
> 1 - Source IP
> In order to isolate the client we will always need the source IP that triggered the violation. Looking into the alerts in the GUI, the source IP is always a part of the log but never the real source IP. Is it a bug with the GUI, or will the source IP never be populated except when directly available in the log line?
>

Can you provide an example? This doesn't make any sense.

> 2 - Windows event log
> OS Version: Windows 7 64-bit
> I am getting alerts from our Windows test station. In order to be able to repeatedly test the integration I tried to add a new rule for the event ID 4616, which is the time changed event in the category Security in the event logs. I wrote a rule directly in rules/msauth_rules.xml to intercept that event.
>
> Here is the rule (it's in the windows group):
>
> <rule id="100101" level="8">
>   <if_sid>18101</if_sid>
>   <id>^4616$</id>
>   <description>IF YOU SEE THIS THEN CELEBRATE</description>
>   <group>system_error,</group>
> </rule>
>
> I cannot get the alert to be intercepted. I tested the rule using ossec-logtest with this line:
>
> WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.
>
> This line triggers the alert successfully, but when changing the time on the client the alert doesn't show up on the OSSEC server, although it does in the Windows event log. Is there another configuration that I need to add on the agent? Also, is it possible to see all the log lines that come to the OSSEC server, because that would make debugging easier.

Did you restart the ossec processes on the manager after adding the rule? You can turn on the log all option on the manager to see all logs being passed to ossec.

>
> Thank you!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
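Added example (editorial, not code from the thread or from OSSEC): a toy re-creation of the rule tree the posted rule hangs off, to show why a hand-typed ossec-logtest line can fire a custom rule while the real event from the agent does not. The posted rule is a child of 18101; in the stock msauth_rules.xml the 18101..18105 parents split Windows events on the decoded status field (18101 matching INFORMATION, 18104 matching AUDIT_SUCCESS, and so on), which you should verify against your own copy. Event 4616 lives in the Security log, where it is recorded as an audit event rather than an informational one, so the status in the real line is what decides which parent, and therefore which children, get tried. The regex below only approximates the field layout visible in the posted test line (it is not OSSEC's decoder.xml), the parent levels are placeholders, the Security-log sample line and its source name are constructed, and the reparented variant of rule 100101 is a hypothetical comparison. The practical check is the one the reply suggests: enable logall on the manager, take the exact line the agent sent, and feed that to ossec-logtest instead of a line typed from memory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field layout of a "WinEvtLog:" line as it appears in the posted ossec-logtest line:
#   WinEvtLog: <log>: <status>(<event id>): <source>: <user>: <domain>: <hostname>: <message>
# This regex is written for this example and only approximates OSSEC's windows decoder.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<hostname>[^:]+): (?P<message>.*)$"
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields for a WinEvtLog line, or None if it is not one."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    level: int
    if_sid: Optional[int] = None      # parent rule that must already have matched
    status: Optional[str] = None      # regex tested against the decoded status field
    event_id: Optional[str] = None    # regex tested against the decoded event id field
    description: str = ""

    def matches(self, fields: Dict[str, str]) -> bool:
        if self.status and not re.match(self.status, fields["status"]):
            return False
        if self.event_id and not re.match(self.event_id, fields["id"]):
            return False
        return True


# Parents modelled on stock msauth_rules.xml (assumed; check your copy; levels are
# placeholders). 18100 is the windows group parent; 18101..18105 branch on status.
WINDOWS_PARENTS = [
    Rule(18100, 0, description="Group of windows rules."),
    Rule(18101, 0, if_sid=18100, status=r"^INFORMATION", description="Windows informational event."),
    Rule(18102, 0, if_sid=18100, status=r"^WARNING", description="Windows warning event."),
    Rule(18103, 0, if_sid=18100, status=r"^ERROR", description="Windows error event."),
    Rule(18104, 0, if_sid=18100, status=r"^AUDIT_SUCCESS", description="Windows audit success event."),
    Rule(18105, 0, if_sid=18100, status=r"^AUDIT_FAILURE", description="Windows audit failure event."),
]

# The custom rule exactly as posted in the thread: a child of 18101.
RULE_AS_POSTED = Rule(100101, 8, if_sid=18101, event_id=r"^4616$",
                      description="IF YOU SEE THIS THEN CELEBRATE")
# Hypothetical variant of the same rule hung off the audit-success parent, for comparison.
RULE_UNDER_AUDIT_SUCCESS = Rule(100101, 8, if_sid=18104, event_id=r"^4616$",
                                description="IF YOU SEE THIS THEN CELEBRATE")


def evaluate(line: str, rules: List[Rule]) -> Optional[Rule]:
    """Walk the if_sid tree the way OSSEC does: a child is only tried after its parent
    matched, and the deepest matching rule is the one reported."""
    fields = decode(line)
    if fields is None:
        return None
    matched: Optional[Rule] = None
    candidates = [r for r in rules if r.if_sid is None]
    while candidates:
        hit = next((r for r in candidates if r.matches(fields)), None)
        if hit is None:
            break
        matched = hit
        candidates = [r for r in rules if r.if_sid == hit.rule_id]
    return matched


# Constructed sample lines: the first is the line from the thread; the second has the shape
# of a Security-log event (audit status instead of INFORMATION), with an assumed source name.
LOGTEST_LINE = ("WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: "
                "TESTINGLAPTOP.inverse.local: The system time was changed.")
SECURITY_LINE = ("WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: "
                 "(no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.")


def alert_id(line: str, custom: Rule) -> Optional[int]:
    """Rule id that would be reported for `line` with `custom` added under the Windows parents."""
    hit = evaluate(line, WINDOWS_PARENTS + [custom])
    return hit.rule_id if hit else None


if __name__ == "__main__":
    for name, line in (("logtest line", LOGTEST_LINE), ("security-log line", SECURITY_LINE)):
        print(f"{name}: as posted -> {alert_id(line, RULE_AS_POSTED)}, "
              f"under 18104 -> {alert_id(line, RULE_UNDER_AUDIT_SUCCESS)}")
```

Running it shows the posted rule firing on the hand-typed INFORMATION line but the audit-status line stopping at 18104, because 100101 is never tried under that parent; the same rule hung off 18104 fires on the audit line instead. Whichever status your agent actually sends is what a logall capture will tell you, and the rule should be parented accordingly (and the manager restarted after the rules file changes).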
