On Mon, Mar 24, 2014 at 9:40 AM, Julien Semaan <[email protected]> wrote:
> For point 1:
> Agent is configured using network 172.20.20.0/24 in order to support DHCP.
>
> When looking in the ossec web ui I get these alerts:
>
>     2014 Mar 24 09:23:03 Rule Id: 18149 level: 3
>     Location: (hello) 172.20.20.0->WinEvtLog
>     Src IP: ministrator

Sounds like you're using 0.3. Don't do that. 0.8 has this (and other stuff fixed).

>     Windows User Logoff.
>
> The source ip is simply a part of the log and not the ip. Since I'm using a
> network for the agent configuration I can't see where we could grab the
> source ip to call an external script.
>
> I also included a printscreen of the ossec ui.
>
> For point 2:
> I activated the logall option and the changed time event with id 4616 is not
> sent to the ossec manager.
>
> I am guessing the event I'm looking for is part of the newer windows logs
> (Windows Vista +).

Eventchannel (maybe?) is "supported" in the new code. Not entirely sure it's
100% yet though (I try not to worry about Windows).

> Thank you!
>
> On Monday, March 24, 2014 at 08:48:57 UTC-4, dan (ddpbsd) wrote:
>>
>> On Mar 24, 2014 8:45 AM, "Julien Semaan" <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > I am currently working on the PacketFence project which does network
>> > access control.
>> >
>> > We are looking into integrating OSSEC with PacketFence in order to
>> > isolate clients based on specific events that happen on the clients.
>> >
>> > After installing and testing there are a few issues that I would need
>> > help with.
>> >
>> > Setup I have:
>> > - OSSEC server is built from the master on your git repo and uses OSSEC
>> >   WebUI
>> > - Linux agent is also built from the master on your git repo
>> > - Windows agent is version 2.7.1 which is available on your website
>> > - Agent is configured using a network and not using the direct ip
>> >   address.
>> >
>> > 1 - Source ip
>> > In order to isolate the client we will always need the source ip that
>> > triggered the violation. Looking into the alerts in the GUI the source ip
>> > is always a part of the log but never the real source ip. Is it a bug with
>> > the GUI or that the source ip will never be populated except when directly
>> > available in the log line?
>> >
>>
>> Can you provide an example?

This doesn't make any sense.

>>
>> > 2 - Windows event log
>> > OS Version: Windows 7 64-bit
>> > I am getting alerts from our Windows test station. In order to be able
>> > to repeatedly test the integration I tried to add a new rule for the event
>> > id 4616 which is the time changed event in the category Security in the
>> > event logs. I wrote a rule directly in the rules/msauth_rules.xml to
>> > intercept that event.
>> >
>> > Here is the rule (it's in the windows group):
>> >
>> >     <rule id="100101" level="8">
>> >       <if_sid>18101</if_sid>
>> >       <id>^4616$</id>
>> >       <description>IF YOU SEE THIS THEN CELEBRATE</description>
>> >       <group>system_error,</group>
>> >     </rule>
>> >
>> > I cannot get the alert to be intercepted. I tested the rule using
>> > ossec-logtest using this line:
>> >
>> >     WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.
>> >
>> > This line triggers the alert successfully but when changing the time on
>> > the client the alert doesn't show up on the OSSEC server but does in the
>> > windows event log. Is there another configuration that I need to add on the
>> > agent? Also is it possible to see all the log lines that come to the OSSEC
>> > server because that would make debugging easier.
>>
>> Did you restart the ossec processes on the manager after adding the rule?
>> You can turn on the log all option on the manager to see all logs being
>> passed to ossec.
>>
>> >
>> > Thank you!

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
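The two problems in the thread (a "Src IP" field that is really a fragment of the log text, and a rule keyed on event id 4616 that can be tested offline) are illustrated by the following Python, added here as an example; it is not code from the OSSEC project or from either poster. The WinEvtLog field layout is assumed from the single logtest line quoted above, the rule table copies only the event id and level of the poster's rule, and the agent registration table is a constructed stand-in for the manager's client.keys (agent names and addresses other than "hello"/172.20.20.0/24 are invented). The point of pick_isolation_ip() is that an isolation script should act on the alert's source IP only when it parses as an address, and should fall back to the agent's registered address only when that registration is a single host; an agent registered with a network, as in the thread, gives the Location header a network address and no host can be isolated from it.

```python
"""Added example for the ossec-list thread above; not OSSEC project code."""
import ipaddress
import re

# Assumed layout, taken from the poster's logtest line:
# WinEvtLog: <channel>: <STATUS>(<id>): <source>: <user>: <domain>: <host>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)

# Alert header as shown in the thread: (agent) address->logfile
LOCATION_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<addr>\S+)->(?P<logfile>.+)$")

# Rule table modelled on the poster's rule: event id -> rule id, level, description.
RULES = {
    4616: {"rule_id": 100101, "level": 8, "description": "The system time was changed"},
}

# Constructed stand-in for the manager's client.keys: agent name -> registered address.
AGENT_REGISTRATION = {
    "hello": "172.20.20.0/24",   # registered with a network, as in the thread
    "dbhost": "10.0.0.5",        # invented: registered with a single host address
    "roaming": "any",            # invented: registered with 'any'
}


def parse_winevtlog(line):
    """Return the event fields as a dict, or None if the line is not in the layout."""
    m = WINEVT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    return ev


def match_rule(line, rules=RULES):
    """Apply the rule table to one log line; return the firing rule plus host/user, or None."""
    ev = parse_winevtlog(line)
    if ev is None or ev["id"] not in rules:
        return None
    return {**rules[ev["id"]], "event_id": ev["id"], "host": ev["host"], "user": ev["user"]}


def pick_isolation_ip(location, src_ip, registrations=AGENT_REGISTRATION):
    """Return (ip, source) for an isolation script, or (None, reason) if no host address is known."""
    if src_ip:
        try:
            return str(ipaddress.ip_address(src_ip)), "srcip"
        except ValueError:
            pass  # not an address (e.g. "ministrator"): fall through to the agent lookup
    m = LOCATION_RE.match(location)
    if m is None:
        return None, "unparseable location"
    agent = m.group("agent")
    registered = registrations.get(agent)
    if registered is None:
        return None, "unknown agent %s" % agent
    try:
        net = ipaddress.ip_network(registered, strict=False)
    except ValueError:
        # covers registrations such as 'any', which carry no address at all
        return None, "agent %s registered as %r, no host address" % (agent, registered)
    if net.num_addresses != 1:
        return None, "agent %s registered as network %s; location address %s is not the host" % (
            agent, registered, m.group("addr"))
    return str(net.network_address), "agent registration"


if __name__ == "__main__":
    sample = ("WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: "
              "TESTINGLAPTOP.inverse.local: The system time was changed.")
    print(match_rule(sample))
    print(pick_isolation_ip("(hello) 172.20.20.0->WinEvtLog", "ministrator"))
    print(pick_isolation_ip("(dbhost) 10.0.0.5->/var/log/auth.log", None))
```

Two practical notes that go with it: on the manager, `<logall>yes</logall>` in the `<global>` section of ossec.conf writes every received line to logs/archives/archives.log, which is where to check whether the 4616 event arrives at all; and on a Vista-or-later Windows agent the Security channel is read with a `<localfile>` whose `<log_format>` is `eventchannel`, whereas a line in the `WinEvtLog:` layout parsed above comes from the older `eventlog` format, so a rule that fires in ossec-logtest on that layout is not evidence that the event is being collected.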
