> Src IP: ministrator

I'm confused. It looks like the information for "src ip" isn't getting into the Ossec message properly -- that is, it is getting the string "ministrator" when you want the source IP address.

Doesn't Ossec agent watch the Windows log? If the information is not in the Windows log, it won't get into the Ossec log. If the information is there in the Windows event log, but is not making it into the Ossec messages, wouldn't that mean that the rule isn't properly parsing the IP address out of the event log?

On Mon, Mar 24, 2014 at 11:21 AM, Julien Semaan <[email protected]> wrote:
> Ok, this answers my question. I thought maybe ossec would get the source ip from the socket it receives the logs from, but if its only information is the agent ip (which is useless when using a network) and the source ip needs to be decoded in the log line, then we can't use it since the log lines from windows do not contain that information.
>
> Thank you very much for your help!
>
> On Monday, March 24, 2014 11:00:28 UTC-4, dan (ddpbsd) wrote:
> > On Mon, Mar 24, 2014 at 10:18 AM, Julien Semaan <[email protected]> wrote:
> > > We'll probably have to wait for the deployment of the event channel module for a part of the detection.
> > >
> > > I updated the web ui to 0.8 and instead of writing a part of the log in the srcip, the field is simply empty.
> > >
> > > I need to have the source ip to integrate with our system. If it's not in the ui, does it mean that I can't get it?
> > >
> >
> > Not at all. I don't use the UI, so it's tough to say what's happening there.
> >
> > You can use the ossec-logtest utility to see if the source IP is being decoded. Looking at the screen shot you sent previously, only 1 of the log messages appears to have an IP address in it (I could have missed others in the logs), and it is decoded just fine. Not all alerts will have a source IP.
> >
> > If a log message contains a source IP, and it isn't decoded properly, you can always adjust the decoders to handle it. Heck, you can post to the list and I'll help. Or open an issue and I'll help (others too). We all want the log messages to decode better than they currently are.
> >
> > > Thank you!
> > >
> > > On Monday, March 24, 2014 09:58:58 UTC-4, dan (ddpbsd) wrote:
> > > > On Mon, Mar 24, 2014 at 9:40 AM, Julien Semaan <[email protected]> wrote:
> > > > > For point 1:
> > > > > Agent is configured using network 172.20.20.0/24 in order to support DHCP.
> > > > >
> > > > > When looking in the ossec web ui I get these alerts:
> > > > > 2014 Mar 24 09:23:03 Rule Id: 18149 level: 3
> > > > > Location: (hello) 172.20.20.0->WinEvtLog
> > > > > Src IP: ministrator
> > > >
> > > > Sounds like you're using 0.3. Don't do that. 0.8 has this (and other stuff fixed).
> > > >
> > > > > Windows User Logoff.
> > > > >
> > > > > The source ip is simply a part of the log and not the ip. Since I'm using a network for the agent configuration I can't see where we could grab the source ip to call an external script.
> > > > >
> > > > > I also included a printscreen of the ossec ui.
> > > > >
> > > > > For point 2:
> > > > > I activated the logall option and the changed time event with id 4616 is not sent to the ossec manager.
> > > > >
> > > > > I am guessing the event I'm looking for is part of the newer windows logs (Windows Vista +).
> > > > >
> > > >
> > > > Eventchannel (maybe?) is "supported" in the new code. Not entirely sure it's 100% yet though (I try not to worry about Windows).
> > > >
> > > > > Thank you!
> > > > >
> > > > > On Monday, March 24, 2014 08:48:57 UTC-4, dan (ddpbsd) wrote:
> > > > > >
> > > > > > On Mar 24, 2014 8:45 AM, "Julien Semaan" <[email protected]> wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I am currently working on the PacketFence project which does network access control.
> > > > > > >
> > > > > > > We are looking into integrating OSSEC with PacketFence in order to isolate clients based on specific events that happen on the clients.
> > > > > > >
> > > > > > > After installing and testing there are a few issues that I would need help with.
> > > > > > >
> > > > > > > Setup I have:
> > > > > > > - OSSEC server is built from the master on your git repo and uses OSSEC WebUI
> > > > > > > - Linux agent is also built from the master on your git repo
> > > > > > > - Windows agent is version 2.7.1 which is available on your website
> > > > > > > - Agent is configured using a network and not using the direct ip address.
> > > > > > >
> > > > > > > 1 - Source ip
> > > > > > > In order to isolate the client we will always need the source ip that triggered the violation. Looking into the alerts in the GUI the source ip is always a part of the log but never the real source ip. Is it a bug with the GUI or that the source ip will never be populated except when directly available in the log line?
> > > > > > >
> > > > > >
> > > > > > Can you provide an example? This doesn't make any sense.
> > > > > >
> > > > > > > 2 - Windows event log
> > > > > > > OS Version: Windows 7 64-bit
> > > > > > > I am getting alerts from our Windows test station. In order to be able to repeatedly test the integration I tried to add a new rule for the event id 4616 which is the time changed event in the category Security in the event logs. I wrote a rule directly in the rules/msauth_rules.xml to intercept that event.
> > > > > > >
> > > > > > > Here is the rule (it's in the windows group):
> > > > > > > <rule id="100101" level="8">
> > > > > > >   <if_sid>18101</if_sid>
> > > > > > >   <id>^4616$</id>
> > > > > > >   <description>IF YOU SEE THIS THEN CELEBRATE </description>
> > > > > > >   <group>system_error,</group>
> > > > > > > </rule>
> > > > > > >
> > > > > > > I cannot get the alert to be intercepted. I tested the rule using ossec-logtest using this line:
> > > > > > > WinEvtLog: System: INFORMATION(4616): Test: (no user): no domain: TESTINGLAPTOP.inverse.local: The system time was changed.
> > > > > > >
> > > > > > > This line triggers the alert successfully but when changing the time on the client the alert doesn't show up on the OSSEC server but does in the windows event log. Is there another configuration that I need to add on the agent? Also is it possible to see all the log lines that come to the OSSEC server because that would make debugging easier.
> > > > > >
> > > > > > Did you restart the ossec processes on the manager after adding the rule?
> > > > > > You can turn on the log all option on the manager to see all logs being passed to ossec.
> > > > > >
> > > > > > >
> > > > > > > Thank you!
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > ---
> > > > > > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > > > > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > > > > > For more options, visit https://groups.google.com/d/optout.
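An added illustration, not code from the thread or from OSSEC, of why the 4616 line in the thread can never yield a source IP while a logon event can: a small Python decoder for the "WinEvtLog:" line layout shown above, using a constructed regex that stands in for OSSEC's own windows decoder, plus a check mirroring the posted rule 100101. The 4624 logon line with its "Source Network Address" field is constructed sample input; the 4616 line is the one Julien tested.

```python
import re
from typing import Optional

# Constructed regex for the "WinEvtLog:" prefix seen in the thread:
# log name, event type, event id, source, user, domain, computer, message.
# It illustrates the fields; it is not OSSEC's own windows decoder.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<computer>\S+): (?P<message>.*)$"
)
# Windows logon events name the client in the message body as
# "Source Network Address"; a time-change event (4616) carries no such
# field, which is why that alert ends up with an empty srcip.
SRCIP_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# TIME_CHANGED is the line posted in the thread; LOGON is constructed.
TIME_CHANGED = ("WinEvtLog: System: INFORMATION(4616): Test: (no user): "
                "no domain: TESTINGLAPTOP.inverse.local: The system time was changed.")
LOGON = ("WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
         "(no user): no domain: TESTINGLAPTOP.inverse.local: An account was successfully "
         "logged on. Logon Type: 3 Source Network Address: 172.20.20.57 Source Port: 49152")

def decode_winevt(line: str) -> Optional[dict]:
    """Split a WinEvtLog line into fields; srcip is None unless the message carries one."""
    m = WINEVT_RE.match(line)
    if not m:
        return None  # not a Windows event log line at all
    fields = m.groupdict()
    ip = SRCIP_RE.search(fields["message"])
    fields["srcip"] = ip.group(1) if ip else None
    return fields

def rule_100101(line: str) -> Optional[dict]:
    """Mirror the posted rule: a decoded Windows event with id 4616 fires at level 8."""
    fields = decode_winevt(line)
    if fields is None or fields["id"] != "4616":
        return None
    return {"rule_id": 100101, "level": 8,
            "computer": fields["computer"], "srcip": fields["srcip"]}

if __name__ == "__main__":
    for line in (TIME_CHANGED, LOGON):
        d = decode_winevt(line)
        print(d["id"], d["srcip"], rule_100101(line))
```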
