Hi again, sorry for the delayed reply. I had accidentally installed 2.6 but upgraded to 2.7.1. Still got the same issue though...
I'm home but would appreciate feedback on how to continue troubleshooting the issue...

/Daniel

On Wed, Apr 2, 2014 at 3:01 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Apr 2, 2014 at 8:50 AM, Daniel Kertby <[email protected]> wrote:
> > Sorry for the confusion, the # hashes were put there by me to masquerade
> > hostnames/IPs.
> >
> > I tried the ossec-logtest now and pasted info from "NetScreen device_id=",
> > skipped the first part of the info in the archives.log file, a bit unsure what
> > should be included.
> >
> > -----------------------------------------------------------------------------------------------------------------------------------
> >
> > 2014/04/02 01:01:01 ossec-testrule: INFO: Started (pid: 29953).
> > ossec-testrule: Type one log per line.
> >
> >
> > NetScreen device_id=<netscreen-device> [Root]system-warning-00518: Admin
> > user "theuser" login attempt for Web(https) management (port 47873) from
> > <client_ip>:54031 failed. (2014-04-02 00:01:01)
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'NetScreen device_id=<netscreen-device>
> > [Root]system-warning-00518: Admin user "<theuser>" login attempt for
> > Web(https) management (port 47873) from <client-ip>:54031 failed.
> > (2014-04-02 00:01:01)'
> > hostname: '<ossec_server>'
> > program_name: '(null)'
> > log: 'NetScreen device_id=<netscreen-device>
> > [Root]system-warning-00518: Admin user "<theuser>" login attempt for
> > Web(https) management (port 47873) from <client-ip>:54031 failed.
> > (2014-04-02 00:01:01)'
> >
> > **Phase 2: Completed decoding.
> > No decoder matched.
> >
>
> So it isn't getting decoded properly. The first step in tracking down
> the issue is to find out why it isn't being decoded.
> It looks like the version of OSSEC in the ancient post you replied to
> decoded it. What version of OSSEC are you using?
>
> > **Phase 3: Completed filtering (rules).
> > Rule id: '1002'
> > Level: '2'
> > Description: 'Unknown problem somewhere in the system.'
> > **Alert to be generated.
> >
> >
> > -----------------------------------------------------------------------------------------------------------------------------------
> >
> >
> > On Wednesday, April 2, 2014 1:57:53 PM UTC+2, dan (ddpbsd) wrote:
> >>
> >>
> >> On Apr 2, 2014 7:54 AM, "Daniel Kertby" <[email protected]> wrote:
> >> >
> >> > Hi all,
> >> >
> >> > I'm experiencing the same issue when trying to set up ossec monitoring for a
> >> > Juniper Netscreen SSG-320M.
> >> > Failed web user login is hitting the 1002 rule, info from archives.log
> >> > provided below:
> >> >
> >> > 014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen
> >> > device_id=#FW_hostname# [Root]system-warning-00518: Admin user "#username#"
> >> > login attempt for Web(https) management (port 47873) from #client_IP#:54031
> >> > failed. (2014-04-02 23:59:59)
> >> >
> >>
> >> Maybe it's the hashes?
> >> Have you tried using ossec-logtest to see how ossec is parsing the log
> >> message?
> >>
> >> > Any help appreciated!
> >> >
> >> > Regards,
> >> > Daniel
> >> >
> >> > On Thursday, August 16, 2012 2:52:42 PM UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Thu, Aug 16, 2012 at 6:48 AM, oorhan <[email protected]> wrote:
> >> >> > hi Dan,
> >> >> >
> >> >> > Thank you for your reply.
> >> >> >
> >> >> > The original netscreen log message has a timestamp. The log is taken from
> >> >> > another syslog server.
> >> >> >
> >> >>
> >> >>
> >> >> According to your alert.log entry the log message does not have a
> >> >> timestamp.
> >> >>
> >> >> An example of an alert.log entry complete with a timestamp:
> >> >> ** Alert 1336394319.2684: - syslog,sudo
> >> >> 2012 May 07 08:38:39 arrakis->/var/log/secure
> >> >> Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
> >> >> User: ddp
> >> >> 2012-05-07T08:38:38.338172-04:00 arrakis sudo: ddp : TTY=ttyp1 ;
> >> >> PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down
> >> >>
> >> >>
> >> >> You can enable the logall option to make sure though.
> >> >>
> >> >> Looking at the sample you gave me though (the one in alerts.log since
> >> >> I don't trust the other one), I can see why it isn't decoded as a
> >> >> netscreen entry. The decoder thinks the first parts of the log will
> >> >> be "NetScreen device_id." In your sample it starts with: "SSG350M:
> >> >> NetScreen device_id." So find out why the SSG350M is showing up
> >> >> instead of a timestamp and you should be golden.
> >> >>
> >> >> Otherwise if the log sample you provided is incorrect, post a sample
> >> >> from the archives.log so we can try and track this down.
> >> >>
> >> >>
> >> >> >
> >> >> > "
> >> >> >
> >> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> >> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> >> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
> >> >> >
> >> >> > "
> >> >> >
> >> >> > The log message in your test was part of alert.log.
> >> >> >
> >> >> > Here are my logtest results, but we are still unable to decode it. Any
> >> >> > idea?
> >> >> >
> >> >> >
> >> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> >> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> >> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
> >> >> >
> >> >> >
> >> >> > **Phase 1: Completed pre-decoding.
> >> >> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> >> >> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
> >> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
> >> >> > (2012-08-15 11:33:36)'
> >> >> > hostname: '136.10.247.130'
> >> >> >
> >> >> > program_name: 'SSG350M'
> >> >> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> >> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from
> >> >> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
> >> >> >
> >> >> > **Phase 2: Completed decoding.
> >> >> > decoder: 'netscreenfw'
> >> >> > action: 'warning'
> >> >> > id: '00518'
> >> >> >
> >> >>
> >> >> Looks like it's being decoded to me. I must be misunderstanding
> >> >> something.
> >> >>
> >> >> > **Phase 3: Completed filtering (rules).
> >> >> > Rule id: '4502'
> >> >> > Level: '9'
> >> >> > Description: 'Netscreen warning message.'
> >> >> > **Alert to be generated.
> >> >> >
> >> >> >
> >> >> > On Wednesday, August 15, 2012 at 16:20:34 UTC+3, dan (ddpbsd) wrote:
> >> >> >>
> >> >> >> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]>
> >> >> >> wrote:
> >> >> >> >
> >> >> >> > Hi All,
> >> >> >> >
> >> >> >> > We have issues configuring the Ossec server to receive Netscreen firewall
> >> >> >> > logs. Logs are decoded as syslog, not netscreen firewall.
> >> >> >> >
> >> >> >> > Here are my configuration steps;
> >> >> >> >
> >> >> >> > First, firewalls are configured to send audit logs via syslog.
> >> >> >> >
> >> >> >> > We changed the ossec.conf file as below to allow syslog;
> >> >> >> >
> >> >> >> > <remote>
> >> >> >> > <connection>syslog</connection>
> >> >> >> > <allowed-ips>firewall ip</allowed-ips>
> >> >> >> > </remote>
> >> >> >> >
> >> >> >> > Ossec services restarted without problem.
> >> >> >> >
> >> >> >> > I checked with tcpdump that firewall syslog traffic is received by the
> >> >> >> > Ossec Server.
> >> >> >> >
> >> >> >> > Here is my sample log.
> >> >> >> >
> >> >> >> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> >> >> >> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> >> >> >> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
> >> >> >> >
> >> >> >> > /var/ossec/bin/ossec-logtest shows logs from the netscreen device decoded
> >> >> >> > properly.
> >> >> >> >
> >> >> >> > **Phase 1: Completed pre-decoding.
> >> >> >> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> >> >> >> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
> >> >> >> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
> >> >> >> > (2012-08-15 11:33:36)'
> >> >> >> > hostname: '1.1.1.1'
> >> >> >> > program_name: 'SSG350M'
> >> >> >> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> >> >> >> > Admin user "userid" login attempt for Web(http) management (port 20480) from
> >> >> >> > 1.1.1.1:22560 failed.
> >> >> >> > (2012-08-15 11:33:36)'
> >> >> >> >
> >> >> >> > **Phase 2: Completed decoding.
> >> >> >> > decoder: 'netscreenfw'
> >> >> >> > action: 'warning'
> >> >> >> > id: '00518'
> >> >> >> >
> >> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >> > Rule id: '4502'
> >> >> >> > Level: '9'
> >> >> >> > Description: 'Netscreen warning message.'
> >> >> >> > **Alert to be generated.
> >> >> >> >
> >> >> >> > No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.
> >> >> >> >
> >> >> >> > I checked /var/ossec/logs/alerts/alerts.log and found a log about the
> >> >> >> > syslog process. It seems the log is decoded as syslog.
> >> >> >> >
> >> >> >> > ** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
> >> >> >> > 2012 Aug 15 13:35:45 logyon->1.1.1.1
> >> >> >> > Rule: 2501 (level 5) -> 'User authentication failure.'
> >> >> >> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM:
> >> >> >> > Local admin authentication failed for login name userid: invalid password
> >> >> >> > (2012-08-15 14:39:22)
> >> >> >> >
> >> >> >>
> >> >> >> It looks like the log message sent to OSSEC is different than the log
> >> >> >> message you tested above. This log message doesn't have the timestamp
> >> >> >> at the beginning.
> >> >> >>
> >> >> >> **Phase 1: Completed pre-decoding.
> >> >> >> full event: 'SSG350M: NetScreen device_id=Juniper111
> >> >> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
> >> >> >> login name userid: invalid password (2012-08-15 14:39:22)'
> >> >> >> hostname: 'arrakis'
> >> >> >> program_name: '(null)'
> >> >> >> log: 'SSG350M: NetScreen device_id=Juniper111
> >> >> >> [Root]system-warning-00518: ADM: Local admin authentication failed for
> >> >> >> login name userid: invalid password (2012-08-15 14:39:22)'
> >> >> >>
> >> >> >> **Phase 2: Completed decoding.
> >> >> >> No decoder matched.
> >> >> >>
> >> >> >> **Phase 3: Completed filtering (rules).
> >> >> >> Rule id: '2501'
> >> >> >> Level: '5'
> >> >> >> Description: 'User authentication failure.'
> >> >> >> **Alert to be generated.
> >> >> >>
> >> >> >>
> >> >> >> >
> >> >> >> > I couldn't find what I am missing. Any help would be greatly
> >> >> >> > appreciated..
> >> >> >> >
> >> >> >> > Regards,
> >> >> >> >
> >> >> >> > Ozgur
> >> >> >> >
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
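To make the pre-decoding behaviour Dan describes concrete, here is an added Python model (not OSSEC's own code) of logtest Phase 1 and of the netscreenfw prematch, run over the two log lines quoted in the thread; the two regexes and the "arrakis" default hostname are assumptions, and the authoritative definition is the decoder.xml shipped with the installed OSSEC version.

```python
import re

# Syslog header as OSSEC's pre-decoder expects it: "Mon DD HH:MM:SS " (16 chars)
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Assumed model of the netscreenfw decoder: prematch on "NetScreen device_id="
# and the fields the thread shows it extracting (device_id, action, id)
NETSCREEN = re.compile(r"^NetScreen device_id=(\S+) \[\S+\]system-(\S+?)-(\d+): ")

# Both samples are the log lines quoted in the thread above
SAMPLE_WITH_TS = ('Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
                  '[Root]system-warning-00518: Admin user "userid" login attempt for '
                  'Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)')
SAMPLE_NO_TS = ('SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: '
                'Local admin authentication failed for login name userid: invalid password '
                '(2012-08-15 14:39:22)')

def predecode(event, local_hostname="arrakis"):
    """Simplified model of ossec-logtest Phase 1: split a syslog line into
    hostname, program_name and log. Without a leading timestamp OSSEC keeps its
    own hostname, reports program_name as (null) and leaves the whole event as log."""
    m = SYSLOG_TS.match(event)
    if not m:
        return {"hostname": local_hostname, "program_name": None, "log": event}
    rest = event[m.end():]
    hostname, _, rest = rest.partition(" ")
    prog, sep, after = rest.partition(": ")
    program_name = None
    if sep and " " not in prog:               # "SSG350M: ..." or "sudo[123]: ..."
        program_name = prog.split("[", 1)[0]  # drop a [pid] suffix if present
        rest = after
    return {"hostname": hostname, "program_name": program_name, "log": rest}

def decode_netscreen(pre):
    """Simplified model of Phase 2: the netscreenfw decoder only fires when the
    'log' field itself starts with 'NetScreen device_id='."""
    m = NETSCREEN.match(pre["log"])
    if not m:
        return None  # logtest prints "No decoder matched"; generic syslog rules take over
    return {"decoder": "netscreenfw", "device": m.group(1),
            "action": m.group(2), "id": m.group(3)}

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_TS, SAMPLE_NO_TS):
        pre = predecode(sample)
        print(pre["program_name"], "->", decode_netscreen(pre))
```

With the timestamp present, "SSG350M" is consumed as program_name and the log field starts with "NetScreen device_id=", so the decoder fires; without it, "SSG350M:" stays at the front of the log field and only the generic authentication-failure rule (2501) can match. The 2014 sample on this page already begins with "NetScreen device_id=" and passes this model's prematch, so the thread leaves unresolved why 2.7.1 reported "No decoder matched"; comparing the installed decoder.xml against that line is the next check.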
