Not sure if this helps, but there are more spaces in the alert log, between the word error and the :, than in the decoder you posted.

Chris Hughes
Layer8 Consulting
(240)460-7283

On Jun 11, 2014, at 6:09 AM, PlaySeb59 <[email protected]> wrote:

> Thanks for your help. A restart does not resolve the problem.
>
> I have installed Monit and Ossec on a virtual machine in order to test it on
> another system, but nothing changes and I have the same problem.
>
> I'll let you know if I find a solution.
>
> On Tuesday, June 10, 2014 17:27:13 UTC+2, dan (ddpbsd) wrote:
> On Tue, Jun 10, 2014 at 11:01 AM, PlaySeb59 <[email protected]> wrote:
> > My English is bad, sorry. When I trigger an event (for example, when a
> > hacker tries to get access to the WUI of monit), it generates this line in the
> > monit.log file:
> > [CEST Jun 10 16:40:41] error : Warning: Client '80.70.20.10' supplied
> > wrong password for user 'root' accessing monit httpd
> >
> > I can see in alerts.log:
> > ** Alert 1402411242.25253: mail - syslog,errors,
> > 2014 Jun 10 16:40:42 debian ->/home/log/monit.log
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > [CEST Jun 10 16:40:41] error : Warning: Client '80.70.20.10' supplied
> > wrong password for user 'root' accessing monit httpd
> >
> > Does the ossec-analysisd process not use my decoder?
> >
>
> If it works with ossec-logtest, it should work with analysisd. I don't
> know what else the issue could be off hand. Make sure the processes
> are restarted properly? (stop them, make sure they're stopped, start
> them back up)
>
> > On Tuesday, June 10, 2014 16:33:32 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Tue, Jun 10, 2014 at 9:03 AM, PlaySeb59 <[email protected]> wrote:
> >> > Thanks for your help Dan.
> >> > Yes, I have already restarted Ossec. (I work on a local installation)
> >> > And yes, I use the same log in the bin/ossec-logtest tool as the log on
> >> > the screenshot. That's why I don't understand.
> >> >
> >>
> >> ossec-logtest does not log the output to the alerts.log, so there are
> >> no new alerts from the old log message.
> >> If you want to see another alert in the wui, you have to trigger it.
> >> Try echoing the log message to a monitored logfile to see if that
> >> triggers it.
> >>
> >> > On Tuesday, June 10, 2014 14:14:48 UTC+2, dan (ddpbsd) wrote:
> >> >>
> >> >> On Tue, Jun 10, 2014 at 7:44 AM, PlaySeb59 <[email protected]> wrote:
> >> >> > Hello guys,
> >> >> >
> >> >> > I have a problem adding a log.
> >> >> > To make my monit httpd interface more secure, I want to add new rules
> >> >> > in order to block brute-force attacks.
> >> >> >
> >> >> > I use these logs:
> >> >> >
> >> >> > [CEST Jun 10 11:54:17] error : Warning: Client '80.70.20.10' supplied
> >> >> > unknown user 'monit' accessing monit httpd
> >> >> > [CEST Jun 10 11:47:13] error : Warning: Client '80.70.20.10' supplied
> >> >> > wrong password for user 'root' accessing monit httpd
> >> >> >
> >> >> > So, I made this decoder in etc/local_decoder.xml:
> >> >> >
> >> >> > <decoder name="monit">
> >> >> >   <prematch>error : Warning: </prematch>
> >> >> >   <regex offset="after_prematch">Client '(\d+.\d+.\d+.\d+)'</regex>
> >> >> >   <order>srcip</order>
> >> >> > </decoder>
> >> >> >
> >> >> > And these rules in rules/local_rules.xml:
> >> >> >
> >> >> > <rule id="100010" level="0">
> >> >> >   <decoded_as>monit</decoded_as>
> >> >> >   <description>Monit messages grouped.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100004" level="5">
> >> >> >   <if_sid>100010</if_sid>
> >> >> >   <match>supplied wrong password for user</match>
> >> >> >   <description>Monit: User authentication failed.</description>
> >> >> >   <group>authentication_failed,monit</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100011" level="5">
> >> >> >   <if_sid>100010</if_sid>
> >> >> >   <match>supplied unknown user</match>
> >> >> >   <description>Monit: Attempt to login using a non-existent
> >> >> >   user.</description>
> >> >> >   <group>authentication_failed,monit</group>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="100005" level="10" frequency="4" timeframe="600">
> >> >> >   <if_matched_group>monit</if_matched_group>
> >> >> >   <same_source_ip />
> >> >> >   <description>Monit: 6 alerts from the same IP</description>
> >> >> >   <description> in the last 10 minutes.</description>
> >> >> >   <group>authentication_failures,</group>
> >> >> > </rule>
> >> >> >
> >> >> > And when I try my rules with bin/ossec-logtest, it's working fine:
> >> >> >
> >> >> > # bin/ossec-logtest
> >> >> > 2014/06/10 13:09:04 ossec-testrule: INFO: Reading local decoder file.
> >> >> > 2014/06/10 13:09:04 ossec-testrule: INFO: Started (pid: 12616).
> >> >> > ossec-testrule: Type one log per line.
> >> >> >
> >> >> > [CEST Jun 10 11:54:17] error : Warning: Client '80.70.20.10' supplied
> >> >> > unknown user 'monit' accessing monit httpd
> >> >> >
> >> >> >
> >> >> > **Phase 1: Completed pre-decoding.
> >> >> >        full event: '[CEST Jun 10 11:54:17] error : Warning: Client
> >> >> > '80.70.20.10' supplied unknown user 'monit' accessing monit httpd'
> >> >> >        hostname: 'ns358990'
> >> >> >        program_name: '(null)'
> >> >> >        log: '[CEST Jun 10 11:54:17] error : Warning: Client
> >> >> > '80.70.20.10' supplied unknown user 'monit' accessing monit httpd'
> >> >> >
> >> >> > **Phase 2: Completed decoding.
> >> >> >        decoder: 'monit'
> >> >> >        srcip: '80.70.20.10'
> >> >> >
> >> >> > **Phase 3: Completed filtering (rules).
> >> >> >        Rule id: '100011'
> >> >> >        Level: '5'
> >> >> >        Description: 'Monit: Attempt to login using a non-existent
> >> >> > user.'
> >> >> > **Alert to be generated.
> >> >> >
> >> >> > Why don't I get the same alert in the OSSEC wui when I test my
> >> >> > rules?
> >> >> >
> >> >>
> >> >> Did you restart the OSSEC processes on the manager? Did you receive
> >> >> log messages that should trigger your rules after restarting the
> >> >> processes?
> >> >>
> >> >> > Greetings,
> >> >> >
> >> >> > Seb
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> > send an email to [email protected].
> >> >> > For more options, visit https://groups.google.com/d/optout.
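To make the whitespace point concrete, here is an added illustration that is not part of the thread and not OSSEC's own code: a small Python model of the decoder-then-rules pipeline, using Python's `re` where OSSEC uses its own regex library (so the regex here escapes the dots as `\.` rather than copying the posted pattern verbatim). It reproduces the symptom: a prematch written as the literal `error : Warning: ` fails on an event that carries two spaces before the colon, so that event falls through to the generic rule 1002 seen in alerts.log, while the events typed into ossec-logtest decode fine. The whitespace-tolerant prematch `error\s+: Warning: ` is an assumed fix; the sample lines, `STRICT_DECODER`, `TOLERANT_DECODER`, `evaluate` and `classify_all` are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events. The first two are the monit.log lines quoted in the
# thread; the third is the "wrong password" event written with two spaces between
# "error" and ":", the difference Chris pointed out in alerts.log.
SAMPLE_LOGS = [
    "[CEST Jun 10 11:54:17] error : Warning: Client '80.70.20.10' supplied "
    "unknown user 'monit' accessing monit httpd",
    "[CEST Jun 10 11:47:13] error : Warning: Client '80.70.20.10' supplied "
    "wrong password for user 'root' accessing monit httpd",
    "[CEST Jun 10 16:40:41] error  : Warning: Client '80.70.20.10' supplied "
    "wrong password for user 'root' accessing monit httpd",
]

GENERIC_RULE = 1002  # catch-all the thread shows firing when no decoder matches


@dataclass
class Decoder:
    name: str
    prematch: str    # pattern that must match somewhere in the event
    regex: str       # pattern applied only to the text after the prematch
    order: tuple     # field names for the regex groups, like <order>

    def decode(self, log: str) -> Optional[dict]:
        pm = re.search(self.prematch, log)
        if pm is None:
            return None                      # decoder does not apply
        m = re.search(self.regex, log[pm.end():])
        if m is None:
            return None
        return dict(zip(self.order, m.groups()))


@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None   # parent rule: requires this decoder
    if_sid: Optional[int] = None       # child rule: requires the parent to match
    match: Optional[str] = None        # literal substring required in the event


# Decoder as posted in the thread: the prematch is a literal, single-space string.
STRICT_DECODER = Decoder("monit", r"error : Warning: ",
                         r"Client '(\d+\.\d+\.\d+\.\d+)'", ("srcip",))
# Assumed fix: accept any run of whitespace between "error" and the colon.
TOLERANT_DECODER = Decoder("monit", r"error\s+: Warning: ",
                           r"Client '(\d+\.\d+\.\d+\.\d+)'", ("srcip",))

RULES = [
    Rule(100010, 0, "Monit messages grouped.", decoded_as="monit"),
    Rule(100004, 5, "Monit: User authentication failed.",
         if_sid=100010, match="supplied wrong password for user"),
    Rule(100011, 5, "Monit: Attempt to login using a non-existent user.",
         if_sid=100010, match="supplied unknown user"),
]


def evaluate(decoder: Decoder, log: str):
    """Return (rule_id, decoded_fields) for one event under one decoder."""
    fields = decoder.decode(log)
    if fields is None:
        return GENERIC_RULE, {}
    parents = [r.id for r in RULES if r.decoded_as == decoder.name]
    if not parents:
        return GENERIC_RULE, fields
    # A child rule wins when its parent matched and its literal is in the event.
    for r in RULES:
        if r.if_sid in parents and r.match is not None and r.match in log:
            return r.id, fields
    return parents[0], fields


def classify_all(decoder: Decoder):
    """Rule id chosen for every sample event under the given decoder."""
    return [evaluate(decoder, log)[0] for log in SAMPLE_LOGS]


if __name__ == "__main__":
    for name, dec in (("strict", STRICT_DECODER), ("tolerant", TOLERANT_DECODER)):
        print(name, classify_all(dec))
```

The practical check this suggests: feed ossec-logtest a line copied byte-for-byte from the real monit.log (for example with `tail -1 /home/log/monit.log | bin/ossec-logtest`) rather than a retyped one, since a retyped line silently normalises the whitespace that the decoder must match.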
