On Friday, 11 July 2014 15:32:12 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jul 11, 2014 at 9:09 AM, Holger Glaess <[email protected]> wrote:
> > Hi,
> >
> > I configured OSSEC to receive logging on port 514/tcp (syslog/tcp).
> >
> > I see the incoming logging via TCP in logs/archives/archives.log.
> >
> > I wrote a decoder and rules with a test pattern taken from a line received via TCP.
> >
> > I tested it with ossec-logtest -v.
> >
> > Up to this point everything works fine and successfully, but
> > if I check alerts/alerts.log for those lines there is nothing.
> >
> >
> > My config part for the TCP receiver:
> >
> > <remote>
> >   <connection>syslog</connection>
> >   <port>514</port>
> >   <protocol>tcp</protocol>
> >   <allowed-ips>10.10.179.0/24</allowed-ips>
> >   <allowed-ips>10.254.0.0/16</allowed-ips>
> >   <local_ip>10.10.10.219</local_ip>
> > </remote>
> >
> > An example of working rules/decoder:
> >
> > [root@secmon ossec]# bin/ossec-logtest -v
> > 2014/07/11 15:03:06 ossec-testrule: INFO: Reading local decoder file.
> > 2014/07/11 15:03:06 ossec-testrule: INFO: Started (pid: 1160).
> > ossec-testrule: Type one log per line.
> >
> > 2014 Jul 11 12:57:27 secmon->xx.xx.xxx.xx 2014-07-11 10:56:02 45 xxx.xxx.xx.xx 200 TCP_NC_MISS 137536 221 GET http www.wiwo.de / - - - www.wiwo.de text/html;charset=utf-8 "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" OBSERVED Business/Economy - xx.xx.xxx.xx SG-HTTP-Service
>
> This looks like a direct copy/paste from archives.log, OSSEC header and all.
>

That point is correct, but is this the reason why the decoded line does not show up in alerts.log? The ossec-logtest -v output below looks OK to me.

Holger

> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2014 Jul 11 12:57:27 secmon->10.10.179.85 2014-07-11 10:56:02 45 xxx.xxx.xx.xx 200 TCP_NC_MISS 137536 221 GET http www.wiwo.de / - - - www.wiwo.de text/html;charset=utf-8 "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" OBSERVED Business/Economy - xx.xx.xxx.xx SG-HTTP-Service'
> >        hostname: 'secmon'
> >        program_name: '(null)'
> >        log: '2014 Jul 11 12:57:27 secmon->xx.xx.xx.xx 2014-07-11 10:56:02 45 xxx.xxx.xx.xx 200 TCP_NC_MISS 137536 221 GET http www.wiwo.de / - - - www.wiwo.de text/html;charset=utf-8 "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" OBSERVED Business/Economy - xx.xx.xxx.xx SG-HTTP-Service'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'BlueCoat-Proxy'
> >        srcip: 'xxx.xxx.xx.xx'
> >        status: '200'
> >        action: 'GET'
> >        proto: 'http'
> >        url: 'www.wiwo.de'
> >        extra_data: '/ - - - www.wiwo.de text/html;charset=utf-8 "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" OBSERVED Business/Economy - xx.xx.xxx.xx'
> >
> > **Rule debugging:
> >     Trying rule: 1 - Generic template for all syslog rules.
> >        *Rule 1 matched.
> >        *Trying child rules.
> >     Trying rule: 5500 - Grouping of the pam_unix rules.
> >     Trying rule: 5700 - SSHD messages grouped.
> >     Trying rule: 5600 - Grouping for the telnetd rules
> >     Trying rule: 2100 - NFS rules grouped.
> >     Trying rule: 2507 - OpenLDAP group.
> >     Trying rule: 2550 - rshd messages grouped.
> >     Trying rule: 2701 - Ignoring procmail messages.
> >     Trying rule: 2800 - Pre-match rule for smartd.
> >     Trying rule: 5100 - Pre-match rule for kernel messages
> >     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> >     Trying rule: 2830 - Crontab rule group.
> >     Trying rule: 5300 - Initial grouping for su messages.
> >     Trying rule: 5400 - Initial group for sudo messages
> >     Trying rule: 9100 - PPTPD messages grouped
> >     Trying rule: 9200 - Squid syslog messages grouped
> >     Trying rule: 2900 - Dpkg (Debian Package) log.
> >     Trying rule: 2930 - Yum logs.
> >     Trying rule: 2931 - Yum logs.
> >     Trying rule: 7200 - Grouping of the arpwatch rules.
> >     Trying rule: 7300 - Grouping of Symantec AV rules.
> >     Trying rule: 7400 - Grouping of Symantec Web Security rules.
> >     Trying rule: 4300 - Grouping of PIX rules
> >     Trying rule: 12100 - Grouping of the named rules
> >     Trying rule: 13100 - Grouping for the smbd rules.
> >     Trying rule: 13106 - (null)
> >     Trying rule: 11400 - Grouping for the vsftpd rules.
> >     Trying rule: 11300 - Grouping for the pure-ftpd rules.
> >     Trying rule: 11310 - Rule grouping for pure ftpd transfers.
> >     Trying rule: 11200 - Grouping for the proftpd rules.
> >     Trying rule: 11500 - Grouping for the Microsoft ftp rules.
> >     Trying rule: 11100 - Grouping for the ftpd rules.
> >     Trying rule: 9300 - Grouping for the Horde imp rules.
> >     Trying rule: 9400 - Roundcube messages groupe.d
> >     Trying rule: 9500 - Wordpress messages grouped.
> >     Trying rule: 9600 - cimserver messages grouped.
> >     Trying rule: 9900 - Grouping for the vpopmail rules.
> >     Trying rule: 9800 - Grouping for the vm-pop3d rules.
> >     Trying rule: 3900 - Grouping for the courier rules.
> >     Trying rule: 30100 - Apache messages grouped.
> >     Trying rule: 31300 - Nginx messages grouped.
> >     Trying rule: 31404 - PHP Warning message.
> >     Trying rule: 31405 - PHP Fatal error.
> >     Trying rule: 31406 - PHP Parse error.
> >     Trying rule: 50100 - MySQL messages grouped.
> >     Trying rule: 50500 - PostgreSQL messages grouped.
> >     Trying rule: 4700 - Grouping of Cisco IOS rules.
> >     Trying rule: 4500 - Grouping for the Netscreen Firewall rules
> >     Trying rule: 4800 - SonicWall messages grouped.
> >     Trying rule: 3300 - Grouping of the postfix reject rules.
> >     Trying rule: 3320 - Grouping of the postfix rules.
> >     Trying rule: 3390 - Grouping of the clamsmtpd rules.
> >     Trying rule: 3100 - Grouping of the sendmail rules.
> >     Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
> >     Trying rule: 3600 - Grouping of the imapd rules.
> >     Trying rule: 3700 - Grouping of mailscanner rules.
> >     Trying rule: 9700 - Dovecot Messages Grouped.
> >     Trying rule: 3800 - Grouping of Exchange rules.
> >     Trying rule: 14100 - Grouping of racoon rules.
> >     Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
> >     Trying rule: 3500 - Grouping for the spamd rules
> >     Trying rule: 7600 - Grouping of Trend OSCE rules.
> >     Trying rule: 31200 - Grouping of Zeus rules.
> >     Trying rule: 6100 - Solaris BSM Auditing messages grouped.
> >     Trying rule: 19100 - VMWare messages grouped.
> >     Trying rule: 19101 - VMWare ESX syslog messages grouped.
> >     Trying rule: 6300 - Grouping for the MS-DHCP rules.
> >     Trying rule: 6350 - Grouping for the MS-DHCP rules.
> >     Trying rule: 6200 - Asterisk messages grouped.
> >     Trying rule: 600 - Active Response Messages Grouped
> >     Trying rule: 193100 - AccessLog Bluecoat Proxy rules
> >        *Rule 193100 matched.
> >        *Trying child rules.
> >     Trying rule: 193101 - Bluecoat AccessLog
> >        *Rule 193101 matched.
> >        *Trying child rules.
> >     Trying rule: 193200 - Bluecoat Category Buisness/Economy
> >        *Rule 193200 matched.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '193200'
> >        Level: '5'
> >        Description: 'Bluecoat Category Buisness/Economy'
> > **Alert to be generated.
> >
> >
> > But there is no entry in alerts.log.
> >
> > The level for the rule is 5.
> >
> > All other things that I receive via UDP are working as expected.
> >
> > Holger
> >
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
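Added example, not part of the thread: dan's remark is that the line pasted into ossec-logtest still carries the archives.log header ("hostname->location"), which analysisd never sees on a live event. The Python below uses a constructed sample modelled on the posted BlueCoat line and two hypothetical decoder regexes (not the poster's real BlueCoat-Proxy decoder) to show that a pattern written against the archived form matches in a logtest paste but not the raw event, while the header-stripped event is what should be fed to logtest.

```python
import re

# archives.log stores each event as "YYYY Mon DD HH:MM:SS hostname->location <raw>"; analysisd decodes only <raw>.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+)->(?P<location>\S+) ")

# Constructed sample, modelled on the BlueCoat access-log line in the thread (addresses masked as posted).
ARCHIVED_LINE = (
    '2014 Jul 11 12:57:27 secmon->xx.xx.xxx.xx 2014-07-11 10:56:02 45 xxx.xxx.xx.xx 200 '
    'TCP_NC_MISS 137536 221 GET http www.wiwo.de / - - - www.wiwo.de text/html;charset=utf-8 '
    '"Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" '
    'OBSERVED Business/Economy - xx.xx.xxx.xx SG-HTTP-Service')

# Hypothetical field pattern (not the poster's real BlueCoat-Proxy decoder):
# date time time-taken srcip status cache-result bytes bytes method scheme host ...
FIELDS = (r"(?P<ts>\S+ \S+) \d+ (?P<srcip>\S+) (?P<status>\d+) \S+ \d+ \d+ "
          r"(?P<action>\S+) (?P<proto>\S+) (?P<url>\S+)")
# Written against the copy/pasted archives.log line: it expects the OSSEC header in front.
HEADERED_DECODER = re.compile(r"^\S+ \S+ \S+ \S+ \S+->\S+ " + FIELDS)
# Written against the raw event as the proxy actually sends it over syslog/tcp.
RAW_DECODER = re.compile("^" + FIELDS)

def strip_archive_header(line):
    """Return (raw_event, host, location); raw_event is what analysisd really decodes."""
    m = ARCHIVE_PREFIX.match(line)
    if not m:
        return line, None, None
    return line[m.end():], m.group("host"), m.group("location")

def decode(regex, event):
    """Apply a decoder regex and return the extracted fields (minus timestamp), or None."""
    m = regex.match(event)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if k != "ts"}

def logtest_check(archived_line):
    """Run both decoders on the pasted line and on the header-stripped raw event."""
    raw, host, _location = strip_archive_header(archived_line)
    return {
        "host": host,
        "headered_matches_archived": decode(HEADERED_DECODER, archived_line) is not None,
        "headered_matches_raw": decode(HEADERED_DECODER, raw) is not None,  # live-traffic case
        "raw_matches_raw": decode(RAW_DECODER, raw) is not None,
        "raw_fields": decode(RAW_DECODER, raw),
    }

if __name__ == "__main__":
    for key, value in logtest_check(ARCHIVED_LINE).items():
        print(f"{key}: {value}")
```

Running it prints headered_matches_raw: False next to headered_matches_archived: True, which is the gap between a logtest paste and live decoding that the thread is chasing.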
