On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote:
>
> Hi,
>
> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so is
> willing to share its decoder and local_rules.xml config? (I am not trying
> to reinvent the wheel here and Google has nothing on it except Vic
> Hargrave's blog, but I can not post on it because of technical issues at
> this blog).
>
> Regards,
>
> Michiel
>
Hi Michiel,
I was trying to do the same and found this query and finally had to do it
myself. For the benefit of anybody who is going
through this mail group, I'm posting the solution that I had working for me.
I have the following in my /var/ossec/etc/ossec.conf file:
  <!-- Both KDC logs use a syslog-style line layout, so the syslog log_format applies. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/krb5/kdc.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kadmin.log</location>
  </localfile>
Then in /var/ossec/etc/decoder.xml I have added the following:
<decoder name="krb5">
  <!-- Claim every line that starts with the krb5kdc program name. -->
  <prematch>^krb5kdc</prematch>
</decoder>
Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml with
some rules as below:
<group name="syslog,krb5,">
  <!-- Parent rule: matches everything the krb5 decoder claimed, never alerts by itself. -->
  <rule id="01900" level="0" noalert="1">
    <decoded_as>krb5</decoded_as>
    <description>Grouping of kerberos rules.</description>
  </rule>

  <!-- Ticket issued: the KDC logs ISSUE: on successful AS_REQ/TGS_REQ. -->
  <rule id="01901" level="8">
    <if_sid>01900</if_sid>
    <match>ISSUE:</match>
    <description>Successful Kerberos authentication.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Requested service principal does not exist in the realm database. -->
  <rule id="01902" level="8">
    <if_sid>01900</if_sid>
    <match>UNKNOWN_SERVER:</match>
    <description>Server not found in Kerberos database</description>
    <group>authentication_failed,</group>
  </rule>
</group>
The rule IDs that we assign to these rules need to be within the range
allocated for the syslog type, which is 01000 to 01999.
The match criteria are as per requirement and one has to choose them.
That's it!
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
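Added example, not part of the post above and not OSSEC's own code: a small Python script that mirrors the decoder and the three rules from the post and runs them over a few constructed kdc.log lines, so you can see which rule wins for each line before loading the XML into a real OSSEC. It goes slightly beyond the post in two places, both assumptions of the example rather than anything the post states: it extracts the client principal, server principal and source address from AS_REQ/TGS_REQ records using the MIT krb5 kdc.log layout, and it adds a PREAUTH_FAILED rule (id 01903, level 5) to show that with only the two posted rules a bad-password attempt is decoded as krb5 but never alerts. The pre-decoding is a simplification: the prematch is tested against the text following the hostname.

```python
"""Toy re-implementation of the krb5kdc decoder and rule chain posted above,
run over constructed kdc.log lines. Added example code, not OSSEC's engine:
OSSEC's pre-decoder and <match> semantics are simplified so the chain can be
exercised offline with plain Python."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines (not captured from a real KDC). The first three
# follow the MIT krb5 kdc.log layout; the fourth is an unrelated sshd line.
SAMPLE_LOG = """\
Mar 01 21:54:23 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1393691063, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 01 21:55:01 kdc1 krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 1393691063,  alice@EXAMPLE.COM for host/nothere.example.com@EXAMPLE.COM, Server not found in Kerberos database
Mar 01 21:55:30 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Mar 01 21:56:00 kdc1 sshd[999]: Accepted publickey for root from 192.0.2.99 port 2222 ssh2
"""

# Syslog-style header: timestamp, hostname, then the rest of the line.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")

# Decoder from the post: <prematch>^krb5kdc</prematch>. Here it is tested
# against the text after the hostname, where the program name sits.
DECODER_PREMATCH = re.compile(r"^krb5kdc")

# Field extraction for AS_REQ/TGS_REQ records (assumed MIT layout; not in the post).
KDC_REQ_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<src>\S+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
)


@dataclass(frozen=True)
class Rule:
    sid: int
    level: int
    description: str
    groups: tuple
    match: Optional[str] = None    # OSSEC <match>: plain substring test
    parent: Optional[int] = None   # OSSEC <if_sid>
    noalert: bool = False


# The rules from the post (group of 01902 in OSSEC's comma-terminated style).
POSTED_RULES = (
    Rule(1900, 0, "Grouping of kerberos rules.", ("syslog", "krb5"), noalert=True),
    Rule(1901, 8, "Successful Kerberos authentication.",
         ("syslog", "krb5", "authentication_success"), match="ISSUE:", parent=1900),
    Rule(1902, 8, "Server not found in Kerberos database",
         ("syslog", "krb5", "authentication_failed"), match="UNKNOWN_SERVER:", parent=1900),
)

# Extra rule, not in the post: PREAUTH_FAILED is the KDC's status string for a
# failed pre-authentication, which is where password guessing shows up.
PREAUTH_RULE = Rule(1903, 5, "Kerberos pre-authentication failed.",
                    ("syslog", "krb5", "authentication_failed"),
                    match="PREAUTH_FAILED:", parent=1900)
EXTENDED_RULES = POSTED_RULES + (PREAUTH_RULE,)


@dataclass
class Event:
    rule: Rule
    host: str
    message: str
    fields: dict = field(default_factory=dict)

    @property
    def alerts(self) -> bool:
        # OSSEC generates an alert only for level > 0 rules without noalert.
        return not self.rule.noalert and self.rule.level > 0


def decode(line: str) -> Optional[dict]:
    """Return decoded parts if the line passes the krb5 decoder, else None."""
    m = SYSLOG_RE.match(line)
    if not m or not DECODER_PREMATCH.match(m.group("rest")):
        return None
    parts = m.groupdict()
    kdc = KDC_REQ_RE.search(parts["rest"])
    parts["fields"] = kdc.groupdict() if kdc else {}
    return parts


def evaluate(line: str, rules=POSTED_RULES) -> Optional[Event]:
    """Walk the chain like OSSEC: the decoded_as parent matches first, then the
    first if_sid child whose <match> substring appears in the line wins."""
    decoded = decode(line)
    if decoded is None:
        return None
    parent = next(r for r in rules if r.parent is None)
    winner = parent
    for rule in rules:
        if rule.parent == parent.sid and rule.match and rule.match in decoded["rest"]:
            winner = rule
            break
    return Event(winner, decoded["host"], decoded["rest"], decoded["fields"])


def run(log_text: str, rules=POSTED_RULES) -> list:
    """Evaluate every line; returns one Event per line that decoded as krb5."""
    return [ev for ev in (evaluate(l, rules) for l in log_text.splitlines()) if ev]


if __name__ == "__main__":
    for ev in run(SAMPLE_LOG, EXTENDED_RULES):
        flag = "ALERT" if ev.alerts else "quiet"
        f = ev.fields
        print(f"{flag} rule={ev.rule.sid:05d} level={ev.rule.level} "
              f"{f.get('client', '-')} -> {f.get('server', '-')} from {f.get('src', '-')}")
```

Running it with POSTED_RULES shows the PREAUTH_FAILED line landing on the level-0 parent (no alert), and with EXTENDED_RULES it lands on 01903; the sshd line never decodes as krb5. The real check is still `ossec-logtest` fed the same lines after the XML is installed, which this script does not replace.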