On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran <[email protected]> wrote:
>
> On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote:
>>
>> Hi,
>>
>> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so is
>> willing to share its decoder and local_rules.xml config? (I am not trying to
>> reinvent the wheel here and Google has nothing on it except Vic Hargrave's
>> blog, but I can not post on it because of technical issues at this blog.)
>>
>> Regards,
>>
>> Michiel
>
> Hi Michiel,
>
> I was trying to do the same and found this query and finally had to do it
> myself. For the benefit of anybody who is going through this mail group, I'm
> posting the solution that I had working for me.
>
> I have the following in my /var/ossec/etc/ossec.conf file:
>
>     <localfile>
>       <log_format>syslog</log_format>
>       <location>/var/log/krb5/kdc.log</location>
>     </localfile>
>
>     <localfile>
>       <log_format>syslog</log_format>
>       <location>/var/log/kadmin.log</location>
>     </localfile>
>
> Then in /var/ossec/etc/decoder.xml I have added the following:
>
>     <decoder name="krb5">
>       <prematch>^krb5kdc</prematch>
>     </decoder>
>
> Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml with
> some rules as below:
>
>     <group name="syslog,krb5,">
>       <rule id="01900" level="0" noalert="1">
>         <decoded_as>krb5</decoded_as>
>         <description>Grouping of Kerberos rules.</description>
>       </rule>
>
>       <rule id="01901" level="8">
>         <if_sid>01900</if_sid>
>         <match>ISSUE:</match>
>         <description>Successful Kerberos authentication.</description>
>         <group>authentication_success,</group>
>       </rule>
>
>       <rule id="01902" level="8">
>         <if_sid>01900</if_sid>
>         <match>UNKNOWN_SERVER:</match>
>         <description>Server not found in Kerberos database</description>
>         <group>Kerberos ticket request failed</group>
>       </rule>
>     </group>
>
> The rule ID that we assign to these rules needs to be within the range
> allocated for the syslog type, which is 01000 to 01999.

Why?

> The match criteria is as per requirement and one has to choose it.
>
> That's it!

If you have some sample logs you can provide, we can add these to the install.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
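To see what the posted decoder and rules would and would not alert on, here is an added example (not code from the thread or from OSSEC) that emulates them in Python over constructed krb5kdc log lines in MIT Kerberos' default kdc.log format. The hostnames, realm, principals and IP addresses are made up; the syslog-header stripping is an approximation of OSSEC's pre-decoding, and the field extraction (source IP, request type, client and server principal) is a hypothetical extension showing what a fuller decoder `<regex>`/`<order>` would pull out. It also makes one caveat visible: the two posted rules match only `ISSUE:` and `UNKNOWN_SERVER:`, so a `PREAUTH_FAILED` line is decoded as krb5 but raises no alert.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (made-up host, realm, principals and IPs) in the
# syslog-style format krb5kdc writes to kdc.log.
SAMPLE_LOGS = [
    "Dec 10 07:13:01 kdc1 krb5kdc[2210](info): AS_REQ (4 etypes {18 17 16 23}) "
    "10.0.0.5: ISSUE: authtime 1418195581, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Dec 10 07:13:02 kdc1 krb5kdc[2210](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "10.0.0.5: UNKNOWN_SERVER: authtime 0,  alice@EXAMPLE.COM for "
    "host/nosuchhost.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Dec 10 07:13:03 kdc1 krb5kdc[2210](info): AS_REQ (4 etypes {18 17 16 23}) "
    "10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
    "Decrypt integrity check failed",
    "Dec 10 07:13:04 kdc1 sshd[999]: Accepted publickey for root from 10.0.0.7",
]

# Approximation of what OSSEC's "syslog" log_format strips: "Mon DD HH:MM:SS host ".
SYSLOG_HEADER = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# The posted decoder: <prematch>^krb5kdc</prematch>
DECODER_PREMATCH = re.compile(r"^krb5kdc")

# Hypothetical field extraction a fuller decoder would do (not in the posted config).
KDC_FIELDS = re.compile(
    r"^krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{[^}]*\}\) "
    r"(?P<srcip>[\d.]+): (?P<status>\w+): "
)
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


@dataclass
class Rule:
    sid: str
    level: int
    match: str           # substring test, like OSSEC <match>
    description: str
    groups: str


# The two child rules of 01900 from the thread, in the order OSSEC evaluates them.
RULES = [
    Rule("01901", 8, "ISSUE:", "Successful Kerberos authentication.", "authentication_success,"),
    Rule("01902", 8, "UNKNOWN_SERVER:", "Server not found in Kerberos database",
         "Kerberos ticket request failed"),
]


@dataclass
class Alert:
    sid: str
    level: int
    description: str
    srcip: Optional[str] = None
    client: Optional[str] = None
    server: Optional[str] = None
    status: Optional[str] = None


def decode(line: str) -> Optional[str]:
    """Return the message body if the krb5 decoder would claim this line, else None."""
    body = SYSLOG_HEADER.sub("", line, count=1)
    return body if DECODER_PREMATCH.match(body) else None


def extract_fields(body: str) -> dict:
    """Pull source IP, status and principals out of a decoded krb5kdc body."""
    out = {}
    m = KDC_FIELDS.match(body)
    if m:
        out.update(m.groupdict())
        p = PRINCIPALS.search(body, m.end())
        if p:
            out.update(p.groupdict())
    return out


def evaluate(line: str) -> Optional[Alert]:
    """Run one line through decoder 'krb5' and rules 01900/01901/01902."""
    body = decode(line)
    if body is None:
        return None            # not decoded as krb5, so 01900 never fires
    for rule in RULES:         # first matching child wins, as in OSSEC
        if rule.match in body:
            f = extract_fields(body)
            return Alert(rule.sid, rule.level, rule.description,
                         f.get("srcip"), f.get("client"), f.get("server"), f.get("status"))
    return None                # only 01900 (level 0, noalert) matched: no alert


def run(lines):
    return [evaluate(l) for l in lines]


if __name__ == "__main__":
    for line, alert in zip(SAMPLE_LOGS, run(SAMPLE_LOGS)):
        print(alert if alert else "no alert", "<-", line[:60])
```

Running it shows an alert for the `ISSUE:` and `UNKNOWN_SERVER:` lines with the client principal and source IP attached, nothing for the sshd line (never decoded as krb5), and nothing for the `PREAUTH_FAILED` line, which is the gap a third child rule on that keyword would close.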
