There could be a lot of things that get spit out in Kerberos logs which might be of
interest from an OSSEC perspective, say to create an alert or capture some
information for audit purposes. One can use words, phrases or regular
expressions for the match.

On Wednesday, 10 December 2014 18:05:45 UTC+5:30, dan (ddpbsd) wrote:
>
> On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran
> <[email protected]> wrote:
> > 
> > 
> > On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote: 
> >> 
> >> Hi, 
> >> 
> >> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so is
> >> willing to share its decoder and local_rules.xml config? (I am not trying to
> >> reinvent the wheel here and google has nothing on it except Vic Hargrave's
> >> blog but I can not post on it because of technical issues at this blog).
> >> 
> >> Regards, 
> >> 
> >> Michiel 
> > 
> > 
> > Hi Michiel, 
> > 
> > I was trying to do the same and found this query and finally had to do it
> > myself. For the benefit of anybody who is going through this mail group,
> > I'm posting the solution that I had working for me.
> > I have the following in my /var/ossec/etc/ossec.conf file:
> >    <localfile> 
> >         <log_format>syslog</log_format> 
> >         <location>/var/log/krb5/kdc.log</location> 
> >    </localfile> 
> > 
> >    <localfile> 
> >         <log_format>syslog</log_format> 
> >         <location>/var/log/kadmin.log</location> 
> >    </localfile> 
> > 
> > 
> > Then in /var/ossec/etc/decoder.xml I have added the following: 
> > 
> >    <decoder name="krb5"> 
> >        <prematch>^krb5kdc</prematch> 
> >    </decoder> 
> > 
> > Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml with
> > some rules as below:
> > 
> > 
> >    <group name="syslog,krb5,"> 
> >       <rule id="01900" level="0" noalert="1"> 
> >          <decoded_as>krb5</decoded_as> 
> >          <description>Grouping of kerberos rules.</description> 
> >       </rule> 
> > 
> >       <rule id="01901" level="8"> 
> >          <if_sid>01900</if_sid> 
> >          <match>ISSUE:</match> 
> >          <description>Successful Kerberos authentication.</description>
> >          <group>authentication_success,</group> 
> >       </rule> 
> > 
> >       <rule id="01902" level="8"> 
> >           <if_sid>01900</if_sid> 
> >           <match>UNKNOWN_SERVER:</match> 
> >           <description>Server not found in Kerberos database</description>
> >           <group>Kerberos ticket request failed</group> 
> >       </rule> 
> >     </group> 
> > 
> > The rule ID that we assign to these rules needs to be within the range being
> > allocated for the syslog type, which is 01000 to 01999.
>
> Why? 
>
> > The match criteria are as per requirement and one has to choose them.
> > 
> > That's it! 
> > 
>
> If you have some sample logs you can provide, we can add these to the 
> install. 
>
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout. 
>

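Added here, not code from the thread: a small Python simulation of how the posted decoder and rule chain classify constructed krb5kdc and kadmind messages, with one extra rule of my own (01903 on PREAUTH_FAILED). The line shapes and the simplified if_sid matching are assumptions for illustration, not OSSEC's real engine.

```python
import re

# Constructed samples shaped like MIT krb5 KDC / kadmind syslog messages, header stripped (assumed).
SAMPLE_LOGS = [
    "krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: "
    "authtime 1418212345, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: UNKNOWN_SERVER: "
    "alice@EXAMPLE.COM for host/nosuch.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: "
    "bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed",
    "kadmind[2345](Notice): Request: kadm5_init, admin/admin@EXAMPLE.COM, success",
]

# Decoder from the post: a prematch anchored at the start of the message.
DECODERS = {"krb5": re.compile(r"^krb5kdc")}

# Rules 01900-01902 as posted, plus 01903 (added here, not in the post) for failed pre-auth.
# Fields: (rule_id, level, parent_sid, decoded_as, match, description)
RULES = [
    ("01900", 0, None, "krb5", None, "Grouping of kerberos rules."),
    ("01901", 8, "01900", None, "ISSUE:", "Successful Kerberos authentication."),
    ("01902", 8, "01900", None, "UNKNOWN_SERVER:", "Server not found in Kerberos database"),
    ("01903", 5, "01900", None, "PREAUTH_FAILED:", "Kerberos pre-authentication failed"),
]

def decode(line):
    """Name of the first decoder whose prematch hits, else None."""
    for name, prematch in DECODERS.items():
        if prematch.search(line):
            return name
    return None

def evaluate(line):
    """Simplified if_sid chaining: a rule fires when its decoded_as matches, its
    parent fired and its match string occurs in the line; the first firing rule
    with level > 0 is the alert. Returns (rule_id, level, description) or None."""
    decoder = decode(line)
    fired = set()
    for rule_id, level, parent, decoded_as, match, desc in RULES:
        if decoded_as and decoded_as != decoder:
            continue
        if parent and parent not in fired:
            continue
        if match and match not in line:
            continue
        fired.add(rule_id)
        if level > 0:
            return (rule_id, level, desc)
    return None
```

The kadmind line shows the caveat: a kadmin.log entry never matches the ^krb5kdc prematch, so none of these rules ever see it, even though the file is being read.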