On Fri, Dec 12, 2014 at 7:15 AM, Sethukumar Ramachandran <[email protected]> wrote:
> There could be a lot of things that spit out in kerberos logs which might be of
> interest from an ossec perspective, say to create an alert or capture some
> information for audit purpose. Can use some words or phrases or regular
> expressions for match.
>
> On Wednesday, 10 December 2014 18:05:45 UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 10, 2014 at 7:13 AM, Sethukumar Ramachandran
>> <[email protected]> wrote:
>> >
>> >
>> > On Saturday, 1 March 2014 21:54:23 UTC+5:30, Michiel van Es wrote:
>> >>
>> >> Hi,
>> >>
>> >> Has anyone added the Kerberos 5 krb5kdc.log logfile to OSSEC and if so
>> >> is willing to share its decoder and local_rules.xml config? (I am not
>> >> trying to reinvent the wheel here and google has nothing on it except Vic
>> >> Hargrave's blog but I can not post on it because of technical issues at
>> >> this blog).
>> >>
>> >> Regards,
>> >>
>> >> Michiel
>> >
>> >
>> > Hi Michiel,
>> >
>> > I was trying to do the same and found this query and finally had to do
>> > it myself. For the benefit of anybody who is going
>> > through this mail group, I'm posting the solution that I had working for
>> > me.
>> >
>> > I have the following in my /var/ossec/etc/ossec.conf file:
>> >
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/log/krb5/kdc.log</location>
>> >   </localfile>
>> >
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/log/kadmin.log</location>
>> >   </localfile>
>> >
>> > Then in /var/ossec/etc/decoder.xml I have added the following:
>> >
>> >   <decoder name="krb5">
>> >     <prematch>^krb5kdc</prematch>
>> >   </decoder>
>> >
>> > Then I created a new rule file in /var/ossec/rules/kerberos_rules.xml
>> > with some rules as below:
>> >
>> >   <group name="syslog,krb5,">
>> >     <rule id="01900" level="0" noalert="1">
>> >       <decoded_as>krb5</decoded_as>
>> >       <description>Grouping of kerberos rules.</description>
>> >     </rule>
>> >
>> >     <rule id="01901" level="8">
>> >       <if_sid>01900</if_sid>
>> >       <match>ISSUE:</match>
>> >       <description>Successful Kerberos authentication.</description>
>> >       <group>authentication_success,</group>
>> >     </rule>
>> >
>> >     <rule id="01902" level="8">
>> >       <if_sid>01900</if_sid>
>> >       <match>UNKNOWN_SERVER:</match>
>> >       <description>Server not found in Kerberos database</description>
>> >       <group>Kerberos ticket request failed</group>
>> >     </rule>
>> >   </group>
>> >
>> > The rule ID that we assign to these rules needs to be within the range
>> > being allocated for the syslog type, which is 01000 to 01999.
>>
>> Why?
>>

I actually was curious why you had to use those IDs. And actually why you
started them with a 0. Still hoping for log samples. :)

>> > The match criteria is as per requirement and one has to choose it.
>> >
>> > That's it!
>> >
>>
>> If you have some sample logs you can provide, we can add these to the
>> install.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
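As an added illustration, not code from the thread and not OSSEC itself, here is a small Python simulation of what the posted decoder and rules do to krb5kdc lines: the `^krb5kdc` prematch, then the first matching child of rule 01900 by plain substring test. The sample lines are constructed in the layout MIT krb5kdc writes to kdc.log, and the syslog pre-decoding is simplified (assumption: timestamp and hostname are stripped and the prematch is tested against what remains).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in MIT krb5kdc's kdc.log layout (not taken from the thread).
SAMPLE_LOG = """\
Mar 01 12:00:00 kdc1 krb5kdc[2342](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1393675200, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 01 12:00:05 kdc1 krb5kdc[2342](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: UNKNOWN_SERVER: authtime 1393675200, alice@EXAMPLE.COM for host/nosuch.example.com@EXAMPLE.COM, Server not found in Kerberos database
Mar 01 12:00:09 kdc1 sshd[4711]: Accepted publickey for bob from 192.168.1.11 port 50000 ssh2
"""

# Mirrors the child rules posted in the thread: (rule id, level, substring, description).
# OSSEC's <match> is a substring test, not a regex; only a leading ^ anchors it.
KRB5_RULES = [
    ("01901", 8, "ISSUE:", "Successful Kerberos authentication."),
    ("01902", 8, "UNKNOWN_SERVER:", "Server not found in Kerberos database"),
]

# Simplified syslog pre-decoding (assumption): drop "Mon DD HH:MM:SS host " and keep the rest.
SYSLOG_HEADER = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<rest>.*)$")

@dataclass
class Alert:
    rule_id: str
    level: int
    description: str
    client_ip: Optional[str]   # address the KDC saw the request from
    principal: Optional[str]   # requesting principal, as logged by the KDC

def decode_line(line: str) -> Optional[Alert]:
    """Return an Alert for a krb5kdc line that hits a child rule, else None."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if not rest.startswith("krb5kdc"):          # <prematch>^krb5kdc</prematch>
        return None
    for rule_id, level, needle, desc in KRB5_RULES:   # children of rule 01900
        if needle in rest:                       # <match>needle</match>
            ip = re.search(r"\) (\d+\.\d+\.\d+\.\d+):", rest)
            princ = re.search(r", (\S+@\S+) for ", rest)
            return Alert(rule_id, level, desc,
                         ip.group(1) if ip else None,
                         princ.group(1) if princ else None)
    return None                                  # decoded as krb5 but no child matched

def run(log_text: str):
    """Apply decode_line to every line and keep the alerts."""
    return [a for a in (decode_line(ln) for ln in log_text.splitlines()) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The sshd line is dropped at the prematch, which is the same reason the thread's rule 01900 is needed as a parent: it scopes ISSUE: and UNKNOWN_SERVER: to lines the krb5 decoder claimed.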
