I don't use any additional application that could be used to filter; I want to set up a simple alarm in OSSEC when somebody creates a group, for example, or adds a user to a group on Linux.
On Thursday, 9 July 2015 17:20:34 UTC+2, user dan (ddpbsd) wrote:
>
> On Jul 9, 2015 11:17 AM, "repquota" <[email protected]> wrote:
> >
> > Dan, I understand, but is it possible to remove this header?
>
> There is no way for OSSEC to not include this header without modifying the source. Perhaps whatever application you're feeding the archives.log file into can filter it out?
>
> > On Thursday, 9 July 2015 17:06:02 UTC+2, user dan (ddpbsd) wrote:
> >>
> >> On Jul 9, 2015 10:52 AM, "repquota" <[email protected]> wrote:
> >> >
> >> > Hi,
> >> > I have a problem with the log format on the OSSEC server. My configuration is simple: I have an OSSEC agent on my Linux PC which sends syslog messages to the OSSEC server. The configuration on the OSSEC agent is below:
> >> >
> >> > <ossec_config>
> >> >   <client>
> >> >     <server-ip>172.30.1.22</server-ip>
> >> >   </client>
> >> >   <syslog_output>
> >> >     <server>172.30.1.22</server>
> >> >     <port>514</port>
> >> >   </syslog_output>
> >> >   <localfile>
> >> >     <log_format>syslog</log_format>
> >> >     <location>/var/log/messages</location>
> >> >   </localfile>
> >> >   <localfile>
> >> >     <log_format>syslog</log_format>
> >> >     <location>/var/log/auth.log</location>
> >> >   </localfile>
> >> >   <localfile>
> >> >     <log_format>syslog</log_format>
> >> >     <location>/var/log/mail.log</location>
> >> >   </localfile>
> >> >   <localfile>
> >> >     <log_format>syslog</log_format>
> >> >     <location>/var/log/audit/audit.log</location>
> >> >   </localfile>
> >> > </ossec_config>
> >> >
> >> > On the OSSEC server it is:
> >> >
> >> > <remote>
> >> >   <connection>syslog</connection>
> >> >   <allowed-ips>172.30.1.0/24</allowed-ips>
> >> >   <local_ip>172.30.1.22</local_ip>
> >> >   <port>514</port>
> >> >   <protocol>udp</protocol>
> >> > </remote>
> >> >
> >> > and my log format in archive.log is:
> >> >
> >> > 2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
> >> >
> >> > where 172.30.1.74 is my Linux PC,
> >> >
> >> > and here I have a problem with the decoder, because I created my own custom one which is not working.
> >> >
> >> > Here is my template:
> >> >
> >> > <decoder name="usermod">
> >> >   <prematch>\.*usermod</prematch>
> >> > </decoder>
> >> >
> >> > When I test with /var/ossec/bin/ossec-logtest I get something like this:
> >> >
> >> > ossec-testrule: Type one log per line.
> >> >
> >> > 2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011
> >> >
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> >        full event: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
> >> >        hostname: 'pciossec'
> >> >        program_name: '(null)'
> >> >        log: '2015 Jul 09 15:57:07 (pciproxy) 172.30.1.74->/var/log/auth.log Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011'
> >> >
> >> > **Phase 2: Completed decoding.
> >> >        No decoder matched.
> >> >
> >> >
> >> > but when I paste only "Jul 9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011" everything works properly:
> >> >
> >> > Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011
> >> >
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> >        full event: 'Jul 9 15:57:07 proxy usermod[13639]: new group: name=dupa, GID=1011'
> >> >        hostname: 'proxy'
> >> >        program_name: 'usermod'
> >> >        log: 'new group: name=dupa, GID=1011'
> >> >
> >> > **Phase 2: Completed decoding.
> >> >        No decoder matched.
> >> >
> >> > **Phase 3: Completed filtering (rules).
> >> >        Rule id: '5901'
> >> >        Level: '8'
> >> >        Description: 'New group added to the system'
> >> > **Alert to be generated.
> >> >
> >> > Has someone had a problem with that?
> >>
> >> The log message that OSSEC looks at for analysis is the one without the extra header (everything before Jul). So the second logtest attempt is the one closest to reality.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
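Dan's point, that OSSEC analyses the message without the archives.log header, can be reproduced outside OSSEC. The Python below is an added example, not OSSEC's code or anything posted in the thread: it strips the archives.log header, performs the same hostname/program_name/log split that ossec-logtest prints in phase 1, and decodes the two account changes repquota wants to alarm on. The `add '<user>' to group '<group>'` wording is assumed from shadow-utils' usermod and is not shown on the page; all sample lines are constructed.

```python
import re
# archives.log header OSSEC prepends (format taken from the thread):
# "2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log <original syslog line>"
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \(\S+\) \S+->\S+ ")
# Classic syslog prefix: "Mon  d HH:MM:SS hostname program[pid]: message"
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
# Bodies: "new group" is the line from the thread; the "add ... to group" wording
# is shadow-utils' usermod message (assumed here, not shown on the page).
NEW_GROUP = re.compile(r"^new group: name=(?P<group>[^,]+), GID=(?P<gid>\d+)$")
ADD_TO_GROUP = re.compile(
    r"^add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'$")


def strip_archive_header(line):
    """Return the original syslog line, removing the archives.log header if present."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def predecode(line):
    """Phase 1 (pre-decoding): split hostname, program_name and log like ossec-logtest."""
    raw = strip_archive_header(line)
    m = SYSLOG_PREFIX.match(raw)
    if not m:
        return {"hostname": None, "program_name": None, "log": raw}
    return {"hostname": m["hostname"], "program_name": m["program"], "log": m["log"]}


def decode_group_change(line):
    """Phase 2 (decoding): account-change fields, or None when no decoder matches."""
    ev = predecode(line)
    if ev["program_name"] not in ("usermod", "groupadd", "useradd"):
        return None
    m = NEW_GROUP.match(ev["log"])
    if m:
        return {"event": "new_group", "host": ev["hostname"], "group": m["group"], "gid": int(m["gid"])}
    m = ADD_TO_GROUP.match(ev["log"])
    if m:
        return {"event": "user_added_to_group", "host": ev["hostname"], "user": m["user"], "group": m["group"]}
    return None


# Constructed sample input: the thread's archives.log line, the same line without
# the header, a group-membership change, and an unrelated sshd message.
SAMPLE_LINES = [
    "2015 Jul 09 15:57:07 (proxy) 172.30.1.74->/var/log/auth.log Jul  9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011",
    "Jul  9 15:57:07 proxy usermod[13639]: new group: name=test, GID=1011",
    "Jul  9 16:02:41 proxy usermod[13702]: add 'bob' to group 'sudo'",
    "Jul  9 16:03:00 proxy sshd[13710]: Accepted publickey for bob from 172.30.1.50 port 51022 ssh2",
]
```

Running `decode_group_change` over `SAMPLE_LINES` gives the same result for the first two lines, which is why the second logtest run (without the header) is the realistic one, and returns None for the sshd line.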
