I haven't tested it, but I think that trail of numbers at the end of the file will actually be an issue, especially because wildcards don't seem to work for location in Windows.
On Wed, Jan 27, 2016 at 8:10 AM, Greg Burns <[email protected]> wrote:

> Because now the problem is we have new log files created daily. Is this something OSSEC is not capable of?
>
> On Wednesday, January 27, 2016 at 10:43:52 AM UTC-5, Greg Burns wrote:
>>
>> That worked! I think I was not testing it properly. I used the tail -f as you said and added the line with the alert. I really appreciate your help.
>>
>> I have one more question. Is there any way to monitor new log files as they appear?
>>
>> This is the naming convention:
>> BatchLog_LT_01192016203220
>>
>> In the config file could I put something like ? Would that look at all files with that name convention? It seems the last 6 numbers may change
>>
>> <localfile>
>>   <location>C:\logs\Batch_Log_LT_%m%d%y</location>
>>   <log_format>syslog</log_format>
>> </localfile>
>>
>> On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
>>>
>>> Great, so we know OSSEC is matching against your custom rule. Next step would be to make sure the alert is showing up in /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double check you’ve restarted the manager since you made the edit to local_rules.xml. If your OSSEC manager isn’t too busy, I find the easiest way to do a live test of a rule is to tail -f the alerts.log on the server so you can watch as new logs are written to it. Then, on the agent, copy/paste your test log line into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should see it show up in the tailed alerts.log file on the manager. In that alert entry it will indicate whether an email was generated or not. The header for the alert will look something like this: “** Alert 1453814129.49577: mail - local,syslog,”. “mail” being the keyword you’re looking for.
>>>
>>> If you see a mail was generated, you know you are dealing with an email delivery problem and not an OSSEC detection problem.
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Greg Burns
>>> *Sent:* Tuesday, January 26, 2016 8:28 AM
>>> *To:* ossec-list <[email protected]>
>>> *Subject:* Re: [ossec-list] Log file not triggering alert
>>>
>>> Thanks for the response.
>>>
>>> I ran log test with the following output:
>>>
>>> ossec-testrule: Type one log per line.
>>>
>>> 2016-01-20T17:49:19 Error validating xml data against the schema on line 272
>>> Content of element "litleTxnId" is incomplete
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
>>>        hostname: 'kali'
>>>        program_name: '(null)'
>>>        log: '2016-01-20T17:49:19 Error validating xml data against the schema on line 272'
>>>
>>> **Phase 2: Completed decoding.
>>>        No decoder matched.
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '8888'
>>>        Level: '12'
>>>        Description: 'An error was found in an order'
>>> **Alert to be generated.
>>>
>>> On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>>>
>>> Have you run your log entry through ossec-logtest on the server? This will tell you if an alert should be generated or not. It is always possible that another rule is matching first or perhaps your rule isn’t working as expected. There are a couple potential issues with your rule, but I would suggest checking ossec-logtest and reporting back before you get too far into the nitty gritty.
>>>
>>> You can use %Y, %m, and %d in your filenames to represent the year, month and day, respectively. The file has to exist before the agent starts, otherwise it won’t be monitored. IIRC, wildcards (asterisks) do not work with the Windows agent for some strange reason.
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Greg Burns
>>> *Sent:* Friday, January 22, 2016 1:08 PM
>>> *To:* ossec-list <[email protected]>
>>> *Subject:* [ossec-list] Log file not triggering alert
>>>
>>> I wrote a rule in OSSEC to send an email alert anytime the following string appears in a log (it's a flat log file with no extension):
>>>
>>> 2016-01-20T17:49:19 Error validating xml data against the schema on line 272 Content of element "litleTxnId" is incomplete
>>>
>>> The rule should be triggered anytime the words "error validating" appear. Below is the rule:
>>>
>>> <!-- Syslog errors. -->
>>> <group name="syslog,errors,">
>>>   <rule id="8888" level="12">
>>>     <match>error validating</match>
>>>     <options>alert_by_email</options>
>>>     <description>An error was found in an order</description>
>>>   </rule>
>>> </group>
>>>
>>> For testing purposes I placed a log file in C:\logs and set the configuration file to look in that directory - it's the fourth one down:
>>>
>>> <ossec_config>
>>>
>>>   <!-- One entry for each file/Event log to monitor. -->
>>>   <localfile>
>>>     <location>Application</location>
>>>     <log_format>eventlog</log_format>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <location>Security</location>
>>>     <log_format>eventlog</log_format>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <location>System</location>
>>>     <log_format>eventlog</log_format>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <location>C:\logs\BatchLog_LT_01192016203220</location>
>>>     <log_format>syslog</log_format>
>>>   </localfile>
>>>
>>> However it does not seem to be working. When I go in and restart the agent it appears to successfully analyze the logs except it does not trigger an alert.
>>> Below is the ossec.log after restarting:
>>>
>>> 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
>>> 2016/01/22 15:04:29 ossec-agent(4102): INFO: Connected to the server (10.8.216.157:1514).
>>> 2016/01/22 15:04:29 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build 7601) - OSSEC HIDS v2.8.3).
>>> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>>> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>>> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>>> 2016/01/22 15:04:30 ossec-agent(1950): INFO: Analyzing file: 'C:\logs\BatchLog_LT_01192016203220'.
>>> 2016/01/22 15:04:30 ossec-agent: INFO: Started (pid: 7268).
>>>
>>> Any ideas? Is my config on the agent not right? Also, what if I wanted to look in a specific folder and analyze all logs in that folder, such as <location>C:\logs\Batch*</location>? Will this work to view all log files that begin with 'Batch'?
>>>
>>> Thanks!
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
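The two agent-side rules LostInThe Tubez states (strftime tokens in `<location>` are expanded when the agent starts, and the expanded path must already exist; wildcards are not honoured by the Windows agent), and the naming convention Greg is trying to match, can be modelled in a few lines. The following is an added example written for this page; it is not OSSEC's code and not code from anyone in the thread. The directory listing, the agent start time and all function names are constructed for the example, and the reading of the 14 trailing digits as MMDDYYYYHHMMSS is an assumption (it fits 01192016203220 and the remark that the last six digits vary). The `rule_matches` helper only mirrors what the quoted ossec-logtest run showed: a lower-case `<match>` value matched the capitalised "Error validating" in the log.

```python
"""Model of OSSEC <localfile> path resolution as described in the thread.

Added example, not OSSEC's own code. Assumptions: the directory listing,
the clock value and the function names are constructed; the trailing
digits of BatchLog_LT_<...> are read as MMDDYYYYHHMMSS.
"""
from datetime import datetime
import fnmatch

# Constructed listing of C:\logs on the agent. The first name is the one from
# the thread; the second stands in for a file created on the day the agent starts.
LOG_DIR_LISTING = [
    r"C:\logs\BatchLog_LT_01192016203220",
    r"C:\logs\BatchLog_LT_01272016081004",
]

# Constructed agent start time: Wednesday 27 January 2016, 08:10.
AGENT_START = datetime(2016, 1, 27, 8, 10, 0)


def expand_location(location: str, now: datetime) -> str:
    """Expand strftime tokens (%Y, %m, %d, ...) in a <location> value."""
    return now.strftime(location)


def resolve_location(location: str, existing_files, now: datetime,
                     wildcards_supported: bool):
    """Return the files the agent would open for one <localfile> entry.

    Two rules from the thread: the expanded path must exist at start-up,
    and a wildcard is only expanded when the agent supports it. The thread
    reports the Windows agent does not, so with wildcards_supported=False
    the pattern is treated as a literal file name and simply fails to exist.
    """
    pattern = expand_location(location, now)
    if wildcards_supported and any(ch in pattern for ch in "*?"):
        return sorted(f for f in existing_files if fnmatch.fnmatchcase(f, pattern))
    return [pattern] if pattern in existing_files else []


def parse_batchlog_name(path: str):
    """Decode BatchLog_LT_<MMDDYYYYHHMMSS> into a timestamp, or None.

    Assumption (not stated in the thread): month, day, year, hour, minute,
    second. A date-only expansion such as %m%d%Y yields only the first eight
    digits, so it can never name a file that carries the time suffix.
    """
    digits = path.rsplit("BatchLog_LT_", 1)[-1]
    try:
        return datetime.strptime(digits, "%m%d%Y%H%M%S")
    except ValueError:
        return None


def rule_matches(log_line: str, match_value: str) -> bool:
    """Case-insensitive substring test, as <match>error validating</match>
    behaved against 'Error validating' in the quoted ossec-logtest output."""
    return match_value.lower() in log_line.lower()


if __name__ == "__main__":
    cases = [
        (r"C:\logs\BatchLog_LT_01192016203220", False),  # literal name: works
        (r"C:\logs\BatchLog_LT_%m%d%Y", False),          # date only: no such file
        (r"C:\logs\Batch_Log_LT_%m%d%y", False),         # the pattern proposed in the thread
        (r"C:\logs\Batch*", False),                      # wildcard, Windows agent
        (r"C:\logs\Batch*", True),                       # wildcard, agent that expands it
    ]
    for location, wildcards in cases:
        found = resolve_location(location, LOG_DIR_LISTING, AGENT_START, wildcards)
        print(f"{location!r:45} wildcards={wildcards!s:5} -> {found}")
    stamp = parse_batchlog_name(LOG_DIR_LISTING[0])
    print("suffix of", LOG_DIR_LISTING[0], "decodes to", stamp)
```

Running it shows the literal path resolving (matching the "Analyzing file" line in Greg's ossec.log), every date-only pattern expanding to a name that is not in the directory, and the wildcard pattern only resolving when the agent is modelled as supporting wildcards.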
