On Thu, Jun 9, 2016 at 12:51 PM, Tahir Hafiz <[email protected]> wrote:
> How can I get at the logs that have been pushed to the IDS box instead of
> having to copy the logs to the IDS box from each individual system?
>

If you have the logall option turned on, you can strip the headers
from the log messages in /var/ossec/logs/archives/archives.log.
Or you can pull the full logs out of the alerts. Maybe something like
this can help with that:
https://github.com/phirelight/perl-ossec-log-parse

>
>
> On Thursday, 9 June 2016 17:38:35 UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 9, 2016 at 12:36 PM, Tahir Hafiz <[email protected]> wrote:
>> > Thanks, something like this with the logtest I take it:
>> > cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-logtest -a | grep -A 3 -B 3 "level 5"
>> >
>>
>> I don't think that will give you the results you are looking for.
>> ossec-logtest takes log messages as the input, not alerts.
>>
>> >
>> >
>> > On Thursday, 9 June 2016 17:30:19 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, Jun 9, 2016 at 12:11 PM, Tahir Hafiz <[email protected]> wrote:
>> >> > Thanks for that Dan - very useful.
>> >> >
>> >> > What about output from the following stanza to be whitelisted, what
>> >> > <if_group> should be used here in the local_rules.xml, is the group
>> >> > to be whitelisted called syslog,access_control or authentication_failed?:
>> >> >
>> >>
>> >> I think you can use either, but authentication_failed is probably more
>> >> precise. You should be able to test the theory with ossec-logtest
>> >> though.
>> >>
>> >> > <group name="syslog,access_control,">
>> >> >   <rule id="2501" level="5">
>> >> >     <match>FAILED LOGIN |authentication failure|</match>
>> >> >     <match>Authentication failed for|invalid password for|</match>
>> >> >     <match>LOGIN FAILURE|auth failure: |authentication error|</match>
>> >> >     <match>authinternal failed|Failed to authorize|</match>
>> >> >     <match>Wrong password given for|login failed|Auth: Login incorrect</match>
>> >> >     <group>authentication_failed,</group>
>> >> >     <description>User authentication failure.</description>
>> >> >   </rule>
>> >> >
>> >> > On Thursday, 9 June 2016 15:46:21 UTC+1, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Thu, Jun 9, 2016 at 10:22 AM, Tahir Hafiz <[email protected]> wrote:
>> >> >> > Dear All,
>> >> >> >
>> >> >> > I currently have a few rules which are very similar, how can I
>> >> >> > have multiple matches with the same rule:
>> >> >> >
>> >> >> > <!-- Ignore System Audit of /tmp not being on its own partition -->
>> >> >> >   <rule id="100007" level="0">
>> >> >> >      <if_sid>510</if_sid>
>> >> >> >      <match>Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.</match>
>> >> >> >      <description>Ignore /tmp not being on its own partition</description>
>> >> >> >      <group>rootcheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >
>> >> >> > <!-- Ignore System Audit of /opt not being on its own partition -->
>> >> >> >   <rule id="100008" level="0">
>> >> >> >     <if_sid>510</if_sid>
>> >> >> >     <match>Robust partition scheme - /opt is not on its own partition.</match>
>> >> >> >     <description>Ignore /opt not being on its own partition</description>
>> >> >> >     <group>rootcheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > <!-- Ignore System Audit of /var not being on its own partition -->
>> >> >> >   <rule id="100009" level="0">
>> >> >> >     <if_sid>510</if_sid>
>> >> >> >     <match>Robust partition scheme - /var is not on its own partition.</match>
>> >> >> >     <description>Ignore /var not being on its own partition</description>
>> >> >> >     <group>rootcheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > Is there a way to have multiple <match> lines?
>> >> >> > Would something like this work:
>> >> >> >
>> >> >> >
>> >> >> >   <rule id="100007" level="0">
>> >> >> >      <if_sid>510</if_sid>
>> >> >> >      <regex>Robust partition scheme - \\\w\w\w is not on its own partition.</regex>
>> >> >> >      <description>Ignore dirs on / not being on their own partition</description>
>> >> >> >      <group>rootcheck,</group>
>> >> >> >   </rule>
>> >> >> >
>> >> >> > Basically, can I use <regex> matching instead of exact <match>?
>> >> >> >
>> >> >>
>> >> >> You can break up matches with the "|" character.
>> >> >> <match>thing 1|thing2|thing3</match>
>> >> >>
>> >> >> >
>> >> >> > Thanks
>> >> >> >
>> >> >> > --
>> >> >> >
>> >> >> > ---
>> >> >> > You received this message because you are subscribed to the Google
>> >> >> > Groups
>> >> >> > "ossec-list" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> > send
>> >> >> > an
>> >> >> > email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/d/optout.
>> >> >
>> >
>
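Putting Dan's two answers together in runnable form, as an added example that is not part of the thread and not code from the OSSEC project: the three level-0 rootcheck rules collapsed into a single `<match>` using "|", a level-0 override for rule 2501 keyed on `<if_group>authentication_failed</if_group>`, and two small filters that recover raw log lines from archives.log (logall) and alerts.log so they can be piped into ossec-logtest, which reads log lines rather than alert blocks. Rule id 100010, the `Auth: Login incorrect` narrowing match, the "lab device" description and every sample line are assumptions made for the example; everything runs offline on constructed data.

```shell
#!/bin/sh
# Added example for the thread above; not code from ossec-list or the OSSEC project.
# Runs offline on the constructed samples below; no OSSEC install is needed.
# Part 1: one <match> with "|" instead of three near-identical level-0 rules, plus a
#         level-0 override for rule 2501 keyed on <if_group>authentication_failed</if_group>.
# Part 2: raw log lines recovered from archives.log (logall) and alerts.log, which is
#         what ossec-logtest expects on stdin (it reads log lines, not alert blocks).

# ---- Part 1: additions for local_rules.xml ---------------------------------

# 100007 and 510 come from the thread; 100010 is a hypothetical id chosen here.
# The <match> on 100010 is an assumption about which noise to silence: without a
# narrowing condition, a level-0 rule keyed only on if_group silences every rule
# that carries the authentication_failed group, not just 2501.
print_local_rules() {
cat <<'EOF'
<group name="local,">
  <rule id="100007" level="0">
    <if_sid>510</if_sid>
    <match>/tmp is not on its own partition|/opt is not on its own partition|/var is not on its own partition</match>
    <description>Ignore /tmp, /opt and /var not being on their own partition</description>
    <group>rootcheck,</group>
  </rule>

  <rule id="100010" level="0">
    <if_group>authentication_failed</if_group>
    <match>Auth: Login incorrect</match>
    <description>Ignore 'Login incorrect' from the hypothetical lab device</description>
  </rule>
</group>
EOF
}

# Local rule ids must be unique and inside 100000-119999, the range the OSSEC
# documentation reserves for user rules. Exit status 1 if either check fails.
check_rule_ids() {
    sed -n 's/.*<rule id="\([0-9][0-9]*\)".*/\1/p' "$1" |
    awk '$1 < 100000 || $1 > 119999 { print "out of range: " $1; bad = 1 }
         seen[$1]++                 { print "duplicate: " $1;    bad = 1 }
         END { exit bad + 0 }'
}

# ---- Part 2: raw logs back out of archives.log and alerts.log --------------

# archives.log stores each line as "YYYY Mon DD HH:MM:SS [(agent) ip]->location <log>";
# stripping that prefix leaves the original log line.
strip_archive_headers() {
    sed -E 's/^[0-9]{4} [A-Z][a-z]{2} [0-9]{2} [0-9:]{8} (\([^)]*\) )?[^ ]+->[^ ]+ //'
}

# alerts.log holds blank-line-separated blocks: a "** Alert" header, a date/location
# line, "Rule: <id> (level N) -> '...'", optional Src IP/Src Port/User lines, then the
# raw log line(s) that fired. Print only the raw lines; with an argument, only the
# blocks for that rule id (more precise than grepping around "level 5").
alerts_to_logs() {
    awk -v want="${1:-}" '
        BEGIN         { n = -1 }
        /^\*\* Alert/ { n = 0; keep = (want == ""); next }   # block header
        /^$/          { n = -1; next }                       # end of block
        n < 0         { next }                               # outside any block
        { n++ }
        n == 1        { next }                               # date/location line
        /^Rule: /     { if ($2 == want) keep = 1; next }
        /^(Src IP|Src Port|Dst IP|Dst Port|User): / { next }
        keep          { print }
    '
}

# Constructed samples: two archived lines and two alert blocks.
sample_archives() {
cat <<'EOF'
2016 Jun 09 12:51:00 (web1) 10.0.0.5->/var/log/auth.log Jun  9 12:51:00 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2
2016 Jun 09 12:51:01 idsbox->/var/log/messages Jun  9 12:51:01 idsbox login[2222]: FAILED LOGIN (1) on '/dev/tty1' FOR 'bob', Authentication failure
EOF
}

sample_alerts() {
cat <<'EOF'
** Alert 1465491061.1: - syslog,access_control,authentication_failed,
2016 Jun 09 12:51:01 idsbox->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
User: bob
Jun  9 12:51:01 idsbox login[2222]: FAILED LOGIN (1) on '/dev/tty1' FOR 'bob', Authentication failure

** Alert 1465491065.2: - ossec,rootcheck,
2016 Jun 09 12:51:05 idsbox->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
System Audit: CIS - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.

EOF
}

# On the OSSEC server the recovered lines go straight into logtest, e.g.
#   sample_alerts | alerts_to_logs 2501 | /var/ossec/bin/ossec-logtest
# and the output shows whether 2501 or the level-0 override now fires.
demo() {
    sample_archives | strip_archive_headers
    sample_alerts   | alerts_to_logs 2501
}
```

Source the file and call `demo` to see the recovered lines; on the server, replace the second pipeline's end with `/var/ossec/bin/ossec-logtest` to check that the merged rootcheck rule and the 2501 override match what you expect before restarting ossec-analysisd. The one caveat worth repeating: `<if_group>` matches every rule carrying that group, so a level-0 child with no further condition is a blanket mute for all authentication failures, which is rarely what a whitelist is meant to do.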

