Hi Tom,
first of all, you need a decoder to capture the events. It seems that there
is no common part in the logs, so I suggest you add a tag at the
beginning of the log. Examples:
local_decoder.xml:
<!-- Parent decoder: matches the tag prepended to every line -->
<decoder name="tom_decoder">
  <prematch>^TomTag: </prematch>
</decoder>

<decoder name="tom_decoder-log1">
  <parent>tom_decoder</parent>
  <prematch>updated</prematch>
  <regex offset="after_parent">User '(\S+)' updated by '(\S+)</regex>
  <order>srcuser,dstuser</order>
</decoder>

<decoder name="tom_decoder-log2">
  <parent>tom_decoder</parent>
  <prematch offset="after_parent">^Stream</prematch>
  <regex offset="after_parent">Stream with name '(\S+)' added by user '(\S+)</regex>
  <!-- "user" in <order> is stored by OSSEC in the dstuser field -->
  <order>url,user</order>
</decoder>
local_rules.xml:
<group name="tom_group,">
  <rule id="10002" level="0">
    <decoded_as>tom_decoder</decoded_as>
    <description>Tom: messages grouped</description>
  </rule>

  <rule id="10003" level="0">
    <if_sid>10002</if_sid>
    <match>updated</match>
    <description>Tom: Updated event</description>
  </rule>

  <rule id="10004" level="0">
    <if_sid>10002</if_sid>
    <match>added</match>
    <description>Tom: Added event</description>
  </rule>
</group>
ossec-logtest:
TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin

**Phase 1: Completed pre-decoding.
       full event: 'TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'

**Phase 2: Completed decoding.
       decoder: 'tom_decoder'
       srcuser: 'AIPTEST\some.user'
       dstuser: 'AIPTEST\qssadmin'

**Phase 3: Completed filtering (rules).
       Rule id: '10003'
       Level: '0'
       Description: 'Tom: Updated event'

TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin

**Phase 1: Completed pre-decoding.
       full event: 'TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin'

**Phase 2: Completed decoding.
       decoder: 'tom_decoder'
       url: 'Test'
       dstuser: 'AIPTEST\qssadmin'

**Phase 3: Completed filtering (rules).
       Rule id: '10004'
       Level: '0'
       Description: 'Tom: Added event'
Regards.
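The decoder and rule chain from the reply above, re-expressed as an added Python model so the patterns can be checked without ossec-logtest. This is not OSSEC's engine and not code from the thread; it assumes that OSSEC's os_regex tokens used here (`^`, `\S+`, literal quotes) behave like the same tokens in Python `re` on these lines, and the sample input is the two lines quoted in the thread plus one constructed untagged line.

```python
r"""Offline model of the tom_decoder / tom_group definitions above.

Added example, not OSSEC's own code: the two child decoders and the three
rules are re-expressed with Python `re` so the patterns can be unit-tested
before they go into /var/ossec/etc.  Assumption: for these inputs the
os_regex tokens `^`, `\S+` and literal quotes behave like Python `re`.
"""
import re

# <decoder name="tom_decoder"><prematch>^TomTag: </prematch>
PARENT_PREMATCH = re.compile(r"^TomTag: ")

# Child decoders: (name, prematch, prematch has offset="after_parent",
#                  regex applied after the parent match, <order> field names).
# OSSEC stores the <order> name "user" in the dstuser field, which is why
# the second line decodes into dstuser rather than a field called user.
CHILD_DECODERS = [
    ("tom_decoder-log1", re.compile(r"updated"), False,
     re.compile(r"User '(\S+)' updated by '(\S+)"), ("srcuser", "dstuser")),
    ("tom_decoder-log2", re.compile(r"^Stream"), True,
     re.compile(r"Stream with name '(\S+)' added by user '(\S+)"), ("url", "dstuser")),
]

# Rules from local_rules.xml: (id, level, <if_sid> parent or None, <match> substring or None)
RULES = [
    (10002, 0, None, None),        # <decoded_as>tom_decoder</decoded_as>
    (10003, 0, 10002, "updated"),
    (10004, 0, 10002, "added"),
]


def decode(log):
    """Return (child decoder name or None, decoded fields), or None when the
    parent prematch fails and the line never enters the tom_decoder tree."""
    parent = PARENT_PREMATCH.match(log)
    if parent is None:
        return None
    rest = log[parent.end():]              # what offset="after_parent" sees
    for name, pre, pre_after_parent, rx, order in CHILD_DECODERS:
        haystack = rest if pre_after_parent else log
        if pre.search(haystack):
            m = rx.search(rest)
            return name, (dict(zip(order, m.groups())) if m else {})
    return None, {}                        # parent matched, no child did


def evaluate(log):
    """Walk the rule chain the way <if_sid> links it.

    Returns the winning rule id, its level, whether OSSEC would alert on it
    (only level 1 and above reach alerts.log with the default
    log_alert_level of 1) and the decoded fields; None if the line never
    reaches the tom_decoder tree.
    """
    decoded = decode(log)
    if decoded is None:
        return None
    child, fields = decoded
    winner = None
    for rid, level, if_sid, needle in RULES:
        if if_sid is None:
            winner = (rid, level)          # decoded_as tom_decoder (or a child)
        elif winner and winner[0] == if_sid and needle in log:
            winner = (rid, level)          # <match> is a plain substring test
    rid, level = winner
    return {"rule": rid, "level": level, "alerts": level >= 1,
            "decoder": "tom_decoder", "child": child, **fields}


# Sample lines: the first two are the ones quoted in the thread, the third
# is constructed here to show an untagged line never reaching the decoders.
SAMPLES = [
    r"TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin",
    r"TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin",
    r"User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        print("   ->", evaluate(line))
```

Two things the model makes visible: every line that lacks the `TomTag: ` prefix falls through and is never decoded, so whatever prepends the tag must do so for every line of both files; and all three rules are level 0, so even a correctly decoded role change is not written to alerts.log until 10003 and 10004 are given a level of at least 1.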
On Friday, June 24, 2016 at 6:18:40 AM UTC+2, Tom ONeil wrote:
>
>
>
> On Thursday, June 23, 2016 at 6:01:00 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Jun 22, 2016 at 9:11 PM, Tom ONeil <[email protected]> wrote:
>> > Sorry for the slow response, finally slept for a decent length.
>> >
>> >
>> >
>> > We are getting everything from the Windows Event logs by default just fine
>> > where they should be.
>> >
>> > Logall is grabbing everything else into archives.
>> >
>>
>> Ok, so Windows event logs aren't an issue.
>>
>> >
>> >
>> > What I need is the contents of the mentioned text files into, especially
>>
>>
>> But you are not getting the log events from the text file in your
>> archives.log?
>> If that's true: Is the configuration snippet you included in your
>> original email present on the agents? Did you restart the OSSEC
>> service after making that change to the config file?
>> Are there any mentions of the log file in the agent's ossec.log file?
>>
>> > changes in role or configuration and the user that made them.
>> >
>>
>> Are these bits of information included in the logs inside that text file?
>>
>> >
>> >
>> > What I cannot get a handle on is why they don't show up at all.
>> >
>> > I have read the docs, and tried to modify local_rules.xml to grab all the
>> > content from those and it fails config check with not enough explanations
>> > as to why.
>> >
>> >
>> >
>> > <group name="QlikSense Roles">
>> >   <rule id="100001" level="7">
>> >     <srcip>192.168.2.10</srcip>
>> >     <description>Example of rule that will grab role changes</description>
>> >     <description>Role Change from IP 192.168.2.10</description>
>> >   </rule>
>> >
>>
>> This rule doesn't do very much. It looks for any log message that has
>> decoded the IP "192.168.2.10" from its content.
>> It is not looking at logs from that IP address, just logs caused by
>> that IP address.
>> You also have 2 descriptions, and nothing really limiting what log
>> events this rule would apply to.
>> If you could provide a log sample, it'd be a lot easier to help you
>> create a rule.
>>
>>
>> >
>> > On Wednesday, June 22, 2016 at 7:34:21 AM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <[email protected]> wrote:
>> >> > Just trying to get a simple configuration to pick up the text log files
>> >> > from a Windows 2012R2 server.
>> >> > Been over every doc, reinstalled, worked all night and ZIP.
>> >> > Blood running in my eyes from smashing forehead on keyboard.
>> >> >
>> >> > I have everything going to logall just to see if it's working but I am
>> >> > lost on how to set up the XXXX_rules.xml files.
>> >> > Are there some examples or clearer docs on this anywhere?
>> >> >
>> >>
>> >> So what is working?
>> >> Are the logs being shipped to the OSSEC server?
>> >>
>> >> There are plenty of examples of rules in /var/ossec/rules. I believe
>> >> there is a page in the documentation on writing rules (and decoders)
>> >> as well.
>> >> What are you having trouble with specifically?
>> >>
>> >> > Simple config snippet
>> >> >
>> >>
>> >> This is on the Windows agent in its ossec.conf, correct?
>> >>
>> >> > <!-- One entry for each file/Event log to monitor. -->
>> >> > <localfile>
>> >> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
>> >> >   <log_format>syslog</log_format>
>> >> > </localfile>
>> >> >
>> >> > <localfile>
>> >> >   <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
>> >> >   <log_format>syslog</log_format>
>> >> > </localfile>
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> send
>> >> > an
>> >> > email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>>
>
>
> We are getting everything in archives with logall.
> The entries I want to catch are
>
> User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin (from one logfile)
> Stream with name 'Test' added by user 'AIPTEST\qssadmin (from another logfile)
>