Hello, trying to get a log file to create an alert so I can generate an 
OSSIM (AlienVault) plugin for it.  I am sure I am missing something simple, 
hoping for some guidance:

*Log file as found in the /var/ossec/logs/archives/archives.log:*
2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 Jul 06 15:53:10 
WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain: 
DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 because of 
error: A certificate could not be found.  Connections that use the L2TP 
protocol over IPSec require the installation of a machine certificate, also 
known as a computer certificate..  No calls will be accepted to this port.

*Beginning with ossec-logtest, it was hitting on the 1002 rule, so I created 
a local_decoder:*
<decoder name="windowsdf">
   <prematch>^\d+\s\w+\s\d+\s\d+:\d+:\d+\s\S+\s\S+\s</prematch>
   <regex offset="after_prematch">^\d+\s\w+\s\d+\s\d+:\d+:\d+\s(\w+):\s(\w+):\s(\w+)\((\d+)\):\s(\w+):\s</regex>
   <!-- the regex has five captures; they are assigned to the first five names below in order -->
   <order>srcport,srcip,srcuser,id,dstip,action,id,dstport,dstuser,url,status,log</order>
</decoder>

*And some rules:*
root@u1:/var/ossec/rules# cat local_rules.xml
<group name="file,audit,">
    <rule id="72000" level="0">
        <decoded_as>windowsdf</decoded_as>
    </rule>

    <rule id="72001" level="12">
        <if_sid>72000</if_sid>
        <id>20106</id>
        <description>Matched on 20106</description>
    </rule>

    <rule id="72002" level="12">
        <if_sid>72000</if_sid>
        <id>20171</id>
        <description>Matched on 20171</description>
    </rule>

</group>

<group name="file,audit,">
    <rule id="72003" level="12">
        <decoded_as>windowsdf</decoded_as>
        <id>20192</id>
        <description>Matched on 20192</description>
    </rule>
</group>


*And my ossec-logtest ends up looking like this:*
root@u1:/var/ossec/rules# ../bin/ossec-logtest < /root/logfile
2016/07/07 08:05:57 ossec-testrule: INFO: Reading local decoder file.
2016/07/07 08:05:57 ossec-testrule: INFO: Started (pid: 8065).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: '2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 
2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no 
user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on port 
VPN0-112 because of error: A certificate could not be found.  Connections 
that use the L2TP protocol over IPSec require the installation of a machine 
certificate, also known as a computer certificate..  No calls will be 
accepted to this port.  '
       hostname: 'u1'
       program_name: '(null)'
       log: '2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 
Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): 
no domain: DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 
because of error: A certificate could not be found.  Connections that use 
the L2TP protocol over IPSec require the installation of a machine 
certificate, also known as a computer certificate..  No calls will be 
accepted to this port.  '

**Phase 2: Completed decoding.
       decoder: 'windowsdf'
       srcport: 'WinEvtLog'
       srcip: 'System'
       srcuser: 'WARNING'
       id: '20171'
       dstip: 'RemoteAccess'

**Phase 3: Completed filtering (rules).
       Rule id: '72002'
       Level: '12'
       Description: 'Matched on 20171'
**Alert to be generated.

I have attempted this on an AlienVault based build as well as a standalone 
OSSEC server, and neither of them pushes an alert into the alerts.log file.  
Help and guidance would be very much appreciated.
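As an added example (not part of the original post or of OSSEC itself), the script below emulates what ossec-logtest's Phase 2 and Phase 3 do with the decoder and rules quoted above: it translates the OSSEC regex dialect into Python `re` (the character classes follow os_regex.h as I recall it and are an assumption), assigns captures to `<order>` names purely by position, and applies the `<id>` rules. The second input is a constructed variant of the same line with the archives.log prefix removed; it is there to show how the prematch consumes different tokens and the `<id>` rule stops firing, not a claim about what the agent sends.

```python
import re
# os_regex classes as documented in OSSEC's os_regex.h: \w also covers - @ _ and \s is one space.
OSSEC_CLASSES = {"d": "[0-9]", "w": "[A-Za-z0-9@_-]", "s": " ", "S": "[^ ]"}

def ossec_to_python(pattern):
    # Translate the OSSEC regex subset this decoder uses into Python re syntax.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                   # \d \w \s \S, or an escaped literal such as \( and \)
            i += 1
            out.append(OSSEC_CLASSES.get(pattern[i], re.escape(pattern[i])))
        elif c in "^$()+*|":            # anchors, captures, repetition, alternation: same meaning
            out.append(c)
        else:                           # any other character (':' '.' ' ') is a literal in OSSEC
            out.append(re.escape(c))
        i += 1
    return "".join(out)

# The post's local_decoder.xml as data; its rules reduced to the <id> each keys on (72000 is level 0).
DECODER = {"name": "windowsdf",
           "prematch": r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\s\S+\s\S+\s",
           "regex": r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\s(\w+):\s(\w+):\s(\w+)\((\d+)\):\s(\w+):\s",
           "order": "srcport,srcip,srcuser,id,dstip,action,id,dstport,dstuser,url,status,log".split(",")}
ID_RULES = {"20106": 72001, "20171": 72002, "20192": 72003}

def decode(decoder, event):
    # Phase 2: prematch, regex at offset after_prematch, then <order> names assigned by position.
    pre = re.match(ossec_to_python(decoder["prematch"]), event)
    if not pre:
        return None                     # decoder does not apply to this event
    fields = {"decoder": decoder["name"]}   # prematch hit: the event is decoded_as this decoder
    m = re.match(ossec_to_python(decoder["regex"]), event[pre.end():])
    if m:                               # n-th capture -> n-th <order> name; surplus names stay unset
        fields.update(zip(decoder["order"], m.groups()))
    return fields

def match_rule(fields):
    # Phase 3 for the post's rules: the rule id that fires (72000 alone is level 0, so no alert).
    if not fields or fields["decoder"] != "windowsdf":
        return None
    return ID_RULES.get(fields.get("id"), 72000)

# The archives.log line from the post (message shortened) and a constructed variant without the archive prefix.
ARCHIVE_LINE = ("2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 Jul 06 15:53:10 "
                "WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain: DC1.schmerbeck.net: ")
RAW_EVENT = ARCHIVE_LINE.split("->WinEvtLog ", 1)[1]
for line in (ARCHIVE_LINE, RAW_EVENT):
    fields = decode(DECODER, line)
    print(fields, "->", match_rule(fields))   # 72002 for the archive line, 72000 for the variant
```

Because the names in `<order>` are bound to captures by position only, rule 72002 fires solely because the fourth capture happens to land on `id`; any change to the regex or the prefix silently moves that binding and the rule stops matching.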
