On Thu, Jul 7, 2016 at 9:10 AM, <[email protected]> wrote:
> Hello, trying to get a log file to create an alert so I can generate an OSSIM
> (AlienVault) plugin for it. I am sure I am missing something simple, hoping
> for some guidance:
>
> Log file as found in /var/ossec/logs/archives/archives.log:
> 2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls will be accepted to this port.
>
> Beginning with ossec-logtest, it was hitting on the 1002 rule, so I created a
> local_decoder:
>
> <decoder name="windowsdf">
>   <prematch>^\d+\s\w+\s\d+\s\d+:\d+:\d+\s\S+\s\S+\s</prematch>
>   <regex offset="after_prematch">^\d+\s\w+\s\d+\s\d+:\d+:\d+\s(\w+):\s(\w+):\s(\w+)\((\d+)\):\s(\w+):\s</regex>
>   <order>srcport,srcip,srcuser,id,dstip,action,id,dstport,dstuser,url,status,log</order>
> </decoder>
>
> And some rules:
>
> root@u1:/var/ossec/rules# cat local_rules.xml
> <group name="file,audit,">
>   <rule id="72000" level="0">
>     <decoded_as>windowsdf</decoded_as>
>   </rule>
>
>   <rule id="72001" level="12">
>     <if_sid>72000</if_sid>
>     <id>20106</id>
>     <description>Matched on 20106</description>
>   </rule>
>
>   <rule id="72002" level="12">
>     <if_sid>72000</if_sid>
>     <id>20171</id>
>     <description>Matched on 20171</description>
>   </rule>
>
> </group>
>
> <group name="file,audit,">
>   <rule id="72003" level="12">
>     <decoded_as>windowsdf</decoded_as>
>     <id>20192</id>
>     <description>Matched on 20192</description>
>   </rule>
> </group>
>
> And my ossec-logtest ends up looking like this:
>
> root@u1:/var/ossec/rules# ../bin/ossec-logtest < /root/logfile
> 2016/07/07 08:05:57 ossec-testrule: INFO: Reading local decoder file.
> 2016/07/07 08:05:57 ossec-testrule: INFO: Started (pid: 8065).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog
This is a header added for archives.log; it's not part of the event passed to analysisd. Using the following should be what you test against:

2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls will be accepted to this port.

This pull request might make messing with this easier: https://github.com/ossec/ossec-hids/pull/880

> 2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls will be accepted to this port. '
>        hostname: 'u1'
>        program_name: '(null)'
>        log: '2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 because of error: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.. No calls will be accepted to this port. '
>
> **Phase 2: Completed decoding.
>        decoder: 'windowsdf'
>        srcport: 'WinEvtLog'
>        srcip: 'System'
>        srcuser: 'WARNING'
>        id: '20171'
>        dstip: 'RemoteAccess'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '72002'
>        Level: '12'
>        Description: 'Matched on 20171'
> **Alert to be generated.
>
> I have attempted this on an AlienVault-based build as well as a standalone
> OSSEC server, and neither of them pushes an alert into the alerts.log file.
> Help and guidance would be very much appreciated.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
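The mismatch the reply points at, as an added example that is not part of the thread and not OSSEC's own code: a Python script that strips the archives.log header ("YYYY Mmm DD HH:MM:SS (agent) ip->location ", or "hostname->location " for the server's own logs; that layout is an assumption stated in the code) and then runs the poster's prematch and regex, translated from os_regex syntax to Python's, against both the archived line and the bare event. The translation (os_regex \w taken as [A-Za-z0-9_@-], \s as a single space, \S as non-space) is an approximation of analysisd, not a reimplementation of it, and the "fixed" prematch/regex pair is a hypothetical replacement anchored on "WinEvtLog: ", not something from the thread. The sample line is constructed from the one quoted above.

```python
"""Added example (not from the ossec-list thread or the OSSEC project).

Shows that the fields ossec-logtest reported for decoder "windowsdf" come
from the archives.log header, which analysisd never sees: on the bare event
the posted prematch still fires but the regex extracts nothing, so the
<id> the rules key on is never populated.
"""
import re

# Constructed sample, built from the archives.log line quoted in the thread.
ARCHIVE_LINE = (
    "2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog "
    "2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: "
    "(no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on "
    "port VPN0-112 because of error: A certificate could not be found."
)

# Assumed header layout: timestamp, optional "(agent)" name, then
# "host_or_ip->location" and one space. Server-local entries have no "(agent)".
ARCHIVE_HEADER = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?:\([^)]*\) )?\S+->\S+ "
)


def strip_archive_header(line):
    """Return the event text as analysisd received it (line unchanged if no header)."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def os_regex_to_python(pattern):
    """Approximate translation of the os_regex subset the poster used."""
    return (pattern.replace(r"\w", "[A-Za-z0-9_@-]")
                   .replace(r"\s", " ")
                   .replace(r"\d", "[0-9]"))


def decode(event, prematch, regex, order):
    """Mimic one decoder with offset="after_prematch".

    None  -> prematch failed, decoder not selected
    {}    -> prematch matched but the regex did not, no fields populated
    dict  -> fields in <order> paired with the capture groups
    """
    pm = re.match(os_regex_to_python(prematch), event)
    if pm is None:
        return None
    m = re.match(os_regex_to_python(regex), event[pm.end():])
    if m is None:
        return {}
    return dict(zip(order, m.groups()))


# The poster's decoder as written; only the first five <order> names can ever
# be filled because the regex has five capture groups.
POSTED_PREMATCH = r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\s\S+\s\S+\s"
POSTED_REGEX = (r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\s"
                r"(\w+):\s(\w+):\s(\w+)\((\d+)\):\s(\w+):\s")
POSTED_ORDER = ["srcport", "srcip", "srcuser", "id", "dstip"]

# Hypothetical replacement (assumption, not from the thread): anchor on the
# "WinEvtLog: " the agent actually sends and name fields OSSEC accepts in <order>.
FIXED_PREMATCH = r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\sWinEvtLog:\s"
FIXED_REGEX = r"^\w+:\s(\w+)\((\d+)\):\s(\w+):\s"
FIXED_ORDER = ["status", "id", "extra_data"]


def decode_posted(line):
    return decode(line, POSTED_PREMATCH, POSTED_REGEX, POSTED_ORDER)


def decode_fixed(line):
    return decode(line, FIXED_PREMATCH, FIXED_REGEX, FIXED_ORDER)


if __name__ == "__main__":
    event = strip_archive_header(ARCHIVE_LINE)
    print("archives.log line, posted decoder:", decode_posted(ARCHIVE_LINE))
    print("bare event, posted decoder:       ", decode_posted(event))
    print("bare event, fixed decoder:        ", decode_fixed(event))
```

Feeding ossec-logtest the output of strip_archive_header() rather than the raw archives.log line is the check worth doing before writing rules: if the decoder and rule still fire on the bare event, the live pipeline should behave the same way as the test.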
