Thank you Dan!

On Thursday, July 7, 2016 at 8:43:07 AM UTC-5, dan (ddpbsd) wrote:
>
> On Thu, Jul 7, 2016 at 9:10 AM, <[email protected]> wrote:
> > Hello, trying to get a log file to create an alert so I can generate a OSSIM
> > (AlienVault) plugin for it. I am sure I am missing something simple, hoping
> > for some guidance:
> >
> > Log file as found in the /var/ossec/logs/archives/archives.log:
> > 2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 Jul 06 15:53:10
> > WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no domain:
> > DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112 because of
> > error: A certificate could not be found. Connections that use the L2TP
> > protocol over IPSec require the installation of a machine certificate, also
> > known as a computer certificate.. No calls will be accepted to this port.
> >
> > Beginning with ossec-logtest, it was hitting on the 1002 rule, so created a
> > local_decoder:
> > <decoder name="windowsdf">
> > <prematch>^\d+\s\w+\s\d+\s\d+:\d+:\d+\s\S+\s\S+\s</prematch>
> > <regex offset="after_prematch">^\d+\s\w+\s\d+\s\d+:\d+:\d+\s(\w+):\s(\w+):\s(\w+)\((\d+)\):\s(\w+):\s</regex>
> > <order>srcport,srcip,srcuser,id,dstip,action,id,dstport,dstuser,url,status,log</order>
> > </decoder>
> >
> > And some rules:
> > root@u1:/var/ossec/rules# cat local_rules.xml
> > <group name="file,audit,">
> > <rule id="72000" level="0">
> > <decoded_as>windowsdf</decoded_as>
> > </rule>
> >
> > <rule id="72001" level="12">
> > <if_sid>72000</if_sid>
> > <id>20106</id>
> > <description>Matched on 20106</description>
> > </rule>
> >
> > <rule id="72002" level="12">
> > <if_sid>72000</if_sid>
> > <id>20171</id>
> > <description>Matched on 20171</description>
> > </rule>
> >
> > </group>
> >
> > <group name="file,audit,">
> > <rule id="72003" level="12">
> > <decoded_as>windowsdf</decoded_as>
> > <id>20192</id>
> > <description>Matched on 20192</description>
> > </rule>
> > </group>
> >
> > And my ossec-logtest ends up looking like this:
> > root@u1:/var/ossec/rules# ../bin/ossec-logtest < /root/logfile
> > 2016/07/07 08:05:57 ossec-testrule: INFO: Reading local decoder file.
> > 2016/07/07 08:05:57 ossec-testrule: INFO: Started (pid: 8065).
> > ossec-testrule: Type one log per line.
> >
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog
>
> This is a header added for archives.log, it's not part of the event
> passed to analysisd.
> Using the following should be what you test against:
> 2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess:
> (no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security
> on port VPN0-112 because of error: A certificate could not be found.
> Connections that use the L2TP protocol over IPSec require the
> installation of a machine certificate, also known as a computer
> certificate.. No calls will be accepted to this port.
>
> This pull request might make messing with this easier:
> https://github.com/ossec/ossec-hids/pull/880
>
> > 2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no
> > user): no domain: DC1.schmerbeck.net: Failed to apply IP Security on port
> > VPN0-112 because of error: A certificate could not be found. Connections
> > that use the L2TP protocol over IPSec require the installation of a machine
> > certificate, also known as a computer certificate.. No calls will be
> > accepted to this port. '
> > hostname: 'u1'
> > program_name: '(null)'
> > log: '2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog 2016 Jul
> > 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: (no user): no
> > domain: DC1.schmerbeck.net: Failed to apply IP Security on port VPN0-112
> > because of error: A certificate could not be found. Connections that use
> > the L2TP protocol over IPSec require the installation of a machine
> > certificate, also known as a computer certificate.. No calls will be
> > accepted to this port. '
> >
> > **Phase 2: Completed decoding.
> > decoder: 'windowsdf'
> > srcport: 'WinEvtLog'
> > srcip: 'System'
> > srcuser: 'WARNING'
> > id: '20171'
> > dstip: 'RemoteAccess'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '72002'
> > Level: '12'
> > Description: 'Matched on 20171'
> > **Alert to be generated.
> >
> > I have attempted this on an AlienVault based build as well as a standalone
> > OSSEC server, and neither of them push an alert into the alerts.log file.
> > Help and guidance would be very much appreciated.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
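Added here as a check that is not part of the thread: a small Python approximation of the OSSEC regex subset used in the decoder quoted above, run against the archives.log line and against the same event with the archives header removed, which is what Dan says analysisd actually receives. The translation of `\d`, `\w`, `\s` and `\S` to Python character classes is an assumption about os_regex and covers only the classes that appear on this page.

```python
import re

# Approximate translation of the OSSEC os_regex subset seen in the quoted decoder
# into Python re syntax. Assumption: \d \w \s \S \. plus escaped literals; this is
# not the real OSSEC engine, only enough to reproduce the logtest result above.
_OSSEC_CLASSES = {"d": "[0-9]", "w": "[A-Za-z0-9@_\\-]", "s": " ", "S": "[^ ]", ".": "."}


def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "^$()+*" else re.escape(c))
            i += 1
    return "".join(out)


# The windowsdf decoder exactly as posted in the thread.
PREMATCH = r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\s\S+\s\S+\s"
REGEX = r"^\d+\s\w+\s\d+\s\d+:\d+:\d+\s(\w+):\s(\w+):\s(\w+)\((\d+)\):\s(\w+):\s"
ORDER = "srcport,srcip,srcuser,id,dstip,action,id,dstport,dstuser,url,status,log"


def decode(line):
    """Mimic <prematch> then <regex offset="after_prematch">; None if either fails."""
    pm = re.match(ossec_to_python(PREMATCH), line)
    if not pm:
        return None
    m = re.match(ossec_to_python(REGEX), line[pm.end():])
    return dict(zip(ORDER.split(","), m.groups())) if m else None


# The archives.log line from the post (message tail trimmed for brevity).
ARCHIVES_LINE = ("2016 Jul 06 15:52:59 (2012r2) 192.168.10.71->WinEvtLog "
                 "2016 Jul 06 15:53:10 WinEvtLog: System: WARNING(20171): RemoteAccess: "
                 "(no user): no domain: DC1.schmerbeck.net: Failed to apply IP Security")


def strip_archives_header(line):
    """Drop the 'date (agent) ip->location ' prefix that archives.log prepends."""
    return line.split("->WinEvtLog ", 1)[1]


if __name__ == "__main__":
    print("archives.log line decodes to:", decode(ARCHIVES_LINE))
    print("event as analysisd sees it decodes to:", decode(strip_archives_header(ARCHIVES_LINE)))
```

The first call reproduces the Phase 2 fields from ossec-logtest, the second returns None: the prematch consumes the real timestamp plus "WinEvtLog:" and "System:", leaving nothing for the second timestamp the regex expects, so the decoder never fires on live events and no alert reaches alerts.log.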
