Hi Ed,
A couple of things that might help here. When you enable logall, you’ll want to
look inside archives.log, not alerts.log. Assuming this wasn’t a typo, here are a
few things that might help with your problem:
If you go look at your msauth_rules.xml file, you’ll note that OSSEC receives
INFORMATION and WARNING events as level 0 alerts, meaning they aren’t retained.
To change this, add the following to your local_rules.xml file and restart
OSSEC services:
<!-- change level on informational logs so they are retained (stock level is 0) -->
<rule id="18101" level="1" overwrite="yes">
  <if_sid>18100</if_sid>
  <status>^INFORMATION</status>
  <description>Windows informational event.</description>
</rule>
<!-- change level on warning level logs so they are retained (stock level is 0) -->
<rule id="18102" level="5" overwrite="yes">
  <if_sid>18100</if_sid>
  <status>^WARNING</status>
  <description>Windows warning event.</description>
</rule>
Retaining all warning logs is a reasonable approach, but retaining
informational logs in a large deployment will get rather noisy rather quickly.
You might just consider creating another custom rule looking for exactly what
you want:
<!-- child of the informational rule: only event ID 4 with the success message -->
<rule id="100001" level="3">
  <if_sid>18101</if_sid>
  <id>^4$</id>
  <match>The backup operation has finished successfully</match>
  <description>A backup has completed successfully.</description>
  <options>alert_by_email</options>
</rule>
<!-- child of the error rule: event ID 5 whose text mentions backup -->
<rule id="100002" level="10">
  <if_sid>18103</if_sid>
  <id>^5$</id>
  <match>backup</match>
  <description>A backup has failed. Please investigate.</description>
</rule>
In addition, I don’t believe OSSEC recognizes CRITICAL events. These are for
things like unclean reboots.
<rule id="100003" level="7">
  <if_sid>18100</if_sid>
  <status>^CRITICAL</status>
  <description>Windows critical event</description>
  <info>NOTE: you can’t analyze logs written before OSSEC starts unless you are using eventchannel to monitor the system logs</info>
  <group>system_error,</group>
</rule>
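To see why the INFORMATION and WARNING events never reached alerts.log and what the rules above change, here is a small simulator of the if_sid rule chain, written for this reply and not part of OSSEC or the original post. It approximates OSSEC matching with Python regexes, and it assumes (not stated in the thread) that 18100 is the level-0 grouping rule for decoded Windows events and that 18103 is the stock level-5 rule for status ^ERROR; the sample events are constructed.

```python
import re
# Rule tree from the thread (parent = if_sid). Assumptions not on the page: 18100 is the
# level-0 grouping rule for decoded Windows events and 18103 is the stock level-5 rule for
# status ^ERROR; the stock level of 18101/18102 is 0, as the reply above states.
STOCK_RULES = [
    {"id": 18100, "level": 0, "parent": None},
    {"id": 18101, "level": 0, "parent": 18100, "status": r"^INFORMATION"},
    {"id": 18102, "level": 0, "parent": 18100, "status": r"^WARNING"},
    {"id": 18103, "level": 5, "parent": 18100, "status": r"^ERROR"},
]
OVERWRITES = {18101: 1, 18102: 5}  # the two overwrite="yes" rules in local_rules.xml
LOCAL_RULES = [
    {"id": 100001, "level": 3, "parent": 18101, "event_id": r"^4$",
     "match": "The backup operation has finished successfully"},
    {"id": 100002, "level": 10, "parent": 18103, "event_id": r"^5$", "match": "backup"},
    {"id": 100003, "level": 7, "parent": 18100, "status": r"^CRITICAL"},
]

def build_ruleset(stock, overwrites=None, local=()):
    """Apply overwrite="yes" level changes to the stock rules, then append local rules."""
    ow = overwrites or {}
    return [{**r, "level": ow.get(r["id"], r["level"])} for r in stock] + list(local)

def rule_matches(rule, event):
    """<status>/<id> are regexes on decoded fields; <match> is a substring of the message."""
    for key in ("status", "event_id"):
        if key in rule and not re.search(rule[key], event[key]):
            return False
    return rule.get("match", "") in event["message"]

def evaluate(event, rules, parent=None, best=(None, 0)):
    """Descend the if_sid tree: first matching child at each depth wins; deepest sets the level."""
    for rule in rules:
        if rule["parent"] == parent and rule_matches(rule, event):
            return evaluate(event, rules, rule["id"], (rule["id"], rule["level"]))
    return best

def retained(event, rules):
    """Level-0 matches are dropped, which is why INFORMATION/WARNING never reach alerts.log."""
    return evaluate(event, rules)[1] > 0

STOCK = build_ruleset(STOCK_RULES)
LOCAL = build_ruleset(STOCK_RULES, OVERWRITES, LOCAL_RULES)
# Constructed sample events in decoded form (event IDs 49 and 41 are made up for illustration).
EVENTS = {
    "info":     {"status": "INFORMATION", "event_id": "4", "message": "The backup operation has finished successfully."},
    "warning":  {"status": "WARNING", "event_id": "49", "message": "The backup operation completed with warnings."},
    "error":    {"status": "ERROR", "event_id": "5", "message": "The backup operation has failed."},
    "critical": {"status": "CRITICAL", "event_id": "41", "message": "The system has rebooted without cleanly shutting down."},
}
```

With the stock rules the informational backup event ends at rule 18101, level 0, and is discarded; with the overwrites and local rules it ends at 100001, level 3, and the critical event at 100003, level 7.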
From: [email protected] [mailto:[email protected]] On
Behalf Of Ed Davison
Sent: Wednesday, March 1, 2017 3:40 PM
To: ossec-list <[email protected]>
Subject: [ossec-list] OSSEC IDS on Windows only sending Error logs
I have OSSEC 2.8.3 installed on a Windows 2012R2 server and have added an
eventchannel localfile option to gather logs from "Microsoft-Windows-Backup"
log. No errors on startup.
On the OSSIM side, I have logall enabled and am checking the alerts.log file and
can ONLY see Error logs being forwarded, not Information or Warning logs. I
need the latter, as that is where the successful and successful-with-warning
errors are logged, as well as when a backup was configured or cancelled.
How can I get ALL of the logs for all log severities sent to OSSIM using 2.8.3
OSSEC for Windows and eventchannel?
Thanks in advance.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected]
<mailto:[email protected]> .
For more options, visit https://groups.google.com/d/optout.