Hi Eric,

> Right now, I believe OSSEC is only able to correlate multiple failed logins 
> if they all happen to show up on only 1 of the log files


That is not correct. The rules are based on the content of a log, not on 
its source.

Pay attention to the following rules:

  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>

It is looking for the strings "illegal user" or "invalid user" in an ssh 
log. When is a log an ssh log? If it is decoded as ssh: 

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

...


Usually, there are no checks for the source of an event.

I hope it helps.
Regards.
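As an added illustration (not code from this thread or from OSSEC itself), the Python below mimics the sshd decoder and rule 5710 over constructed log lines spread across five files and counts invalid-user failures per host and user, showing that the file a line came from plays no part in the match; the syslog layout, file names, hosts and user names are assumptions.

```python
import re
from collections import Counter

# Constructed sample input (not from the list post): failed logins for one
# user on server1 spread across five load-balanced log files.
LOG_FILES = {
    "file1.log": ["Jun 27 17:40:01 server1 sshd[2101]: Invalid user user1 from 192.0.2.10 port 51000"],
    "file2.log": ["Jun 27 17:40:03 server1 sshd[2102]: Invalid user user1 from 192.0.2.10 port 51002",
                  "Jun 27 17:40:04 server1 sshd[2103]: Accepted publickey for deploy from 192.0.2.20 port 51003"],
    "file3.log": ["Jun 27 17:40:05 server1 sshd[2104]: Invalid user user1 from 192.0.2.10 port 51004"],
    "file4.log": ["Jun 27 17:40:06 server1 su[2105]: FAILED SU (to root) user1 invalid user on pts/0"],
    "file5.log": ["Jun 27 17:40:07 server1 sshd[2106]: Invalid user user1 from 192.0.2.10 port 51006"],
}

# Assumed syslog header layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
PROGRAM_NAME_RE = re.compile(r"^sshd")                     # decoder: <program_name>^sshd</program_name>
MATCH_RE = re.compile(r"illegal user|invalid user", re.I)  # rule 5710 <match>; OSSEC matching is case-insensitive
USER_RE = re.compile(r"(?:illegal|invalid) user (\S+)", re.I)


def decode(line):
    """Mimic the sshd decoder: return event fields only if program_name matches ^sshd."""
    m = SYSLOG_RE.match(line)
    if not m or not PROGRAM_NAME_RE.match(m["prog"]):
        return None
    return {"host": m["host"], "program": m["prog"], "msg": m["msg"]}


def rule_5710_fires(event):
    """Rule 5710: decoded as sshd (via 5700) AND the message contains one of the strings."""
    return event is not None and MATCH_RE.search(event["msg"]) is not None


def correlate(files):
    """Count 5710 hits per (host, user) across every file; the file name is never consulted."""
    counts = Counter()
    for lines in files.values():
        for line in lines:
            ev = decode(line)
            if rule_5710_fires(ev):
                user = USER_RE.search(ev["msg"])
                counts[(ev["host"], user.group(1) if user else "?")] += 1
    return counts


if __name__ == "__main__":
    for (host, user), n in correlate(LOG_FILES).items():
        print(f"{host} {user}: {n} invalid-user attempts across all files")
```

The su line in file4.log contains "invalid user" but is never counted because it is not decoded as sshd, which is exactly the decoded_as check that rule 5700 performs.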

On Tuesday, June 27, 2017 at 5:47:05 PM UTC+2, Eric wrote:
>
> I'm using OSSEC in a slightly untraditional way as a pseudo-SIEM. I have it 
> running on 1 server and it's parsing through logs that are coming from 
> multiple sources and then alerting me on what is going on. Overall this has 
> worked fine but now I'm needing to spread out the load and the logs are 
> being written to multiple files. Is there a way to tell OSSEC to treat 5 
> separate log files as the same source? 
>
> The use case I have is file1.log, file2.log, file3.log, file4.log, and 
> file5.log are all load balanced across an F5 VIP. So if you have 
> multiple failed logins from user1 on server1, those failed logins could 
> show up in any of the 5 log files. Right now, I believe OSSEC is only able 
> to correlate multiple failed logins if they all happen to show up in only 1 
> of the log files.
>
