It's fairly busy but nothing insane. I didn't know of OSSEC had some sort 
of built in alerting/monitoring or statistics where I could see if it's 
truly missing those files.


On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, Feb 16, 2018 at 4:02 PM, Eric <eric.l...@gmail.com <javascript:>> 
> wrote: 
> > I'm using OSSEC in a slightly unconventional manner where I have it 
> > installed on a centralized syslog server and it's tripping correlations 
> from 
> > multiple servers with just one agent. A small snippet of the setup is 
> below. 
> > 
> > ossec-server.domain.com monitoring: 
> > 
> > /logs/networking/*.log 
> > /logs/windows/*.log 
> > /logs/unix/*.log 
> > 
> > Overall this has worked pretty good for a low key correlation system for 
> > some alerts but I recently added a few more logs to it and I feel like 
> OSSEC 
> > is missing some entries now. For example, I see alerts being tripped 
> > /var/ossec/logs/alerts/alerts.log for some events, but others are not. I 
> > know for a fact while tailing the alerts.log file, I should have 
> received 
> > the alert below as I was also tailing the logs OSSEC was monitoring. 
> Below 
> > shows that the format is correct and it's decoding/alerting correctly 
> when 
> > running the test. Therefore my only conclusion is OSSEC is potentially 
> > getting overwhelmed and missing some. Is there a way to check that or 
> any 
> > other reason this wouldn't of tripped for me? 
> > 
>
> It's possible that it got missed. Is the server busy? Is there enough 
> CPU/RAM? 
> Is the events per second rate very high? 
>
> > Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; 
> TTY=pts/0 
> > ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Feb 16 13:04:34 server1 sudo:   user_name : command 
> not 
> > allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su 
> > root' 
> >        hostname: 'server1' 
> >        program_name: 'sudo' 
> >        log: '  user_name : command not allowed ; TTY=pts/0 ; 
> > PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'sudo' 
> >        dstuser: 'user_name' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '100012' 
> >        Level: '10' 
> >        Description: 'User attempted to run a command that was not 
> allowed.' 
> > **Alert to be generated. 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com <javascript:>. 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to