It's fairly busy but nothing insane. I didn't know of OSSEC had some sort of built in alerting/monitoring or statistics where I could see if it's truly missing those files.
On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote: > > On Fri, Feb 16, 2018 at 4:02 PM, Eric <[email protected] <javascript:>> > wrote: > > I'm using OSSEC in a slightly unconventional manner where I have it > > installed on a centralized syslog server and it's tripping correlations > from > > multiple servers with just one agent. A small snippet of the setup is > below. > > > > ossec-server.domain.com monitoring: > > > > /logs/networking/*.log > > /logs/windows/*.log > > /logs/unix/*.log > > > > Overall this has worked pretty good for a low key correlation system for > > some alerts but I recently added a few more logs to it and I feel like > OSSEC > > is missing some entries now. For example, I see alerts being tripped > > /var/ossec/logs/alerts/alerts.log for some events, but others are not. I > > know for a fact while tailing the alerts.log file, I should have > received > > the alert below as I was also tailing the logs OSSEC was monitoring. > Below > > shows that the format is correct and it's decoding/alerting correctly > when > > running the test. Therefore my only conclusion is OSSEC is potentially > > getting overwhelmed and missing some. Is there a way to check that or > any > > other reason this wouldn't of tripped for me? > > > > It's possible that it got missed. Is the server busy? Is there enough > CPU/RAM? > Is the events per second rate very high? > > > Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; > TTY=pts/0 > > ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root > > > > > > **Phase 1: Completed pre-decoding. > > full event: 'Feb 16 13:04:34 server1 sudo: user_name : command > not > > allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su > > root' > > hostname: 'server1' > > program_name: 'sudo' > > log: ' user_name : command not allowed ; TTY=pts/0 ; > > PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root' > > > > **Phase 2: Completed decoding. > > decoder: 'sudo' > > dstuser: 'user_name' > > > > **Phase 3: Completed filtering (rules). > > Rule id: '100012' > > Level: '10' > > Description: 'User attempted to run a command that was not > allowed.' > > **Alert to be generated. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
