Bhaskar, since you are looking to forward a log file which is local on
the Windows OSSEC client & not on the Sophos EM server, you can just use the
<localfile> attribute as cited below from the OSSEC documentation. Change the
location & name as needed.

<localfile>
  <location>C:\Windows\app\log-%y-%m-%d.log</location>
  <log_format>syslog</log_format>
</localfile>
On Sat, Jul 21, 2018 at 1:09 AM, Bhaskar Patel <[email protected]>
wrote:
> Hi all,
>
> I have trouble as below.
>
> How can I insert the Sophos log (from the Windows OSSEC client) into the OSSEC server
> archive log using syslog?
>
> Could anyone help with my above issue?
>
> On Fri, Jul 20, 2018 at 11:27 PM, <[email protected]> wrote:
>
>> Hello,
>>
>> I am trying a very basic active response which would terminate a
>> powershell process when it is created on a host (Windows 10) machine.
>>
>> I have a standalone SO configuration, with 3 OSSEC agents (V2.9)
>> connected, all Windows machines.
>>
>> I have verified that the script shutdown_powershell.cmd works,
>> independent of OSSEC active response.
>>
>> My ossec.conf file looks like this:
>>
>> <command>
>> <name>shutdown_powershell</name>
>> <executable>shutdown_powershell.cmd</executable>
>> <expect></expect>
>> </command>
>>
>> <active-response>
>> <command>shutdown_powershell</command>
>> <rules_id>100051</rules_id>
>> <location>defined-agent</location>
>> <agent_id>003</agent_id>
>> </active-response>
>>
>> I have verified that my rule 100051 (powershell_process_creation) works,
>> it populates in Sguil every time I open Powershell on any agent.
>>
>> I have restarted OSSEC on my server and agent several times and opened
>> PowerShell on agent 003. I have received varying error messages in my agent
>> log:
>>
>> SET 1)
>>
>> 2018/07/17 15:35:33 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/restart-ossec.sh'. Not using it on this
>> system.
>>
>> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/host-deny.sh'. Not using it on this system.
>>
>> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/firewall-drop.sh'. Not using it on this
>> system.
>>
>> 2018/07/17 15:35:34 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/shutdown_powershell.cmd'. Not using it on
>> this system.
>>
>> SET 2)
>>
>> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/restart-ossec.sh'. Not using it on this
>> system.
>>
>> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/host-deny.sh'. Not using it on this system.
>>
>> 2018/07/17 16:40:50 ossec-execd: INFO: Active response command not
>> present: 'active-response/bin/firewall-drop.sh'. Not using it on this
>> system.
>>
>> SET 3)
>>
>> 2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response
>> process.
>>
>> 2018/07/18 10:43:45 ossec-execd: ERROR: Unable to create active response
>> process.
>>
>> 2018/07/18 11:08:55 ossec-execd: ERROR: Unable to create active response
>> process.
>>
>> I seem to be having less and less success every time. Each set
>> corresponds to a time when I have opened Powershell, so the rule is
>> definitely working and my ossec.conf seems to have configured the active
>> response correctly, but ultimately the script is not running.
>>
>> Question:
>>
>> 1) For active response... do I need to place the active response script
>> in the folder C:\Program Files (x86)\ossec-agent\active-response\bin on
>> the host machine or in /var/ossec/active-response/bin on the server
>> machine? I have tried placing it in both. OSSEC documentation seems unclear
>> on this point.
>>
>> Thanks,
>>
>> Clark
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
> --
>
> Regards
>
> BHASKAR PATEL
> +919998031132
>
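As an added example (not code from the thread, nor from the OSSEC project), the Python below checks the two things Clark's question turns on: that every <active-response> names a defined <command>, and that the command's executable is present in the active-response/bin directory of the host whose ossec-execd will run it, which for <location>defined-agent</location> is the agent itself, not the server. The ossec.conf fragment and the ossec-execd log lines are constructed samples modelled on the ones posted; the bin directory you pass in is an assumption (on the Windows agent in the thread it would be C:\Program Files (x86)\ossec-agent\active-response\bin).

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the ossec.conf fragment posted in the thread.
SAMPLE_CONF = """
<command>
  <name>shutdown_powershell</name>
  <executable>shutdown_powershell.cmd</executable>
  <expect></expect>
</command>
<active-response>
  <command>shutdown_powershell</command>
  <rules_id>100051</rules_id>
  <location>defined-agent</location>
  <agent_id>003</agent_id>
</active-response>
"""
# Constructed ossec-execd lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
2018/07/17 15:35:34 ossec-execd: INFO: Active response command not present: 'active-response/bin/shutdown_powershell.cmd'. Not using it on this system.
2018/07/18 10:37:31 ossec-execd: ERROR: Unable to create active response process.
"""
NOT_PRESENT = re.compile(r"Active response command not present: '([^']+)'")

def check_active_responses(conf_fragment, bin_dir):
    """One (command name, executable, status) tuple per <active-response>.
    bin_dir is the active-response/bin directory of the host whose ossec-execd
    runs the command: for <location>defined-agent</location>, the agent itself."""
    root = ET.fromstring("<ossec_config>%s</ossec_config>" % conf_fragment)
    commands = {c.findtext("name"): c.findtext("executable")
                for c in root.findall("command")}  # top-level <command> only
    results = []
    for ar in root.findall("active-response"):
        name = ar.findtext("command")
        exe = commands.get(name)
        if exe is None:
            status = "undefined-command"      # no matching <command> block
        elif os.path.isfile(os.path.join(bin_dir, exe)):
            status = "ok"
        else:
            status = "missing-executable"     # execd will log 'not present'
        results.append((name, exe, status))
    return results

def missing_from_execd_log(log_text):
    """Executables ossec-execd reported absent; each must be placed in that
    host's active-response/bin (then restart OSSEC) before it can fire."""
    return [m.group(1) for m in map(NOT_PRESENT.search, log_text.splitlines()) if m]
```

Run check_active_responses against the bin directory of the host named in <location>; a "missing-executable" result there matches the "command not present" line the agent's execd wrote in the thread.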