On Wed, Jul 25, 2018 at 2:42 PM, mjwoods69 via ossec-list
<[email protected]> wrote:
> Hi
>
> Trying to get alerting implemented on my nas. Unfortunately my work to date
> has failed, in summary I have:
>
> 1. Identified the log message in /var/ossec/logs/archives/archives.log, this
> is sent from nas to ossec via syslog ->
>
> 2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn
> log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection
> type: , Accessed resources: Administration, Action: Login OK
>

archives.log has a metadata header attached: `2018 Jul 25 17:55:58
nas->10.0.0.3 `
Remove this header for the actual log: `Jul 25 14:37:23 nas
qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer
name: ---, Connection type: , Accessed resources: Administration,
Action: Login OK`

Using the log message without the metadata header, with a modified
decoder, gives the following output:

ossec-testrule: Type one log per line.

Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP:
10.0.0.54, Computer name: ---, Connection type: , Accessed resources:
Administration, Action: Login OK


**Phase 1: Completed pre-decoding.
       full event: 'Jul 25 14:37:23 nas qlogd[8736]: conn log: Users:
admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: ,
Accessed resources: Administration, Action: Login OK'
       hostname: 'nas'
       program_name: 'qlogd'
       log: 'conn log: Users: admin, Source IP: 10.0.0.54, Computer
name: ---, Connection type: , Accessed resources: Administration,
Action: Login OK'

**Phase 2: Completed decoding.
       decoder: 'qlogd'
       dstuser: 'admin'
       srcip: '10.0.0.54'
       action: 'Login'

**Phase 3: Completed filtering (rules).
       Rule id: '100004'
       Level: '12'
       Description: 'nas user logged in'
**Alert to be generated.


Modified decoder:

<decoder name="qlogd">
    <program_name>^qlogd</program_name>
    <regex>\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action:
(\S+)</regex>
    <order>user, srcip, action</order>
</decoder>

Next, I restart the ossec processes on the manager, and use `logger`
to test the log:
`echo 'conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
---, Connection type: , Accessed resources: Administration, Action:
Login OK' | logger -t qlogd`
I get the following in `/var/log/messages`:
Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP:
10.0.0.54, Computer name: ---, Connection type: , Accessed resources:
Administration, Action: Login OK

And the following in `/var/ossec/logs/alerts/alerts.log`:
** Alert 1532702200.100802: mail  - syslog,qlogd,
2018 Jul 27 10:36:40 rossak->/var/log/messages
Rule: 100004 (level 12) -> 'nas user logged in'
Src IP: 10.0.0.54
User: admin
Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP:
10.0.0.54, Computer name: ---, Connection type: , Accessed resources:
Administration, Action: Login OK



> 2. Constructed a decoder at /var/ossec/etc/local_decoder.xml ->
>
> <decoder name="qlogd">
>     <prematch>\S+ qlogd</prematch>
>     <regex offset="after_prematch">\.+ Users: (\S+), Source IP:
> (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
>     <order>user, srcip, action</order>
> </decoder>
>
> 3. Constructed a number of rules at /var/ossec/rules/local_rules.xml ->
>
> <group name="syslog,qlogd,">
>     <rule id="100002" level="0">
>         <decoded_as>qlogd</decoded_as>
>         <description>qlogd messages to analyze</description>
>    </rule>
>    <rule id="100003" level="12">
>     <if_sid>100002</if_sid>
>         <action>Logout</action>
>     <description>nas user logged out</description>
>    </rule>
>    <rule id="100004" level="12">
>         <if_sid>100002</if_sid>
>         <action>Login</action>
>         <description>nas user logged in</description>
>    </rule>
> </group>
>
> 4. Confirmed grammar via /var/ossec/bin/ossec-logtest ->
>
> **Phase 1: Completed pre-decoding.
>        full event: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas
> qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
> ---, Connection type: , Accessed resources: Administration, Action: Login
> OK'
>        hostname: 'pi'
>        program_name: '(null)'
>        log: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas
> qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
> ---, Connection type: , Accessed resources: Administration, Action: Login
> OK'
>
> **Phase 2: Completed decoding.
>        decoder: 'qlogd'
>        dstuser: 'admin'
>        srcip: '10.0.0.54'
>        action: 'Login'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100004'
>        Level: '12'
>        Description: 'nas user logged in'
> **Alert to be generated.
>
> Unfortunately this does not result in any alerts/emails. Done the usual
> googling & reading of "OSSEC HIDS Host-Based ....." but still cannot figure
> out what I'm doing wrong. Will be super grateful if someone could point out
> what I have done wrong.
>
> Regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

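The following is an added example, not code from OSSEC or from either poster. It is a small Python approximation of the OSSEC pipeline discussed in this thread (archives.log header stripping, syslog pre-decoding, the two qlogd decoders and the three local rules posted above) so the two decoders can be compared on the same input without a manager running. It assumes that when pre-decoding fails OSSEC reports the manager's own hostname and a null program_name, as the logtest output in the original post shows ("pi" is taken from that output); the Logout line is constructed, and the other two inputs are the lines quoted in the thread. The real behaviour must still be confirmed with /var/ossec/bin/ossec-logtest.

```python
import re

# Sample inputs. ARCHIVE_LINE and LOGGER_LINE are the lines quoted in the
# thread; LOGOUT_LINE is constructed for this example.
ARCHIVE_LINE = ("2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: "
                "conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, "
                "Connection type: , Accessed resources: Administration, Action: Login OK")
LOGGER_LINE = ("Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP: 10.0.0.54, "
               "Computer name: ---, Connection type: , Accessed resources: Administration, "
               "Action: Login OK")
LOGOUT_LINE = ("Jul 25 18:50:01 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, "
               "Computer name: ---, Connection type: , Accessed resources: Administration, "
               "Action: Logout OK")

# archives.log prefixes each event with "YYYY Mon DD HH:MM:SS host->source ".
ARCHIVE_HEADER = re.compile(r"^\d{4} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+->\S+ ")
# Classic syslog: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")

# OSSEC regex from the decoders translated to Python: "\.+" is "anything" in
# OSSEC, "." is a literal dot.
QLOGD_REGEX = re.compile(r".+ Users: (\S+), Source IP: (\d+\.\d+\.\d+\.\d+), .+ Action: (\S+)")
QLOGD_ORDER = ("user", "srcip", "action")
PREMATCH = re.compile(r"\S+ qlogd")           # original decoder's <prematch>


def strip_archive_header(line):
    """Turn an archives.log line back into what the NAS actually sent."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def predecode(line, local_host="pi"):
    """Approximation of OSSEC pre-decoding (assumption: on failure the manager's
    own hostname is used and program_name is null, as in the thread's logtest)."""
    m = SYSLOG.match(line)
    if not m:
        return {"hostname": local_host, "program_name": None, "log": line}
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def _fields(match):
    fields = dict(zip(QLOGD_ORDER, match.groups()))
    fields["decoder"] = "qlogd"
    return fields


def decode_qlogd_prematch(pre):
    """Original decoder: <prematch>\\S+ qlogd</prematch>, regex after the prematch.
    Works on the raw log text, so it fires even when pre-decoding failed."""
    pm = PREMATCH.search(pre["log"])
    if not pm:
        return None
    m = QLOGD_REGEX.search(pre["log"][pm.end():])
    return _fields(m) if m else None


def decode_qlogd_program_name(pre):
    """Modified decoder: <program_name>^qlogd</program_name>.
    Requires pre-decoding to have recognised the syslog header."""
    if not (pre["program_name"] or "").startswith("qlogd"):
        return None
    m = QLOGD_REGEX.search(pre["log"])
    return _fields(m) if m else None


# The three rules from local_rules.xml. <action> is an exact string compare.
RULES = [
    {"id": 100002, "level": 0, "decoded_as": "qlogd", "description": "qlogd messages to analyze"},
    {"id": 100003, "level": 12, "if_sid": 100002, "action": "Logout", "description": "nas user logged out"},
    {"id": 100004, "level": 12, "if_sid": 100002, "action": "Login", "description": "nas user logged in"},
]


def match_rules(decoded):
    """Walk the rules in order; a child (if_sid) is only tried once its parent matched."""
    if decoded is None:
        return None
    matched = None
    for rule in RULES:
        if rule.get("decoded_as") and rule["decoded_as"] != decoded["decoder"]:
            continue
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "action" in rule and rule["action"] != decoded.get("action"):
            continue
        matched = rule
    return matched


def analyze(line, decoder=decode_qlogd_program_name, local_host="pi"):
    """Run one line through pre-decode -> decoder -> rules; alert if level > 0."""
    pre = predecode(line, local_host)
    decoded = decoder(pre)
    rule = match_rules(decoded)
    return {"pre": pre, "decoded": decoded, "rule": rule,
            "alert": rule is not None and rule["level"] > 0}


if __name__ == "__main__":
    for label, line in (("archive raw", ARCHIVE_LINE),
                        ("archive stripped", strip_archive_header(ARCHIVE_LINE)),
                        ("logger", LOGGER_LINE), ("logout", LOGOUT_LINE)):
        for dec in (decode_qlogd_prematch, decode_qlogd_program_name):
            r = analyze(line, dec)
            print(f"{label:17} {dec.__name__:27} program_name={r['pre']['program_name']!r:8} "
                  f"rule={(r['rule'] or {}).get('id')} alert={r['alert']}")
```

Running it shows the difference between the two decoders on the header-encumbered archives.log line: the prematch decoder matches it (as in the original post's logtest run, with a null program_name), whereas the program_name decoder only matches once the header is stripped, which is what the NAS actually sends and what `logger -t qlogd` reproduces.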