I have an external device (PRIMUS) which can send syslog messages to a server. I configured one of my ossec-agents (Kreuzdorn) to receive these messages and write them to the log files, e.g. /var/log/syslog and /var/log/auth.log. These log files are analyzed by OSSEC on a server (OSSEC-Server).
Log messages from PRIMUS arrive at the OSSEC-Server (/var/ossec/logs/archive/archive.log) if they appear in auth.log and messages on Kreuzdorn. Examples from archive.log:

    2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/messages Jan 31 14:17:39 PRIMUS Config Process: DMU Event: 2019-01-31 14:17:38 RNG Status: GOOD (test duration: 4 msecs)
    2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/auth.log Jan 31 13:31:02 PRIMUS Controller Process: Logout of Decanus Interface

Now I'm observing some unexpected behavior.

Unexpected issue 1)
Messages that arrive from PRIMUS on Kreuzdorn and are logged to /var/log/syslog do not appear on the OSSEC-Server in archive.log. Other messages (not from PRIMUS) in /var/log/syslog from Kreuzdorn do arrive in archive.log. Any possibility on how to further debug this? I might find a workaround by logging the messages to a different log file than syslog.

Unexpected issue 2)
I defined a local rule for messages from PRIMUS:

    <rule id="100200" level="5">
      <hostname>PRIMUS</hostname>
      <description>Message from PRIMUS not further specified</description>
    </rule>

It works with test_rules:

    ossec-testrule: Type one log per line.

    Jan 31 14:22:22 PRIMUS Controller Process: Logout of Decanus Interface


    **Phase 1: Completed pre-decoding.
           full event: 'Jan 31 14:22:22 PRIMUS Controller Process: Logout of Decanus Interface'
           hostname: 'PRIMUS'
           program_name: '(null)'
           log: 'Controller Process: Logout of Decanus Interface'

    **Phase 2: Completed decoding.
           No decoder matched.

    **Phase 3: Completed filtering (rules).
           Rule id: '100200'
           Level: '5'
           Description: 'Message from PRIMUS not further specified'
    **Alert to be generated.

However, the alerts do not appear in /var/ossec/logs/alerts/alerts.log. Any possibility to further debug this? Or any workaround?
I'm running OSSEC on debian stretch using the repository from https://updates.atomicorp.com/channels/atomic/debian

Greetings
Dominik
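The following Python script is an added example, not part of the original post and not OSSEC's own code. It re-implements, in simplified form, the two things the post exercises: the phase 1 pre-decoding of a syslog line into hostname / program_name / log (including why "Controller Process: ..." yields no program_name: the program token must be a single word directly followed by a colon), and a hostname-only local rule like 100200. On top of that it adds the check a reader would want for issue 1: given archive.log lines, count per agent log file how many events carry hostname PRIMUS, so that an empty count for /var/log/syslog makes the missing path visible. The two archive lines are the ones quoted in the post; the CRON line is constructed, and the RULES list and all function names are this example's own.

```python
import re
from collections import Counter

# Layout of an archive.log entry as quoted in the post:
#   "<yyyy> <Mon> <dd> <HH:MM:SS> (<agent>) <agent-ip>-><location> <raw syslog line>"
ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<raw>.*)$"
)
# Syslog-style raw line: "<Mon> <dd> <HH:MM:SS> <hostname> <rest>"
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<rest>.*)$")
# program_name is only recognised as one token (optionally "[pid]") followed
# directly by ": ". "Controller Process: ..." contains a space before the
# colon, so it produces no program_name, matching the testrule output above.
PROGRAM_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")

# Hypothetical rule table mirroring local rule 100200 (hostname-only match).
RULES = [
    {"id": "100200", "level": 5, "hostname": "PRIMUS",
     "description": "Message from PRIMUS not further specified"},
]

# Sample archive.log content: first two lines are from the post, the third is constructed.
SAMPLE_ARCHIVE = [
    "2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/messages Jan 31 14:17:39 PRIMUS "
    "Config Process: DMU Event: 2019-01-31 14:17:38 RNG Status: GOOD (test duration: 4 msecs)",
    "2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/auth.log Jan 31 13:31:02 PRIMUS "
    "Controller Process: Logout of Decanus Interface",
    # constructed: a local (non-PRIMUS) syslog entry, the kind that does reach the server
    "2019 Jan 31 15:11:02 (Kreuzdorn) 10.33.34.2->/var/log/syslog Jan 31 15:11:01 Kreuzdorn "
    "CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)",
]


def predecode(raw):
    """Phase-1 look-alike: split a raw syslog line into hostname, program_name and log."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return {"hostname": None, "program_name": None, "log": raw}
    rest = m.group("rest")
    p = PROGRAM_RE.match(rest)
    if p:
        return {"hostname": m.group("hostname"),
                "program_name": p.group("program"), "log": p.group("log")}
    return {"hostname": m.group("hostname"), "program_name": None, "log": rest}


def match_rules(event, rules=RULES):
    """Return the first rule whose hostname equals the pre-decoded hostname, else None."""
    for rule in rules:
        if rule.get("hostname") and rule["hostname"] == event["hostname"]:
            return rule
    return None


def parse_archive(lines):
    """Yield (agent, location, pre-decoded event) for every parsable archive.log line."""
    for line in lines:
        m = ARCHIVE_RE.match(line)
        if m:
            yield m.group("agent"), m.group("location"), predecode(m.group("raw"))


def locations_for_host(lines, hostname):
    """Count, per agent log file, how many archived events carry the given hostname.

    A log file that is missing from the result (here /var/log/syslog for PRIMUS)
    is the one whose events never reached the server, which narrows issue 1 down.
    """
    counts = Counter()
    for _agent, location, event in parse_archive(lines):
        if event["hostname"] == hostname:
            counts[location] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = predecode("Jan 31 14:22:22 PRIMUS Controller Process: Logout of Decanus Interface")
    print(ev, "->", match_rules(ev))
    print("PRIMUS events per location:", locations_for_host(SAMPLE_ARCHIVE, "PRIMUS"))
```

Run against a real archive.log with `locations_for_host(open("/var/ossec/logs/archive/archive.log"), "PRIMUS")`: if /var/log/syslog never appears as a key while it does for other hostnames, the loss is between the agent's log collection and the server, not in the rules.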
