On Fri, Feb 1, 2019 at 3:02 AM Dominik <[email protected]> wrote:
>
> I have an external device (PRIMUS) which can send syslog messages to a server. I configured one of my OSSEC agents (Kreuzdorn) to receive these messages and list them in the log files, e.g. /var/log/syslog and /var/log/auth.log. These log files are analyzed by OSSEC on a server (OSSEC-Server).
>
> Log messages from PRIMUS arrive at the OSSEC server (/var/ossec/logs/archive/archive.log) if they appear in auth.log and messages on Kreuzdorn. Examples from archive.log:
>
> 2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/messages Jan 31 14:17:39 PRIMUS Config Process: DMU Event: 2019-01-31 14:17:38 RNG Status: GOOD (test duration: 4 msecs)
> 2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/auth.log Jan 31 13:31:02 PRIMUS Controller Process: Logout of Decanus Interface
>
> Now I'm observing some unexpected behavior.
>
> Unexpected issue 1)
>
> Messages that arrive from PRIMUS on Kreuzdorn and are logged to /var/log/syslog do not appear on the OSSEC-Server in the archive.log. Other messages (not from PRIMUS) in /var/log/syslog from Kreuzdorn do arrive in archive.log.
>
> Any possibility on how to further debug this? I might find a workaround by logging the messages to a different log file than syslog.
That's really weird. Make sure `/var/log/syslog` is configured in the agent's ossec.conf. I'm not sure if turning on debugging will help, but it might log what is being sent to the server. Poke around in logcollector, I guess. You could also try turning on the syslog remoted options in the OSSEC server and pointing the syslog there.

> Unexpected issue 2)
>
> I defined a local rule for messages from PRIMUS:
>
> <rule id="100200" level="5">
>   <hostname>PRIMUS</hostname>
>   <description> Message from PRIMUS not further specified</description>
> </rule>
>
> It works with test_rules:
>
> ossec-testrule: Type one log per line.
>
> Jan 31 14:22:22 PRIMUS Controller Process: Logout of Decanus Interface
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jan 31 14:22:22 PRIMUS Controller Process: Logout of Decanus Interface'
> hostname: 'PRIMUS'
> program_name: '(null)'
> log: 'Controller Process: Logout of Decanus Interface'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100200'
> Level: '5'
> Description: 'Message from PRIMUS not further specified'
> **Alert to be generated.
>
> However, the alerts do not appear in /var/ossec/logs/alerts/alerts.log.
>
> Any possibility to further debug this? Or any workaround?
>
> I'm running OSSEC on Debian stretch using the repository from
> https://updates.atomicorp.com/channels/atomic/debian
>
> Greetings
> Dominik
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
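As an added example (not from the thread and not OSSEC project code), the script below does offline what the two questions above ask for by hand: it reads archive.log-style records as OSSEC writes them, runs a simplified version of the syslog pre-decoding that ossec-testrule prints in Phase 1 (hostname / program_name / log), applies a `<hostname>` match like local rule 100200, and then reports per agent and per source file how many matching events actually arrived. Fed a real archive.log, it shows directly whether any PRIMUS lines are coming through `/var/log/syslog` at all. The sample records are constructed (the two PRIMUS lines mirror the thread, the Kreuzdorn lines are made up), and the pre-decoder and the substring semantics of the hostname match are approximations of OSSEC's behaviour, not its code.

```python
import re
from collections import Counter

# Constructed sample in the archive.log layout quoted in the thread:
#   "<received ts> (<agent>) <agent ip>-><source file> <original syslog line>"
# The two PRIMUS lines mirror the thread; the Kreuzdorn lines are made up.
SAMPLE_ARCHIVE = """\
2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/messages Jan 31 14:17:39 PRIMUS Config Process: DMU Event: 2019-01-31 14:17:38 RNG Status: GOOD (test duration: 4 msecs)
2019 Jan 31 15:10:44 (Kreuzdorn) 10.33.34.2->/var/log/auth.log Jan 31 13:31:02 PRIMUS Controller Process: Logout of Decanus Interface
2019 Jan 31 15:10:45 (Kreuzdorn) 10.33.34.2->/var/log/syslog Jan 31 15:10:45 Kreuzdorn systemd[1]: Started Daily apt download activities.
2019 Jan 31 15:10:46 (Kreuzdorn) 10.33.34.2->/var/log/auth.log Jan 31 15:10:46 Kreuzdorn sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2
"""

# One archive.log record: server receive time, agent name, agent IP, the
# file the agent's logcollector read the line from, and the raw event.
ARCHIVE_RE = re.compile(
    r"^(?P<received>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\((?P<agent>[^)]+)\) (?P<agent_ip>[^\s-]+)->(?P<location>\S+) (?P<event>.*)$"
)

# Classic syslog line: "Mon DD HH:MM:SS hostname rest".
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<rest>.*)$"
)

# Program name must be a single token (optionally with [pid]) followed by ": ".
# A multi-word prefix such as "Controller Process:" is therefore NOT taken as a
# program name, which reproduces the program_name '(null)' ossec-testrule shows.
PROGRAM_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")


def predecode(event):
    """Simplified OSSEC phase-1 pre-decoding: hostname, program_name, log."""
    m = SYSLOG_RE.match(event)
    if not m:
        # Not a syslog-shaped line: keep the whole thing as the log field.
        return {"hostname": None, "program_name": None, "log": event}
    rest = m.group("rest")
    pm = PROGRAM_RE.match(rest)
    if pm:
        return {"hostname": m.group("hostname"),
                "program_name": pm.group("program"),
                "log": pm.group("log")}
    return {"hostname": m.group("hostname"), "program_name": None, "log": rest}


def hostname_rule_matches(decoded, hostname):
    """<hostname> in a rule, approximated here as a substring match."""
    return decoded["hostname"] is not None and hostname in decoded["hostname"]


def events_by_source(archive_text, hostname):
    """Count events matching the hostname rule per (agent, source file)."""
    counts = Counter()
    for line in archive_text.splitlines():
        m = ARCHIVE_RE.match(line)
        if not m:
            continue
        if hostname_rule_matches(predecode(m.group("event")), hostname):
            counts[(m.group("agent"), m.group("location"))] += 1
    return counts


def missing_locations(counts, agent, configured_files):
    """Configured files on `agent` through which no matching event arrived."""
    seen = {loc for (ag, loc) in counts if ag == agent}
    return set(configured_files) - seen


if __name__ == "__main__":
    counts = events_by_source(SAMPLE_ARCHIVE, "PRIMUS")
    for (agent, location), n in sorted(counts.items()):
        print(f"{agent} {location}: {n} PRIMUS event(s)")
    gap = missing_locations(counts, "Kreuzdorn",
                            {"/var/log/syslog", "/var/log/auth.log", "/var/log/messages"})
    print("no PRIMUS events seen via:", sorted(gap))
```

Run against the real file by replacing `SAMPLE_ARCHIVE` with the contents of `/var/ossec/logs/archive/archive.log` (archiving must be enabled on the server for that file to be populated). An empty count for `/var/log/syslog` with non-empty counts for the other files reproduces the symptom in issue 1 and narrows it to the agent side: the line never left logcollector, so the server's rules are not involved yet.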
