I'm trying to decode syslog messages sent by pfSense.

The log received in archives.log is the following:

2020 Jan 05 22:02:05 LAN-HIDS->192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1


The alert shown in Kibana is the following:


[image: kibana.png]

I created a custom decoder in local_decoder.xml:


<!-- Parent decoder: claims any line containing " php-fpm"
     (in OSSEC regex syntax, \.+ means one or more of any character) -->
<decoder name="pfsense">
  <prematch>\.+ php-fpm</prematch>
</decoder>

<!-- Child decoder: extracts the two IPs and the user name from the
     webConfigurator failure line. Capture groups are assigned to the
     <order> names positionally; the "user" field is stored as dstuser.
     The regex must stay on a single line inside the element. -->
<decoder name="pfsense-auth-error">
  <parent>pfsense</parent>
  <regex>^(\d+.\d+.\d+.\d+) \.+ webConfigurator authentication error \.+ user '(\w+)' from: (\d+.\d+.\d+.\d+)</regex>
  <order>srcip, user, dstip</order>
</decoder>


I created a custom rule in local_rules.xml:


<group name="local, windows, syslog, ">
  <!--
  Pfsense authentication error:
  fires only when syslog rule 2501 already matched the event
  and the event was decoded by the "pfsense" decoder above.
  -->
  <rule id="100040" level="6">
    <if_sid>2501</if_sid>
    <decoded_as>pfsense</decoded_as>
    <description>Pfsense authentication error</description>
    <options>no_full_log</options>
  </rule>
</group>


The output from ossec-logtest is the following:


**Phase 1: Completed pre-decoding.
       full event: '192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1'
       timestamp: '(null)'
       hostname: 'LAN-HIDS'
       program_name: '(null)'
       log: '192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.85.1'

**Phase 2: Completed decoding.
       decoder: 'pfsense'
       srcip: '192.168.85.40'
       dstuser: 'admin'
       dstip: '192.168.85.1'

**Phase 3: Completed filtering (rules).
       Rule id: '100040'
       Level: '6'
       Description: 'Pfsense authentication error'
**Alert to be generated.


The alert generated in Kibana still shows rule id 2501 and not 100040.


[image: Capture.JPG]




Any suggestions?



You received this message because you are subscribed to the Google Groups "ossec-list" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/5aca1f7e-0367-46cc-8067-fd881a495008%40googlegroups.com.
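An added example, not from the original post and not OSSEC's own code, that re-implements in Python what the child decoder above does: apply the prematch, apply the regex, and hand the capture groups to the `<order>` names positionally (with "user" landing in dstuser, as the phase 2 output shows). The sample line is the pre-decoded event from the logtest output; the OSSEC patterns are translated to Python syntax (OSSEC's `\.+` is Python's `.+`). The `decode` function, the `FIELD_ALIASES` table and the `ORDER_SUGGESTED` list are assumptions of this example: they show that with the order as posted the first address, the pfSense host that received the attempt, becomes srcip, while the client named after `from:` becomes dstip. That matters if a later correlation rule (`<same_source_ip/>`, `<frequency>`) is meant to count the attacker's address, because those key on srcip.

```python
import re

# Constructed sample input: the pfSense line exactly as the logtest output shows it
# after pre-decoding (the syslog header has already been stripped).
SAMPLE = ("192.168.85.40 Jan  5 21:02:05 php-fpm[338]: /index.php: "
          "webConfigurator authentication error for user 'admin' from: 192.168.85.1")

# Python equivalents of the two OSSEC patterns from the decoder. OSSEC's `\.+` means
# "one or more of any character", i.e. plain `.+` in Python; `\d` and `\w` carry over.
PREMATCH = re.compile(r".+ php-fpm")
REGEX = re.compile(
    r"^(\d+.\d+.\d+.\d+) .+ webConfigurator authentication error .+ "
    r"user '(\w+)' from: (\d+.\d+.\d+.\d+)"
)

# Assumption mirroring the logtest output: the <order> name "user" is stored as dstuser.
FIELD_ALIASES = {"user": "dstuser"}


def decode(line, order):
    """Apply prematch, then regex; assign capture groups to <order> names positionally.

    Returns an empty dict when the line would not be decoded at all
    (prematch fails, or the child regex does not match).
    """
    if not PREMATCH.search(line):
        return {}
    m = REGEX.match(line)
    if not m:
        return {}
    fields = {}
    for name, value in zip(order, m.groups()):
        fields[FIELD_ALIASES.get(name, name)] = value
    return fields


# The <order> exactly as posted: the first IP is the pfSense host that *received*
# the login attempt, yet it is labelled srcip; the client behind "from:" becomes dstip.
ORDER_AS_POSTED = ["srcip", "user", "dstip"]

# Suggested alternative (an assumption of this example, not OSSEC's recommendation):
# label the client srcip and the pfSense host dstip, so rules keyed on the source
# address count the machine making the attempts rather than the firewall.
ORDER_SUGGESTED = ["dstip", "user", "srcip"]


if __name__ == "__main__":
    for label, order in (("as posted", ORDER_AS_POSTED), ("suggested", ORDER_SUGGESTED)):
        print(label, decode(SAMPLE, order))
```

To compare against the real decoder, pipe the same pre-decoded line into /var/ossec/bin/ossec-logtest after changing `<order>` and confirm the phase 2 srcip/dstip values swap as the script predicts.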