Re: [ossec-list] OSSEC Missing Logs

It's fairly busy but nothing insane. I didn't know if OSSEC had some sort of built-in alerting/monitoring or statistics where I could see if it's truly missing those files.

On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote:
> On Fri, Feb 16, 2018 at 4:02 PM, Eric wrote:
> > I'm using OSSEC in a slightly unconventional manner where I have it installed on a centralized syslog server and it's tripping correlations from multiple servers with just one agent. A small snippet of the setup is below.
> >
> > ossec-server.domain.com monitoring:
> >
> > /logs/networking/*.log
> > /logs/windows/*.log
> > /logs/unix/*.log
> >
> > Overall this has worked pretty well as a low-key correlation system for some alerts, but I recently added a few more logs to it and I feel like OSSEC is missing some entries now. For example, I see alerts being tripped in /var/ossec/logs/alerts/alerts.log for some events, but others are not. I know for a fact, while tailing the alerts.log file, that I should have received the alert below, as I was also tailing the logs OSSEC was monitoring. Below shows that the format is correct and it's decoding/alerting correctly when running the test. Therefore my only conclusion is OSSEC is potentially getting overwhelmed and missing some. Is there a way to check that, or any other reason this wouldn't have tripped for me?
> >
> It's possible that it got missed. Is the server busy? Is there enough CPU/RAM? Is the events per second rate very high?
>
> > Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
> >        hostname: 'server1'
> >        program_name: 'sudo'
> >        log: ' user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'sudo'
> >        dstuser: 'user_name'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100012'
> >        Level: '10'
> >        Description: 'User attempted to run a command that was not allowed.'
> > **Alert to be generated.

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] OSSEC Missing Logs

On Fri, Feb 16, 2018 at 4:02 PM, Eric wrote:
> I'm using OSSEC in a slightly unconventional manner where I have it installed on a centralized syslog server and it's tripping correlations from multiple servers with just one agent. A small snippet of the setup is below.
>
> ossec-server.domain.com monitoring:
>
> /logs/networking/*.log
> /logs/windows/*.log
> /logs/unix/*.log
>
> Overall this has worked pretty well as a low-key correlation system for some alerts, but I recently added a few more logs to it and I feel like OSSEC is missing some entries now. For example, I see alerts being tripped in /var/ossec/logs/alerts/alerts.log for some events, but others are not. I know for a fact, while tailing the alerts.log file, that I should have received the alert below, as I was also tailing the logs OSSEC was monitoring. Below shows that the format is correct and it's decoding/alerting correctly when running the test. Therefore my only conclusion is OSSEC is potentially getting overwhelmed and missing some. Is there a way to check that, or any other reason this wouldn't have tripped for me?
>

It's possible that it got missed. Is the server busy? Is there enough CPU/RAM? Is the events per second rate very high?

> Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
>        hostname: 'server1'
>        program_name: 'sudo'
>        log: ' user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
>
> **Phase 2: Completed decoding.
>        decoder: 'sudo'
>        dstuser: 'user_name'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100012'
>        Level: '10'
>        Description: 'User attempted to run a command that was not allowed.'
> **Alert to be generated.
[ossec-list] OSSEC Missing Logs

I'm using OSSEC in a slightly unconventional manner where I have it installed on a centralized syslog server and it's tripping correlations from multiple servers with just one agent. A small snippet of the setup is below.

ossec-server.domain.com monitoring:

- /logs/networking/*.log
- /logs/windows/*.log
- /logs/unix/*.log

Overall this has worked pretty well as a low-key correlation system for some alerts, but I recently added a few more logs to it and I feel like OSSEC is missing some entries now. For example, I see alerts being tripped in /var/ossec/logs/alerts/alerts.log for some events, but others are not. I know for a fact, while tailing the alerts.log file, that I should have received the alert below, as I was also tailing the logs OSSEC was monitoring. Below shows that the format is correct and it's decoding/alerting correctly when running the test. Therefore my only conclusion is OSSEC is potentially getting overwhelmed and missing some. Is there a way to check that, or any other reason this wouldn't have tripped for me?

Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

**Phase 1: Completed pre-decoding.
       full event: 'Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
       hostname: 'server1'
       program_name: 'sudo'
       log: ' user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'

**Phase 2: Completed decoding.
       decoder: 'sudo'
       dstuser: 'user_name'

**Phase 3: Completed filtering (rules).
       Rule id: '100012'
       Level: '10'
       Description: 'User attempted to run a command that was not allowed.'
**Alert to be generated.
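One way to answer the two questions raised in this thread, "is OSSEC really missing alerts?" and "how high is the events-per-second rate?", is to reconcile the file OSSEC was tailing against alerts.log. The script below is an added example written for this page; it is not part of the thread and not OSSEC's own tooling. It assumes the alerts.log layout described in its comments (header line, location line, Rule line, optional User line, raw event), the local rule id 100012 and the sudo "command not allowed" message shape from the post. The log lines, alert records, hostnames and the path /logs/unix/server1.log are constructed for the example.

```python
"""Reconcile OSSEC alerts.log against the log file OSSEC was tailing.

Added example for the thread above; it is not OSSEC code. It checks
whether every event a rule should have fired on actually produced an
alert, and reports the peak events-per-second rate in the source log.
All data below is constructed or taken from the post; the alert blocks
follow the layout OSSEC writes to /var/ossec/logs/alerts/alerts.log
(header, location, Rule line, optional User line, then the raw event
on a single line).
"""
import re
from collections import Counter

# Constructed source log, as it would sit under /logs/unix/ in the post:
# three sudo "command not allowed" events and one unrelated sshd line.
SOURCE_LOG = """\
Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
Feb 16 13:04:34 server1 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 50312 ssh2
Feb 16 13:04:35 server2 sudo: other_user : command not allowed ; TTY=pts/1 ; PWD=/home/other_user ; USER=root ; COMMAND=/bin/bash
Feb 16 13:05:01 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
"""

# Constructed alerts.log content: only two of the three sudo events above
# produced an alert, so the reconciler should report exactly one gap.
ALERTS_LOG = """\
** Alert 1518811474.1001: - syslog,sudo,
2018 Feb 16 13:04:34 ossec-server->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
User: user_name
Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

** Alert 1518811501.1002: - syslog,sudo,
2018 Feb 16 13:05:01 ossec-server->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
User: user_name
Feb 16 13:05:01 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
"""

# The event shape the post's local rule 100012 fires on: syslog timestamp,
# host, then sudo's "command not allowed" message.
SUDO_DENIED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sudo: "
    r"(?P<user>\S+) : command not allowed ;.*COMMAND=(?P<cmd>.*)$"
)
ALERT_RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)")


def expected_events(source_text):
    """Raw lines in the tailed log that the rule should have alerted on."""
    return [ln for ln in source_text.splitlines() if SUDO_DENIED.match(ln)]


def alerted_events(alerts_text, rule_id):
    """Raw event lines that alerts.log records under rule_id.

    Alerts are blank-line separated blocks; the raw event is the last
    line of each block (single-line events assumed).
    """
    seen = set()
    for block in alerts_text.strip().split("\n\n"):
        lines = block.splitlines()
        for ln in lines:
            m = ALERT_RULE.match(ln)
            if m and m.group("rule") == rule_id:
                seen.add(lines[-1])
                break
    return seen


def missing_alerts(source_text, alerts_text, rule_id):
    """Events that should have fired rule_id but have no alert on disk."""
    alerted = alerted_events(alerts_text, rule_id)
    return [ev for ev in expected_events(source_text) if ev not in alerted]


def peak_events_per_second(source_text):
    """(count, timestamp) of the busiest second in the source log.

    The syslog timestamp is the fixed 15-character prefix of each line.
    """
    counts = Counter(ln[:15] for ln in source_text.splitlines() if ln.strip())
    if not counts:
        return 0, None
    ts, n = counts.most_common(1)[0]
    return n, ts


if __name__ == "__main__":
    for ev in missing_alerts(SOURCE_LOG, ALERTS_LOG, "100012"):
        print("NO ALERT:", ev)
    print("peak events/second: %d at %s" % peak_events_per_second(SOURCE_LOG))
```

Run against the real files (read the tailed log and alerts.log into the two strings, and widen the regex if the rule covers more than this one sudo message). Because ossec-logtest already matches the line in the post, a gap reported here means the event was lost before analysis, not rejected by the rule set; the next place to look is /var/ossec/logs/ossec.log for errors from ossec-logcollector and ossec-analysisd around the same timestamps, with the peak rate as a hint whether load is the cause.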