Re: [ossec-list] OSSEC Missing Logs

2018-02-19 Thread Eric
It's fairly busy but nothing insane. I didn't know if OSSEC had some sort 
of built-in alerting/monitoring or statistics where I could see if it's 
truly missing those files.


On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, Feb 16, 2018 at 4:02 PM, Eric wrote: 
> > I'm using OSSEC in a slightly unconventional manner where I have it 
> > installed on a centralized syslog server and it's tripping correlations from 
> > multiple servers with just one agent. A small snippet of the setup is below. 
> > 
> > ossec-server.domain.com monitoring: 
> > 
> > /logs/networking/*.log 
> > /logs/windows/*.log 
> > /logs/unix/*.log 
> > 
> > Overall this has worked pretty well for a low-key correlation system for 
> > some alerts but I recently added a few more logs to it and I feel like OSSEC 
> > is missing some entries now. For example, I see alerts being tripped in 
> > /var/ossec/logs/alerts/alerts.log for some events, but others are not. I 
> > know for a fact while tailing the alerts.log file, I should have received 
> > the alert below as I was also tailing the logs OSSEC was monitoring. Below 
> > shows that the format is correct and it's decoding/alerting correctly when 
> > running the test. Therefore my only conclusion is OSSEC is potentially 
> > getting overwhelmed and missing some. Is there a way to check that or any 
> > other reason this wouldn't have tripped for me? 
> > 
>
> It's possible that it got missed. Is the server busy? Is there enough 
> CPU/RAM? Is the events per second rate very high? 
>
> > Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root' 
> >        hostname: 'server1' 
> >        program_name: 'sudo' 
> >        log: '  user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'sudo' 
> >        dstuser: 'user_name' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '100012' 
> >        Level: '10' 
> >        Description: 'User attempted to run a command that was not allowed.' 
> > **Alert to be generated. 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC Missing Logs

2018-02-18 Thread dan (ddp)
On Fri, Feb 16, 2018 at 4:02 PM, Eric  wrote:
> I'm using OSSEC in a slightly unconventional manner where I have it
> installed on a centralized syslog server and it's tripping correlations from
> multiple servers with just one agent. A small snippet of the setup is below.
>
> ossec-server.domain.com monitoring:
>
> /logs/networking/*.log
> /logs/windows/*.log
> /logs/unix/*.log
>
> Overall this has worked pretty well for a low-key correlation system for
> some alerts but I recently added a few more logs to it and I feel like OSSEC
> is missing some entries now. For example, I see alerts being tripped in
> /var/ossec/logs/alerts/alerts.log for some events, but others are not. I
> know for a fact while tailing the alerts.log file, I should have received
> the alert below as I was also tailing the logs OSSEC was monitoring. Below
> shows that the format is correct and it's decoding/alerting correctly when
> running the test. Therefore my only conclusion is OSSEC is potentially
> getting overwhelmed and missing some. Is there a way to check that or any
> other reason this wouldn't have tripped for me?
>

It's possible that it got missed. Is the server busy? Is there enough CPU/RAM?
Is the events per second rate very high?

> Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
>        hostname: 'server1'
>        program_name: 'sudo'
>        log: '  user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
>
> **Phase 2: Completed decoding.
>        decoder: 'sudo'
>        dstuser: 'user_name'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100012'
>        Level: '10'
>        Description: 'User attempted to run a command that was not allowed.'
> **Alert to be generated.
>

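Neither message above answers Eric's question of how to tell whether OSSEC really dropped the events, or dan's question of what the events-per-second rate is. The script below is an added example written for this page, not code from the thread or from the OSSEC project. It cross-checks a monitored log against /var/ossec/logs/alerts/alerts.log: every source line that the custom rule 100012 should have matched is looked up against the raw event OSSEC echoes at the end of each alert block, and anything without a matching alert is reported, together with a per-second event count from the syslog timestamps. The sample log lines and the alerts.log excerpt are constructed here (modelled on OSSEC's alert layout), and the assumption that rule 100012 fires on sudo "command not allowed" events is taken from the ossec-logtest output in the thread; the file names in the usage note are also assumptions.

```python
#!/usr/bin/env python3
"""Cross-check a monitored log against OSSEC's alerts.log to find events that
should have alerted but did not, and count events per second.

Added example, not code from the thread or the OSSEC project. Assumptions:
the alerts.log layout below, rule id 100012 and its match condition, and the
file names used on the command line are all constructed for illustration."""
import re
import sys
from collections import Counter

# Constructed sample of a monitored file (the thread's /logs/unix/*.log).
# Three sudo "command not allowed" events; the 13:04:34 one is the missed alert.
MONITORED_LOG = """\
Feb 16 13:04:31 server1 sudo:   user_name : TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/ls
Feb 16 13:04:32 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
Feb 16 13:04:34 server2 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Feb 16 13:04:35 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
"""

# Constructed alerts.log excerpt in OSSEC's alert layout: "** Alert" header,
# date/location line, "Rule:" line, decoded fields, the raw event, blank line.
# Only two of the three expected rule 100012 alerts are present.
ALERTS_LOG = """\
** Alert 1518811472.1001: - syslog,sudo,
2018 Feb 16 13:04:32 ossec-server->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
User: user_name
Feb 16 13:04:32 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

** Alert 1518811475.1002: - syslog,sudo,
2018 Feb 16 13:04:35 ossec-server->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
User: user_name
Feb 16 13:04:35 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

"""

EXPECTED_RULE = "100012"
# Mirrors what the poster's local rule 100012 matches (assumption drawn from
# the ossec-logtest output: a sudo event whose log part says "command not allowed").
SHOULD_ALERT = re.compile(r" sudo: .*command not allowed ;")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")


def parse_alerts(text):
    """Return [(rule_id, raw_event), ...] for each alert block in alerts.log text.

    OSSEC writes the raw event as the last line of a block; that line is what
    lets an alert be joined back to the line in the monitored file."""
    alerts = []
    for block in text.split("** Alert ")[1:]:
        lines = [ln for ln in block.splitlines() if ln.strip()]
        rule_id = None
        for ln in lines:
            m = RULE_LINE.match(ln)
            if m:
                rule_id = m.group(1)
        if rule_id is not None and lines:
            alerts.append((rule_id, lines[-1]))
    return alerts


def find_missing(monitored_text, alerts_text, rule_id=EXPECTED_RULE,
                 should_alert=SHOULD_ALERT):
    """Source lines matching should_alert that have no alert for rule_id.

    Each alert is consumed once, so an event that repeats with identical text
    must have alerted as many times as it occurred to count as covered."""
    alerted = Counter(ev for rid, ev in parse_alerts(alerts_text) if rid == rule_id)
    missing = []
    for line in monitored_text.splitlines():
        if not should_alert.search(line):
            continue
        if alerted[line] > 0:
            alerted[line] -= 1
        else:
            missing.append(line)
    return missing


def events_per_second(monitored_text):
    """Events per wall-clock second, keyed by the 15-char syslog timestamp prefix."""
    return Counter(line[:15] for line in monitored_text.splitlines() if len(line) > 15)


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def main(argv):
    if len(argv) == 3:
        monitored, alerts = read_text(argv[1]), read_text(argv[2])
    else:  # no files given: run on the constructed sample above
        monitored, alerts = MONITORED_LOG, ALERTS_LOG
    eps = events_per_second(monitored)
    print(f"events: {sum(eps.values())}, peak per second: {max(eps.values(), default=0)}")
    for line in find_missing(monitored, alerts):
        print("no alert for:", line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real files, for example `python3 ossec_gap_check.py /logs/unix/server1.log /var/ossec/logs/alerts/alerts.log` (both names assumed), and line up the timestamps of any reported gaps with the per-second counts and with /var/ossec/logs/ossec.log for the same minute. Two caveats: ossec-logcollector begins reading a newly added localfile from its end, so entries written before the new file was picked up never reach analysisd and will show up here as gaps that have nothing to do with load; and ossec-logtest feeds one line at a time through the decoders and rules only, so a clean logtest result says nothing about whether the collector and analysis daemons keep up at the real event rate.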