It's fairly busy but nothing insane. I didn't know if OSSEC had some sort
of built-in alerting/monitoring or statistics where I could see if it's
truly missing those files.
On Sunday, February 18, 2018 at 3:15:53 PM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, Feb 16, 2018 at 4:02 PM, Eric wrote:
> > I'm using OSSEC in a slightly unconventional manner where I have it
> > installed on a centralized syslog server and it's tripping correlations from
> > multiple servers with just one agent. A small snippet of the setup is below.
> >
> > ossec-server.domain.com monitoring:
> >
> > /logs/networking/*.log
> > /logs/windows/*.log
> > /logs/unix/*.log
> >
> > Overall this has worked pretty well as a low-key correlation system for
> > some alerts, but I recently added a few more logs to it and I feel like OSSEC
> > is missing some entries now. For example, I see alerts being tripped in
> > /var/ossec/logs/alerts/alerts.log for some events, but others are not. I
> > know for a fact, while tailing the alerts.log file, I should have received
> > the alert below as I was also tailing the logs OSSEC was monitoring. Below
> > shows that the format is correct and it's decoding/alerting correctly when
> > running the test. Therefore my only conclusion is OSSEC is potentially
> > getting overwhelmed and missing some. Is there a way to check that or any
> > other reason this wouldn't have tripped for me?
> >
>
> It's possible that it got missed. Is the server busy? Is there enough
> CPU/RAM?
> Is the events per second rate very high?
>
> > Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
> >        hostname: 'server1'
> >        program_name: 'sudo'
> >        log: ' user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'sudo'
> >        dstuser: 'user_name'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100012'
> >        Level: '10'
> >        Description: 'User attempted to run a command that was not allowed.'
> > **Alert to be generated.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com .
> > For more options, visit https://groups.google.com/d/optout.
>
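As an added example (not code from the thread, and not part of OSSEC itself), the following Python script does the two checks that dan's questions point at: it estimates the events-per-second rate the central syslog server is pushing through a single agent, and it cross-checks a set of monitored log lines against alerts.log to list events that match a known rule pattern but never produced an alert. The log lines and the alerts.log excerpt are constructed samples; the hostnames, the /logs/unix path, rule 100012 and the sudo event are taken from the thread. The one assumption is that every alert block in alerts.log ends with the original log line, as the logtest output above shows it being carried through decoding.

```python
"""Cross-check monitored syslog lines against OSSEC alerts.log and measure the
event rate. Added example for the ossec-list thread; sample data is constructed."""
import re
from collections import Counter
from datetime import datetime

# Syslog line as produced by the systems feeding the central server:
# "<Mon DD HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample of lines aggregated under /logs/*/ on the syslog server.
MONITORED_LOGS = """\
Feb 16 13:04:31 server1 sshd[2041]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root
Feb 16 13:04:34 server2 sudo: bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 16 13:04:34 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.1
Feb 16 13:04:35 server1 cron[2077]: (root) CMD (/usr/lib/sysstat/sa1)
Feb 16 13:04:36 server3 sudo: carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/sbin/reboot
"""

# Constructed sample of /var/ossec/logs/alerts/alerts.log for the same window.
# Assumption: each alert block ends with the original log line. Only the
# server1 denial was alerted on; the other two sudo denials are absent.
ALERTS_LOG = """\
** Alert 1518811474.1001: - syslog,sudo,
2018 Feb 16 13:04:34 ossec-server->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
Feb 16 13:04:34 server1 sudo: user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

"""


def parse_syslog(line):
    """Return (timestamp, host, program, message), or None for non-syslog lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("prog"), m.group("msg")


def rate_stats(log_text):
    """Events-per-second figures for the lines the analysis engine must process.
    Syslog timestamps carry no year, so the span is computed on strptime's
    default year; only the differences between stamps matter here."""
    per_second = Counter()
    for line in log_text.splitlines():
        parsed = parse_syslog(line)
        if parsed:
            per_second[parsed[0]] += 1
    if not per_second:
        return {"total": 0, "seconds": 0, "mean": 0.0, "peak": 0, "peak_second": None}
    stamps = sorted(datetime.strptime(ts, "%b %d %H:%M:%S") for ts in per_second)
    span = int((stamps[-1] - stamps[0]).total_seconds()) + 1
    peak_second, peak = per_second.most_common(1)[0]
    total = sum(per_second.values())
    return {"total": total, "seconds": span, "mean": total / span,
            "peak": peak, "peak_second": peak_second}


def alerted_lines(alerts_text):
    """Raw log lines that OSSEC echoed into alerts.log (one per alert block)."""
    return {line for line in alerts_text.splitlines() if parse_syslog(line)}


def find_missing_alerts(log_text, alerts_text, pattern="command not allowed"):
    """Monitored lines containing `pattern` that never surfaced in alerts.log.
    Because the same line decodes and fires rule 100012 in ossec-logtest, a
    non-empty result points at dropped events rather than a rule problem."""
    seen = alerted_lines(alerts_text)
    return [line for line in log_text.splitlines()
            if pattern in line and line not in seen]


if __name__ == "__main__":
    stats = rate_stats(MONITORED_LOGS)
    print(f"{stats['total']} events over {stats['seconds']}s, "
          f"mean {stats['mean']:.1f}/s, peak {stats['peak']}/s at {stats['peak_second']}")
    for line in find_missing_alerts(MONITORED_LOGS, ALERTS_LOG):
        print("no alert for:", line)
```

To use it against real data, replace the two constructed strings with the contents of the monitored files (for example everything under /logs/unix/*.log for the minute in question) and the matching slice of alerts.log; the peak figure is the number to compare with the rate the analysis engine sustained on the box when the alerts were still arriving.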