Haha, yes I do :)!!

> Do you have this log file in the box?
>
> C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log
>
> thanks,
>
> On Thu, May 28, 2009 at 11:36 AM, Derek J. Morris
> <dmor...@digitalmorris.com> wrote:
>> Made that change and still getting error in log on that server:
>>
>> INFO: Analyzing event log: 'Application'.
>>
>> 2009/05/28 10:45:42 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>>
>> 2009/05/28 10:45:54 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>>
>> 2009/05/28 10:45:54 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
>>
>> 2009/05/28 10:45:54 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
>>
>> 2009/05/28 10:45:54 ossec-agent(1950): INFO: Analyzing file:
>> 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
>>
>> 2009/05/28 10:45:54 ossec-agent: INFO: Started (pid: 4088).
>>
>>
>>> Hi Derek,
>>>
>>> You don't need all of that. Just use the strftime format:
>>>
>>>  <localfile>
>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-%a.log</location>
>>>      <log_format>syslog</log_format>
>>>  </localfile>
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>> On Wed, May 27, 2009 at 2:11 PM, Derek J. Morris
>>> <dmor...@digitalmorris.com> wrote:
>>>> Here is a clip of the ossec.conf on that server:
>>>>
>>>>  <localfile>
>>>>    <location>System</location>
>>>>    <log_format>eventlog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>c:\windows\system32\dhcp\DhcpSrvLog-Wed.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>  <localfile>
>>>>      <location>C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log</location>
>>>>      <log_format>syslog</log_format>
>>>>  </localfile>
>>>>
>>>>
>>>>> Hi Derek,
>>>>>
>>>>> How did you set your <localfile> entry for this log? It means that ossec
>>>>> is not finding the new log file.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --
>>>>> Daniel B. Cid
>>>>> dcid ( at ) ossec.net
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, May 20, 2009 at 11:38 AM, Derek J. Morris
>>>>> <dmor...@digitalmorris.com> wrote:
>>>>>> Getting errors now:
>>>>>>
>>>>>> 2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>>>>>>
>>>>>> 2009/05/20 10:42:32 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>>>>>>
>>>>>> 2009/05/20 10:42:33 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sat.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Sun.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Mon.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Tue.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'c:\windows\system32\dhcp\DhcpSrvLog-Wed.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Thu.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\system32\dhcp\DhcpSrvLog-Fri.log'.
>>>>>>
>>>>>> 2009/05/20 10:42:34 ossec-agent: INFO: Started (pid: 3848).
>>>>>>
>>>>>>
>>>>>>> Here is the latest and *hopefully* final version. I've created three
>>>>>>> separate decoders for Windows DHCP server. One for Windows 2003 IPv4,
>>>>>>> one for Windows 2008 IPv4 and the last one for Windows 2008 IPv6. I'm
>>>>>>> not using IPv6, so I could only test a few log entries against the
>>>>>>> decoder. If someone is using 2K8 IPv6 and you can send me more logs,
>>>>>>> I'd be happy to test. Also, I'm pretty new to writing rules in regular
>>>>>>> expressions. If you look at my decoders and think "WTF!", please let me
>>>>>>> know what I could do to make it better. ;)
>>>>>>>
>>>>>>> I've moved my decoders from decoder.xml to local_decoder.xml as was
>>>>>>> recommended on the mailing list.
>>>>>>>
>>>>>>> I've updated the ms_dhcp_rules.xml file to include 2 new rules from 2008
>>>>>>> IPv4 as well as a separate section for 2008 IPv6 rules. I've changed
>>>>>>> them from the 12200/12300 range to 120200 for 2k3/2k8 IPv4 and 120300
>>>>>>> for 2k8 IPv6. I also updated the alert levels to a little more
>>>>>>> reasonable level and I've changed the groups to match predefined groups
>>>>>>> when applicable.
>>>>>>>
>>>>>>> The decoders also fixed a "bug" when trying to filter out the MAC
>>>>>>> address or "extra data". In the last decoder I posted, it didn't always
>>>>>>> get it right.
>>>>>>>
>>>>>>> If you've followed my previous instructions, please remove the decoder
>>>>>>> from your OSSEC server's decoder.xml file and use the attached
>>>>>>> local_decoder.xml. If you're already using a local_decoder.xml file,
>>>>>>> then don't overwrite your copy with mine! Copy and paste the contents
>>>>>>> of mine into yours... Otherwise, the rest of the previous instructions
>>>>>>> still apply.
>>>>>>>
>>>>>>> I'm still working out some possible bugs with the OSSEC agent monitoring
>>>>>>> the Windows logs. When I told the agent to monitor
>>>>>>> c:\windows\system32\dhcp\*.log it stopped monitoring on Sunday at
>>>>>>> midnight. I'm not sure if that was due to timestamps not being updated
>>>>>>> or not. I've since added an entry in the OSSEC agent's ossec.conf file
>>>>>>> for each day's log and we'll see if that works better.
>>>>>>>
>>>>>>> Will the dev team take notice of this on the list and decide if they
>>>>>>> want to include it in their project or do I need to send it elsewhere?
>>>>>>>
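An added example (not from the thread or the OSSEC project) showing what the strftime-style `<location>` Daniel suggests resolves to, compared with the seven fixed per-day entries: it expands each entry for a given date and reports which files the agent would fail to open. It assumes a constructed temporary directory that stands in for C:\WINDOWS\system32\dhcp and holds only the Mon..Thu logs, as on a Thursday morning.

```python
import datetime
import os
import tempfile

# Pattern from the thread; ossec-agent expands strftime directives at runtime.
DHCP_PATTERN = "DhcpSrvLog-%a.log"
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def expand_location(pattern: str, when: datetime.datetime) -> str:
    """Resolve strftime directives (e.g. %a) in a <location> for a local time."""
    return when.strftime(pattern)


def open_status(path: str) -> str:
    """Mirror the agent's open check: 'ok', 'missing' or 'unreadable'."""
    if not os.path.exists(path):
        return "missing"
    try:
        with open(path, "rb"):
            return "ok"
    except OSError:
        return "unreadable"


def audit_entries(directory: str, locations, when: datetime.datetime) -> dict:
    """Expand each <location> for `when` and report whether it can be opened.

    Fixed per-day entries are all checked every day, so files not yet written
    this week come back 'missing' (the agent logs 'Unable to open file');
    a single %a entry resolves to exactly one file for the current day."""
    return {loc: open_status(os.path.join(directory, expand_location(loc, when)))
            for loc in locations}


def demo() -> dict:
    """Constructed scenario: a Thursday on which only Mon..Thu logs exist."""
    thursday = datetime.datetime(2009, 5, 28, 10, 45)  # date from the thread
    workdir = tempfile.mkdtemp()  # stands in for C:\WINDOWS\system32\dhcp
    for day in WEEKDAYS[:4]:
        with open(os.path.join(workdir, f"DhcpSrvLog-{day}.log"), "w") as fh:
            fh.write("constructed sample line\n")
    per_day = [f"DhcpSrvLog-{day}.log" for day in WEEKDAYS]
    return {
        "today": expand_location(DHCP_PATTERN, thursday),
        "fixed": audit_entries(workdir, per_day, thursday),
        "dynamic": audit_entries(workdir, [DHCP_PATTERN], thursday),
    }
```

Running `demo()` shows the `%a` entry resolving to the Thursday file alone, while the fixed list reports Fri, Sat and Sun as missing, which is the source of the repeated "Unable to open file" lines for days whose log does not exist yet.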