On Thu, Mar 4, 2010 at 10:14 AM, Doug Burks <mub...@gmail.com> wrote:
> I'm having trouble getting a rule to fire for a Windows agent.  I've
> written other Windows rules before and they work fine, but I can't
> figure out why this isn't working.
>
> Here's what shows up in the Windows System log:
> Printer HP Color LaserJet 8500 PS (from WORKSTATION) in session 2 was
> set.
>
> I am receiving other alerts from that Windows System log, so I know
> the Agent is working properly.
>
> I added the following to /var/ossec/rules/local_rules.xml on my OSSEC
> server:
>  <rule id="101013" level="5">
>    <if_sid>18100</if_sid>
>    <match>HP Color LaserJet 8500 PS</match>
>    <description>Printer test</description>
>  </rule>
>
> I then restarted both the OSSEC Server and the OSSEC Agent on the
> Windows box.  I can generate new log entries on the Windows box, but
> they never show up on the OSSEC server.
>
> I then tried removing the if_sid line making the rule just:
>  <rule id="101013" level="5">
>    <match>HP Color LaserJet 8500 PS</match>
>    <description>Printer test</description>
>  </rule>
>
> I then restarted both the OSSEC Server and the OSSEC Agent on the
> Windows box.  It still doesn't work.
>
> Here are my questions:
> 1.  What is the bare minimum in a rule definition?  Can I get by with
> just a <match>?
> 2.  After adding the rule to local_rules.xml, is it necessary to
> restart both the server and the agent?  Or just one or the other?
> 3.  Is there something obviously wrong with my rule that would prevent
> it from matching the above log snippet?
>
> Thanks,
> Doug Burks
>

1. You'll probably need the <if_sid> line in your rule.
2. You should only have to restart the server after adding a rule.

In the global section of your ossec.conf, you can try setting the
<logall>yes</logall> option. This will populate /var/ossec/logs/archives
on the server.
In the archive.log file you should then have all of the alerts sent to the
server. Look for the one you're trying to create a rule for. You can then
copy and paste part of that line into ossec-logtest to see how it is being
decoded.

For example, I have the following line in my archives.log file:
2010 Mar 04 01:39:16 (giediprime-win) 192.168.17.0->WinEvtLog
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT
AUTHORITY: GIEDIPRIME: Logon Failure:       Reason:         Unknown
user name or bad password       User Name: guest        Domain:
                Logon Type: 3           Logon Process: NtLmSsp
 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: \\192.168.1.9

If I copy everything after the first "WinEvtLog" and paste it into ossec-logtest,
I get the information I'm looking for.

If you still have issues, paste the line from the archives.log file to the list;
we can probably help a bit more then.
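The archives.log to ossec-logtest procedure described in the reply, as an added shell example that is not from the thread or from the OSSEC project. It assumes the default install paths /var/ossec/logs/archives/archives.log and /var/ossec/bin/ossec-logtest, and uses the printer string from Doug's rule as the search pattern.

```shell
#!/bin/sh
# Added example, not from the thread: replay the reply's debugging steps.
# 1. <logall>yes</logall> in ossec.conf makes the server write every
#    received log (not only the ones that alert) to archives.log.
# 2. Pull out the stored lines for the event you want a rule for.
# 3. Strip the archive prefix and feed the raw event to ossec-logtest, which
#    prints the decoder used and the rule id that fired. That output shows
#    whether the event reaches the Windows rules (18100) the <if_sid> in
#    the thread's rule depends on.
# Paths below are the assumed default OSSEC install locations.
ARCHIVE=/var/ossec/logs/archives/archives.log
LOGTEST=/var/ossec/bin/ossec-logtest
# The string the rule in the thread tries to <match> on.
PATTERN='HP Color LaserJet 8500 PS'

# archives.log prefixes each stored event with
#   "YYYY Mon DD HH:MM:SS (agent-name) agent-ip->location "
# e.g. "2010 Mar 04 01:39:16 (giediprime-win) 192.168.17.0->WinEvtLog ".
# ossec-logtest expects the raw event that follows, so drop that prefix.
# Lines that carry no prefix pass through unchanged.
strip_archive_prefix() {
  sed -E 's/^[0-9]{4} [A-Z][a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} \([^)]*\) [^ ]+->[^ ]+ //'
}

# Feed one raw event to ossec-logtest and show its decoder/rule output.
# Each Windows event is a single line in archives.log (the mail client
# wrapped the one in the reply), so one read gives one complete event.
test_event() {
  printf '%s\n' "$1" | "$LOGTEST"
}

main() {
  grep -F -- "$PATTERN" "$ARCHIVE" | strip_archive_prefix |
    while IFS= read -r event; do
      test_event "$event"
    done
}

# The archive only exists once logall is on and the server was restarted;
# without it, only the helper functions are defined.
if [ -r "$ARCHIVE" ]; then
  main
else
  echo "no $ARCHIVE yet: set <logall>yes</logall> in ossec.conf and restart the server" >&2
fi
```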
