On Thu, Mar 4, 2010 at 10:14 AM, Doug Burks <mub...@gmail.com> wrote:
> I'm having trouble getting a rule to fire for a Windows agent. I've
> written other Windows rules before and they work fine, but I can't
> figure out why this isn't working.
>
> Here's what shows up in the Windows System log:
> Printer HP Color LaserJet 8500 PS (from WORKSTATION) in session 2 was
> set.
>
> I am receiving other alerts from that Windows System log, so I know
> the Agent is working properly.
>
> I added the following to /var/ossec/rules/local_rules.xml on my OSSEC
> server:
> <rule id="101013" level="5">
> <if_sid>18100</if_sid>
> <match>HP Color LaserJet 8500 PS</match>
> <description>Printer test</description>
> </rule>
>
> I then restarted both the OSSEC Server and the OSSEC Agent on the
> Windows box. I can generate new log entries on the Windows box, but
> they never show up on the OSSEC server.
>
> I then tried removing the if_sid line, making the rule just:
> <rule id="101013" level="5">
> <match>HP Color LaserJet 8500 PS</match>
> <description>Printer test</description>
> </rule>
>
> I then restarted both the OSSEC Server and the OSSEC Agent on the
> Windows box. It still doesn't work.
>
> Here are my questions:
> 1. What is the bare minimum in a rule definition? Can I get by with
> just a <match>?
> 2. After adding the rule to local_rules.xml, is it necessary to
> restart both the server and the agent? Or just one or the other?
> 3. Is there something obviously wrong with my rule that would prevent
> it from matching the above log snippet?
>
> Thanks,
> Doug Burks
>
1. You'll probably need the <if_sid> line in your rule.

2. You should only have to restart the server after adding a rule.

In the global section of your ossec.conf, you can try setting the
<logall>yes</logall> option. This will populate /var/ossec/logs/archives
on the server. In the archives.log file you should then have all of the
alerts sent to the server. Look for the one you're trying to create a
rule for. You can then copy and paste part of that line into
ossec-logtest to see how it is being decoded.

For example, I have the following line in my archives.log file:

2010 Mar 04 01:39:16 (giediprime-win) 192.168.17.0->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: GIEDIPRIME: Logon Failure: Reason: Unknown user name or bad password User Name: guest Domain: Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: \\192.168.1.9

If I copy everything after the first "WinEvtLog" and paste it into
ossec-logtest I get the information I'm looking for.

If you still have issues, paste the line from the archives.log file to
the list; we can probably help a bit more then.
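A small helper for the workflow described in the reply, added here as an example (it is not code from the thread or from OSSEC itself): it takes archives.log text, splits each line into its header fields and the message part that gets pasted into ossec-logtest, and returns the messages that contain a rule's <match> string. The archives.log layout it assumes is inferred from the single sample line quoted above, and the printer line in the sample is constructed.

```python
import re

# Assumed layout of an OSSEC archives.log line (server side, <logall>yes</logall>):
#   "YYYY Mon DD HH:MM:SS (agent-name) agent-ip->location message"
# This regex is my own reading of the one sample line in the reply, not an
# OSSEC-documented format specification.
ARCHIVE_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<message>.*)$"
)


def parse_archive_line(line):
    """Split one archives.log line into header fields plus the raw message.
    Returns None for lines that do not follow the assumed layout."""
    m = ARCHIVE_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def logtest_inputs(archive_text, match_text):
    """Return the message part (everything from the first 'WinEvtLog:' on,
    i.e. what you paste into ossec-logtest) of every archived event whose
    text contains the rule's <match> string."""
    hits = []
    for line in archive_text.splitlines():
        rec = parse_archive_line(line)
        if rec and match_text in rec["message"]:
            hits.append(rec["message"])
    return hits


# Constructed sample: the Security line quoted in the reply, plus a System-log
# line shaped like the printer event from the question. The event type, id and
# source fields of that second line are made up for illustration.
SAMPLE_ARCHIVE = (
    "2010 Mar 04 01:39:16 (giediprime-win) 192.168.17.0->WinEvtLog WinEvtLog: "
    "Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: GIEDIPRIME: "
    "Logon Failure: Reason: Unknown user name or bad password User Name: guest "
    "Domain: Logon Type: 3 Logon Process: NtLmSsp Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: \\\\192.168.1.9\n"
    "2010 Mar 04 10:02:51 (WORKSTATION) 192.168.17.5->WinEvtLog WinEvtLog: "
    "System: INFORMATION(0): Print: SYSTEM: NT AUTHORITY: WORKSTATION: "
    "Printer HP Color LaserJet 8500 PS (from WORKSTATION) in session 2 was set.\n"
)

if __name__ == "__main__":
    # Each printed line is a candidate to feed into /var/ossec/bin/ossec-logtest.
    for msg in logtest_inputs(SAMPLE_ARCHIVE, "HP Color LaserJet 8500 PS"):
        print(msg)
```

In real use, read /var/ossec/logs/archives/archives.log from the server in place of SAMPLE_ARCHIVE; if the helper returns nothing, the event never reached the server, which points at the agent side rather than the rule.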