I haven't had a chance to ask dcid about the multi line log support.
I'm not convinced it would work the way we're hoping, because I'm
guessing the logs from multiple ldap sessions (conn=\d+) could be
mixed together (unlike multi-line logs from snort, which keep multiple
log entries separate from each other).

The "best" idea I've come up with so far is to write support into
logcollector for these logs and make sure slapd is writing its logs to
a file specific to those logs. I'm not a programmer, but I'm looking
at the snort_full code right now to see if that can spark some
inspiration for how to do this.

On Wed, Nov 17, 2010 at 3:54 PM, Doug Burks <doug.bu...@gmail.com> wrote:
> Any ideas on this one?
>
> Thanks,
> Doug Burks
>
> On Nov 12, 2:29 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>> What happens on the list stays on the list. ;)
>>
>>
>>
>> On Thu, Nov 11, 2010 at 9:15 PM, Chris Decker <deckmo...@gmail.com> wrote:
>> > I'm interested in such a decoder as well, so any effort expended to help
>> > Doug would also help me and countless others I'm sure.
>>
>> > On Wed, Nov 10, 2010 at 3:55 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> >> On Wed, Nov 10, 2010 at 3:12 PM, Doug Burks <doug.bu...@gmail.com> wrote:
>> >> > Has anybody used OSSEC to monitor OpenLDAP logs?  Specifically, I'd
>> >> > like to monitor for auth failures (err=49 in the sanitized log sample
>> >> > below).  As you can see, one LDAP connection (conn=999999) creates
>> >> > multiple log entries.  Further complicating the matter is the fact
>> >> > that there are two instances of the err=49 error in this LDAP
>> >> > connection.
>>
>> >> > Here's what I'd like to do.
>> >> > 1.  Write a decoder that would:
>> >> >  -process all of these lines together
>> >> >  -pull out the source IP address from the "ACCEPT from
>> >> > IP=10.10.248.27:33957" entry
>> >> >  -pull out the username from the "BIND
>> >> > dn="uid=username,ou=Department,ou=Business
>> >> > Unit,ou=People,dc=example,dc=com"" entry
>> >> > 2.  Write an "Invalid credentials" rule that would look for
>> >> > "err=49".
>>
>> >> > Would this be possible?  Would it require the multi-line log reader
>> >> > support added in OSSEC v2.5?  If so, I haven't found any documentation
>> >> > on this feature.
>>
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT
>> >> > from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 EXT
>> >> > oid=1.3.6.1.4.1.1466.20037
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 STARTTLS
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 RESULT oid=
>> >> > err=0 text=
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 TLS
>> >> > established tls_ssf=256 ssf=256
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND
>> >> > dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND
>> >> > dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT
>> >> > tag=97 err=0 text=
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SRCH
>> >> > base="ou=People,dc=example,dc=com" scope=2 deref=0
>> >> > filter="(uid=username)"
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 ENTRY
>> >> > dn="uid=username,ou=Department,ou=Business
>> >> > Unit,ou=people,dc=example,dc=com"
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SEARCH
>> >> > RESULT tag=101 err=0 nentries=1 text=
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND
>> >> > anonymous mech=implicit ssf=0
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND
>> >> > dn="uid=username,ou=Department,ou=Business
>> >> > Unit,ou=People,dc=example,dc=com" method=128
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT
>> >> > tag=97 err=49 text=
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND
>> >> > dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND
>> >> > dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
>> >> > Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 RESULT
>> >> > tag=97 err=0 text=
>> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND
>> >> > anonymous mech=implicit ssf=0
>> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND
>> >> > dn="uid=username,ou=Department,ou=Business
>> >> > Unit,ou=People,dc=example,dc=com" method=128
>> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT
>> >> > tag=97 err=49 text=
>> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND
>> >> > dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
>> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND
>> >> > dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
>> >> > Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 RESULT
>> >> > tag=97 err=0 text=
>> >> > Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 op=7 UNBIND
>> >> > Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed
>>
>> >> > Thanks,
>> >> > Doug Burks
>>
>> >> Gross.
>>
>> >> I was going to look into OpenLDAP at some point, now I think I see why
>> >> it wasn't done before.
>>
>> >> Out of curiosity, can connection logs from different conn's be mixed
>> >> together? For example:
>> >> Jan 11 09:27:34 blah slapd: conn=99997 blahblah
>> >> Jan 11 09:27:35 blah slapd: conn=99998 blahblah
>> >> Jan 11 09:27:36 blah slapd: conn=99999 blahblah
>> >> Jan 11 09:27:36 blah slapd: conn=99997 More blahblah
>>
>> >> Unfortunately I haven't seen much about the multi-line log option.
>> >> Here's the source in logcollector that should be handling it:
>>
>> >>http://bitbucket.org/dcid/ossec-hids/src/tip/src/logcollector/read_mu...
>>
>> >> I'm going to try and get an idea of how to use it tonight, and ask
>> >> about it on IRC tomorrow. I'm just not sure how it'll handle multiple
>> >> connection logs getting mixed together.
>> >> It's almost like we need a log format where we can specify an
>> >> identifier that groups logs together (conn=ID)...
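
The correlation the thread is asking for (group slapd lines by their conn= identifier, remember the ACCEPT source IP and the per-op BIND dn, and flag op RESULTs with err=49), written up as an added Python example that is not OSSEC's own code or decoder format. The sample log below is constructed, with two connections interleaved to cover the mixing case dan raises.

```python
import re

# Constructed sample: conn=1000 and conn=1001 interleave; conn=1000 fails two binds.
SAMPLE_LOG = """\
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1001 fd=65 ACCEPT from IP=10.10.248.28:40001 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000 op=1 BIND dn="uid=username,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1001 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1001 op=1 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=1000 op=2 BIND dn="uid=username,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=1000 op=2 RESULT tag=97 err=49 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=1000 op=3 UNBIND
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=1000 fd=64 closed
"""

LINE_RE = re.compile(r'slapd\S*\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'op=(?P<op>\d+) RESULT .*?err=(?P<err>\d+)')
CLOSED_RE = re.compile(r'fd=\d+ closed$')

def failed_binds(lines):
    """Return (src_ip, bind_dn, conn) for every RESULT with err=49.

    State is kept per conn id, so lines from different connections can
    arrive interleaved; the op number ties a RESULT back to its BIND dn."""
    conns = {}   # conn id -> {'ip': accept source, 'binds': {op: dn}}
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue   # not a slapd connection line
        conn, rest = m.group('conn'), m.group('rest')
        state = conns.setdefault(conn, {'ip': None, 'binds': {}})
        if (a := ACCEPT_RE.match(rest)):
            state['ip'] = a.group('ip')
        elif (b := BIND_RE.match(rest)):
            # 'BIND anonymous mech=implicit' has no dn= and is skipped here.
            state['binds'][b.group('op')] = b.group('dn')
        elif (r := RESULT_RE.match(rest)) and r.group('err') == '49':
            hits.append((state['ip'], state['binds'].get(r.group('op')), conn))
        elif CLOSED_RE.match(rest):
            conns.pop(conn, None)   # drop per-connection state once closed
    return hits

if __name__ == '__main__':
    for ip, dn, conn in failed_binds(SAMPLE_LOG.splitlines()):
        print(f'invalid credentials: conn={conn} ip={ip} dn={dn}')
```

A frequency rule on the (ip, dn) pairs returned here gives the "Invalid credentials" alert Doug describes, with the IP from ACCEPT and the user from BIND attached.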
