This is not a solution to your log monitoring question, but might be able to get close to what you want with a little scripting: http://www.mail-archive.com/ossec-list@googlegroups.com/msg07466.html
Sent from my iPhone

On Nov 10, 2010, at 3:12 PM, Doug Burks <doug.bu...@gmail.com> wrote:

> Has anybody used OSSEC to monitor OpenLDAP logs? Specifically, I'd like to monitor for auth failures (err=49 in the sanitized log sample below). As you can see, one LDAP connection (conn=999999) creates multiple log entries. Further complicating the matter is the fact that there are two instances of the err=49 error in this LDAP connection.
>
> Here's what I'd like to do.
>
> 1. Write a decoder that would:
>    - process all of these lines together
>    - pull out the source IP address from the "ACCEPT from IP=10.10.248.27:33957" entry
>    - pull out the username from the "BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com"" entry
> 2. Write an "Invalid credentials" rule that would look for "err=49".
>
> Would this be possible? Would it require the multi-line log reader support added in OSSEC v2.5? If so, I haven't found any documentation on this feature.
>
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 STARTTLS
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 RESULT oid= err=0 text=
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 TLS established tls_ssf=256 ssf=256
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=username)"
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 ENTRY dn="uid=username,ou=Department,ou=Business Unit,ou=people,dc=example,dc=com"
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND anonymous mech=implicit ssf=0
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
> Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 RESULT tag=97 err=0 text=
> Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND anonymous mech=implicit ssf=0
> Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
> Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT tag=97 err=49 text=
> Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
> Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
> Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 RESULT tag=97 err=0 text=
> Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 op=7 UNBIND
> Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed
>
> Thanks,
> Doug Burks
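The "little scripting" route, as an added example that is not from the thread, from OSSEC or from OpenLDAP: a single pass over the slapd log that keeps state per conn= number, remembers the source IP from the ACCEPT line and the DN from each BIND line, and emits one event per RESULT with err=49 carrying both. Keying on conn= is what makes this work where a fixed-count multi-line reader does not: the number of lines per connection varies, and lines from other connections interleave with them. The conn=999999 lines are the sanitized sample from the thread (a few of the Host re-bind lines trimmed); the conn=1000000 lines and the trailing conn=5 line are constructed to show an interleaved connection and a RESULT whose ACCEPT/BIND lines were never seen (log rotation, agent restart). The output line format and the ldap-bind-failure tag are my own choice, not an OSSEC convention.

```python
"""Correlate OpenLDAP slapd conn= lines so an err=49 (invalidCredentials) RESULT can be
attributed to the ACCEPT source IP and the BIND DN. Example for this thread, not OSSEC code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# conn=999999: sanitized sample from the thread (trimmed). conn=1000000 and the final conn=5
# line are constructed: an interleaved successful bind, and a failure with no ACCEPT/BIND seen.
SAMPLE_LOG = """\
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 STARTTLS
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 RESULT oid= err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 TLS established tls_ssf=256 ssf=256
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000000 fd=65 ACCEPT from IP=10.10.248.99:41000 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=username)"
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 ENTRY dn="uid=username,ou=Department,ou=Business Unit,ou=people,dc=example,dc=com"
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000000 op=0 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000000 op=0 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=1000000 fd=65 closed
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT tag=97 err=49 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 op=7 UNBIND
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed
Jan 11 09:27:05 hostname slapd2.4[20872]: conn=5 op=1 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\S*\[\d+\]: "
                     r"conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<src>\S+):(?P<port>\d+)")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')  # skips "BIND anonymous" lines
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT (?:tag=\d+ )?(?:oid=\S* )?err=(?P<err>\d+)")  # not SEARCH RESULT
CLOSED_RE = re.compile(r"^fd=\d+ closed")
LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials (RFC 4511)


@dataclass
class Conn:
    src_ip: Optional[str] = None
    src_port: Optional[str] = None
    bind_dn: Dict[str, str] = field(default_factory=dict)  # op number -> DN being bound


def first_rdn_value(dn: Optional[str]) -> Optional[str]:
    """'uid=username,ou=...' -> 'username'; 'cn=Host,...' -> 'Host'. Escaped commas not handled."""
    if not dn:
        return None
    return dn.split(",", 1)[0].partition("=")[2] or None


def correlate(lines) -> List[dict]:
    """One pass over slapd lines, state keyed by conn=; one alert per BIND RESULT with err=49."""
    conns: Dict[str, Conn] = {}
    alerts: List[dict] = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a conn= line (startup chatter etc.)
        conn_id, rest = m.group("conn"), m.group("rest")
        st = conns.setdefault(conn_id, Conn())
        if (a := ACCEPT_RE.match(rest)):
            st.src_ip, st.src_port = a.group("src"), a.group("port")
        elif (b := BIND_RE.match(rest)):
            st.bind_dn[b.group("op")] = b.group("dn")  # slapd logs two BIND lines per op, same DN
        elif (r := RESULT_RE.match(rest)) and int(r.group("err")) == LDAP_INVALID_CREDENTIALS:
            dn = st.bind_dn.get(r.group("op"))  # None if the BIND line was never seen
            alerts.append({"timestamp": m.group("ts"), "host": m.group("host"), "conn": conn_id,
                           "op": r.group("op"), "srcip": st.src_ip, "srcport": st.src_port,
                           "dn": dn, "user": first_rdn_value(dn)})
        elif CLOSED_RE.match(rest):
            conns.pop(conn_id, None)  # drop state; conn numbers start over after a slapd restart
    return alerts


def failures_by_source(alerts) -> Counter:
    """Failures per (srcip, user): the input a threshold rule (OSSEC frequency/timeframe) needs."""
    return Counter((a["srcip"], a["user"]) for a in alerts)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        # One self-contained line per failure, so a plain single-line decoder can pick it up.
        print(f"{a['timestamp']} {a['host']} ldap-bind-failure conn={a['conn']} op={a['op']} "
              f"srcip={a['srcip'] or '-'} user={a['user'] or '-'} dn=\"{a['dn'] or ''}\"")
```

Run against the sample this yields three events: op=3 and op=5 on conn=999999, both attributed to 10.10.248.27 and uid=username, and the orphan conn=5 failure with srcip and user reported as "-" rather than silently dropped. Writing those lines to a file that OSSEC reads as an ordinary single-line log turns the cross-line problem into a one-line decoder plus a rule on "ldap-bind-failure", with srcip and user available for frequency-based rules.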