On Fri, Dec 24, 2010 at 6:55 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> Hello
>
> Thanks for your reply.
>
> The events are coming from Active Directory running SNARE, which then
> forwards the events to Syslog-NG.
> OSSEC tails the syslog-ng dedicated log.
>
> Does it help?
>
> Kind regards
>

Ok, the format is funky, and the decoder isn't recognizing it. Part of
the issue may be that the IP address and hostname(?) are both showing
up in the header:

Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME

This could throw it all off. That may be something you can "fix" with
syslog-ng, but I don't know enough about syslog-ng to offer any real
solutions. I think, if it can be done, this is the best place to start.

You could also (and I don't think this is the best solution) adjust the
"windows-snare" decoder to deal with this situation. Removing the "^" in
the <prematch> may be all it takes.

You could also (still not the best option, but possibly better than the
one just above) add the following to local_decoder.xml:

<decoder name="windows-snare2">
  <type>windows</type>
  <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
  <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
  <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
  <order>id, extra_data, user, status, system_name</order>
  <fts>name, id, location, user, system_name</fts>
</decoder>

You might have to put it in decoder.xml above the "windows-snare"
decoder, I'm not sure.

A quick test with ossec-logtest (pasting everything from "Dec 23
09:08:13" to the end) would verify whether this is working.

> On Dec 23, 5:18 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>> These event messages seem odd. Running the first one through logtest
>> gives me the following:
>> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
>> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
>> ossec-testrule: Type one log per line.
>>
>> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
>> Security 19699453 Thu: Dec 23 09:08:15 2010 680
>> Security USERXXX User Success Audit DOMAINCONTROLERNAME
>> Account Logon Logon attempt by:
>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
>> Source Workstation: STATIONNAMEXXX Error Code: 0x0
>> 19695682
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
>> MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15
>> 2010 680 Security USERXXX User Success Audit
>> DOMAINCONTROLERNAME Account Logon Logon attempt by:
>> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
>> Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
>> hostname: '1.1.1.1'
>> program_name: '(null)'
>> log: 'DOMAINCONTROLERNAME MSWinEventLog 1 Security
>> 19699453 Thu: Dec 23 09:08:15 2010 680 Security
>> USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon
>> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon
>> account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code:
>> 0x0 19695682 '
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '1002'
>> Level: '2'
>> Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> How are these messages being passed to OSSEC?
>>
>> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
>> > Hello
>>
>> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
>> > the Alerts and
>>
>> > Here are 2 kinds of alert that should be passed to 0 or at least
>> > correctly classified.
>> > Those are 'Failures' and 'Errors' but I thought it would be handled
>> > by 'msauth_rules.xml'
>>
>> > Did someone already re-classify this kind of rules? If not, I'll
>> > probably have to (mute them at least)
>>
>> > ** Alert 1293091695.18221016: - syslog,errors,
>> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Src IP: (none)
>> > User: (none)
>> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
>> > Security 19699453 Thu: Dec 23 09:08:15 2010 680
>> > Security USERXXX User Success Audit DOMAINCONTROLERNAME
>> > Account Logon Logon attempt by:
>> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT
>> > Source
>> > Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
>>
>> > ** Alert 1293091695.18219733: - syslog,errors,
>> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Src IP: (none)
>> > User: (none)
>> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1
>> > Security 19699449 Thu: Dec 23 09:08:14 2010 673
>> > Security SYSTEM User Success Audit DOMAINCONTROLERNAME
>> > Account Logon Service Ticket Request: User Name:
>> > stationna...@petercam.corp User Domain: PETERCAM.CORP Service
>> > Name:
>> > krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502}
>> > Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client
>> > Address: 10.10.10.1 Failure Code: - Logon GUID:
>> > {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: -
>> > 19695678
>>
>> > Kind regards
>>
>> > Js Op de Beeck
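The windows-snare2 decoder proposed in the reply above, applied to the two Snare events quoted in the thread, as an added example that is not part of the original thread and not OSSEC's own code. OSSEC's regex dialect (`\.` for any character, with `\.+` stopping at the next token) is translated to Python `re` by hand, using non-greedy quantifiers to approximate that behaviour; that equivalence, the concatenation of the two `<regex>` elements into one pattern, and the tab separators restored in the constructed samples (the list archive collapsed them into spaces) are all assumptions. The `anchor_prematch` switch reproduces the point made in the reply: with the hostname left in front of `MSWinEventLog`, a prematch anchored with `^` never matches.

```python
import re

# Constructed samples: the two Snare events from the thread, as OSSEC's
# pre-decoder hands them to the decoders (the "log:" field ossec-logtest
# prints), with the tab separators the mailing-list archive collapsed restored.
SAMPLE_680 = (
    "DOMAINCONTROLERNAME MSWinEventLog\t1\tSecurity\t19699453\t"
    "Thu: Dec 23 09:08:15 2010\t680\tSecurity\tUSERXXX\tUser\tSuccess Audit\t"
    "DOMAINCONTROLERNAME\tAccount Logon\tLogon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
    "Source Workstation: STATIONNAMEXXX Error Code: 0x0\t19695682"
)
SAMPLE_673 = (
    "DOMAINCONTROLERNAME MSWinEventLog\t1\tSecurity\t19699449\t"
    "Thu: Dec 23 09:08:14 2010\t673\tSecurity\tSYSTEM\tUser\tSuccess Audit\t"
    "DOMAINCONTROLERNAME\tAccount Logon\tService Ticket Request: User Name: "
    "stationna...@petercam.corp User Domain: PETERCAM.CORP Service Name: krbtgt "
    "Client Address: 10.10.10.1 Failure Code: -\t19695678"
)

# Hand translation of the windows-snare2 decoder to Python re (assumption:
# OSSEC's \.+ stops at the next literal token, which non-greedy +? mimics).
PREMATCH = r"MSWinEventLog\t\d\t.+?\t\d+\t\w\w\S+ \w\w\w \d\d \d\d"
# The two <regex> elements of an OSSEC decoder are joined into one pattern.
REGEX = r"^:\d\d:\d\d \d\d\d\d\t(\d+)\t(.+?)" + r"\t(.+?)\t.+?\t(.+?)\t(.+?)\t"
ORDER = ["id", "extra_data", "user", "status", "system_name"]


def decode(log, anchor_prematch=False):
    """Return the <order> fields as a dict, or None if the decoder does not match.

    anchor_prematch=True puts the "^" back at the start of the prematch, which is
    what keeps the stock windows-snare decoder from matching these events.
    """
    prematch = re.compile(("^" if anchor_prematch else "") + PREMATCH)
    m = prematch.search(log)
    if m is None:
        return None
    # offset="after_prematch": the regex runs against the text following the prematch
    m2 = re.match(REGEX, log[m.end():])
    if m2 is None:
        return None
    return dict(zip(ORDER, m2.groups()))


if __name__ == "__main__":
    for sample in (SAMPLE_680, SAMPLE_673):
        print("anchored prematch:  ", decode(sample, anchor_prematch=True))
        print("unanchored prematch:", decode(sample))
```

Running it shows the anchored form returning None for both events and the unanchored form extracting event id 680 for USERXXX and 673 for SYSTEM, with `status` "Success Audit" and `system_name` DOMAINCONTROLERNAME in both; the same samples pasted into ossec-logtest are the authoritative check, since this script only approximates OSSEC's matcher.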