Crap ... Now the dual (hostname / IP) is solved - see previous post. But the rules are not matching, and the events are just classified as 1002.

Any idea? For me this should not be classified as 1002; those messages are success info.

SAMPLE 1
-------
r...@syslog:/var/ossec/bin# ./ossec-logtest
2010/12/28 11:37:18 ossec-testrule: INFO: Reading local decoder file.
2010/12/28 11:37:18 ossec-testrule: INFO: Started (pid: 6925).
ossec-testrule: Type one log per line.

Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34 2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818

**Phase 1: Completed pre-decoding.
       full event: 'Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34 2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818'
       hostname: '1.1.1.1'
       program_name: '(null)'
       log: 'MSWinEventLog;1;Security;23875316;Tue: Dec 28 06:54:34 2010;680;Security;DOMAINUSER;User;Success Audit;ADSERVER;Account Logon;;Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

-------
SAMPLE 2
r...@syslog:/var/ossec/bin# ./ossec-logtest
2010/12/28 11:49:24 ossec-testrule: INFO: Reading local decoder file.
2010/12/28 11:49:24 ossec-testrule: INFO: Started (pid: 10082).
ossec-testrule: Type one log per line.

Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09 2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account Logon;;Service Ticket Request: User Name: mach...@domain.corp User Domain: PETERCAM.CORP Service Name: ADSERVER$ Service ID: % {S-1-5-21-1424381949-1679034567-623647354-10835} Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Client Address: 10.10.2.3 Failure Code: - Logon GUID: {f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services: - ;23977936

**Phase 1: Completed pre-decoding.
       full event: 'Dec 28 11:30:12 1.1.1.2 MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09 2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account Logon;;Service Ticket Request: User Name: mach...@domain.corp User Domain: PETERCAM.CORP Service Name: ADSERVER$ Service ID: % {S-1-5-21-1424381949-1679034567-623647354-10835} Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Client Address: 10.10.2.3 Failure Code: - Logon GUID: {f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services: - ;23977936'
       hostname: '1.1.1.2'
       program_name: '(null)'
       log: 'MSWinEventLog;1;Security;23986439;Tue: Dec 28 11:30:09 2010;673;Security;SYSTEM;User;Success Audit;ADSERVER;Account Logon;;Service Ticket Request: User Name: mach...@domain.corp User Domain: PETERCAM.CORP Service Name: ADSERVER$ Service ID: % {S-1-5-21-1424381949-1679034567-623647354-10835} Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Client Address: 10.10.2.3 Failure Code: - Logon GUID: {f471326b-4fb3-0f68-7bd8-974d71ba493f} Transited Services: - ;23977936'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

----
Any idea?

On Dec 27, 10:56 am, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> Thanks for your troubleshooting
>
> I found the mistake ...
> Must *CHECK* the "Enable SYSLOG Header?" option ... this is not the
> default value after Setup.
>
> Kind regards
>
> Js
>
> On Dec 24, 8:54 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> > On Fri, Dec 24, 2010 at 6:55 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> > > Hello
> > >
> > > Thanks for your reply.
> > >
> > > The events are coming from Active Directory running SNARE, which then
> > > forwards the events to Syslog-NG.
> > > Ossec tails the syslog-ng dedicated log.
> > >
> > > Does it help?
> > >
> > > Kind regards
> >
> > Ok, the format is funky, and the decoder isn't recognizing it.
> > Part of the issue may be that the IP address and hostname(?) are both
> > showing up in the header:
> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
> >
> > This could throw it all off. That may be something you can "fix" with
> > syslog-ng, but I don't know enough about syslog-ng to offer any real
> > solutions. I think, if it can be done, this is the best place to
> > start.
> >
> > You could also (and I don't think this is the best solution) adjust
> > the "windows-snare" decoder to deal with this situation. Removing the
> > "^" in the <prematch> may be all it takes.
> >
> > You could also (still not the best option, but possibly better than
> > the one just above) add the following to local_decoder.xml:
> > <decoder name="windows-snare2">
> >   <type>windows</type>
> >   <prematch>MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
> >   <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
> >   <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
> >   <order>id, extra_data, user, status, system_name</order>
> >   <fts>name, id, location, user, system_name</fts>
> > </decoder>
> >
> > You might have to put it in decoder.xml above the "windows-snare"
> > decoder, I'm not sure. A quick test with ossec-logtest (pasting
> > everything from "Dec 23 09:08:13" to the end) would verify whether
> > this is working.
> >
> > > On Dec 23, 5:18 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> > > > These event messages seem odd. Running the first one through logtest
> > > > gives me the following:
> > > > 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
> > > > 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
> > > > ossec-testrule: Type one log per line.
> > > >
> > > > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
> > > >
> > > > **Phase 1: Completed pre-decoding.
> > > >        full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
> > > >        hostname: '1.1.1.1'
> > > >        program_name: '(null)'
> > > >        log: 'DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
> > > >
> > > > **Phase 2: Completed decoding.
> > > >        No decoder matched.
> > > >
> > > > **Phase 3: Completed filtering (rules).
> > > >        Rule id: '1002'
> > > >        Level: '2'
> > > >        Description: 'Unknown problem somewhere in the system.'
> > > > **Alert to be generated.
> > > >
> > > > How are these messages being passed to OSSEC?
> > > >
> > > > On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> > > > > Hello
> > > > >
> > > > > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
> > > > > the Alerts and
> > > > >
> > > > > Here are 2 kinds of alert that should be passed to 0 or at least
> > > > > correctly classified.
> > > > > Those are 'Failures' and 'Errors' but I thought they would be handled
> > > > > by 'msauth_rules.xml'
> > > > >
> > > > > Did someone already re-classify this kind of rule? If not, I'll
> > > > > probably have to (mute them at least)
> > > > >
> > > > > ** Alert 1293091695.18221016: - syslog,errors,
> > > > > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > > > > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > > > > Src IP: (none)
> > > > > User: (none)
> > > > > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
> > > > >
> > > > > ** Alert 1293091695.18219733: - syslog,errors,
> > > > > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > > > > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > > > > Src IP: (none)
> > > > > User: (none)
> > > > > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699449 Thu: Dec 23 09:08:14 2010 673 Security SYSTEM User Success Audit DOMAINCONTROLERNAME Account Logon Service Ticket Request: User Name: stationna...@petercam.corp User Domain: PETERCAM.CORP Service Name: krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502} Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client Address: 10.10.10.1 Failure Code: - Logon GUID: {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: - 19695678
> > > > >
> > > > > Kind regards
> > > > >
> > > > > Js Op de Beeck
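Added example, not code from this thread or from OSSEC: a small Python parser for the Snare `MSWinEventLog` payload that handles both delimiter styles seen above (the tab-separated form in the Dec 23 messages and the `;`-separated form in the Dec 28 samples), and checks a Python port of the `<prematch>` from dan's `windows-snare2` decoder against each. The field order, the sample lines (tabs are assumed for the first format, which the archive flattened to spaces; the failure line is invented), the mapping onto the decoder's `<order>` and the regex port are all my assumptions; OSSEC's regex dialect is not PCRE, so the port is approximate. The point it makes is visible in the thread itself: a prematch built from `\t` can never fire on a `;`-separated event, so that event falls through to rule 1002 no matter what the Success/Failure Audit field says.

```python
"""Parse Snare-forwarded Windows Security events (tab or ';' delimited)
and test a tab-based decoder prematch against them.  Added example, not
OSSEC code; field order, samples and the regex port are assumptions."""
import re

# Names for the 15 Snare fields, in the order the thread's samples show
# (assumption taken from those samples, not from Snare documentation).
SNARE_FIELDS = [
    "tag", "criticality", "source", "counter", "datetime", "event_id",
    "source2", "user", "sid_type", "event_type", "computer", "category",
    "data", "expanded", "counter2",
]

# Approximate port of the <prematch> from the windows-snare2 decoder in the
# thread. In OSSEC's dialect '\.' means "any character", hence '.' here.
TAB_PREMATCH = re.compile(r"MSWinEventLog\t\d\t.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d")

# Classic BSD syslog header: "Mon DD HH:MM:SS host rest".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)

# Constructed sample lines modelled on the thread's events.
TAB_LINE = (
    "Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME\tMSWinEventLog\t1\tSecurity\t"
    "19699453\tThu: Dec 23 09:08:15 2010\t680\tSecurity\tUSERXXX\tUser\t"
    "Success Audit\tDOMAINCONTROLERNAME\tAccount Logon\t\tLogon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
    "Source Workstation: STATIONNAMEXXX Error Code: 0x0\t19695682"
)
SEMI_LINE = (
    "Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;"
    "Tue: Dec 28 06:54:34 2010;680;Security;DOMAINUSER;User;Success Audit;"
    "ADSERVER;Account Logon;;Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER "
    "Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818"
)
FAIL_LINE = (  # invented failure audit in the ';' layout
    "Dec 28 06:55:01 1.1.1.1 MSWinEventLog;1;Security;23875400;"
    "Tue: Dec 28 06:54:59 2010;680;Security;DOMAINUSER;User;Failure Audit;"
    "ADSERVER;Account Logon;;Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER "
    "Source Workstation: DOMAINSTATION Error Code: 0xC000006A ;23866900"
)


def prematch_matches(line):
    """True when the tab-based prematch would fire on this line."""
    return TAB_PREMATCH.search(line) is not None


def parse_snare(line):
    """Split a syslog line carrying a Snare payload into named fields."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        raise ValueError("no syslog header: %r" % line[:40])
    rest = m.group("rest")
    idx = rest.find("MSWinEventLog")
    if idx < 0:
        raise ValueError("not a Snare MSWinEventLog payload")
    # Snare uses one delimiter throughout, so the character right after
    # the tag tells us which style this sender is configured for.
    delim = rest[idx + len("MSWinEventLog")]
    if delim not in ("\t", ";"):
        raise ValueError("unexpected Snare delimiter %r" % delim)
    parts = rest[idx:].split(delim)
    if len(parts) != len(SNARE_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(SNARE_FIELDS), len(parts)))
    event = dict(zip(SNARE_FIELDS, (p.strip() for p in parts)))
    event["timestamp"] = m.group("ts")
    event["hostname"] = m.group("host")
    event["delimiter"] = delim
    # Anything between the syslog host and the tag (the second name token
    # dan pointed out) is kept rather than silently dropped.
    event["extra_header"] = rest[:idx].strip()
    return event


def decoder_fields(event):
    """Map parsed fields onto the <order> of the thread's decoder (my mapping)."""
    return {
        "id": event["event_id"],
        "extra_data": event["source"],
        "user": event["user"],
        "status": event["event_type"],
        "system_name": event["computer"],
    }


def triage(event):
    """Success audits are informational; failure audits deserve a look."""
    kind = event["event_type"]
    if kind == "Success Audit":
        return "informational"
    if kind == "Failure Audit":
        return "review"
    return "unknown"


if __name__ == "__main__":
    for line in (TAB_LINE, SEMI_LINE, FAIL_LINE):
        ev = parse_snare(line)
        style = "tab" if ev["delimiter"] == "\t" else "semicolon"
        print(style, "prematch=%s" % prematch_matches(line),
              decoder_fields(ev), triage(ev))
```

Running it shows the tab line satisfying the prematch while both `;` lines fail it, even though all three parse cleanly once the delimiter is detected; that is the gap between "Snare header enabled" (which fixed the duplicated hostname) and "decoder written for tabs" that the Dec 28 samples fall into.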