Hello dan,

Indeed, that was the issue! Thank you very much for your help.

Regards,

artien

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of dan (ddp)
Sent: Tuesday, 29 November 2011 13:15
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] server-agent response on <command> and another question


On Nov 29, 2011 5:51 AM, "Artien Bel" <artien....@protopics.nl> wrote:
>
> Hello Dan,
>
> My configuration is as follows:
>
> Server:
>
> Local_rules.xml
> ============
> <group name="ossec,local,">
> <rule id="100101" level="7" ignore="7200">
>    <if_sid>530</if_sid>
>    <match>ossec: output: 'uptime': </match>
>    <regex>load average:</regex>
>    <description>Load average reached 0..</description>
> </rule>
>
> </group>
>
> Ossec.conf
> ========
>  <global>
>    <email_notification>no</email_notification>
>    <logall>yes</logall>
>  </global>
>
> (at the bottom)
> <localfile>
>    <log_format>command</log_format>
>    <command>uptime</command>
> </localfile>
>
> Agent:
>
> Ossec-agent.conf:
> ==============
> <localfile>
>    <log_format>command</log_format>
>    <command>uptime</command>
> </localfile>
>
>
> I have turned on logall but still see no alert generated by the uptime 
> command on the agent (while I see the command being executed in the agent 
> log). Other alerts (like checksum changes) do get sent from the agent to the 
> server.
>

Logall won't change alerts, just allow you to see the actual log message. I 
walked someone through this yesterday.

This is just a guess, but I think the ignore in your rule is ignoring the log 
messages from your agent.

>
> Regards,
>
> Artien
>
>
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of dan (ddp)
> Sent: Tuesday, 29 November 2011 10:19
> To: ossec-list@googlegroups.com
> Subject: RE: [ossec-list] server-agent response on <command> and another question
>
>
> On Nov 29, 2011 4:11 AM, "Artien Bel" <artien....@protopics.nl> wrote:
> >
> > Hello Dan/Doug,
> >
> > I added the rule to the ossec.conf of the agent and I see that the agent 
> > executes the command itself. However it doesn't generate an alert on the 
> > server. Is there something I need to do to tell the agent to transmit the 
> > results of the command to the server?
> >
> You'll have to show us what you did exactly. You don't put rules on agents or 
> in the ossec.conf.
> If you added the localfile uptime command, you could turn on logall on the 
> manager to see the log message being generated by the agent.
> > Thank you for your help,
> >
> > Artien
> >
> > -----Original message-----
> > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of dan (ddp)
> > Sent: Monday, 28 November 2011 21:24
> > To: ossec-list@googlegroups.com
> > Subject: Re: [ossec-list] server-agent response on <command> and another question
> >
> > On Tue, Nov 22, 2011 at 2:03 PM, Artien Bel <artien....@protopics.nl> wrote:
> > > Hello Doug,
> > >
> > > Thank you, sometimes something as obvious as a typo is all that's needed to 
> > > make it frustrating :) On the server it worked by adding:
> > >
> > > <group name="ossec,local,">
> > > <rule id="100101" level="7" ignore="7200">
> > >    <if_sid>530</if_sid>
> > >    <match>ossec: output: 'uptime': </match>
> > >    <regex>load average:</regex>
> > >    <description>Load average reached 0..</description>
> > > </rule>
> > >
> > > </group>
> > >
> > > To the local_rules.xml
> > >
> > > Is there a way however to get this information from the agent(s) too, or 
> > > is this something that only works on the server/local install/by reading 
> > > remote syslog with a cronjob?
> > >
> > > Regards,
> > >
> > > Artien
> >
> > You can add commands to agents by editing their ossec.confs.
> >
> >
> > There is also a way to add them to the agent.conf, but you have to modify 
> > internal_options.conf as well (for post 2.6, it'll work out of the box with 
> > pre-2.6, and won't work at all with 2.6).
> >
> > >
> > > -----Original message-----
> > > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf of Doug Burks
> > > Sent: Tuesday, 22 November 2011 14:53
> > > To: ossec-list@googlegroups.com
> > > Subject: Re: [ossec-list] server-agent response on <command> and another question
> > >
> > > Hi Artien,
> > >
> > > The rule should be in local_rules.xml (and don't forget to restart OSSEC 
> > > after placing it there).
> > >
> > > Looks like the output of the command says "load average" (no 's'), but 
> > > the rule is trying to match "load averages" (with an 's').
> > >
> > > Please try changing the rule to match the command output (and don't 
> > > forget to restart OSSEC).
> > >
> > > I've got some other examples here which you may be interested in:
> > > http://securityonion.blogspot.com/2011/11/how-do-i-receive-email-when-my-sensor.html
> > > http://securityonion.blogspot.com/2011/11/follow-up-on-ossec-alerts-for-packet.html
> > >
> > > Hope that helps!
> > >
> > > Thanks,
> > > --
> > > Doug Burks, GSE, CISSP | http://securityonion.blogspot.com President,
> > > Greater Augusta ISSA | http://augusta.issa.org
> > >
> > > On Mon, Nov 21, 2011 at 5:17 AM, Artien Bel <artien....@protopics.nl> wrote:
> > >> Hello,
> > >>
> > >> As a test to replace our application and server monitoring software, I am 
> > >> checking out OSSEC. At the moment I run a server/agent installation on 2 
> > >> VMs with CentOS 5.6 and this works rather well. I do run into some 
> > >> issues though that I can't seem to resolve by trying mindlessly, reading the 
> > >> documentation and searching the mailing list.
> > >>
> > >> 1. I created a "uptime" command on the agent and the server, and I see 
> > >> in the log that it runs:
> > >>
> > >> ossec-logcollector: INFO: Monitoring output of command(360): uptime
> > >>
> > >> ossec-logcollector: DEBUG: Running command 'uptime'
> > >> ossec-logcollector: DEBUG: Reading command message: 'ossec: output: 'uptime':  10:30:30 up 7 min,  2 users,  load average: 0.37, 0.65, 0.41'
> > >>
> > >> My issue is though, that I don't seem to be able to generate an alert 
> > >> from this. I added the rule:
> > >>
> > >> <rule id="100101" level="7" ignore="7200">
> > >>    <if_sid>530</if_sid>
> > >>    <match>ossec: output: "uptime": </match>
> > >>    <regex>load averages:</regex>
> > >>    <description>Load average reached 0..</description>
> > >> </rule>
> > >>
> > >> I tried to add it to both local_rules.xml and ossec_rules.xml (under the 
> > >> df -h rule) but in both cases it did not generate an alert, nor for the 
> > >> agent, nor for the server.
> > >>
> > >> Can anyone tell me what I'm doing wrong?
> > >>
> > >> My other question is: can OSSEC do rate detection on its own or will I 
> > >> need like syslog for that? I want to be able to alert only when event x 
> > >> is triggered more than y times in z interval.
> > >>
> > >> Regards,
> > >>
> > >> Artien
> > >>
> > >>
> > >
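The thread ends with two findings: the first rule never fired because its `<match>` and `<regex>` did not agree with the real command output (double quotes around uptime, "load averages" instead of "load average"), and the corrected rule fired only once because `ignore="7200"` suppressed every further hit, including the agent's, for two hours. The following Python model is an added example, not OSSEC code and not code from anyone in this thread. It reduces an OSSEC rule to the three things the thread turns on (`match`, `regex`, `ignore`) and replays constructed `uptime` events from a server and an agent through each variant of rule 100101. Two simplifications are assumptions of the model: `<match>` is treated as a plain substring test and `<regex>` as a Python `re` pattern (OSSEC has its own OS_Match/OS_Regex syntax), and the ignore window is tracked per rule rather than per agent, which is what the thread's diagnosis implies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample events (not from the thread's own logs beyond the message
# format): (manager-side timestamp in seconds, source name, log line). The line
# is what ossec-logcollector hands to the manager for a
# <localfile><log_format>command</log_format> entry.
EVENTS: List[Tuple[int, str, str]] = [
    (1000, "server",  "ossec: output: 'uptime':  10:30:30 up 7 min,  2 users,  load average: 0.37, 0.65, 0.41"),
    (1010, "agent01", "ossec: output: 'uptime':  10:30:40 up 3 days,  1 user,  load average: 1.20, 0.90, 0.70"),
    (1360, "server",  "ossec: output: 'uptime':  10:36:30 up 13 min,  2 users,  load average: 0.10, 0.40, 0.40"),
    (8300, "agent01", "ossec: output: 'uptime':  12:32:10 up 3 days,  1 user,  load average: 0.50, 0.60, 0.70"),
]


@dataclass
class Rule:
    """Toy model of one OSSEC rule whose <if_sid> parent (530, command output)
    has already matched. Only the fields the thread turns on are modelled."""
    rule_id: int
    match: str          # <match>: modelled as a plain substring test (assumption; OS_Match is richer)
    regex: str          # <regex>: modelled with Python re (assumption; OSSEC uses OS_Regex syntax)
    ignore: int = 0     # ignore="N": seconds to suppress this rule after it fires
    last_fired: Optional[int] = field(default=None, repr=False)

    def evaluate(self, ts: int, line: str) -> bool:
        """Return True when this event should produce an alert."""
        if self.match not in line:
            return False
        if re.search(self.regex, line) is None:
            return False
        # Assumption taken from the thread's diagnosis: the ignore window is
        # kept per rule, not per agent, so the server's event silences the
        # agent's event that arrives a few seconds later.
        if self.ignore and self.last_fired is not None and ts - self.last_fired < self.ignore:
            return False
        self.last_fired = ts
        return True


def run(rule: Rule, events=EVENTS) -> List[Tuple[int, str]]:
    """Feed events through the rule in timestamp order; return (ts, source) per alert."""
    return [(ts, src) for ts, src, line in events if rule.evaluate(ts, line)]


def original_rule() -> List[Tuple[int, str]]:
    """Artien's first attempt: double quotes around uptime and 'load averages'
    never match the real output, so nothing alerts."""
    return run(Rule(100101, match='ossec: output: "uptime": ', regex="load averages:"))


def rule_with_ignore() -> List[Tuple[int, str]]:
    """Corrected match/regex but still ignore="7200": the first event fires,
    the agent's report ten seconds later is swallowed (the symptom Dan guessed
    at), and only an event more than 7200 s later fires again."""
    return run(Rule(100101, match="ossec: output: 'uptime': ", regex="load average:", ignore=7200))


def rule_without_ignore() -> List[Tuple[int, str]]:
    """Same rule with the ignore attribute removed: every uptime report alerts."""
    return run(Rule(100101, match="ossec: output: 'uptime': ", regex="load average:"))


if __name__ == "__main__":
    print("original rule:", original_rule())
    print("ignore=7200  :", rule_with_ignore())
    print("no ignore    :", rule_without_ignore())
```

Running it shows the three stages of the thread in order: no alerts, then one alert per two-hour window regardless of how many hosts report, then one alert per report. The practical check on a real manager is the one Dan suggested: turn on `<logall>` and confirm the agent's `ossec: output: 'uptime':` line reaches the manager before blaming the agent, since a rule-level `ignore` drops the alert without leaving any trace in the agent log. For Artien's second question, OSSEC's rule syntax also has `frequency` and `timeframe` attributes for "more than y hits in z seconds"; that is outside what this example models.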
