On Fri, Jan 6, 2012 at 10:19 AM, Marc Esher <[email protected]> wrote:
> On Fri, Jan 6, 2012 at 9:58 AM, dan (ddp) <[email protected]> wrote:
>> On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <[email protected]> wrote:
>>> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <[email protected]> wrote:
>>>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]> wrote:
>>>>> Great. Thanks for the starting point, Dan.
>>>>>
>>>>
>>>> If you continue to have issues, posting a log sample might help.
>>>
>>> Thanks Dan. I narrowed it down to the fact that the IIS log settings
>>> were not set to log cookies. Consequently, the parser was not
>>> correctly identifying the status-code field. Turning on all logging
>>> fixed that.
>>>
>>> However, there's still something strange: I have an email alert rule
>>> set up to email me for log-level 10.
>>>
>>> <email_alerts>
>>> <email_to>my email....</email_to>
>>> <level>10</level>
>>> </email_alerts>
>>>
>>> <email_alerts>
>>> <email_to>my email...</email_to>
>>> <rule_id>31151</rule_id>
>>> </email_alerts>
>>>
>
> Can't imagine why I'd need that. Nonetheless, I added it as you

Having a global email section is always necessary.

> suggested, and I get an error on ossec restart indicating <level> is
> invalid in the global config.
>

Ok, I'll fix it:

<ossec_config>
<global>
<email_to>my email....</email_to>
<email_notification>yes</email_notification>
<smtp_server>127.0.0.1</smtp_server>
<email_from>[email protected]</email_from>
</global>

<email_alerts>
<email_to>my email...</email_to>
<rule_id>31151</rule_id>
</email_alerts>

<!-- XXX This is probably already in your ossec.conf, you should modify it -->
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>10</email_alert_level>
</alerts>

> Thoughts?
>

Troubleshooting should be part of your job description.

>
>> You should have an email setup in the <global section>, not just the
>> granular email setups.
>>
>> <ossec_config>
>> <global>
>> <email_to>my email....</email_to>
>> <level>10</level>
>> <email_notification>yes</email_notification>
>> <smtp_server>127.0.0.1</smtp_server>
>> <email_from>[email protected]</email_from>
>> <email_maxperhour>100</email_maxperhour>
>> </global>
>>
>> <email_alerts>
>> <email_to>my email...</email_to>
>> <rule_id>31151</rule_id>
>> </email_alerts>
>>
>>>
>>> I triggered the multiple 404 error codes rule, and I see it in the alert
>>> log:
>>>
>>> ** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
>>> 2012 Jan 06 09:15:27 (yyyy)
>>> XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
>>> Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from
>>> same source ip.'
>>> .....
>>>
>>> My understanding of this is that the rule is triggered, and due to
>>> "mail" being in the log message, it should be sending the email as
>>> configured. In fact, I imagine it should send two emails, 1 for
>>> reaching a log-level of 10, and the other for matching rule 31151.
>>>
>>> However, when I tail /var/log/maillog, I see no evidence of mail being
>>> sent (and obviously I didn't receive any emails).
>>>
>>> Thoughts?
>>>
>>> Thanks again.
>>>
>>> Marc
>>>
>>>>
>>>>> On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote:
>>>>>> On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
>>>>>>> Greetings all,
>>>>>>>
>>>>>>> Typical "Brand new to ossec" post here.
>>>>>>>
>>>>>>> I have an ossec manager server, with a minimally modified standard
>>>>>>> ossec.conf file. It monitors two Windows agents. I see in the agent
>>>>>>> log files that it is correctly picking up the IIS log files each day
>>>>>>> as they rotate.
>>>>>>>
>>>>>>> I see entries in the IIS log related to the ZmEu scanner (just like
>>>>>>> this one, which is successfully using ossec to punt these attempts:
>>>>>>> http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>>>>>>>
>>>>>>> However, I was never notified of these scan attempts by ossec. I have
>>>>>>> all manner of information in the nightly log emails I receive, but
>>>>>>> nothing related to "Mutiple web server 400 error codes from same
>>>>>>> source ip".
>>>>>>>
>>>>>>> I'm assuming I have something misconfigured, but I don't know what
>>>>>>> that is.
>>>>>>>
>>>>>>> What would cause me not to be notified of these scan attempts?
>>>>>>>
>>>>>>> Thanks for guidance.
>>>>>>>
>>>>>>> Marc
>>>>>>
>>>>>> I don't see log samples in that blog post. So you'll have to do some
>>>>>> work.
>>>>>>
>>>>>> Run a log message through ossec-logtest. See how it's parsed. See what
>>>>>> alert is triggered.
>>>>>>
>>>>>> Run a bunch of log messages through ossec-logtest. See what alert is
>>>>>> triggered then.
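The thread hinges on reading the `mail` token in an alerts.log header: ossec-analysisd writes `mail` into the `** Alert ...:` line when it has flagged the alert for e-mail, and ossec-maild only picks up flagged alerts. The script below, an added example that is not part of the thread or of OSSEC itself, parses alerts.log entries and compares each one against the thresholds discussed here (`<email_alert_level>` of 10 and a granular `<rule_id>` of 31151). The two sample entries are constructed to resemble the one Marc quoted; the agent name, IPs and the IIS request lines are invented, and the `diagnose()` verdict names are this example's own.

```python
"""Check OSSEC alerts.log entries against e-mail thresholds.

Added example, not from the mailing-list thread or from OSSEC.
SAMPLE_ALERTS_LOG is a constructed stand-in for /var/ossec/logs/alerts/alerts.log.
"""
import re
from dataclasses import dataclass, field

# Header written by ossec-analysisd: "** Alert <ts>.<seq>: mail  - <groups>"
# The " mail" token is present only when analysisd flagged the alert for e-mail.
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail>\s+mail)?\s+-\s+(?P<groups>\S*)$")
RULE_RE = re.compile(
    r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed sample: one flagged level-10 alert (rule 31151) and one
# unflagged level-5 alert; hostnames, IPs and request lines are invented.
SAMPLE_ALERTS_LOG = r"""** Alert 1325859327.297377: mail  - web,accesslog,web_scan,recon,
2012 Jan 06 09:15:27 (iis-web01) 10.0.0.12->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
Src IP: 198.51.100.7
2012-01-06 09:15:26 10.0.0.12 GET /phpMyAdmin/scripts/setup.php - 80 - 198.51.100.7 ZmEu 404 0 2 15

** Alert 1325859340.298101: - web,accesslog,
2012 Jan 06 09:15:40 (iis-web01) 10.0.0.12->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 198.51.100.7
2012-01-06 09:15:39 10.0.0.12 GET /w00tw00t.at.ISC.SANS.DFind:) - 80 - 198.51.100.7 ZmEu 404 0 2 15
"""


@dataclass
class Alert:
    alert_id: str
    mail: bool            # True when the header carries the "mail" token
    groups: list
    rule_id: int = 0
    level: int = 0
    description: str = ""
    body: list = field(default_factory=list)   # remaining lines (Src IP, raw log)


def parse_alerts(text):
    """Split alerts.log text into Alert records; tolerant of blank separators."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = Alert(m.group("id"), bool(m.group("mail")),
                            [g for g in m.group("groups").split(",") if g])
            alerts.append(current)
            continue
        if current is None:
            continue
        r = RULE_RE.match(line)
        if r:
            current.rule_id = int(r.group("rule_id"))
            current.level = int(r.group("level"))
            current.description = r.group("desc")
        elif line:
            current.body.append(line)
    return alerts


def mail_flagged(alerts):
    """Alerts analysisd already handed to the mail path."""
    return [a for a in alerts if a.mail]


def diagnose(text, email_alert_level=10, granular_rule_ids=(31151,)):
    """Return (alert_id, rule_id, level, verdict) per entry.

    verdict values (this example's own names):
      flagged - expected by config and marked "mail": if nothing was sent,
                look at ossec-maild and the SMTP path, not the rules
      missing - expected by config but not marked: check <alerts> and
                <email_notification> in <global>
      extra   - marked although below the thresholds given here
      none    - below threshold, no e-mail expected
    """
    report = []
    for a in parse_alerts(text):
        expected = a.level >= email_alert_level or a.rule_id in granular_rule_ids
        if a.mail and expected:
            verdict = "flagged"
        elif expected:
            verdict = "missing"
        elif a.mail:
            verdict = "extra"
        else:
            verdict = "none"
        report.append((a.alert_id, a.rule_id, a.level, verdict))
    return report


if __name__ == "__main__":
    for alert_id, rule_id, level, verdict in diagnose(SAMPLE_ALERTS_LOG):
        print(f"{alert_id}  rule {rule_id} (level {level})  {verdict}")
```

Run it against a real alerts.log by reading the file into `diagnose()` in place of `SAMPLE_ALERTS_LOG`. In Marc's situation the 31151 alert reports `flagged`, which is exactly why the next place to look is /var/log/maillog and the ossec-maild side rather than the rule or threshold configuration.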
