On Fri, Jan 6, 2012 at 10:41 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Jan 6, 2012 at 10:19 AM, Marc Esher <[email protected]> wrote:
>> On Fri, Jan 6, 2012 at 9:58 AM, dan (ddp) <[email protected]> wrote:
>>> On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <[email protected]> wrote:
>>>> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <[email protected]> wrote:
>>>>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]> wrote:
>>>>>> Great. Thanks for the starting point, Dan.
>>>>>
>>>>> If you continue to have issues, posting a log sample might help.
>>>>
>>>> Thanks Dan. I narrowed it down to the fact that the IIS log settings were not set to log cookies. Consequently, the parser was not correctly identifying the status-code field. Turning on all logging fixed that.
>>>>
>>>> However, there's still something strange: I have an email alert rule set up to email me for log-level 10.
>>>>
>>>> <email_alerts>
>>>> <email_to>my email....</email_to>
>>>> <level>10</level>
>>>> </email_alerts>
>>>>
>>>> <email_alerts>
>>>> <email_to>my email...</email_to>
>>>> <rule_id>31151</rule_id>
>>>> </email_alerts>
>>>>
>> Can't imagine why I'd need that. Nonetheless, I added it as you
>
> Having a global email section is always necessary.

Got it. I had that, but I only had the server and "from" configured, not the "to". Frankly, even with the log level set to 10, it's just way too noisy -- I get all manner of Windows audit junk that I don't care about (not in real-time, anyway), and I haven't dug in to figure out how to filter them out yet. Ideally, I just want to get notifications on certain classes of rules -- like the web rules, for example.

Interestingly enough, in the last several hours, the "404" rule has quit working as it was previously. I no longer see any entries in the alerts log. Using logtest shows that the same entries, when pasted into stdin, do trigger the alert. But the log monitoring on the agent server isn't picking them up. Weird.

>> suggested, and I get an error on ossec restart indicating <level> is invalid in the global config.
>
> Ok, I'll fix it:
> <ossec_config>
> <global>
> <email_to>my email....</email_to>
> <email_notification>yes</email_notification>
> <smtp_server>127.0.0.1</smtp_server>
> <email_from>[email protected]</email_from>
> </global>
>
> <email_alerts>
> <email_to>my email...</email_to>
> <rule_id>31151</rule_id>
> </email_alerts>
>
> <!-- XXX This is probably already in your ossec.conf, you should modify it -->
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>10</email_alert_level>
> </alerts>
>
>> Thoughts?
>
> Troubleshooting should be part of your job description.
>
>>> You should have an email setup in the <global section>, not just the granular email setups.
>>>
>>> <ossec_config>
>>> <global>
>>> <email_to>my email....</email_to>
>>> <level>10</level>
>>> <email_notification>yes</email_notification>
>>> <smtp_server>127.0.0.1</smtp_server>
>>> <email_from>[email protected]</email_from>
>>> <email_maxperhour>100</email_maxperhour>
>>> </global>
>>>
>>> <email_alerts>
>>> <email_to>my email...</email_to>
>>> <rule_id>31151</rule_id>
>>> </email_alerts>
>>>
>>>> I triggered the multiple 404 error codes rule, and I see it in the alert log:
>>>>
>>>> ** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
>>>> 2012 Jan 06 09:15:27 (yyyy) XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
>>>> Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
>>>> .....
>>>>
>>>> My understanding of this is that the rule is triggered, and due to "mail" being in the log message, it should be sending the email as configured. In fact, I imagine it should send two emails, 1 for reaching a log-level of 10, and the other for matching rule 31151.
>>>>
>>>> However, when I tail /var/log/maillog, I see no evidence of mail being sent (and obviously I didn't receive any emails).
>>>>
>>>> Thoughts?
>>>>
>>>> Thanks again.
>>>>
>>>> Marc
>>>>
>>>>>> On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote:
>>>>>>> On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
>>>>>>>> Greetings all,
>>>>>>>>
>>>>>>>> Typical "Brand new to ossec" post here.
>>>>>>>>
>>>>>>>> I have an ossec manager server, with a minimally modified standard ossec.conf file. It monitors two Windows agents. I see in the agent log files that it is correctly picking up the IIS log files each day as they rotate.
>>>>>>>>
>>>>>>>> I see entries in the IIS log related to the ZmEu scanner (just like this one, which is successfully using ossec to punt these attempts: http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>>>>>>>>
>>>>>>>> However, I was never notified of these scan attempts by ossec. I have all manner of information in the nightly log emails I receive, but nothing related to "Mutiple web server 400 error codes from same source ip".
>>>>>>>>
>>>>>>>> I'm assuming I have something misconfigured, but I don't know what that is.
>>>>>>>>
>>>>>>>> What would cause me not to be notified of these scan attempts?
>>>>>>>>
>>>>>>>> Thanks for guidance.
>>>>>>>>
>>>>>>>> Marc
>>>>>>>
>>>>>>> I don't see log samples in that blog post. So you'll have to do some work.
>>>>>>>
>>>>>>> Run a log message through ossec-logtest. See how it's parsed. See what alert is triggered.
>>>>>>>
>>>>>>> Run a bunch of log messages through ossec-logtest. See what alert is triggered then.
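A small checker, added here and not part of the thread or of OSSEC itself, that parses an ossec.conf fragment for the email setup dan describes (a complete <global> section plus granular <email_alerts>) and flags the misplaced <level> that caused Marc's restart error, and that pulls the mail flag, groups, rule id and level out of an alerts.log entry shaped like the one Marc quoted. The config text, the alert entry, the addresses and the agent name are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment with the thread's mistake: <level> inside <global>.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <level>10</level>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>[email protected]</email_from>
  </global>
  <email_alerts>
    <email_to>[email protected]</email_to>
    <rule_id>31151</rule_id>
  </email_alerts>
</ossec_config>"""
# Constructed alerts.log entry shaped like the one quoted in the thread.
SAMPLE_ALERT = r"""** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
2012 Jan 06 09:15:27 (agent01) 10.0.0.5->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'"""

def check_email_config(conf_text):
    """List the problems that stop the manager from emailing alerts."""
    # ossec.conf may hold several <ossec_config> roots, so wrap them before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    glob = root.find(".//global")
    if glob is None:
        return ["no <global> section: granular <email_alerts> alone never send mail"]
    problems = ["<global> is missing <%s>" % tag
                for tag in ("email_notification", "email_to", "smtp_server", "email_from")
                if glob.find(tag) is None]
    if glob.find("level") is not None:
        problems.append("<level> is not valid in <global>; use <alerts><email_alert_level>")
    for ea in root.iter("email_alerts"):
        if ea.find("email_to") is None:
            problems.append("<email_alerts> block has no <email_to>")
    return problems

ALERT_RE = re.compile(r"\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)? - (?P<groups>[\w,]+)")
RULE_RE = re.compile(r"Rule: (?P<id>\d+) \(level (?P<level>\d+)\)")

def parse_alert(entry):
    """Extract the mail flag, groups, rule id and level from one alerts.log entry."""
    head, rule = ALERT_RE.search(entry), RULE_RE.search(entry)
    if head is None or rule is None:
        return None
    return {"mail": head.group("mail") is not None,
            "groups": head.group("groups").strip(",").split(","),
            "rule_id": int(rule.group("id")), "level": int(rule.group("level"))}
```

An entry whose header lacks the "mail" flag was never queued for maildaemon, so checking that flag on the alert is the quickest way to tell a config problem from a rule problem.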
