I should probably mention that I think the -a flag for ossec-logtest will give you OSSEC alert log output. Redirect that to a file or possibly to ossec-reportd, and you should probably get what you're after.
On Mon, Mar 5, 2012 at 5:48 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Mon, Mar 5, 2012 at 4:26 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
>> Hi all,
>>
>> I am trying to report all actions made by some CheckPoint Firewalls.
>> After adjusting my decoder, I am trying to write some rules to match all
>> logged firewall actions like: Drop, Accept, Session Auth, etc...
>>
>> For example, to report all drops, I have written this rule:
>>
>> <group name="cpfirewall,">
>>   <rule id="100100" level="0">
>>     <description>CheckPoint Firewall-1 rules grouped.</description>
>>   </rule>
>>   <rule id="100101" level="5">
>>     <if_sid>100100</if_sid>
>>     <action>Drop</action>
>>     <description>CheckPoint Firewall-1 drop action event.</description>
>>     <group>cpfirewall,drop,</group>
>>   </rule>
>> </group>
>>
>> Testing one rule:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '"294" "28Feb2012" "23:59:14" "Lan2" "CHCKPNT1" "Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""'
>>        hostname: 'cosclunode02'
>>        program_name: '(null)'
>>        log: '"294" "28Feb2012" "23:59:14" "Lan2" "FW-INT-CHCKPNT1" "Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'custom-checkpoint-fw'
>>        action: 'Drop'
>>        srcip: '192.168.1.5'
>>        dstip: '192.168.1.255'
>>        proto: 'udp'
>>        extra_data: 'message_info: Address spoofing'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100100'
>>        Level: '0'
>>        Description: 'CheckPoint Firewall-1 rules grouped.'
>>
>> After this, I have run an ossec-reportd test:
>>
>> [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f level 5
>
> Is cp.logs the firewall logs or OSSEC alert logs? ossec-reportd looks
> through OSSEC alert logs.
>
>> 2012/03/05 09:11:08 ossec-reportd: INFO: Started (pid: 25097).
>> 2012/03/05 09:11:15 ossec-reportd: INFO: Report completed and zero alerts post-filter
>>
>> ... and:
>>
>> [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f group cpfirewall
>> 2012/03/05 09:12:10 ossec-reportd: INFO: Started (pid: 25097).
>> 2012/03/05 09:12:50 ossec-reportd: INFO: Report completed and zero alerts post-filter
>>
>> ... and
>>
>> [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f group cpfirewall_drop
>> 2012/03/05 09:13:45 ossec-reportd: INFO: Started (pid: 25097).
>> 2012/03/05 09:14:10 ossec-reportd: INFO: Report completed and zero alerts post-filter
>>
>> ... but it doesn't work ... What am I doing wrong??
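An added illustration of the point made in the reply above (example code, not from the thread or from OSSEC): the two ossec-reportd filters used in the thread, re-implemented over a constructed alerts.log sample, so that the raw cp.logs line yields nothing while alert records carrying the "cpfirewall,drop," group match. The alert-record layout, the timestamps, the hypothetical second rule 100102 and the reading of `-f level N` as a minimum level are assumptions.

```python
import re
# Constructed sample of OSSEC alert-log records, the format ossec-analysisd
# writes to alerts.log and ossec-logtest -a prints. Timestamps and the second
# record (hypothetical rule 100102) are illustrative, not from the poster.
ALERT_LOG = """\
** Alert 1330473554.1234: - cpfirewall,drop,
2012 Feb 28 23:59:14 cosclunode02->/data/config/logs/cp.logs
Rule: 100101 (level 5) -> 'CheckPoint Firewall-1 drop action event.'
"294" "28Feb2012" "23:59:14" "Lan2" "CHCKPNT1" "Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""

** Alert 1330473560.1300: - cpfirewall,accept,
2012 Feb 28 23:59:20 cosclunode02->/data/config/logs/cp.logs
Rule: 100102 (level 3) -> 'CheckPoint Firewall-1 accept action event.'
"295" "28Feb2012" "23:59:20" "Lan2" "CHCKPNT1" "Log" "Accept" "http" "http" "192.168.1.7" "10.0.0.1" "tcp" "" "" "" "" "" "VPN-1 Power/UTM" "" ""
"""

# The raw CheckPoint line from the thread, i.e. what `cat cp.logs` fed to
# ossec-reportd. It is a firewall log line, not an OSSEC alert record.
RAW_FW_LOG = ('"294" "28Feb2012" "23:59:14" "Lan2" "CHCKPNT1" "Log" "Drop" '
              '"nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" '
              '"message_info: Address spoofing" "VPN-1 Power/UTM" "" ""\n')

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): - (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def parse_alerts(text):
    """Split alert-log text into records. A block without an '** Alert'
    header and a 'Rule:' line (e.g. a raw firewall line) is not an alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines() or [""]
        head = HEADER.match(lines[0])
        rule = next((m for m in map(RULE.match, lines[1:]) if m), None)
        if not head or not rule:
            continue
        alerts.append({"groups": {g for g in head.group(2).split(",") if g},
                       "rule": int(rule.group(1)), "level": int(rule.group(2)),
                       "description": rule.group(3)})
    return alerts

def report(text, filt, value):
    """Mimic `ossec-reportd -f level N` (taken here as alerts with level >= N)
    and `-f group NAME` (NAME must be one of the record's comma-separated groups)."""
    alerts = parse_alerts(text)
    if filt == "level":
        return [a for a in alerts if a["level"] >= int(value)]
    if filt == "group":
        return [a for a in alerts if value in a["groups"]]
    raise ValueError(f"unsupported filter: {filt}")
```

Run over RAW_FW_LOG every filter returns an empty list, matching the "zero alerts post-filter" seen in the thread; over ALERT_LOG the level 5 and group drop filters each return the rule 100101 record, while group cpfirewall_drop still matches nothing because the rule's groups are cpfirewall and drop, not cpfirewall_drop.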