On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> wrote:
>
> Hi All,
>
> We have issues configuring Ossec server to receive Netscreen firewall
> logs. Logs are decoded as syslog, not netscreen firewall.
>
> Here are my configuration steps:
>
> First, firewalls are configured sending audit logs via syslog.
>
> We changed ossec.conf file as below to allow syslog:
>
> <remote>
>     <connection>syslog</connection>
>     <allowed-ips>firewall ip</allowed-ips>
> </remote>
>
> Ossec services restarted without problem.
>
> I checked with tcpdump that firewall syslog traffic is received by Ossec
> Server.
>
> Here is my sample log.
>
> Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>
> /var/ossec/bin/ossec-logtest shows logs from netscreen device decoded
> properly.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login
> attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
> (2012-08-15 11:33:36)'
>        hostname: '1.1.1.1'
>        program_name: 'SSG350M'
>        log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> Admin user "userid" login attempt for Web(http) management (port 20480) from
> 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
>
> **Phase 2: Completed decoding.
>        decoder: 'netscreenfw'
>        action: 'warning'
>        id: '00518'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '4502'
>        Level: '9'
>        Description: 'Netscreen warning message.'
> **Alert to be generated.
>
> No logs/alerts occurred on /var/ossec/logs/firewall/firewall.log.
>
> I checked /var/ossec/logs/alerts/alerts.log and a log about syslog
> process. It seems log is decoded as syslog.
>
> ** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
> 2012 Aug 15 13:35:45 logyon->1.1.1.1
> Rule: 2501 (level 5) -> 'User authentication failure.'
> SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM:
> Local admin authentication failed for login name userid: invalid password
> (2012-08-15 14:39:22)
>

It looks like the log message sent to OSSEC is different than the log
message you tested above. This log message doesn't have the timestamp
at the beginning.

**Phase 1: Completed pre-decoding.
       full event: 'SSG350M: NetScreen device_id=Juniper111
[Root]system-warning-00518: ADM: Local admin authentication failed for
login name userid: invalid password (2012-08-15 14:39:22)'
       hostname: 'arrakis'
       program_name: '(null)'
       log: 'SSG350M: NetScreen device_id=Juniper111
[Root]system-warning-00518: ADM: Local admin authentication failed for
login name userid: invalid password (2012-08-15 14:39:22)'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.


>
> I couldn't find what I am missing. Any help would be greatly
> appreciated.
>
> Regards,
>
> Ozgur
>
> The information in this message and/or attachments is intended solely for
> the attention and use of the named addressee and may be confidential. If you
> are not the intended recipient, you are hereby notified that you have
> received this transmittal in error and that any use of it is strictly
> prohibited. In such a case please delete this message and kindly notify the
> sender accordingly.
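To make the reply's point concrete, here is an added Python sketch that is not OSSEC's code and not from either poster. It imitates the two stages visible in the ossec-logtest output: a BSD-syslog pre-decoder that splits off `timestamp hostname program_name:` to produce the `log` field, and a decoder whose prematch is applied to that `log` field only. The header regex, the `NetScreen device_id=` prematch and the `localhost` fallback hostname are simplified assumptions modelled on the logtest output in the thread, not OSSEC's actual decoder definitions. Run over the two sample events, the one with a syslog header yields `program_name` `SSG350M` and a `netscreenfw` match with `action=warning`, `id=00518`; the one that arrives without a header is passed through whole, so its `log` field starts with `SSG350M: ` and the netscreen prematch never sees `NetScreen device_id=` at the start.

```python
import re

# Constructed sample events, copied from the thread's (sanitized) examples.
WITH_HEADER = (
    'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
    '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
    'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
)
NO_HEADER = (
    'SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: '
    'Local admin authentication failed for login name userid: invalid password '
    '(2012-08-15 14:39:22)'
)

# Assumption: simplified imitation of the BSD-syslog pre-decoder,
# "Mmm DD HH:MM:SS hostname program_name[pid]: message".
SYSLOG_HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<log>.*)$'
)

# Assumption: simplified imitation of a netscreenfw-style decoder. Its prematch
# is anchored at the start of the *log* field, i.e. after the syslog header.
NETSCREEN = re.compile(
    r'^NetScreen device_id=(?P<device>\S+)\s+\[Root\]system-(?P<action>\w+)-(?P<id>\d+):'
)


def predecode(event, local_host='localhost'):
    """Phase 1: split the syslog header off the event.

    Without a header the whole line becomes the log body and the hostname
    falls back to the receiving host (the thread shows 'arrakis' there)."""
    m = SYSLOG_HEADER.match(event)
    if m:
        return {'hostname': m['host'], 'program_name': m['prog'], 'log': m['log']}
    return {'hostname': local_host, 'program_name': None, 'log': event}


def decode(pre):
    """Phase 2: try the netscreen prematch against the log body only."""
    m = NETSCREEN.match(pre['log'])
    if not m:
        return None
    return {'decoder': 'netscreenfw', 'action': m['action'], 'id': m['id']}


def check(event):
    """Return (pre-decoded fields, decoder result or None) for one event."""
    pre = predecode(event)
    return pre, decode(pre)


if __name__ == '__main__':
    for label, event in (('with syslog header', WITH_HEADER), ('no syslog header', NO_HEADER)):
        pre, dec = check(event)
        print(f'--- {label}')
        print(f"  program_name: {pre['program_name']!r}")
        print(f"  log starts with: {pre['log'][:40]!r}")
        print(f"  decoder: {dec['decoder'] if dec else 'No decoder matched.'}")
```

The diagnostic step this suggests is to compare what tcpdump shows on the wire with what ossec-logtest was fed: if the device emits the message without the `Mmm DD HH:MM:SS host prog:` prefix, every NetScreen-specific decoder and the firewall.log output depend on a header that is never there.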
