*Hi Dan,
Thank you for your reply.
The original netscreen log message has a timestamp. The log is taken from another
syslog server.*
"
Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
[Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
"
*The log message in your test was part of alert.log.
Here are my logtest results, but we are still unable to decode it. Any idea?*
Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
[Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
**Phase 1: Completed pre-decoding.
full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
(2012-08-15 11:33:36)'
hostname: '136.10.247.130'
program_name: 'SSG350M'
log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
Admin user "userid" login attempt for Web(http) management (port 20480)
from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
**Phase 2: Completed decoding.
decoder: 'netscreenfw'
action: 'warning'
id: '00518'
**Phase 3: Completed filtering (rules).
Rule id: '4502'
Level: '9'
Description: 'Netscreen warning message.'
**Alert to be generated.
On Wednesday, 15 August 2012 16:20:34 UTC+3, dan (ddpbsd) wrote:
>
> On Wed, Aug 15, 2012 at 7:03 AM, Ozgur Orhan <[email protected]> wrote:
> >
> > Hi All,
> >
> > We have issues configuring the Ossec server to receive Netscreen firewall
> > logs. Logs are decoded as syslog, not netscreen firewall.
> >
> > Here are my configuration steps;
> >
> > First, firewalls are configured to send audit logs via syslog.
> >
> > We changed the ossec.conf file as below to allow syslog;
> >
> > <remote>
> >   <connection>syslog</connection>
> >   <allowed-ips>firewall ip</allowed-ips>
> > </remote>
> >
> > Ossec services restarted without problem.
> >
> > I checked with tcpdump that firewall syslog traffic is received by the Ossec
> > Server.
> >
> > Here is my sample log.
> >
> > Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> > [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> > management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
> >
> > /var/ossec/bin/ossec-logtest shows logs from the netscreen device decoded
> > properly.
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> > device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
> > attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
> > (2012-08-15 11:33:36)'
> > hostname: '1.1.1.1'
> > program_name: 'SSG350M'
> > log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> > Admin user "userid" login attempt for Web(http) management (port 20480) from
> > 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'netscreenfw'
> > action: 'warning'
> > id: '00518'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '4502'
> > Level: '9'
> > Description: 'Netscreen warning message.'
> > **Alert to be generated.
> >
> > No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.
> >
> > I checked /var/ossec/logs/alerts/alerts.log and found a log about the syslog
> > process. It seems the log is decoded as syslog.
> >
> > ** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
> > 2012 Aug 15 13:35:45 logyon->1.1.1.1
> > Rule: 2501 (level 5) -> 'User authentication failure.'
> > SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM:
> > Local admin authentication failed for login name userid: invalid password
> > (2012-08-15 14:39:22)
> >
>
> It looks like the log message sent to OSSEC is different than the log
> message you tested above. This log message doesn't have the timestamp
> at the beginning.
>
> **Phase 1: Completed pre-decoding.
> full event: 'SSG350M: NetScreen device_id=Juniper111
> [Root]system-warning-00518: ADM: Local admin authentication failed for
> login name userid: invalid password (2012-08-15 14:39:22)'
> hostname: 'arrakis'
> program_name: '(null)'
> log: 'SSG350M: NetScreen device_id=Juniper111
> [Root]system-warning-00518: ADM: Local admin authentication failed for
> login name userid: invalid password (2012-08-15 14:39:22)'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2501'
> Level: '5'
> Description: 'User authentication failure.'
> **Alert to be generated.
>
> >
> > I couldn't find what I am missing. Any help would be greatly appreciated.
> >
> > Regards,
> >
> > Ozgur
> >
> > The information in this e-mail and/or all files transmitted with the message
> > are intended solely for the use of the authorised person the sender meant to
> > receive them and may be confidential. If this e-mail has reached you by
> > mistake, do not use its contents in any way. In that case please delete the
> > e-mail from your mailbox and notify the sender.
> >
> > The information in this message and/or attachments is intended solely for
> > the attention and use of the named addressee and may be confidential. If you
> > are not the intended recipient, you are hereby notified that you have
> > received this transmittal in error and that any use of it is strictly
> > prohibited. In such a case please delete this message and kindly notify the
> > sender accordingly.
>
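The mismatch Dan points out, as an added example that is not part of this thread or of OSSEC's own code: a small Python model of the two ossec-logtest phases shown above. Phase 1 is a syslog pre-decoder that splits off the "Mon DD HH:MM:SS host program:" header into hostname, program_name and log; phase 2 is a decoder modelled on netscreenfw, whose prematch is anchored at the start of the log field. The prematch pattern, the field regex, the fallback hostname and the helper names are assumptions; the two sample events are the ones quoted in the thread. Running it shows that the event pasted into logtest decodes, the event that actually arrived over syslog (no header, so "SSG350M:" is never split off as the program name) matches no decoder, and the same event decodes again once the header is restored.

```python
import re
from typing import Dict, Optional

# Hostname the pre-decoder falls back to when the event carries no syslog header
# (ossec-logtest reported 'arrakis' above); assumed value for this model.
LOCAL_HOSTNAME = "ossec-server"

# BSD syslog header as OSSEC's pre-decoder expects it:
# "Mon DD HH:MM:SS hostname program[pid]: message".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Modelled on the netscreenfw decoder (assumption): the prematch is anchored at the
# start of the pre-decoded *log* field, so any text left in front of
# "NetScreen device_id=" (such as a program name that was never split off) defeats it.
NETSCREEN_PREMATCH = re.compile(r"^NetScreen device_id=")
NETSCREEN_FIELDS = re.compile(r"^NetScreen device_id=(\S+) .*?system-(\S+)-(\d+)")

# Sample events copied from the thread: the first is what was pasted into
# ossec-logtest, the second is what actually arrived over syslog.
EVENT_WITH_HEADER = (
    'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
    '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
    'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
)
EVENT_NO_HEADER = (
    'SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: '
    'Local admin authentication failed for login name userid: invalid password '
    '(2012-08-15 14:39:22)'
)


def predecode(event: str) -> Dict[str, Optional[str]]:
    """Phase 1: split the syslog header off the event, as ossec-logtest reports it."""
    m = SYSLOG_HEADER.match(event)
    if m:
        return {"hostname": m.group("host"),
                "program_name": m.group("prog"),
                "log": m.group("log")}
    # No recognisable header: the whole line stays in 'log', program_name is
    # '(null)' and the hostname defaults to the OSSEC server's own name.
    return {"hostname": LOCAL_HOSTNAME, "program_name": None, "log": event}


def decode_netscreen(log: str) -> Optional[Dict[str, str]]:
    """Phase 2: netscreenfw-style decoder run against the pre-decoded log field."""
    if not NETSCREEN_PREMATCH.match(log):
        return None                       # 'No decoder matched.'
    fields = {"decoder": "netscreenfw"}
    m = NETSCREEN_FIELDS.match(log)
    if m:
        fields.update(device_id=m.group(1), action=m.group(2), id=m.group(3))
    return fields


def logtest(event: str) -> Dict[str, Optional[str]]:
    """Run both phases and return the fields ossec-logtest would print."""
    result: Dict[str, Optional[str]] = predecode(event)
    decoded = decode_netscreen(result["log"] or "")
    result["decoder"] = decoded["decoder"] if decoded else None
    result["action"] = decoded.get("action") if decoded else None
    result["id"] = decoded.get("id") if decoded else None
    return result


def with_syslog_header(event: str, timestamp: str = "Aug 15 10:30:14",
                       host: str = "136.10.247.130") -> str:
    """Prepend the header the firewall omitted; this alone restores decoding."""
    return f"{timestamp} {host} {event}"


if __name__ == "__main__":
    for label, ev in (("pasted into logtest", EVENT_WITH_HEADER),
                      ("received over syslog", EVENT_NO_HEADER),
                      ("received, header restored", with_syslog_header(EVENT_NO_HEADER))):
        r = logtest(ev)
        print(f"{label:28} program_name={r['program_name']!r:12} decoder={r['decoder']!r}")
```

The practical check this suggests is to compare the raw line captured with tcpdump against what ossec-logtest was fed: if the device (or the intermediate syslog server) emits the message without the standard header, program_name comes out as '(null)', the log field still begins with "SSG350M:", and the netscreenfw prematch never sees "NetScreen device_id=" at the start.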