On Mon, Oct 27, 2014 at 8:34 PM, Brian <[email protected]> wrote:
> From what I can tell, I am doing this correctly. Here is the log for
> event ID 5145. I did run ./ossec-logtest; I placed
> "WinEvtLog: Security: AUDIT_SUCCESS(5145)" and it took me to rule 18100 and
> not 19000.
> Below I have my log, rules and logtest.
>
> Log:
>
> 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07
> WinEvtLog: Security: AUDIT_SUCCESS(5145):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
> User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538
> %%1541
> %%4416
> %%4417
> %%4418
> %%4419
> %%4420
> %%4423
> %%4424
>

I don't know enough about the Windows stuff to know why all of these
are being presented on their own lines and whatnot.
Running everything up until the first newline through ossec-logtest
gives me the following output (Removing everything between the
beginning of the line and 2014 because that should be an OSSEC header
added to the archives.log entries):

[root@localhost ddp]# cat /tmp/xxx
2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145):
Microsoft-Windows-Security-Auditing: (no user): no domain:
WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f
%%1538
[root@localhost ddp]# cat /tmp/xxx | /var/ossec/bin/ossec-logtest
2014/10/28 09:30:41 ossec-testrule: INFO: Reading local decoder file.
2014/10/28 09:30:41 ossec-testrule: INFO: Started (pid: 6981).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '2014 Oct 27 14:17:07 WinEvtLog: Security:
AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user):
no domain: WinClient.Domain.Local:
S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a
File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538'
       hostname: 'localhost'
       program_name: '(null)'
       log: '2014 Oct 27 14:17:07 WinEvtLog: Security:
AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user):
no domain: WinClient.Domain.Local:
S-1-5-21-3748380571-1685127485-3479259990-2707 User01 Domain 0xbe810a
File 10.5.5.8 51134 \\*\IPC$  srvsvc 0x12019f %%1538'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '5145'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WinClient.Domain.Local'

**Phase 3: Completed filtering (rules).
       Rule id: '18104'
       Level: '0'
       Description: 'Windows audit success event.'

So the id is decoded. And this rule successfully captures that log message:
<rule id="300001" level="6">
  <if_sid>18104</if_sid>
  <id>^5142$|^5143$|^5144$|^5145$</id>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>
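To make the three logtest phases above checkable offline, here is an added example written for this page; it is not OSSEC's own code and only models the behaviour shown in the thread. It assumes a simplified 'windows' decoder (the real one is in OSSEC's decoder.xml), that a rule with `<category>windows</category>` matches whenever that decoder fired, and that child rules are tried in file order with the deepest match winning. The sample events are constructed (SID replaced by a placeholder); the rule IDs, levels and patterns are the ones quoted in the thread.

```python
"""Toy model of OSSEC's 'windows' decoder and if_sid rule chaining.

Added example, not OSSEC source: it reproduces the three ossec-logtest
phases shown in the thread so the rule-chaining question can be checked
without a manager.
"""
import re

# Constructed sample events. FULL_EVENT has the shape of the 5145 event in
# the thread (SID shortened to a placeholder); SHORT_EVENT is the truncated
# line that was typed into ossec-logtest.
FULL_EVENT = (
    "2014 Oct 27 14:17:07 WinEvtLog: Security: AUDIT_SUCCESS(5145): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WinClient.Domain.Local: S-1-5-21-PLACEHOLDER-2707 User01 Domain 0xbe810a "
    "File 10.5.5.8 51134 \\\\*\\IPC$  srvsvc 0x12019f %%1538"
)
SHORT_EVENT = "WinEvtLog: Security: AUDIT_SUCCESS(5145)"

# Simplified stand-in for the 'windows' decoder (assumption, not the real
# decoder): the prefix alone selects the decoder, but fields are only
# filled in when the whole event header is present.
FIELDS_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:\s]+):"
)
WANTED = ("status", "id", "extra_data", "dstuser", "system_name")


def decode(event):
    """Phase 2: return the decoder name plus whatever fields the line yields."""
    if "WinEvtLog: " not in event:
        return {}
    fields = {"decoder": "windows"}
    m = FIELDS_RE.search(event)
    if m:
        fields.update({k: m.group(k) for k in WANTED})
    return fields


def rule(rule_id, level, description, if_sid=None, category=None,
         status=None, event_id=None):
    """One <rule>: 'status' and 'event_id' hold the <status>/<id> patterns."""
    return {"rule_id": rule_id, "level": level, "description": description,
            "if_sid": if_sid, "category": category, "status": status,
            "event_id": event_id}


# The stock chain quoted in the thread.
DEFAULT_RULES = [
    rule(18100, 0, "Group of windows rules.", category="windows"),
    rule(18101, 0, "Windows informational event.", 18100, status=r"^INFORMATION"),
    rule(18102, 0, "Windows warning event.", 18100, status=r"^WARNING"),
    rule(18103, 5, "Windows error event.", 18100, status=r"^ERROR"),
    rule(18104, 0, "Windows audit success event.", 18100,
         status=r"^AUDIT_SUCCESS|^success"),
]
# The custom rule from the reply above, parented under 18104.
CUSTOM_RULE = rule(300001, 6, "Windows audit success event.", 18104,
                   status=r"^AUDIT_SUCCESS|^success",
                   event_id=r"^5142$|^5143$|^5144$|^5145$")
RULES = DEFAULT_RULES + [CUSTOM_RULE]


def _matches(r, fields):
    """A rule matches only if every pattern it carries matches a decoded field."""
    if r["category"] and fields.get("decoder") != r["category"]:
        return False
    for field, key in (("status", "status"), ("id", "event_id")):
        if r[key] and not re.search(r[key], fields.get(field, "")):
            return False
    return True


def evaluate(fields, rules):
    """Phase 3: a parent must match before its children are tried, the first
    matching child at each level is followed, and the deepest match wins."""
    def children(parent):
        return [r for r in rules if r["if_sid"] == parent]

    current = next((r for r in children(None) if _matches(r, fields)), None)
    while current is not None:
        nxt = next((r for r in children(current["rule_id"])
                    if _matches(r, fields)), None)
        if nxt is None:
            return current
        current = nxt
    return None


def id_pattern_matches(pattern, event_id):
    """Check an <id> pattern against one event ID (the '&' typo vs. '$')."""
    return re.search(pattern, event_id) is not None


if __name__ == "__main__":
    for ev in (SHORT_EVENT, FULL_EVENT):
        f = decode(ev)
        r = evaluate(f, RULES)
        print(f"id={f.get('id')!r} -> rule {r['rule_id']} "
              f"level {r['level']}: {r['description']}")
```

Run as-is, the truncated line stops at rule 18100 because no `id` or `status` field was decoded, exactly as in the logtest output quoted below, while the full event walks 18100 -> 18104 -> 300001. `id_pattern_matches` also shows why the original `^5142&` never matched event 5142: the `&` is a literal character, not an anchor.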


> 2014 Oct 27 14:16:54 (WinClient) 10.10.10.67->WinEvtLog 2014 Oct 27 14:17:07
> WinEvtLog: Security: AUDIT_SUCCESS(5145):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> WinClient.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-2707
> User01 Domain 0xbe810a File 10.5.5.8 51134 \\*\Objects
> \??\C:\import\DFSRoot\Objects \ 0x100081 %%1541
> %%4416
> %%4423
> %%1541: %%1801 D:(A;;0x1200a9;;;WD)
> %%4416: %%1801 D:(A;;0x1200a9;;;WD)
> %%4423: %%1801 D:(A;;0x1200a9;;;WD)
>
>
>
> Rules:
>
> <group name="windows,">
>
>   <rule id="18100" level="0">
>     <category>windows</category>
>     <description>Group of windows rules.</description>
>   </rule>
>
>   <rule id="18101" level="0">
>     <if_sid>18100</if_sid>
>     <status>^INFORMATION</status>
>     <description>Windows informational event.</description>
>   </rule>
>
>   <rule id="18102" level="0">
>     <if_sid>18100</if_sid>
>     <status>^WARNING</status>
>     <description>Windows warning event.</description>
>   </rule>
>
>   <rule id="18103" level="5">
>     <if_sid>18100</if_sid>
>     <status>^ERROR</status>
>     <description>Windows error event.</description>
>     <group>system_error,</group>
>   </rule>
>
>  <rule id="19000" level="6">
>     <if_sid>18100</if_sid>
>     <id>^5142$|^5143$|^5144$|^5145$</id>
>     <status>^AUDIT_SUCCESS|^success</status>
>     <description>Windows audit success event.</description>
>   </rule>
>
>   <rule id="18104" level="0">
>     <if_sid>18100</if_sid>
>     <status>^AUDIT_SUCCESS|^success</status>
>     <description>Windows audit success event.</description>
>   </rule>
>
>
>
> Logtest:
>
> ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
> 2014/10/27 19:15:53 ossec-testrule: INFO: Reading local decoder file.
> 2014/10/27 19:15:53 ossec-testrule: INFO: Started (pid: 16744).
> ossec-testrule: Type one log per line.
>
> WinEvtLog: Security: AUDIT_SUCCESS(5145)
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
>        hostname: 'OSSECServer'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
>
>
> On Monday, October 27, 2014 3:09:44 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 27, 2014 at 3:03 PM, Brian <[email protected]> wrote:
>> > I'm not sure if I am running it correctly. I get the following; it
>> > doesn't show anything. In the ossec.conf file, I placed
>> > <logall>yes</logall> in the global section and restarted.
>> > I got no errors when restarting.
>> >
>> > ossec@OSSECServer:/var/ossec/bin$ sudo ./ossec-logtest
>> > /var/ossec/logs/archives/archives.log
>> > 2014/10/27 13:59:38 ossec-testrule: INFO: Reading local decoder file.
>> > 2014/10/27 13:59:38 ossec-testrule: INFO: Started (pid: 15224).
>> > ossec-testrule: Type one log per line.
>> >
>>
>> The archives.log file is just a text log file. You'll need to find the
>> entries you are interested in, copy them out of the file, and paste
>> them into the ossec-logtest program.
>>
>> Windows is odd (why does it put so many spaces in odd places?), so
>> copying archives.log to another location, then deleting all of the
>> lines you are not interested in might be the best solution.
>>
>>
>> As a shortcut while testing, I frequently save the log message to a
>> file, then run:
>>
>> cat LOGMESSAGEFILE | /var/ossec/bin/ossec-logtest
>>
>> >
>> > On Monday, October 27, 2014 2:05:27 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Mon, Oct 27, 2014 at 2:01 PM, Brian <[email protected]> wrote:
>> >> > Thank you for your reply. Looks like the & was a typo. I fixed that
>> >> > and now it looks like: <id>^5142$|^5143$|^5144$|^5145$</id>
>> >> > So, I turned on debugging on the client side, and I get the
>> >> > following shown below. When I run tail -f /var/ossec/logs/alerts/alerts.log
>> >> > on the server side, I don't see anything coming in. The Windows
>> >> > client is a Windows 2012 server.
>> >> >
>> >> >
>> >> > Debug:
>> >> >
>> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to
>> >> > server.
>> >> >
>> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server:
>> >> > '2014
>> >> > Oct
>> >> > 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145):
>> >> > Microsoft-Windows-Security-Auditing: (no user): no domain:
>> >> > FileServer.Domain.Local:
>> >> > S-1-5-21-3748380571-1685127485-3479259990-18013
>> >> > User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080
>> >> > %%1541
>> >> >
>> >> > %%4423
>> >> >
>> >> > - '
>> >> >
>> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to
>> >> > server.
>> >> >
>> >> > 2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server:
>> >> > '2014
>> >> > Oct
>> >> > 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145):
>> >> > Microsoft-Windows-Security-Auditing: (no user): no domain:
>> >> > FileServer.Domain.Local:
>> >> > S-1-5-21-3748380571-1685127485-3479259990-18013
>> >> > User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files
>> >> > (x86)\ossec-agent 0x100081 %%1541
>> >> >
>> >> > %%4416
>> >> >
>> >> > %%4423
>> >> >
>> >> >
>> >>
>> >> Did you turn on the log all option on the manager? If you run the log
>> >> messages from the archives.log through ossec-logtest, what happens?
>> >>
>> >> >
>> >> > On Monday, October 27, 2014 11:42:37 AM UTC-4, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs
>> >> >> <[email protected]>
>> >> >> wrote:
>> >> >> > Is the ampersand correctly used at the end of 5142? For the other
>> >> >> > IDs a $ sign is used.
>> >> >> >
>> >> >>
>> >> >> Nope, I'm not sure what they were attempting with that.
>> >> >>
>> >> >> > Ivars
>> >> >> >
>> >> >> > On Mon, Oct 27, 2014 at 1:51 PM, Brian <[email protected]> wrote:
>> >> >> >>
>> >> >> >> Hello, I am hoping someone may be able to help.
>> >> >> >> I want to capture Windows Event IDs 5142, 5143, 5144 and 5145. I
>> >> >> >> found this discussion on how to add it to your ossec.conf file:
>> >> >> >>
>> >> >> >> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
>> >> >> >>
>> >> >> >> However, the events aren't showing up in OSSEC. Would this be the
>> >> >> >> correct way to configure OSSEC to capture specific Windows Event IDs?
>> >> >> >>
>> >> >> >> I added the following to my ossec.conf file, above 18104 as the
>> >> >> >> above article suggested, and then restarted OSSEC.
>> >> >> >>
>> >> >> >> <rule id="19000" level="6">
>> >> >> >>     <if_sid>18100</if_sid>
>> >> >> >>     <id>^5142&|^5143$|^5144$|^5145$</id>
>> >> >> >>     <status>^AUDIT_SUCCESS|^success</status>
>> >> >> >>     <description>Windows audit success event.</description>
>> >> >> >>   </rule>
>> >> >> >>
>> >> >> >> Thank you for your help.
>> >> >> >>
>> >> >> >> --
>> >> >> >>
>> >> >> >> ---
>> >> >> >> You received this message because you are subscribed to the
>> >> >> >> Google
>> >> >> >> Groups
>> >> >> >> "ossec-list" group.
>> >> >> >> To unsubscribe from this group and stop receiving emails from it,
>> >> >> >> send
>> >> >> >> an
>> >> >> >> email to [email protected].
>> >> >> >> For more options, visit https://groups.google.com/d/optout.
>> >> >> >
>> >> >> >
>> >> >
>> >
>
