I can.

Are you interested in just the important bits as they relate to the decodes 
(authentication success/failure), or did you want to see the entire log 
file?  It's a fairly verbose application, so with the logging level that I 
set up on it, it only reports application errors, administrator 
functions, and authentications (so far anyway).  In our case, we're using 
SMS text message only at the moment.  

I tested the voice call and the local_rules would need to be updated for 
failures on that.  Looks like it follows a similar format.

Sanitized logs below from syslog:

2014 Dec 08 13:04:05 pfserver->1.2.3.4 Dec  8 13:04:05 pfserver pfsvc: 
Pfauth succeeded for user 'DOMAIN\username'.  Call status: 
SUCCESS_SMS_AUTHENTICATED - "SMS Authenticated".
2014 Dec 08 13:04:43 pfserver->1.2.3.4 Dec  8 13:04:43 pfserver pfsvc: 
Pfauth succeeded for user 'DOMAIN\username'.  Call status: 
SUCCESS_SMS_AUTHENTICATED - "SMS Authenticated".
2014 Dec 08 13:06:32 pfserver->1.2.3.4 Dec  8 13:06:32 pfserver pfsvc: 
Pfauth failed for user 'DOMAIN\username'.  Call status: 
FAILED_SMS_OTP_INCORRECT - "SMS OTP Incorrect".
2014 Dec 08 13:33:23 pfserver->1.2.3.4 Dec  8 13:33:23 pfserver pfsvc: User 
"DOMAIN\domainadmin" changed user "DOMAIN\username" value mode3 from 3 to 2.
2014 Dec 08 13:33:50 pfserver->1.2.3.4 Dec  8 13:33:50 pfserver pfsvc: 
Pfauth succeeded for user 'DOMAIN\username'.  Call status: SUCCESS_NO_PIN - 
"Only # Entered".
2014 Dec 08 13:35:23 pfserver->1.2.3.4 Dec  8 13:35:23 pfserver pfsvc: 
Pfauth failed for user 'DOMAIN\username'.  Call status: 
SUCCESS_NO_PIN_BUT_TIMEOUT - "No Phone Input - Timed Out".


On Monday, December 8, 2014 5:03:57 AM UTC-8, dan (ddpbsd) wrote:

> On Fri, Dec 5, 2014 at 3:19 PM, Brent Morris <brent....@gmail.com> wrote: 
> > Wish I could edit that last post! 
> > 
> > I forgot a few lines....   complete local_decoder.xml below. 
> > 
> > add the following to local_decoder.xml 
> > 
> > 
> >   <decoder name="pfsvc-auth"> 
> >     <program_name>^pfsvc</program_name> 
> >   </decoder> 
> > 
> >   <decoder name="pfsvc-authentication"> 
> >     <parent>pfsvc-auth</parent> 
> >     <regex offset="after_parent">Pfauth \w+ for user '(\S+)'.  Call status: (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.".</regex> 
> >     <order>srcuser, status</order> 
> >   </decoder> 
> > 
>
> Awesome stuff! Can you provide some log samples? 
>
> > 
> > 
> > On Friday, December 5, 2014 11:51:18 AM UTC-8, Brent Morris wrote: 
> >> 
> >> Not exactly sure if this is the right place to post this, but it took me 
> >> some time to get working decodes for Microsoft's Azure Multi-Factor 
> >> Authentication (PhoneFactor.net). 
> >> 
> >> It's pretty cool multifactor authentication for on-prem RDP Gateway and 
> >> OWA using your phone as the second factor. 
> >> 
> >> This was my first attempt to create my own decodes for an app that wasn't 
> >> supported by OSSEC.  OSSEC is so cool that I wanted to share these with 
> >> others in case there might be one or two of you out there that could benefit. 
> >> We're not using the APP or voice calls, but it shouldn't be too hard with the 
> >> info below to set up the rest of the options for those. 
> >> 
> >> You could have the agent monitor the log files, or set up syslog inside the 
> >> PhoneFactor app.  I opted for syslog messages. 
> >> 
> >> And let me know if I'm posting in the wrong place, have an error in my 
> >> decodes, or anything else helpful. 
> >> 
> >> Thanks! 
> >> 
> >> --- 
> >> 
> >> 
> >> 
> >> add the following to local_decoder.xml 
> >> 
> >>   <decoder name="pfsvc-authentication"> 
> >>     <parent>pfsvc-auth</parent> 
> >>     <regex offset="after_parent">Pfauth \w+ for user '(\S+)'.  Call status: (\S+) - "\w+\s+\w+|\w+\s+\w+\s+\w+\.".</regex> 
> >>     <order>srcuser, status</order> 
> >>   </decoder> 
> >> 
> >> then add the following to local_rules.xml (tailor to your specific needs). 
> >> 
> >> <group name="syslog,pfauth,"> 
> >>   <rule id="100140" level="0"> 
> >>     <decoded_as>pfsvc-auth</decoded_as> 
> >>     <description>Phone Factor Authentication app group.</description> 
> >>   </rule> 
> >>   <rule id="100141" level="10"> 
> >>     <if_sid>100140</if_sid> 
> >>     <match>FAILED_SMS_OTP_INCORRECT</match> 
> >>     <description>User Failed SMS Challenge/Response</description> 
> >>   </rule> 
> >> </group> 
> >> 
> >> --end local_rules.xml 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>

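The sanitized samples in this thread show why keying the alert on the status token alone is fragile: the voice-call timeout line reads "Pfauth failed" but carries a SUCCESS_NO_PIN_BUT_TIMEOUT status, so rule 100141 (which matches FAILED_SMS_OTP_INCORRECT) never sees it. The script below is an added example, not code from the thread or from OSSEC: it re-implements the decoder and rule logic in plain Python over the sample lines so the behaviour can be checked offline. It captures the outcome verb, the user and the status separately (the thread's decoder captures only user and status), and it also decodes the administrator "changed user ... value mode3" line. Rule ids 100140 and 100141 come from the thread; 100142 (non-SMS failures) and 100143 (administrator changes) are hypothetical ids chosen here for the cases the thread says still need rules.

```python
import re
from collections import Counter

# Constructed sample lines, mirroring the sanitized syslog excerpt in the thread
# (the "pfserver->1.2.3.4" relay prefix is kept so the regexes are shown to cope with it).
SAMPLE_LOG = r"""
2014 Dec 08 13:04:05 pfserver->1.2.3.4 Dec  8 13:04:05 pfserver pfsvc: Pfauth succeeded for user 'DOMAIN\username'.  Call status: SUCCESS_SMS_AUTHENTICATED - "SMS Authenticated".
2014 Dec 08 13:06:32 pfserver->1.2.3.4 Dec  8 13:06:32 pfserver pfsvc: Pfauth failed for user 'DOMAIN\username'.  Call status: FAILED_SMS_OTP_INCORRECT - "SMS OTP Incorrect".
2014 Dec 08 13:33:23 pfserver->1.2.3.4 Dec  8 13:33:23 pfserver pfsvc: User "DOMAIN\domainadmin" changed user "DOMAIN\username" value mode3 from 3 to 2.
2014 Dec 08 13:33:50 pfserver->1.2.3.4 Dec  8 13:33:50 pfserver pfsvc: Pfauth succeeded for user 'DOMAIN\username'.  Call status: SUCCESS_NO_PIN - "Only # Entered".
2014 Dec 08 13:35:23 pfserver->1.2.3.4 Dec  8 13:35:23 pfserver pfsvc: Pfauth failed for user 'DOMAIN\username'.  Call status: SUCCESS_NO_PIN_BUT_TIMEOUT - "No Phone Input - Timed Out".
""".strip().splitlines()

# Authentication result line: capture the verb, the user and the status token separately,
# so a rule can key on "failed" instead of on one specific status string.
AUTH_RE = re.compile(
    r"pfsvc: Pfauth (?P<outcome>succeeded|failed) for user '(?P<srcuser>[^']+)'\.\s+"
    r'Call status: (?P<status>\S+) - "(?P<detail>[^"]*)"\.'
)

# Administrator change line ("User X changed user Y value mode3 from 3 to 2.").
ADMIN_RE = re.compile(
    r'pfsvc: User "(?P<admin>[^"]+)" changed user "(?P<target>[^"]+)" '
    r"value (?P<setting>\S+) from (?P<old>\S+) to (?P<new>\S+)\."
)


def decode(line):
    """Return a dict of decoded fields for a pfsvc line, or None if it is not recognised."""
    m = AUTH_RE.search(line)
    if m:
        fields = m.groupdict()
        fields["event"] = "auth"
        return fields
    m = ADMIN_RE.search(line)
    if m:
        fields = m.groupdict()
        fields["event"] = "admin_change"
        return fields
    return None


def evaluate(event):
    """Return (rule_id, level, description), mirroring local_rules.xml from the thread.

    100140/100141 are the thread's rules; 100142/100143 are hypothetical additions
    for failures with a non-FAILED status token and for administrator changes.
    """
    if event is None:
        return None
    if event["event"] == "admin_change":
        return (100143, 7, "PhoneFactor user setting changed by administrator")
    if event["status"] == "FAILED_SMS_OTP_INCORRECT":
        return (100141, 10, "User Failed SMS Challenge/Response")
    if event["outcome"] == "failed":
        # e.g. SUCCESS_NO_PIN_BUT_TIMEOUT: the token says SUCCESS but the line says "failed"
        return (100142, 10, "User failed PhoneFactor challenge (non-SMS or timeout)")
    return (100140, 0, "Phone Factor Authentication app group.")


def run(lines):
    """Decode every line; return (alerts with level > 0, failed-challenge count per user)."""
    alerts = []
    failures = Counter()
    for line in lines:
        event = decode(line)
        verdict = evaluate(event)
        if verdict is None:
            continue
        rule_id, level, description = verdict
        if level > 0:
            subject = event.get("srcuser") or event.get("target")
            alerts.append((rule_id, subject, description))
        if event["event"] == "auth" and event["outcome"] == "failed":
            failures[event["srcuser"]] += 1
    return alerts, failures


if __name__ == "__main__":
    alerts, failures = run(SAMPLE_LOG)
    for rule_id, subject, description in alerts:
        print(f"rule {rule_id}: {description} [{subject}]")
    print("failed challenges per user:", dict(failures))
```

Run against the five sample lines this raises three alerts (the SMS OTP failure, the administrator mode change, and the voice-call timeout) and counts two failed challenges for DOMAIN\username; the "Only # Entered" success decodes but stays at level 0, as the thread's base rule intends. The per-user failure counter is the natural input for a frequency-based rule on repeated challenge failures.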