Because now the problem is we have new log files created daily. Is this 
something OSSEC is not capable of?

On Wednesday, January 27, 2016 at 10:43:52 AM UTC-5, Greg Burns wrote:
>
> That worked! I think I was not testing it properly. I used the tail -f as 
> you said and added the line with the alert. I really appreciate your help. 
>
> I have one more question. Is there any way to monitor new log files as they 
> appear? 
>
> This is the naming convention:
> BatchLog_LT_01192016203220
>
> In the config file could I put something like  ? Would that look at all 
> files with that name convention? It seems the last 6 numbers may change.
>
>  <localfile>
>     <location>C:\logs\Batch_Log_LT_%m%d%y</location>
>     <log_format>syslog</log_format>
>   </localfile>
>
> On Tuesday, January 26, 2016 at 10:46:06 AM UTC-5, LostInThe Tubez wrote:
>>
>> Great, so we know OSSEC is matching against your custom rule. Next step 
>> would be to make sure the alert is showing up in 
>> /var/ossec/logs/alerts/alerts.log on the OSSEC manager. Double-check you've 
>> restarted the manager since you made the edit to local_rules.xml. If your 
>> OSSEC manager isn't too busy, I find the easiest way to do a live test of a 
>> rule is to tail -f the alerts.log on the server so you can watch as new 
>> logs are written to it. Then, on the agent, copy/paste your test log line 
>> into C:\logs\BatchLog_LT_01192016203220. After a moment or two, you should 
>> see it show up in the tailed alerts.log file on the manager. In that alert 
>> entry it will indicate whether an email was generated or not. The header 
>> for the alert will look something like this: "** Alert 1453814129.49577: 
>> mail  - local,syslog,". "mail" being the keyword you're looking for.
>>
>> If you see a mail was generated, you know you are dealing with an email 
>> delivery problem and not an OSSEC detection problem.
>>
>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
>> Behalf Of *Greg Burns
>> *Sent:* Tuesday, January 26, 2016 8:28 AM
>> *To:* ossec-list <ossec...@googlegroups.com>
>> *Subject:* Re: [ossec-list] Log file not triggering alert
>>
>> Thanks for the response.
>>
>> I ran logtest with the following output:
>>
>> ossec-testrule: Type one log per line.
>>
>> 2016-01-20T17:49:19            Error validating xml data against the 
>> schema on line 272
>> Content of element "litleTxnId" is incomplete
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2016-01-20T17:49:19           Error validating xml 
>> data against the schema on line 272'
>>        hostname: 'kali'
>>        program_name: '(null)'
>>        log: '2016-01-20T17:49:19         Error validating xml data 
>> against the schema on line 272'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '8888'
>>        Level: '12'
>>        Description: 'An error was found in an order'
>> **Alert to be generated.
>>
>>
>> On Friday, January 22, 2016 at 7:31:23 PM UTC-5, LostInThe Tubez wrote:
>>
>> Have you run your log entry through ossec-logtest on the server? This 
>> will tell you if an alert should be generated or not. It is always possible 
>> that another rule is matching first or perhaps your rule isn't working as 
>> expected. There are a couple of potential issues with your rule, but I would 
>> suggest checking ossec-logtest and reporting back before you get too far 
>> into the nitty gritty.
>>
>> You can use %Y, %m, and %d in your filenames to represent the year, month 
>> and day, respectively. The file has to exist before the agent starts, 
>> otherwise it won't be monitored. IIRC, wildcards (asterisks) do not work 
>> with the Windows agent for some strange reason.
>>
>> *From:* ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] *On 
>> Behalf Of *Greg Burns
>> *Sent:* Friday, January 22, 2016 1:08 PM
>> *To:* ossec-list <ossec...@googlegroups.com>
>> *Subject:* [ossec-list] Log file not triggering alert
>>
>> I wrote a rule in OSSEC to send an email alert any time the following 
>> string appears in a log (it's a flat log file with no extension):
>>
>> 2016-01-20T17:49:19            Error validating xml data against the 
>> schema on line 272 Content of element "litleTxnId" is incomplete 
>>
>> The rule should be triggered any time the words "error validating" appear. 
>> Below is the rule:
>>
>> <!-- Syslog errors. -->
>> <group name="syslog,errors,">
>>   <rule id="8888" level="12">
>>     <match>error validating</match>
>>     <options>alert_by_email</options>
>>     <description>An error was found in an order</description>
>>   </rule>
>> </group>
>>
>> For testing purposes I placed a log file in C:\logs and set the 
>> configuration file to look in that directory; it's the fourth one down:
>>
>> <ossec_config>
>>
>>   <!-- One entry for each file/Event log to monitor. -->
>>   <localfile>
>>     <location>Application</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>>
>>   <localfile>
>>     <location>Security</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>>
>>   <localfile>
>>     <location>System</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>>
>>   <localfile>
>>     <location>C:\logs\BatchLog_LT_01192016203220</location>
>>     <log_format>syslog</log_format>
>>   </localfile>
>>
>> However it does not seem to be working. When I go in and restart the 
>> agent it appears to successfully analyze the logs except it does not 
>> trigger an alert. Below is the ossec.log after restarting:
>>
>> 2016/01/22 15:04:28 ossec-agent: INFO: Started (pid: 7268).
>> 2016/01/22 15:04:29 ossec-agent(4102): INFO: Connected to the server (
>> 10.8.216.157:1514).
>> 2016/01/22 15:04:29 ossec-agent: INFO: System is Vista or newer 
>> (Microsoft Windows 7 Business Edition Professional Service Pack 1 (Build 
>> 7601) - OSSEC HIDS v2.8.3).
>> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 
>> 'Application'.
>> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 
>> 'Security'.
>> 2016/01/22 15:04:29 ossec-agent(1951): INFO: Analyzing event log: 
>> 'System'.
>> 2016/01/22 15:04:30 ossec-agent(1950): INFO: Analyzing file: 
>> 'C:\logs\BatchLog_LT_01192016203220'.
>> 2016/01/22 15:04:30 ossec-agent: INFO: Started (pid: 7268).
>>
>> Any ideas? Is my config on the agent not right? Also, what if I wanted 
>> to look in a specific folder and analyze all logs in that folder, such as 
>> <location>C:\logs\Batch*</location>? Will this work to view all log files 
>> that begin with 'Batch'?
>>
>> Thanks!
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
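Two things in this thread can be checked before touching the agent: which file name a <location> with %Y/%m/%d placeholders resolves to on a given day (and whether that file already exists, since LostInThe Tubez notes the agent only picks up files present at start), and whether the rule's <match> string actually hits the posted log entry when the file is read line by line, which is how the syslog log_format consumes a flat file. The script below is an added example, not code from the thread or from the OSSEC project. It parses a config fragment modelled on Greg's ossec.conf, expands only the placeholders the thread says are supported, and applies the substring match case-insensitively, since the logtest run quoted above shows `error validating` matching `Error validating`. Assumptions: the 14-digit suffix of the real file names is MMDDYYYY followed by a time of day (Greg's remark that the last six digits change supports this), so the date-only pattern in the second <localfile> is shown resolving to a name no file carries; a temporary directory stands in for C:\logs; the log content is constructed from the entry quoted in the thread.

```python
# Added example (not from the ossec-list thread or from OSSEC): pre-flight check
# for <localfile> locations and a rule's <match> string, run on a constructed
# copy of the batch log in a temp directory that stands in for C:\logs.
import datetime
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the agent config in the thread.
# The eventlog channel is kept to show it is skipped; the last entry is a
# date-only pattern that cannot resolve the time-of-day suffix of the real names.
OSSEC_CONF = """<ossec_config>
  <localfile><location>Application</location><log_format>eventlog</log_format></localfile>
  <localfile><location>C:\\logs\\BatchLog_LT_01192016203220</location><log_format>syslog</log_format></localfile>
  <localfile><location>C:\\logs\\BatchLog_LT_%m%d%Y</location><log_format>syslog</log_format></localfile>
</ossec_config>"""

# Constructed log content: the two-line entry quoted in the thread plus one benign line.
BATCH_LOG = (
    "2016-01-20T17:49:19            Error validating xml data against the schema on line 272\n"
    'Content of element "litleTxnId" is incomplete\n'
    "2016-01-20T17:50:02            Batch finished with 1 rejected order\n"
)
RULE_MATCH = "error validating"  # the <match> string of rule 8888 in the thread


def expand_location(location, when):
    """Expand only %Y, %m and %d, the placeholders the thread says the agent honours."""
    return re.sub(r"%[Ymd]", lambda m: when.strftime(m.group(0)), location)


def localfiles(conf_xml):
    """Yield (location, log_format) for every <localfile> in the config text."""
    root = ET.fromstring(conf_xml)
    return [(lf.findtext("location"), lf.findtext("log_format")) for lf in root.iter("localfile")]


def rule_matches(line, needle):
    """<match> is a substring test; the logtest output in the thread shows it is case-insensitive."""
    return needle.lower() in line.lower()


def preflight(conf_xml, needle, base_dir, when):
    """One record per file-backed <localfile>: resolved name, existence, 1-based matching line numbers."""
    report = []
    for location, fmt in localfiles(conf_xml):
        if fmt != "syslog":
            continue  # 'eventlog' entries name Windows channels, not files
        name = re.split(r"[\\/]", expand_location(location, when))[-1]
        path = os.path.join(base_dir, name)  # map the C:\logs directory onto base_dir
        entry = {"location": location, "resolved": name,
                 "exists": os.path.isfile(path), "matching_lines": []}
        if entry["exists"]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                # syslog log_format hands each line to the manager as its own event
                entry["matching_lines"] = [n for n, line in enumerate(fh, 1) if rule_matches(line, needle)]
        report.append(entry)
    return report


def run_demo():
    """Create the constructed log in a temp dir and run the check for 19 Jan 2016."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "BatchLog_LT_01192016203220"), "w", encoding="utf-8") as fh:
            fh.write(BATCH_LOG)
        return preflight(OSSEC_CONF, RULE_MATCH, tmp, datetime.date(2016, 1, 19))


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The literal entry resolves, exists, and only its first line matches: the continuation line `Content of element "litleTxnId" is incomplete` is a separate event to the collector and contains no `error validating`, so a rule keyed on that second line alone would never fire. The pattern entry resolves to BatchLog_LT_01192016, which no file carries, so under the thread's "must exist at agent start" rule it would not be monitored.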

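LostInThe Tubez's live test comes down to reading the alert header in /var/ossec/logs/alerts/alerts.log: the word `mail` between the alert id and the group list means the alert was handed to the mail daemon, which separates an email delivery problem from a detection problem. The parser below is an added example, not code from the thread or from OSSEC. It splits an alerts.log excerpt into entries and classifies one rule id into the three cases a practitioner has to tell apart. The excerpt is constructed: the first entry reproduces the header format quoted in the thread with a made-up agent name and address; the second is a made-up entry for the built-in sshd/pam rule 5501, which carries no alert_by_email and so shows the header without the flag.

```python
# Added example (not from the ossec-list thread or from OSSEC): parse alerts.log
# entries and classify what they say about one rule id.
import re

# Constructed alerts.log excerpt. Entry 1 mirrors the header quoted in the thread
# (agent name and addresses are made up). Entry 2 is a made-up entry for the
# built-in rule 5501, which has no alert_by_email and therefore no 'mail' flag.
ALERTS_LOG = """** Alert 1453814129.49577: mail  - local,syslog,
2016 Jan 26 08:15:29 (winagent) 10.8.216.160->C:\\logs\\BatchLog_LT_01192016203220
Rule: 8888 (level 12) -> 'An error was found in an order'
2016-01-20T17:49:19            Error validating xml data against the schema on line 272

** Alert 1453814131.49812: - pam,syslog,authentication_success,
2016 Jan 26 08:15:31 manager->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Jan 26 08:15:31 manager sshd[2201]: pam_unix(sshd:session): session opened for user greg by (uid=0)
"""

# "** Alert <secs>.<counter>:<flag> - <groups>" where <flag> is " mail " when the
# alert was passed to ossec-maild and empty otherwise.
HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<mail> mail )? - (?P<groups>.*)$")
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log text into dicts with alert_id, mail, groups, source, rule_id, level, description, log."""
    alerts, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"alert_id": header["id"], "mail": header["mail"] is not None,
                       "groups": [g for g in header["groups"].split(",") if g],
                       "source": None, "rule_id": None, "level": None,
                       "description": None, "log": []}
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue  # blank lines separate entries; text before the first header is ignored
        rule = RULE.match(line)
        if rule:
            current["rule_id"] = int(rule["id"])
            current["level"] = int(rule["level"])
            current["description"] = rule["desc"]
        elif current["rule_id"] is None:
            current["source"] = line  # "<date> (<agent>) <ip>-><location>" line before the Rule line
        else:
            current["log"].append(line)  # the event line(s) that fired the rule
    return alerts


def diagnose(text, rule_id):
    """Return DETECTION, NO_MAIL_FLAG or DELIVERY for rule_id, following the split drawn in the thread."""
    hits = [a for a in parse_alerts(text) if a["rule_id"] == rule_id]
    if not hits:
        return "DETECTION"     # nothing reached alerts.log: rule, decoder or collector problem
    if not any(a["mail"] for a in hits):
        return "NO_MAIL_FLAG"  # rule fired but was never handed to ossec-maild
    return "DELIVERY"          # OSSEC asked for mail; look at ossec-maild and the SMTP path


if __name__ == "__main__":
    for alert in parse_alerts(ALERTS_LOG):
        print(alert["alert_id"], "mail" if alert["mail"] else "-", alert["rule_id"], alert["description"])
    print("rule 8888:", diagnose(ALERTS_LOG, 8888))
```

Run against a real alerts.log by reading the file into `parse_alerts`; the constructed excerpt is only there so the block runs offline. A DETECTION result is the cue to go back to ossec-logtest and the agent's ossec.log, while DELIVERY means the manager did its part and the mail daemon or SMTP relay is where to look next.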