Looking to take these logs from two seperate server applications and perform alerts and possibly responses to them.
server 1: 2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15 2016-05-26 15:38:15 172.18.2.247 GET /wff - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/50.0.2661.102+Safari/537.36 404 0 2 203 Server 2: 2016-05-26 00:16:02 W3SVC1071858006 192.168.1.30 POST /servlet/Router/Transaction/Erp - 80 - 10.13.100.4 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 2016-05-26 00:16:03 W3SVC1071858006 192.168.1.30 GET /lawson/portal/drill/drsearch.css - 80 - 10.12.100.10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/5.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 404 0 2 Right now I am just attempting to work with logs from Server1: to alert on 200 & 4040 errors for for web scans and alike but a beginning. Entry in local_decoder.xml: <decoder name="kronos-web"> <parent>windows-date-format</parent> <use_own_name>true</use_own_name> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch> <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex> <order>url,srcip,id</order> </decoder> Entry in local_rules.xml <group name="kronos-web,syslog,"> <rule id="100007" level="0"> <decoded_as>kronos-web</decoded_as> <description>Grouping for Kronos web rules.</description> </rule> <rule id="100008" level="5"> <if_sid>100007</if_sid> <id>404</id> <description>IIS 7 Web Server 404 Error.</description> <group>connection attempt,</group> </rule> <rule id="100009" level="5"> <if_sid>100007</if_sid> <id>200</id> <description>IIS 7 Web Server 200 Error.</description> <group>connection attempt,</group> </rule> <rule id="100010" level="10" frequency="10" timeframe="60"> <if_matched_sid>100008,100009</if_matched_sid> <description>Possible Kronos Web Scan/Attack Detected.</description> <group>attacks,</group> </rule> </group> When I run the logtest is get this output that I am getting the url,srcip and id.. but is not getting to the rules I have created above... **Phase 1: Completed pre-decoding. full event: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15' hostname: 'alamo' program_name: '(null)' log: '2016-05-26 15:45:47 172.18.2.247 POST /wfc/portal - 443 - 10.18.100.24 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+rv:39.0)+Gecko/20100101+Firefox/39.0 200 0 0 15' **Phase 2: Completed decoding. decoder: 'windows-date-format' url: '/wfc/portal -' srcip: '10.18.100.24' id: '200' Am I missing something like a base idea behind this or a syntax thing I really do not know... -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.