On Thu, Aug 18, 2016 at 9:09 AM, Cliftyman <[email protected]> wrote:
> I'm confused about how to use the rule types built into the OSSEC log rule
> syntax.
>
> I have a localfile declared in my /var/ossec/etc/shared/agent.conf....
>
> <agent_config name="centrallogger">
> <localfile>
> <location>/var/log/LOC/*.log</location>
> <log_format>syslog</log_format>
> </localfile>
> </agent_config>
>
> This is a central logging "catchall" server that I send multiple systems
> logs to and I run an OSSEC agent on that syslog server to watch all the
> logs. So all .log files in /var/log/LOC on server1 should be syslog
> format.... I'm receiving alerts from these logs just fine. Alerts come
> from "centrallogger" but the first line states the location so I know which
> server the alert is referencing. There are some scripting errors on one of
> the servers sending logs to "centrallogger" and I want to filter them out.
> So I wrote a rule in local.rules on my OSSEC server that included a <srcip>
> declaration:
>
> <rule id="100073" level="0">
> <if_sid>5720</if_sid>
> <srcip>192.168.1.5</srcip>
Using the logs below, I get this with ossec-logtest:
ossec-testrule: Type one log per line.
Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36942 ssh2
**Phase 1: Completed pre-decoding.
full event: 'Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36942 ssh2 '
hostname: '192.168.1.5'
program_name: 'sshd'
log: 'Failed none for root from 192.168.1.1 port 36942 ssh2 '
**Phase 2: Completed decoding.
decoder: 'sshd'
**Phase 3: Completed filtering (rules).
Rule id: '5716'
Level: '5'
Description: 'SSHD authentication failed.'
**Alert to be generated.
So srcip isn't being decoded.
> <hostname>centrallogger</hostname>
> <description>scripted maint failing on interconnect links</description>
> </rule>
>
> To suppress the alert I was receiving below.........
>
> OSSEC HIDS Notification.
>
> 2016 Aug 18 08:36:29
>
> Received From: (centrallogger) 10.147.130.0->/var/log/LOC/loggedserver1.log
>
> Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
>
> Portion of the log(s):
>
> Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none
> for root from 192.168.1.1 port 36942 ssh2
> Aug 18 07:30:24 192.168.1.5 sshd[20227]: [ID 800047 auth.notice] Failed none
> for root from 192.168.1.1 port 36941 ssh2
> Aug 18 07:30:23 192.168.1.5 sshd[20205]: [ID 800047 auth.notice] Failed none
> for root from 192.168.1.1 port 36939 ssh2
>
> And the suppression is not working. I've also attempted a <match> on ASCII
> text "Failed none for root". I've historically had issues getting matching
> to work in log messages and I'm wondering if this has something to do with
> using a wildcard, or if my syslog log format decoder is not working
> properly? If I'm using <srcip> OSSEC has to recognize where the SRCIP is in
> the syslog string?
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
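One way to get srcip populated for this message, as an added example that is neither poster's configuration: a child of the stock "sshd" decoder placed in a local decoder file (assumed to be /var/ossec/etc/local_decoder.xml), plus a level-0 rule keyed on the decoded source address. The decoder name and the rule id 100073 are placeholders, and the regex deliberately does not anchor at end of line because the pre-decoded log shown by ossec-logtest ends with a trailing space ("ssh2 '"). Note that in that output the hostname field is 192.168.1.5 and the address after "from" is 192.168.1.1, so a <srcip> test has to name the latter.

```xml
<!-- Added example (not from the thread): child decoder of the stock "sshd"
     decoder that pulls user and srcip out of
     "Failed none for USER from IP port N ssh2 ".
     No end-of-line anchor: the log line carries a trailing space after "ssh2". -->
<decoder name="sshd-failed-none-local">   <!-- name is a placeholder -->
  <parent>sshd</parent>
  <prematch>^Failed none for </prematch>
  <regex offset="after_prematch">^(\S+) from (\S+) port \d+</regex>
  <order>user, srcip</order>
</decoder>

<!-- Added example rule (id 100073 reused from the thread as a placeholder):
     silence "Multiple SSHD authentication failures" only when the decoded
     source address is the scripted client, 192.168.1.1 in the logs above. -->
<rule id="100073" level="0">
  <if_sid>5720</if_sid>
  <srcip>192.168.1.1</srcip>
  <description>Scripted maintenance logins from the interconnect client; suppressed.</description>
</rule>
```

After restarting OSSEC, feed the same line to ossec-logtest again: Phase 2 should now list the child decoder and a srcip field, and Phase 3 should show rule 100073 at level 0 once the 5720 threshold is reached.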