I'm using OSSEC in a slightly unconventional manner where I have it 
installed on a centralized syslog server and it's tripping correlations 
from multiple servers with just one agent. A small snippet of the setup is 
below.

ossec-server.domain.com monitoring:

   - /logs/networking/*.log
   - /logs/windows/*.log
   - /logs/unix/*.log

Overall this has worked pretty well as a low-key correlation system for 
some alerts, but I recently added a few more logs to it and I feel like 
OSSEC is missing some entries now. For example, I see alerts being 
tripped in /var/ossec/logs/alerts/alerts.log for some events, but others are 
not. I know for a fact, while tailing the alerts.log file, that I should have 
received the alert below, as I was also tailing the logs OSSEC was 
monitoring. Below shows that the format is correct and it's 
decoding/alerting correctly when running the test. Therefore my only 
conclusion is that OSSEC is potentially getting overwhelmed and missing some. Is 
there a way to check that, or any other reason this wouldn't have tripped for 
me?

Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root


**Phase 1: Completed pre-decoding.
       full event: 'Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'
       hostname: 'server1'
       program_name: 'sudo'
       log: '  user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root'

**Phase 2: Completed decoding.
       decoder: 'sudo'
       dstuser: 'user_name'

**Phase 3: Completed filtering (rules).
       Rule id: '100012'
       Level: '10'
       Description: 'User attempted to run a command that was not allowed.'
**Alert to be generated.
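One way to test the "OSSEC is dropping events" hypothesis systematically rather than by eye is to cross-check the lines seen in the monitored source logs against what actually landed in alerts.log. The script below is an added example, not part of the original post and not OSSEC's own tooling. It assumes the usual multi-line alerts.log record layout (a "** Alert" header, a location line, a "Rule:" line, optional field lines, and the raw event as the last line of the record); the alerts.log excerpt and the source lines embedded in it are constructed, with a third host (server3) whose sudo denial has no matching alert.

```python
"""Cross-check monitored source log lines against OSSEC alerts.log to find
events that match a rule-worthy pattern but produced no alert.

Added diagnostic example; not part of the original post or of OSSEC itself.
Assumption: alerts.log records look like
    ** Alert <epoch>.<seq>: - <groups>,
    <date> (<host>) <ip>-><location>
    Rule: <id> (level <n>) -> '<description>'
    [optional field lines]
    <raw event line>
The sample data below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Pattern

# Constructed alerts.log excerpt: server1's sudo denial and an sshd login.
SAMPLE_ALERTS_LOG = """\
** Alert 1487264674.1234: - syslog,sudo,
2017 Feb 16 13:04:34 (server1) 10.0.0.5->/logs/unix/server1.log
Rule: 100012 (level 10) -> 'User attempted to run a command that was not allowed.'
User: user_name
Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root

** Alert 1487264702.1301: - syslog,sshd,authentication_success,
2017 Feb 16 13:05:02 (server2) 10.0.0.6->/logs/unix/server2.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Feb 16 13:05:02 server2 sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 50212 ssh2
"""

# Constructed source lines, as they would be seen while tailing the
# monitored files; the server3 denial never shows up in the alerts above.
SAMPLE_SOURCE_LINES = [
    "Feb 16 13:04:34 server1 sudo:   user_name : command not allowed ; TTY=pts/0 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/su root",
    "Feb 16 13:04:51 server3 sudo:   user_name : command not allowed ; TTY=pts/1 ; PWD=/home/user_name ; USER=root ; COMMAND=/bin/bash",
    "Feb 16 13:05:02 server2 sshd[2211]: Accepted publickey for deploy from 10.0.0.9 port 50212 ssh2",
]

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")
SUDO_DENIED = re.compile(r"sudo:.*command not allowed")


@dataclass(frozen=True)
class Alert:
    rule_id: int
    level: int
    event: str  # raw event line with whitespace collapsed


def normalise(line: str) -> str:
    """Collapse whitespace runs so padded or wrapped copies compare equal."""
    return " ".join(line.split())


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log into records; pull out rule id, level and raw event."""
    alerts: List[Alert] = []
    for record in re.split(r"(?m)^\*\* Alert ", text):
        lines = [l for l in record.splitlines() if l.strip()]
        if len(lines) < 3:
            continue  # empty chunk before the first header, or a truncated record
        match = next((RULE_RE.match(l) for l in lines if RULE_RE.match(l)), None)
        if match is None:
            continue
        alerts.append(Alert(int(match.group(1)), int(match.group(2)),
                            normalise(lines[-1])))
    return alerts


def find_missed(source_lines: Iterable[str], alerts: Iterable[Alert],
                expect: Pattern[str]) -> List[str]:
    """Return source lines matching `expect` whose raw event never appears in
    any alert record; these are the events to investigate as possibly dropped."""
    seen = {a.event for a in alerts}
    return [l for l in source_lines
            if expect.search(l) and normalise(l) not in seen]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS_LOG)
    for missed in find_missed(SAMPLE_SOURCE_LINES, parsed, SUDO_DENIED):
        print("no alert for:", missed)
```

Run against real data by reading the tailed source file and the actual alerts.log instead of the embedded samples; if lines that ossec-logtest confirms are decoded and matched still show up as missed, the gap is between the collector and analysisd rather than in the rules.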
