Hi,
Trying to get alerting implemented on my NAS. Unfortunately my work to date
has failed; in summary I have:
1. Identified the log message in /var/ossec/logs/archives/archives.log;
this is sent from the NAS to OSSEC via syslog ->
2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn
log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection
type: , Accessed resources: Administration, Action: Login OK
2. Constructed a decoder at /var/ossec/etc/local_decoder.xml ->
<decoder name="qlogd">
  <prematch>\S+ qlogd</prematch>
  <regex offset="after_prematch">\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
  <order>user, srcip, action</order>
</decoder>
3. Constructed a number of rules at /var/ossec/rules/local_rules.xml ->
<group name="syslog,qlogd,">
  <rule id="100002" level="0">
    <decoded_as>qlogd</decoded_as>
    <description>qlogd messages to analyze</description>
  </rule>
  <rule id="100003" level="12">
    <if_sid>100002</if_sid>
    <action>Logout</action>
    <description>nas user logged out</description>
  </rule>
  <rule id="100004" level="12">
    <if_sid>100002</if_sid>
    <action>Login</action>
    <description>nas user logged in</description>
  </rule>
</group>
4. Confirmed grammar via /var/ossec/bin/ossec-logtest ->
**Phase 1: Completed pre-decoding.
full event: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas
qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
---, Connection type: , Accessed resources: Administration, Action: Login
OK'
hostname: 'pi'
program_name: '(null)'
log: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas
qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
---, Connection type: , Accessed resources: Administration, Action: Login
OK'
**Phase 2: Completed decoding.
decoder: 'qlogd'
dstuser: 'admin'
srcip: '10.0.0.54'
action: 'Login'
**Phase 3: Completed filtering (rules).
Rule id: '100004'
Level: '12'
Description: 'nas user logged in'
**Alert to be generated.
Unfortunately this does not result in any alerts/emails. I have done the usual
googling and reading of "OSSEC HIDS Host-Based ....." but still cannot figure
out what I'm doing wrong. I will be super grateful if someone could point out
what I have done wrong.
Regards
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
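The following is an added example, not code from the post above or from the OSSEC project. It emulates in Python the two steps ossec-analysisd performs on a syslog event (the syslog pre-decoder that strips "Mon DD HH:MM:SS host prog[pid]: ", then a <decoder>'s program_name / prematch / regex matching) and runs the posted decoder over two forms of the same event: the archives.log line exactly as pasted into ossec-logtest, and the raw syslog message as ossec-remoted hands it on in production. The raw form is an assumption (the text after the "nas->10.0.0.3" location prefix, unchanged), the OSSEC-regex translator covers only the syntax used in the post, and the second decoder (keyed on program_name with a prematch taken from the message body) is a variant introduced here for comparison, not something from the thread.

```python
import re

# Constructed inputs, not taken from the poster's system: the archives.log line
# as pasted into ossec-logtest (OSSEC prepends its own "YYYY Mon DD HH:MM:SS"
# timestamp and the "nas->10.0.0.3" location to every archived event), and the
# raw syslog message as ossec-remoted receives it from the NAS. The raw form is
# an assumption: everything after the location prefix, unchanged.
ARCHIVED_LINE = (
    "2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: "
    "conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, "
    "Connection type: , Accessed resources: Administration, Action: Login OK"
)
RAW_LINE = ARCHIVED_LINE.split("nas->10.0.0.3 ", 1)[1]

# "Mon DD HH:MM:SS host prog[pid]: message": the header the syslog pre-decoder strips.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line, local_hostname="pi"):
    """Emulate ossec-analysisd pre-decoding of a syslog event.

    If the header parses, hostname/program_name are filled in and `log` is the
    message after "prog[pid]: ". If it does not (the archived line starts with
    OSSEC's own timestamp), the whole line stays in `log`, program_name is unset
    and hostname falls back to the local host, which is what logtest printed as
    hostname: 'pi' and program_name: '(null)'.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": local_hostname, "program_name": None, "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used here into Python syntax.

    OSSEC treats '.' as a literal dot and '\\.' as "any character"; \\S \\s \\d
    \\w, + * ^ $ | and parentheses keep their usual meaning.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
            continue
        out.append("\\." if c == "." else c if c in "+*^$|()" else re.escape(c))
        i += 1
    return "".join(out)


def decode(fields, regex, order, prematch=None, program_name=None):
    """Apply one <decoder>: program_name is checked against the pre-decoded
    program name; prematch and regex run against the remaining `log` text,
    the regex starting where the prematch ended (offset="after_prematch")."""
    if program_name is not None:
        if fields["program_name"] is None or not re.search(
            ossec_to_python(program_name), fields["program_name"]
        ):
            return None
    log = fields["log"]
    if prematch is not None:
        m = re.search(ossec_to_python(prematch), log)
        if not m:
            return None
        log = log[m.end():]
    m = re.search(ossec_to_python(regex), log)
    return dict(zip(order, m.groups())) if m else None


# The poster's decoder, verbatim. OSSEC stores <order> "user" as dstuser.
POSTED_DECODER = dict(
    prematch=r"\S+ qlogd",
    regex=r"\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)",
    order=("user", "srcip", "action"),
)

# Comparison variant (assumption, not from the post): key on the pre-decoded
# program name and on a prematch that exists in the message body itself.
PROGRAM_NAME_DECODER = dict(
    program_name="^qlogd",
    prematch="^conn log: ",
    regex=r"Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)",
    order=("user", "srcip", "action"),
)


def match_table():
    """Run both decoders over both input forms; None means the decoder did not fire."""
    table = {}
    for form, line in (("archived", ARCHIVED_LINE), ("raw", RAW_LINE)):
        fields = predecode(line)
        table[form] = {
            "posted": decode(fields, **POSTED_DECODER),
            "program_name": decode(fields, **PROGRAM_NAME_DECODER),
        }
    return table


if __name__ == "__main__":
    for form, results in match_table().items():
        for decoder, fields in results.items():
            print(f"{form:8} {decoder:13} {fields}")
```

What the table shows: on the archived line the syslog header does not parse, so the full line (including "nas qlogd[8736]: ") is still present when the posted prematch `\S+ qlogd` is tried, and the decoder fires exactly as logtest reported. On the raw line the pre-decoder has already removed "Jul 25 18:48:23 nas qlogd[8736]: ", program_name is "qlogd" and the text the prematch sees starts at "conn log: ", so `\S+ qlogd` finds nothing and rule 100002 never gets an event to hand to 100004. The variant that keys on program_name behaves the other way round. The practical check is therefore to feed ossec-logtest the raw syslog message (everything after "nas->10.0.0.3 ") rather than the archives.log line, and to build the prematch against what remains after the syslog header.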