Hi 

I'm trying to get alerting implemented on my NAS. Unfortunately my work to date 
has failed. In summary, I have:

1. Identified the log message in /var/ossec/logs/archives/archives.log; 
this is sent from the NAS to OSSEC via syslog ->

2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK

2. Constructed a decoder at /var/ossec/etc/local_decoder.xml ->

<decoder name="qlogd">
    <prematch>\S+ qlogd</prematch>
    <regex offset="after_prematch">\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
    <order>user, srcip, action</order>
</decoder>

3. Constructed a number of rules at /var/ossec/rules/local_rules.xml ->

<group name="syslog,qlogd,">
    <rule id="100002" level="0">
        <decoded_as>qlogd</decoded_as>
        <description>qlogd messages to analyze</description>
    </rule>
    <rule id="100003" level="12">
        <if_sid>100002</if_sid>
        <action>Logout</action>
        <description>nas user logged out</description>
    </rule>
    <rule id="100004" level="12">
        <if_sid>100002</if_sid>
        <action>Login</action>
        <description>nas user logged in</description>
    </rule>
</group>

4. Confirmed grammar via /var/ossec/bin/ossec-logtest ->

**Phase 1: Completed pre-decoding.
       full event: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'
       hostname: 'pi'
       program_name: '(null)'
       log: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'

**Phase 2: Completed decoding.
       decoder: 'qlogd'
       dstuser: 'admin'
       srcip: '10.0.0.54'
       action: 'Login'

**Phase 3: Completed filtering (rules).
       Rule id: '100004'
       Level: '12'
       Description: 'nas user logged in'
**Alert to be generated.

Unfortunately this does not result in any alerts/emails. I've done the usual 
googling and reading of "OSSEC HIDS Host-Based ....." but still cannot figure 
out what I'm doing wrong. I will be super grateful if someone could point out 
what I have done wrong.

Regards

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
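Added here as an editorial example, not part of the thread and not OSSEC's own code: an offline re-run of the posted decoder and rules in Python. The OSSEC regex dialect is translated into Python's re module (an approximation written for this example, not OSSEC's matcher), the `user` entry in `<order>` is stored as `dstuser` as ossec-logtest shows, and rule matching on `<decoded_as>`, `<if_sid>` and `<action>` is simplified to file order. The login line is the one from archives.log; the logout line is constructed.

```python
"""Offline re-run of the decoder and rule chain from the post. The OSSEC regex
dialect is translated into Python's re module here (an approximation written for
this example, not OSSEC's own matcher), so variants of the decoder or rules can be
checked without touching a live /var/ossec."""
import re
import xml.etree.ElementTree as ET

# Decoder and rules as posted, with the <regex> on a single line.
DECODER_XML = r"""<decoder name="qlogd">
    <prematch>\S+ qlogd</prematch>
    <regex offset="after_prematch">\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
    <order>user, srcip, action</order>
</decoder>"""

RULES_XML = r"""<group name="syslog,qlogd,">
    <rule id="100002" level="0">
        <decoded_as>qlogd</decoded_as>
        <description>qlogd messages to analyze</description>
    </rule>
    <rule id="100003" level="12">
        <if_sid>100002</if_sid>
        <action>Logout</action>
        <description>nas user logged out</description>
    </rule>
    <rule id="100004" level="12">
        <if_sid>100002</if_sid>
        <action>Login</action>
        <description>nas user logged in</description>
    </rule>
</group>"""

# The archives.log line from the post; the logout variant is constructed for this example.
LOGIN_LINE = ("2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn log: "
              "Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , "
              "Accessed resources: Administration, Action: Login OK")
LOGOUT_LINE = LOGIN_LINE.replace("Action: Login OK", "Action: Logout")

# OSSEC escape classes (per the OSSEC regex syntax docs): '\.' is "any character",
# a bare '.' is a literal dot, and '\s' is a single space rather than any whitespace.
_CLASSES = {
    "S": "[^ ]", "s": " ", "d": r"\d", "D": r"\D", "t": r"\t",
    "w": "[A-Za-z0-9@_-]", "W": "[^A-Za-z0-9@_-]",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""", ".": ".",
}
# Names in <order> that OSSEC stores under a different field name.
_ORDER_ALIASES = {"user": "dstuser"}


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used by typical decoders."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "()+*^$|" else re.escape(c))
            i += 1
    return "".join(out)


def decode(decoder_xml, line):
    """Return decoded fields like ossec-logtest's phase 2, or None if prematch fails."""
    dec = ET.fromstring(decoder_xml)
    pre = re.search(ossec_to_python(dec.findtext("prematch")), line)
    if not pre:
        return None
    fields = {"decoder": dec.get("name")}
    rx = dec.find("regex")
    rest = line[pre.end():] if rx.get("offset") == "after_prematch" else line
    m = re.search(ossec_to_python(rx.text), rest)
    if m:  # prematch without a regex hit still counts as decoded, just without fields
        names = [n.strip() for n in dec.findtext("order").split(",")]
        for name, value in zip(names, m.groups()):
            fields[_ORDER_ALIASES.get(name, name)] = value
    return fields


def evaluate(rules_xml, fields):
    """Walk the rules in file order (simplified: no sibling ordering by level) and
    return the highest-level alerting rule, or None when only level-0 rules match."""
    if fields is None:
        return None
    matched, best = set(), None
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.findtext("decoded_as") and rule.findtext("decoded_as") != fields.get("decoder"):
            continue
        if rule.findtext("if_sid") and rule.findtext("if_sid").strip() not in matched:
            continue
        if rule.findtext("action") and rule.findtext("action") != fields.get("action"):
            continue
        matched.add(rule.get("id"))
        level = int(rule.get("level"))
        if level > 0 and (best is None or level > best["level"]):
            best = {"id": rule.get("id"), "level": level,
                    "description": rule.findtext("description")}
    return best


def run(line):
    """Decode a line and return the alerting rule, mirroring the logtest run."""
    return evaluate(RULES_XML, decode(DECODER_XML, line))


if __name__ == "__main__":
    for sample in (LOGIN_LINE, LOGOUT_LINE):
        print(decode(DECODER_XML, sample), "->", run(sample))
```

Running it reproduces the logtest result for the login line (rule 100004, level 12, dstuser admin) and shows the logout variant landing on rule 100003, which makes it quick to check whether a decoder or rule edit still matches before reloading the real daemon. Because the translation is an approximation, ossec-logtest remains the authority on what the installed OSSEC will do with a line.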
