Hi Dan,

Thanks for the info, been working on this for the last few days and unfortunately I tried this approach and could not get it to work. In the end installed syslog-ng & picked up the info locally from a file/imported into ossec just like any other log file. This worked like a dream and getting all the alerts/emails now :)

Once again thanks for replying and for anyone else trying this syslog-ng might be your friend ...
On Friday, July 27, 2018 at 3:39:01 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Jul 25, 2018 at 2:42 PM, mjwoods69 via ossec-list <[email protected]> wrote:
> > Hi
> >
> > Trying to get alerting implemented on my nas. Unfortunately my work to date has failed, in summary I have:
> >
> > 1. Identified the log message in /var/ossec/logs/archives/archives.log, this is sent from nas to ossec via syslog ->
> >
> > 2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK
> >
>
> archives.log has a meta data header attached: `2018 Jul 25 17:55:58 nas->10.0.0.3 `
> Remove this header for the actual log: `Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK`
>
> Using the non-meta-data-encumbered log message with a modified decoder gives the following output:
>
> ossec-testrule: Type one log per line.
>
> Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'
>        hostname: 'nas'
>        program_name: 'qlogd'
>        log: 'conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'
>
> **Phase 2: Completed decoding.
>        decoder: 'qlogd'
>        dstuser: 'admin'
>        srcip: '10.0.0.54'
>        action: 'Login'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100004'
>        Level: '12'
>        Description: 'nas user logged in'
> **Alert to be generated.
>
>
> Modified decoder:
>
> <decoder name="qlogd">
>   <program_name>^qlogd</program_name>
>   <regex>\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
>   <order>user, srcip, action</order>
> </decoder>
>
> Next, I restart the ossec processes on the manager, and use `logger` to test the log:
> `echo 'conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK' | logger -t qlogd`
> I get the following in `/var/log/messages`:
> Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK
>
> And the following in `/var/ossec/logs/alerts/alerts.log`:
> ** Alert 1532702200.100802: mail - syslog,qlogd,
> 2018 Jul 27 10:36:40 rossak->/var/log/messages
> Rule: 100004 (level 12) -> 'nas user logged in'
> Src IP: 10.0.0.54
> User: admin
> Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'
>
> >
> > 2. Constructed a decoder at /var/ossec/etc/local_decoder.xml ->
> >
> > <decoder name="qlogd">
> >   <prematch>\S+ qlogd</prematch>
> >   <regex offset="after_prematch">\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
> >   <order>user, srcip, action</order>
> > </decoder>
> >
> > 3. Constructed a number of rules at /var/ossec/rules/local_rules.xml ->
> >
> > <group name="syslog,qlogd,">
> >   <rule id="100002" level="0">
> >     <decoded_as>qlogd</decoded_as>
> >     <description>qlogd messages to analyze</description>
> >   </rule>
> >   <rule id="100003" level="12">
> >     <if_sid>100002</if_sid>
> >     <action>Logout</action>
> >     <description>nas user logged out</description>
> >   </rule>
> >   <rule id="100004" level="12">
> >     <if_sid>100002</if_sid>
> >     <action>Login</action>
> >     <description>nas user logged in</description>
> >   </rule>
> > </group>
> >
> > 4. Confirmed grammar via /var/ossec/bin/ossec-logtest ->
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'
> >        hostname: 'pi'
> >        program_name: '(null)'
> >        log: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , Accessed resources: Administration, Action: Login OK'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'qlogd'
> >        dstuser: 'admin'
> >        srcip: '10.0.0.54'
> >        action: 'Login'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100004'
> >        Level: '12'
> >        Description: 'nas user logged in'
> > **Alert to be generated.
> >
> > Unfortunately this does not result in any alerts/emails. Done the usual googling & reading of "OSSEC HIDS Host-Based ....." but still cannot figure out what I'm doing wrong. Will be super grateful if someone could point out what I have done wrong.
> >
> > Regards
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
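The pre-decoding point dan makes above, shown as an added example that is not part of this thread or of OSSEC itself: a small stand-in for OSSEC's syslog pre-decoder plus the thread's qlogd decoder regex translated to Python syntax (OSSEC's `\.` meaning "any character" becomes `.`, and its literal `.` becomes `\.`). Feeding it the raw syslog line yields `program_name` qlogd and rule 100004, while the same line wrapped in the archives.log header yields no program name, so a `<program_name>` decoder never fires. The header regex, the `predecode`/`decode_qlogd`/`match_rule` helpers and the sample lines are constructed for this illustration.

```python
import re

# Constructed stand-in for OSSEC's syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: log".
SYSLOG_HDR = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")

# The thread's decoder <regex>, rewritten in Python syntax (see lead-in).
QLOGD_RE = re.compile(
    r".+ Users: (\S+), Source IP: (\d+\.\d+\.\d+\.\d+), .+ Action: (\S+)")
# <order>user, srcip, action</order>; ossec-logtest reports 'user' as dstuser.
ORDER = ("dstuser", "srcip", "action")


def predecode(event):
    """Split off the syslog header; program_name stays unset if none is found."""
    m = SYSLOG_HDR.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}


def decode_qlogd(pre):
    """Gate on <program_name>^qlogd</program_name>, then apply the decoder regex."""
    if pre["program_name"] != "qlogd":
        return None
    m = QLOGD_RE.match(pre["log"])
    return dict(zip(ORDER, m.groups())) if m else None


def match_rule(fields):
    """Child rules 100003/100004 from the thread, keyed on the decoded action."""
    if fields is None:
        return None
    return {"Login": 100004, "Logout": 100003}.get(fields["action"])


# Constructed sample lines in the form quoted in the thread.
RAW = ("Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP: "
       "10.0.0.54, Computer name: ---, Connection type: , Accessed resources: "
       "Administration, Action: Login OK")
ARCHIVED = "2018 Jul 25 13:44:58 nas->10.0.0.3 " + RAW  # archives.log wrapper

if __name__ == "__main__":
    for line in (RAW, ARCHIVED):
        pre = predecode(line)
        print(pre["program_name"], match_rule(decode_qlogd(pre)))
```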
