Thanks man, that helped me a LOT, it was a problem with the SMTP server.

On Friday, August 10, 2018 at 3:17:59 PM UTC+2, dan (ddpbsd) wrote:
>
> Just a couple of quick ones. I took 3 of the logs you provided, and
> used `ossec-logtest` to see how they were decoded.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 9 06:00:00 server2 systemd: pam_unix(systemd-user:session): session opened for user dzoni by ($'
>        hostname: 'server2'
>        program_name: 'systemd'
>        log: 'pam_unix(systemd-user:session): session opened for user dzoni by ($'
>
> **Phase 2: Completed decoding.
>        decoder: 'pam'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5501'
>        Level: '3'
>        Description: 'Login session opened.'
> **Alert to be generated.
>
>
> So the above log will create an alert of id 5501. It's only a level 3,
> so it probably doesn't make it to your email.
> You can either lower the email alert level in the ossec.conf, or
> modify the rule to always alert (add <options>alert_by_email</options>
> to the rule).
> Something like this in `/var/ossec/rules/local_rules.xml` (totally
> untested):
> <rule id="5501" level="3" overwrite="yes">
>   <if_sid>5500</if_sid>
>   <match>session opened for user </match>
>   <options>alert_by_email</options>
>   <description>Login session opened.</description>
>   <group>authentication_success,</group>
> </rule>
>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni'
>        hostname: 'server2'
>        program_name: 'systemd-logind'
>        log: 'New session 1 of user dzoni'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> For this one, nothing matched. A decoder would have to be written,
> then a rule. Quick and dirty decoder (in
> /var/ossec/etc/local_decoder.xml):
> <decoder name="systemd-logind">
>   <program_name>^systemd-logind$</program_name>
>   <regex> of user (\S+)</regex>
>   <order>user</order>
> </decoder>
>
> Now we get:
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni'
>        hostname: 'server2'
>        program_name: 'systemd-logind'
>        log: 'New session 1 of user dzoni'
>
> **Phase 2: Completed decoding.
>        decoder: 'systemd-logind'
>        dstuser: 'dzoni'
>
> Still need a rule though. In /var/ossec/rules/local_rules.xml:
> <rule id="333333" level="3">
>   <decoded_as>systemd-logind</decoded_as>
>   <match>^New session </match>
>   <description>New session started for a user.</description>
>   <group>authentication</group>
> </rule>
>
> Gives us:
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni'
>        hostname: 'server2'
>        program_name: 'systemd-logind'
>        log: 'New session 1 of user dzoni'
>
> **Phase 2: Completed decoding.
>        decoder: 'systemd-logind'
>        dstuser: 'dzoni'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '333333'
>        Level: '3'
>        Description: 'New session started for a user.'
> **Alert to be generated.
>
> This probably isn't a high enough level to get an email, but adjust to
> taste.
>
>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 9 06:00:00 server2 login[818]: pam_unix(login:session): session opened for user dzoni by LOGIN$'
>        hostname: 'server2'
>        program_name: 'login'
>        log: 'pam_unix(login:session): session opened for user dzoni by LOGIN$'
>
> **Phase 2: Completed decoding.
>        decoder: 'pam'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5501'
>        Level: '3'
>        Description: 'Login session opened.'
> **Alert to be generated.
>
> Level 3 again, use the above advice to adjust.
>
>
> On Thu, Aug 9, 2018 at 9:58 AM, Dzenis Aslani <dzenis...@gmail.com> wrote:
> > Oh thank you, you are really helpful :) lol. How does it not matter where
> > you see the information? I told you I can't copy the text from the VM
> > (Ubuntu Server) to the PC (Win10), this was the only way to get data.
> >
> > On Thursday, August 9, 2018 at 3:49:29 PM UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Thu, Aug 9, 2018 at 9:40 AM, Dzenis Aslani <dzenis...@gmail.com> wrote:
> >> > I couldn't copy from the virtual machine but I did make a picture. I hope
> >> > that it helps
> >> >
> >> > https://drive.google.com/file/d/11na75k4lPAXUAPowmIjugjpEvQXzqw5n/view?usp=sharing
> >> > https://drive.google.com/open?id=11na75k4lPAXUAPowmIjugjpEvQXzqw5n
> >> > https://drive.google.com/open?id=1PaG4-TNLjxtrnbjyFxw-xEpYuoNnDMeM
> >> > https://drive.google.com/open?id=1zGzEZesuN_CWkW3NRn1wWIqbYFxDiHIp
> >> > https://drive.google.com/open?id=1UhyhOpUsG2WgL0Eie9N8DtArNh-6knJQ
> >> >
> >>
> >> OSSEC doesn't process images, so it might take a while to type out the
> >> interesting ones.
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to ossec-list+...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
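As an added example (not code from this thread, and not OSSEC's own code), here is a small Python model of the three ossec-logtest phases dan walks through above, run over the three sample lines he quoted. It is deliberately simplified: the `pam` decoder is a stand-in for the stock one, only rules 5501 and 333333 exist, "first matching rule wins" replaces OSSEC's rule tree, Python `re` approximates OSSEC's own regex dialect, and the threshold of 7 is the stock `<email_alert_level>` from ossec.conf. What it shows is the point of the exchange: both level-3 alerts stay below the e-mail threshold until rule 5501 is overwritten with `alert_by_email` (or the threshold is lowered), and the systemd-logind line yields nothing at all until both a decoder and a rule exist for it.

```python
"""Toy model of the ossec-logtest phases: pre-decode, decode, rules.

Added example, NOT OSSEC code: the pam decoder is a simplified stand-in,
only rules 5501 and 333333 exist, the first matching rule wins instead of
walking OSSEC's rule tree, and Python `re` stands in for OSSEC's regex dialect.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EMAIL_ALERT_LEVEL = 7  # stock <email_alert_level> in ossec.conf

# Constructed sample input: the three lines quoted from the logtest output
# in the thread (the trailing '$' on the pam lines is kept as shown there).
SAMPLE_LOGS = [
    "Aug 9 06:00:00 server2 systemd: pam_unix(systemd-user:session): "
    "session opened for user dzoni by ($",
    "Aug 9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni",
    "Aug 9 06:00:00 server2 login[818]: pam_unix(login:session): "
    "session opened for user dzoni by LOGIN$",
]

# Phase 1: syslog header -> hostname, program_name (pid dropped), log
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+"
    r"(?P<hostname>\S+)\s+(?P<program_name>[^\s\[:]+)(?:\[\d+\])?:\s*(?P<log>.*)$"
)


def predecode(line: str) -> Optional[Dict[str, str]]:
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


@dataclass
class Decoder:
    name: str
    program_name: Optional[str] = None  # <program_name>: regex on the program
    prematch: Optional[str] = None      # <prematch>: regex the log must hit
    regex: Optional[str] = None         # <regex>: capture groups ...
    order: Tuple[str, ...] = ()         # <order>: ... named by these fields

    def decode(self, event: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Phase 2: return extracted fields, or None if this decoder does not apply."""
        if self.program_name and not re.search(self.program_name, event["program_name"]):
            return None
        if self.prematch and not re.search(self.prematch, event["log"]):
            return None
        fields: Dict[str, str] = {}
        if self.regex:
            m = re.search(self.regex, event["log"])
            if not m:
                return None
            for name, value in zip(self.order, m.groups()):
                fields["dstuser" if name == "user" else name] = value  # logtest shows 'dstuser'
        return fields


@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None
    match: Optional[str] = None   # <match>: substring test, a leading '^' anchors
    alert_by_email: bool = False  # <options>alert_by_email</options>

    def matches(self, decoder_name: Optional[str], log: str) -> bool:
        if self.decoded_as and decoder_name != self.decoded_as:
            return False
        if self.match is None:
            return True
        if self.match.startswith("^"):
            return log.startswith(self.match[1:])
        return self.match in log


def merge_rules(stock: List[Rule], local: List[Rule]) -> List[Rule]:
    """local_rules.xml semantics: a local rule with the same id (overwrite="yes") replaces the stock one."""
    by_id = {r.id: r for r in stock}
    for r in local:
        by_id[r.id] = r
    return list(by_id.values())


def process(line, decoders, rules, email_alert_level=EMAIL_ALERT_LEVEL) -> dict:
    """Run one line through all three phases; 'email' says whether it would be mailed."""
    result = {"decoder": None, "fields": {}, "rule_id": None, "level": None, "email": False}
    event = predecode(line)
    if event is None:
        return result
    for d in decoders:
        fields = d.decode(event)
        if fields is not None:
            result["decoder"], result["fields"] = d.name, fields
            break
    for r in rules:  # simplification: first matching rule wins
        if r.matches(result["decoder"], event["log"]):
            result["rule_id"], result["level"] = r.id, r.level
            result["email"] = r.alert_by_email or r.level >= email_alert_level
            break
    return result


# Simplified stand-ins for the stock 'pam' decoder and rule 5501 (not OSSEC's definitions).
STOCK_DECODERS = [Decoder(name="pam", prematch=r"^pam_unix\(")]
STOCK_RULES = [Rule(5501, 3, "Login session opened.", decoded_as="pam",
                    match="session opened for user ")]

# The local_decoder.xml / local_rules.xml additions proposed in the thread, translated 1:1.
LOCAL_DECODERS = [Decoder(name="systemd-logind", program_name=r"^systemd-logind$",
                          regex=r" of user (\S+)", order=("user",))]
LOCAL_RULES = [
    Rule(5501, 3, "Login session opened.", decoded_as="pam",
         match="session opened for user ", alert_by_email=True),   # overwrite="yes"
    Rule(333333, 3, "New session started for a user.",
         decoded_as="systemd-logind", match="^New session "),
]

if __name__ == "__main__":
    for label, decs, rules in (("stock", STOCK_DECODERS, STOCK_RULES),
                               ("with local files", STOCK_DECODERS + LOCAL_DECODERS,
                                merge_rules(STOCK_RULES, LOCAL_RULES))):
        print(f"== {label} ==")
        for line in SAMPLE_LOGS:
            print(process(line, decs, rules))
```

Running it prints one dict per line for the stock configuration and again with the local files applied; the real check is still `ossec-logtest` against the actual `/var/ossec` tree, since OSSEC's regex dialect and rule tree differ from this approximation.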