PS: change in approach... how about a really simple example of a custom rule and decoder for the server side (that would go into /var/ossec/rules/local_rules.xml and /var/ossec/etc/local_decoder.xml respectively), and a statement for an ossec.conf on the Windows client side?

These would monitor any common event from the client-side Windows event log, show up in /var/ossec/logs/archive/archive.log on the server side, and trigger an email alert with a high level value (e.g., 10). I.e., a "known good" set of examples I can use to help with troubleshooting?

On Wednesday, August 16, 2023 at 9:35:30 AM UTC-4 Secure moi wrote:

> Hi all - have been beating my head against the wall for some time now trying to get any sort of custom rules/decoders/alerts to work (have an ubuntu server, windows 10 and server 2019 clients, all updated & patched). Not finding the testing tool nor the logs helpful (the ossec log not throwing errors other than a duplicate agent key which I don't think is the problem), though suspect this is some sort of user knowledge problem (mine) that "everyone else knows"....
>
> One oddity, while my ossec.conf on the server points to the canned rule sets (most of which I think are aimed at linux) in /var/ossec/rules, only rule 18107 in msauth_rules.xml is generating alerts that show up in my email (I've got the email alert part of ossec.conf set to 1, figuring I'd tighten that up later). Various alerts are showing up in archives.log and alerts.log, and e.g., alert settings in ms-se_rules.xml don't seem to work though the level is set to 7, 12 etc on many of the rules, including when I do an Eicar test on a windows client that shows up in the windows event log. When I try to add in a <decoded_as> statement, ossec starts and runs fine (I think) but the testing tool using archive.log entries returns "no decoder found".
>
> Have tried putting a <local file> statement on the windows client pointing to the defender operational log that seems not to upset the ossec agent/service/agent log but doesn't seem to matter in terms of things showing up in the archives.log on the server.
>
> Hoping for some tips on where to start to troubleshoot this all more effectively than I'm doing now (happy to provide logs and configs, more specificity on os versions etc).
>
> Help? Thx:)

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/7bd40757-cf2e-465b-be3c-3de9a7446ed2n%40googlegroups.com.
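A minimal "known good" pair of the kind requested above, added here as an example and not taken from the thread or from the OSSEC project: a server-side local rule that fires on any Windows event log entry and a child rule for a Defender detection, plus the agent-side localfile statement. Assumptions (not stated in the thread): rule ids 100100 and 100101 are unused in your local range, the stock msauth_rules.xml still provides parent rule 18100, the agent config lives at the default Windows install path, and Defender logs a detection as event id 1116 in its Operational channel. No entry in local_decoder.xml is needed, because WinEvtLog lines shipped by an agent are already parsed by the built-in windows decoder; a custom <decoded_as> pointing at a decoder name that does not exist is what makes ossec-logtest report "no decoder found".

```xml
<!-- File 1: /var/ossec/rules/local_rules.xml (server side). Added example. -->
<group name="local,windows,">

  <!-- Catch-all for troubleshooting: matches every event the built-in
       "windows" decoder parsed (child of rule 18100 in msauth_rules.xml).
       Level 10 with alert_by_email mails every Windows event, which is
       the point while proving the agent -> server -> email path; lower
       the level or remove the rule once it is proven. -->
  <rule id="100100" level="10">
    <if_sid>18100</if_sid>
    <description>LOCAL TEST: Windows event log entry received from agent</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Chained under 100100 so evaluation order among siblings does not
       matter: when the event is a Defender detection (event id 1116,
       assumed; an EICAR test file produces one) this rule wins instead.
       <id> tests the decoded event id, <match> is a substring test on
       the whole log line. -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <id>^1116$</id>
    <match>Windows Defender</match>
    <description>LOCAL: Windows Defender reported a malware detection</description>
    <group>virus,</group>
    <options>alert_by_email</options>
  </rule>

</group>

<!-- File 2: C:\Program Files (x86)\ossec-agent\ossec.conf (Windows agent
     side, default install path assumed). Only the localfile entries are
     shown; keep the rest of the agent config as it is. -->
<ossec_config>
  <!-- Classic event logs use the eventlog reader (shipped by default). -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <!-- Defender's Operational channel is a Vista+ style channel, so it
       needs the eventchannel reader, not eventlog. -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

Restart the server with /var/ossec/bin/ossec-control restart after editing the rules, then paste a "WinEvtLog: ..." line copied from archives.log into /var/ossec/bin/ossec-logtest: it should print rule 100100 (or 100101 for a Defender line), and if it does but no email arrives, the problem is on the email side rather than in the rules.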