Re: [ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread dan (ddp)
On Dec 8, 2015 10:58 AM, "Maxim Surdu" wrote:
>
> Alert is working fine!
> In Kibana the log is coming with 2015 Dec 08 17:45:20
> in the mail alert it is coming with 2015 Dec 08 07:45:20
> not 17:45 or 05:45 but 07:45, and this can be problematic
>

Which one is correct? If the OSSEC alert is wrong, check the timezone file
at /var/ossec/etc/localtime.
I'm not sure how to check the timezone of the Kibana instance.

>
>
> Monday, 7 December 2015, 12:09:40 UTC+2, Maxim Surdu wrote:
>>
>> Hi everyone,
>>
>> I am new to OSSEC, I configured ossec-server and ossec agent, all is
>> working formidably!
>> but I need to create an alert to show me people who are logging in outside
>> working hours in my system server or agent
>> for example my company working hours are Monday-Friday from 09.00 until
>> 18.00 and I need to know who from my employers is working after work-hours!
>>
>> Any help would be greatly appreciated
>>
>> Thanks,
>> Maxim
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



[ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread Maxim Surdu
Alert is working fine!
In Kibana the log is coming with 2015 Dec 08 17:45:20
in the mail alert it is coming with 2015 Dec 08 07:45:20
not 17:45 or 05:45 but 07:45, and this can be problematic


Monday, 7 December 2015, 12:09:40 UTC+2, Maxim Surdu wrote:
>
> Hi everyone,
>
> I am new to OSSEC, I configured ossec-server and ossec agent, all is 
> working formidably!
> but I need to create an alert to show me people who are logging in outside 
> working hours in my system server or agent 
> for example my company working hours are Monday-Friday from 09.00 until 
> 18.00 and I need to know who from my employers is working after work-hours!
>
> Any help would be greatly appreciated
>  
> Thanks,
> Maxim
>



[ossec-list] Re: alert for logging outside working hours

2015-12-08 Thread Maxim Surdu
The correct time is shown in Kibana.

Monday, 7 December 2015, 12:09:40 UTC+2, Maxim Surdu wrote:
>
> Hi everyone,
>
> I am new to OSSEC, I configured ossec-server and ossec agent, all is 
> working formidably!
> but I need to create an alert to show me people who are logging in outside 
> working hours in my system server or agent 
> for example my company working hours are Monday-Friday from 09.00 until 
> 18.00 and I need to know who from my employers is working after work-hours!
>
> Any help would be greatly appreciated
>  
> Thanks,
> Maxim
>



Re: [ossec-list] Re: OSSEC - Windows Event Log - PowerShell Alerts

2015-12-08 Thread Daniel
So basically what you're doing is looking for INFO logs and then matching 
the log content and not the actual log ID? Interesting. My general rule 
workflow is this: 
If OS=WINDOWS, then if TYPE=ERROR/INFO/WARN/etc, then if EVENTID=x, then 
create alert with LEVEL=y.

Types can be referenced in /rules/msauth_rules.xml, with 18101 
being informational. Also, check out 
"http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf"

My basic PowerShell rule looks like the following:

<group name="windows,">
  <!-- The archive stripped the XML tags; the group name and the rule's id and
       level were not preserved, so those values are placeholders. -->
  <rule id="100100" level="5">
    <if_sid>18101</if_sid>
    <id>^400$|^403$</id>
    <match>PowerShell</match>
    <description>PowerShell Started/Stopped.</description>
    <!-- From "Windows PowerShell.evtx" -->
  </rule>
</group>


On Wednesday, December 2, 2015 at 4:02:25 PM UTC-5, Phillipa Moorea wrote:
>
> Thanks for all the help from you (Santiago), from dan, some other posts on 
> here, github repository issues, a book I bought on ossec for $10, and the 
> work of the OSSEC developers that made the 2.8.3 update, and of course the 
> people in the AlienVault Labs!
>
> I was now able to get the alerts working.  I analyzed the PowerShell logs 
> and changed my rules a bit.  Here is what I changed it to:
>
> <group name="windows,">
>   <!-- The archive stripped the XML tags. 100210-100212 are the ids the
>        child rules reference; the group name, the rule levels and the ids
>        of the child rules were not preserved, so those are placeholders. -->
>   <rule id="100210" level="3">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Script</match>
>     <description>Powershell Script.</description>
>   </rule>
>   <rule id="100211" level="3">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Cmdlet</match>
>     <description>Powershell Command.</description>
>   </rule>
>   <rule id="100212" level="3">
>     <if_sid>18100,18101</if_sid>
>     <match>CommandType=Function</match>
>     <description>Powershell Function.</description>
>   </rule>
>   <rule id="100213" level="3">
>     <if_sid>100210</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Script (500-Started).</description>
>   </rule>
>   <rule id="100214" level="3">
>     <if_sid>100210</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Script (501-Stopped).</description>
>   </rule>
>   <rule id="100215" level="3">
>     <if_sid>100211</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Command (500-Started).</description>
>   </rule>
>   <rule id="100216" level="3">
>     <if_sid>100211</if_sid>
>     <match>NewCommandState=Stopped</match>
>     <description>Powershell Command (501-Stopped).</description>
>   </rule>
>   <rule id="100217" level="3">
>     <if_sid>100212</if_sid>
>     <match>NewCommandState=Started</match>
>     <description>Powershell Function (500-Started).</description>
>   </rule>
> ...

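Added worked example for both threads on this page: the after-hours login alert and the 17:45/07:45 time-zone discrepancy in the first, and the PowerShell rule chains in the second. It is not OSSEC's code and not any poster's; it is a small Python evaluator for a subset of OSSEC rule semantics (if_sid, id, match, time, weekday) run over constructed sample events. Sids 18101 and 100210 and the ^400$|^403$ regex come from the thread and 5715 is OSSEC's stock sshd success rule; every other sid, level, log line and zone offset is an assumption made for the demonstration. It goes a little beyond the thread by showing how an "outside working hours" condition is expressed as a wrapped overnight window plus a weekend rule, and why the server's local clock, not the event's own timestamp, decides whether such a rule fires.

```python
"""Toy evaluator for a subset of OSSEC rule semantics over constructed events.
Added illustration for this thread, not OSSEC's decoder/analysisd code.
Sids 18101 and 100210 are cited in the thread, 5715 is OSSEC's stock sshd
success rule; all other sids, levels, zone offsets and log lines are placeholders."""
import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    sid: int
    level: int
    description: str
    if_sid: Optional[int] = None        # <if_sid>: parent that must already have matched
    event_id: Optional[str] = None      # <id>: regex over the Windows event ID
    match: Optional[str] = None         # <match>: substring required in the log line
    window: Optional[Tuple[time, time]] = None  # <time>: (start, end); wraps if start > end
    weekday: Optional[str] = None       # <weekday>: "weekdays" or "weekends"


@dataclass
class Event:
    log: str
    received_utc: datetime   # when analysisd saw the event (aware UTC datetime)
    event_id: str = ""       # what the Windows decoder would extract; supplied directly here


def in_window(local: datetime, window: Tuple[time, time]) -> bool:
    """Server-local clock time inside the window; (18:00, 09:00) wraps past midnight."""
    start, end = window
    t = local.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def weekday_ok(local: datetime, spec: str) -> bool:
    weekend = local.weekday() >= 5   # Monday == 0 ... Sunday == 6
    return weekend if spec == "weekends" else not weekend


def rule_matches(rule: Rule, event: Event, matched: Set[int], local: datetime) -> bool:
    if rule.if_sid is not None and rule.if_sid not in matched:
        return False
    if rule.event_id and not re.search(rule.event_id, event.event_id):
        return False
    if rule.match and rule.match not in event.log:
        return False
    # <time>/<weekday> are checked against the analysis server's own clock, not a
    # timestamp parsed from the event; that is why /var/ossec/etc/localtime matters.
    if rule.window and not in_window(local, rule.window):
        return False
    if rule.weekday and not weekday_ok(local, rule.weekday):
        return False
    return True


def evaluate(rules: List[Rule], event: Event, server_tz: timezone) -> Optional[Rule]:
    """Walk rules in file order (parents before children); keep the most specific match."""
    local = event.received_utc.astimezone(server_tz)
    matched: Set[int] = set()
    last = None
    for rule in rules:
        if rule_matches(rule, event, matched, local):
            matched.add(rule.sid)
            last = rule
    return last


RULES = [
    Rule(18101, 0, "Windows informational event", match="INFORMATION"),  # silent parent
    # Daniel's engine start/stop rule: event IDs 400/403 of the Windows PowerShell log.
    Rule(100100, 5, "PowerShell Started/Stopped.", if_sid=18101,
         event_id=r"^400$|^403$", match="PowerShell"),
    # Phillipa's content-based chain (100220 is a placeholder child id).
    Rule(100210, 0, "Powershell Script.", if_sid=18101, match="CommandType=Script"),
    Rule(100220, 5, "Powershell Script (500-Started).", if_sid=100210,
         match="NewCommandState=Started"),
    # After-hours logins for the first thread: Mon-Fri 09:00-18:00 is normal, so
    # alert on weekday logins between 18:00 and 09:00 and on any weekend login.
    Rule(5715, 0, "sshd: authentication success.", match="Accepted password"),
    Rule(100301, 8, "Login outside working hours.", if_sid=5715,
         window=(time(18, 0), time(9, 0)), weekday="weekdays"),
    Rule(100302, 8, "Login at the weekend.", if_sid=5715, weekday="weekends"),
]


def alert_sid(event: Event, server_tz: timezone) -> Optional[int]:
    """Sid that would be alerted on, or None when only silent rules matched."""
    rule = evaluate(RULES, event, server_tz)
    return None if rule is None or rule.level == 0 else rule.sid


# Constructed sample events. 2015-12-08 is a Tuesday, 2015-12-12 a Saturday.
PS_START = Event("WinEvtLog: Windows PowerShell: INFORMATION(400): PowerShell: "
                 "Engine state is changed from None to Available.",
                 datetime(2015, 12, 8, 15, 45, 20, tzinfo=timezone.utc), event_id="400")
PS_SCRIPT = Event("WinEvtLog: Windows PowerShell: INFORMATION(500): PowerShell: "
                  "CommandType=Script, NewCommandState=Started",
                  datetime(2015, 12, 8, 15, 46, 0, tzinfo=timezone.utc), event_id="500")
LOGIN_1745 = Event("Dec  8 17:45:20 srv sshd[2211]: Accepted password for alice "
                   "from 10.0.0.5 port 51022 ssh2",
                   datetime(2015, 12, 8, 15, 45, 20, tzinfo=timezone.utc))
WEEKEND_LOGIN = Event("Dec 12 12:00:01 srv sshd[2290]: Accepted password for bob "
                      "from 10.0.0.6 port 51100 ssh2",
                      datetime(2015, 12, 12, 10, 0, 1, tzinfo=timezone.utc))
# Fixed offsets so this runs without tzdata; assumptions, not the poster's real zones.
CORRECT_TZ = timezone(timedelta(hours=2))   # 15:45 UTC reads as 17:45: inside hours
WRONG_TZ = timezone(timedelta(hours=-8))    # same event reads as 07:45: false alert
```

Calling alert_sid(PS_START, CORRECT_TZ) walks 18101 into Daniel's 400/403 rule, and alert_sid(PS_SCRIPT, CORRECT_TZ) walks 18101 into 100210 and then its NewCommandState child, which is the two matching styles the second thread compares (event ID versus message content). For the first thread, the same 15:45 UTC login yields no alert with the correct server zone (17:45 local is inside working hours) but fires the after-hours rule under the wrong zone (07:45 local), which is the kind of false positive a mismatched /var/ossec/etc/localtime produces; the weekend login fires the weekend rule regardless of the hour.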