[ossec-list] audispd 1002 errors
Hello,

I currently have Nagios monitoring SSH on my servers, which produces a login failure. This is picked up by OSSEC as a 1002. I have audit logging to syslog via audispd. I have not been able to create a rule for this and have been unsuccessful in ignoring SSH requests from my Nagios/monitoring server. Anyone have a rule or any way to get around this problem? I am getting hundreds of these alerts per day. I cannot change the monitoring at this time.

Received From: hids->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

2012-10-01T07:59:40.429266-06:00 hids audispd: node=hids.XX.com type=USER_LOGIN msg=audit(1349099980.428:16816): user pid=10188 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe=/usr/sbin/sshd hostname=? addr=XXX.XXX.XXX.XXX terminal=ssh res=failed'

--
Matthew Feinberg
Re: [ossec-list] audispd 1002 errors
On Mon, Oct 1, 2012 at 10:07 AM, thewebbie <theweb...@gmail.com> wrote:
> Hello,
>
> I currently have Nagios monitoring SSH on my servers, which produces a login failure. This is picked up by OSSEC as a 1002. I have audit logging to syslog via audispd. I have not been able to create a rule for this and have been unsuccessful in ignoring SSH requests from my Nagios/monitoring server. Anyone have a rule or any way to get around this problem? I am getting hundreds of these alerts per day. I cannot change the monitoring at this time.
>
> Received From: hids->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> 2012-10-01T07:59:40.429266-06:00 hids audispd: node=hids.XX.com type=USER_LOGIN msg=audit(1349099980.428:16816): user pid=10188 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe=/usr/sbin/sshd hostname=? addr=XXX.XXX.XXX.XXX terminal=ssh res=failed'
>
> --
> Matthew Feinberg

I'm not sure why you were having problems, but this is a simple fix.

Add to /var/ossec/etc/local_decoder.xml:

  <decoder name="audispd">
    <program_name>audispd</program_name>
    <regex>node=(\S+) \.+ addr=(\S+) terminal=</regex>
    <order>extra_data,srcip</order>
  </decoder>

Add to /var/ossec/rules/local_rules.xml:

  <rule id="110005" level="3">
    <decoded_as>audispd</decoded_as>
    <srcip>XXX.XXX.XXX.XXX</srcip> <!-- FIX THIS -->
    <description>Blah</description>
  </rule>

Restart OSSEC. Try again.
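To see what the posted decoder and rule actually do to the sample line, here is an added Python model of them; it is not OSSEC's code and not part of the reply above. It applies the same regex (with OSSEC's "\." rewritten as Python's "."), the same extra_data/srcip field order, and the same decoded_as + srcip rule logic to a few constructed audispd lines, and it also decodes the hex-encoded acct= field, which the audit subsystem emits whenever the account string contains spaces or other special characters. The Nagios address 192.0.2.10 and the node name hids.example.com are assumptions standing in for the redacted values, and the word check standing in for rule 1002 is a simplification of OSSEC's generic catch-all.

```python
import re

# Assumptions standing in for the values redacted in the post.
NAGIOS_IP = "192.0.2.10"        # the Nagios/monitoring host (RFC 5737 range)
NODE = "hids.example.com"       # the node= value, written hids.XX.com above

# The decoder's <regex>, translated: in OSSEC's dialect "\." matches any
# character, so "\.+" becomes ".+"; "\S+" means the same in both.
AUDISPD_RE = re.compile(r"node=(\S+) .+ addr=(\S+) terminal=")
AUDISPD_ORDER = ("extra_data", "srcip")   # the decoder's <order>

# Syslog line as written to /var/log/messages: "<ts> <host> <program>: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")

# Simplified stand-in for the word list behind OSSEC's generic rule 1002.
BAD_WORDS = ("failed", "failure", "error", "denied", "refused")


def decode_audit_field(value: str) -> str:
    """audit quotes a clean string value (acct="root") and hex-encodes one that
    contains spaces, quotes or non-printables (acct=28756E...). Undo both."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def decode(line: str) -> dict:
    """Apply the posted local decoder; returns {} when it does not match."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "audispd":     # <program_name>audispd</program_name>
        return {}
    r = AUDISPD_RE.search(m.group("msg"))
    if not r:
        return {}
    fields = dict(zip(AUDISPD_ORDER, r.groups()))  # <order>extra_data,srcip</order>
    fields["decoded_as"] = "audispd"
    acct = re.search(r"acct=(\S+)", m.group("msg"))
    if acct:
        fields["acct"] = decode_audit_field(acct.group(1))
    return fields


def match_rule(line: str) -> tuple:
    """(rule id, level) the line ends up on with the posted rule in place."""
    fields = decode(line)
    # <rule id="110005" level="3"><decoded_as>audispd</decoded_as><srcip>NAGIOS_IP</srcip>
    if fields.get("decoded_as") == "audispd" and fields.get("srcip") == NAGIOS_IP:
        return (110005, 3)
    # Anything else keeps landing on the catch-all, as in the original alert.
    if any(word in line.lower() for word in BAD_WORDS):
        return (1002, 2)
    return (0, 0)


def audispd_line(addr: str, res: str) -> str:
    """Build a constructed audispd line modelled on the one in the post."""
    return (
        "2012-10-01T07:59:40.429266-06:00 hids audispd: "
        f"node={NODE} type=USER_LOGIN msg=audit(1349099980.428:16816): "
        "user pid=10188 uid=0 auid=4294967295 ses=4294967295 "
        "msg='op=login acct=28756E6B6E6F776E207573657229 exe=/usr/sbin/sshd "
        f"hostname=? addr={addr} terminal=ssh res={res}'"
    )


# Constructed sample lines (not from the original post).
NAGIOS_PROBE = audispd_line(NAGIOS_IP, "failed")        # what the Nagios check generates
OTHER_FAILURE = audispd_line("198.51.100.7", "failed")  # a failed login worth keeping
NAGIOS_SUCCESS = audispd_line(NAGIOS_IP, "success")      # also swallowed by the srcip rule

if __name__ == "__main__":
    for line in (NAGIOS_PROBE, OTHER_FAILURE, NAGIOS_SUCCESS):
        print(match_rule(line), decode(line))
```

Two practical points the model makes visible. The posted rule is level 3, so OSSEC still raises an alert for every probe, just under rule 110005 instead of 1002; to make the lines disappear entirely, give the rule level="0", which OSSEC treats as "ignore". And because the rule keys only on decoded_as and srcip, it catches every audispd line from the monitoring host, successful logins included; adding <match>res=failed</match> narrows it to the probes. The decoded acct= value, "(unknown user)", also explains why the line looks like a failed login for no account: the Nagios check never sends a valid username. The <rule> element belongs inside the <group> that local_rules.xml already contains.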
Re: [ossec-list] audispd 1002 errors
Thank you for the help. There is no /var/ossec/etc/local_decoder.xml; do I just create it?

On Mon, Oct 1, 2012 at 10:25 AM, dan (ddp) <ddp...@gmail.com> wrote:
> I'm not sure why you were having problems, but this is a simple fix.
>
> Add to /var/ossec/etc/local_decoder.xml:
>
>   <decoder name="audispd">
>     <program_name>audispd</program_name>
>     <regex>node=(\S+) \.+ addr=(\S+) terminal=</regex>
>     <order>extra_data,srcip</order>
>   </decoder>
>
> Add to /var/ossec/rules/local_rules.xml:
>
>   <rule id="110005" level="3">
>     <decoded_as>audispd</decoded_as>
>     <srcip>XXX.XXX.XXX.XXX</srcip> <!-- FIX THIS -->
>     <description>Blah</description>
>   </rule>
>
> Restart OSSEC. Try again.

--
Matthew Feinberg
Re: [ossec-list] audispd 1002 errors
On Mon, Oct 1, 2012 at 11:20 AM, thewebbie <theweb...@gmail.com> wrote:
> Thank you for the help. There is no /var/ossec/etc/local_decoder.xml; do I just create it?

It's been a million years since I've had to worry about that, but creating the file should work.