List: ossec-list
Subject: Re: [ossec-list] custom decoder & rules for nas device
From: mjwoods69 via ossec-list <ossec-list () googlegroups ! com>
Date: 2018-07-27 19:57:53
Message-ID: a6e251a0-e061-4b67-b630-bf5a37b346af () googlegroups ! com
Hi Dan
Thanks for the info. I've been working on this for the last few days and
unfortunately I tried this approach and could not get it to work. In the
end I installed syslog-ng and picked up the info locally from a file, imported
into ossec just like any other log file. This worked like a dream and I'm
getting all the alerts/emails now :) Once again thanks for replying, and for
anyone else trying this, syslog-ng might be your friend ...
On Friday, July 27, 2018 at 3:39:01 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Jul 25, 2018 at 2:42 PM, mjwoods69 via ossec-list
> <ossec...@googlegroups.com> wrote:
> > Hi
> >
> > Trying to get alerting implemented on my nas. Unfortunately my work to date
> > has failed, in summary I have:
> >
> > 1. Identified the log message in /var/ossec/logs/archives/archives.log, this
> > is sent from nas to ossec via syslog ->
> >
> > 2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn
> > log: Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection
> > type: , Accessed resources: Administration, Action: Login OK
> >
>
> archives.log has a meta data header attached: `2018 Jul 25 17:55:58 nas->10.0.0.3 `
> Remove this header for the actual log: `Jul 25 14:37:23 nas
> qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer
> name: ---, Connection type: , Accessed resources: Administration,
> Action: Login OK`
>
> Using the non-meta-data-encumbered log message with a modified decoder
> gives the following output:
>
> ossec-testrule: Type one log per line.
>
> Jul 25 14:37:23 nas qlogd[8736]: conn log: Users: admin, Source IP:
> 10.0.0.54, Computer name: ---, Connection type: , Accessed resources:
> Administration, Action: Login OK
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jul 25 14:37:23 nas qlogd[8736]: conn log: Users:
> admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: ,
> Accessed resources: Administration, Action: Login OK'
> hostname: 'nas'
> program_name: 'qlogd'
> log: 'conn log: Users: admin, Source IP: 10.0.0.54, Computer
> name: ---, Connection type: , Accessed resources: Administration,
> Action: Login OK'
>
> **Phase 2: Completed decoding.
> decoder: 'qlogd'
> dstuser: 'admin'
> srcip: '10.0.0.54'
> action: 'Login'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100004'
> Level: '12'
> Description: 'nas user logged in'
> **Alert to be generated.
>
>
> Modified decoder:
>
> <decoder name="qlogd">
>   <program_name>^qlogd</program_name>
>   <regex>\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
>   <order>user, srcip, action</order>
> </decoder>
>
> Next, I restart the ossec processes on the manager, and use `logger`
> to test the log:
> `echo 'conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
> ---, Connection type: , Accessed resources: Administration, Action:
> Login OK' | logger -t qlogd`
> I get the following in `/var/log/messages`:
> Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP:
> 10.0.0.54, Computer name: ---, Connection type: , Accessed resources:
> Administration, Action: Login OK
>
> And the following in `/var/ossec/logs/alerts/alerts.log`:
> ** Alert 1532702200.100802: mail - syslog,qlogd,
> 2018 Jul 27 10:36:40 rossak->/var/log/messages
> Rule: 100004 (level 12) -> 'nas user logged in'
> Src IP: 10.0.0.54
> User: admin
> Jul 27 10:36:40 rossak qlogd: conn log: Users: admin, Source IP:
> 10.0.0.54, Computer name: ---, Connection type: , Accessed resources:
> Administration, Action: Login OK'
>
>
>
> > 2. Constructed a decoder at /var/ossec/etc/local_decoder.xml ->
> >
> > <decoder name="qlogd">
> >   <prematch>\S+ qlogd</prematch>
> >   <regex offset="after_prematch">\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)</regex>
> >   <order>user, srcip, action</order>
> > </decoder>
> >
> > 3. Constructed a number of rules at /var/ossec/rules/local_rules.xml ->
> >
> > <group name="syslog,qlogd,">
> >   <rule id="100002" level="0">
> >     <decoded_as>qlogd</decoded_as>
> >     <description>qlogd messages to analyze</description>
> >   </rule>
> >   <rule id="100003" level="12">
> >     <if_sid>100002</if_sid>
> >     <action>Logout</action>
> >     <description>nas user logged out</description>
> >   </rule>
> >   <rule id="100004" level="12">
> >     <if_sid>100002</if_sid>
> >     <action>Login</action>
> >     <description>nas user logged in</description>
> >   </rule>
> > </group>
> >
> > 4. Confirmed grammar via /var/ossec/bin/ossec-logtest ->
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas
> > qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
> > ---, Connection type: , Accessed resources: Administration, Action: Login OK'
> > hostname: 'pi'
> > program_name: '(null)'
> > log: '2018 Jul 25 13:44:58 nas->10.0.0.3 Jul 25 14:37:23 nas
> > qlogd[8736]: conn log: Users: admin, Source IP: 10.0.0.54, Computer name:
> > ---, Connection type: , Accessed resources: Administration, Action: Login OK'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'qlogd'
> > dstuser: 'admin'
> > srcip: '10.0.0.54'
> > action: 'Login'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '100004'
> > Level: '12'
> > Description: 'nas user logged in'
> > **Alert to be generated.
> >
> > Unfortunately this does not result in any alerts/emails. Done the usual
> > googling & reading of "OSSEC HIDS Host-Based ....." but still cannot figure
> > out what I'm doing wrong. Will be super grateful if someone could point out
> > what I have done wrong.
> >
> > Regards
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
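The difference between the logtest run in the original post and the one in Dan's reply can be reproduced offline with a small Python model of the three ossec-analysisd phases. This is an added example, not code from the thread or from OSSEC: the pre-decoder, the decoder handling and the rule matching are simplified models, the translation of OSSEC regex syntax to Python's `re` is an assumption that covers only the constructs used in this thread, and the sample line is the archives.log line quoted above. What it shows is that `<prematch>` and `<regex>` are applied to the `log` field left after pre-decoding. A prematch that looks for `qlogd` therefore only matches when pre-decoding has failed to split the line, which is what happens when the archives.log line with its `2018 Jul 25 ... nas->10.0.0.3` prefix is pasted into logtest; on the real syslog line the program name has already been split off, the prematch fails and no rule fires. The `<program_name>^qlogd</program_name>` decoder behaves the other way round and matches the real line.

```python
import re

# Constructed sample: the archives.log line as quoted in the thread (metadata prefix + NAS syslog line).
ARCHIVE_LINE = (
    "2018 Jul 25 17:55:58 nas->10.0.0.3 Jul 25 18:48:23 nas qlogd[8736]: conn log: "
    "Users: admin, Source IP: 10.0.0.54, Computer name: ---, Connection type: , "
    "Accessed resources: Administration, Action: Login OK"
)
# 'YYYY Mon DD HH:MM:SS <agent>-><source> ' prefix written by archives.log.
ARCHIVE_HEADER = re.compile(r"^\d{4} \w{3} [ \d]\d \d\d:\d\d:\d\d \S+->\S+ ")
# Classic BSD syslog shape: 'Mon DD HH:MM:SS host prog[pid]: message'.
SYSLOG_LINE = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<hostname>\S+) "
                         r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$")

def strip_archive_header(line):
    """Drop the archives.log metadata prefix, leaving the original syslog line."""
    return ARCHIVE_HEADER.sub("", line, count=1)

def predecode(line):
    """Simplified phase 1: split hostname / program_name / log. A line that is not syslog-shaped
    keeps all its text as 'log' and has no program_name (logtest prints that as '(null)')."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else {"hostname": None, "program_name": None, "log": line}

def ossec_regex(pattern):
    """Assumed translation of the OSSEC regex subset used in the thread to Python re: OSSEC '\\.'
    is 'any character' and a bare '.' a literal dot (reverse of Python); \\S \\s \\d ( ) ^ $ + * keep
    their meaning; everything else is literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else ("\\" + nxt if nxt in "SsDd" else re.escape(nxt)))
            i += 2
        else:
            out.append(c if c in "()^$+*" else re.escape(c))
            i += 1
    return "".join(out)

class Decoder:
    """Model of a <decoder>: optional <program_name>, optional <prematch> (with offset="after_prematch"),
    then <regex> whose capture groups are named by <order>."""
    def __init__(self, name, regex, order, program_name=None, prematch=None, offset=None):
        self.name, self.order, self.offset = name, order, offset
        self.program_name = re.compile(ossec_regex(program_name)) if program_name else None
        self.prematch = re.compile(ossec_regex(prematch)) if prematch else None
        self.regex = re.compile(ossec_regex(regex))

    def decode(self, event):
        # A program_name decoder is only tried when phase 1 actually found a program name.
        if self.program_name and not (event["program_name"]
                                      and self.program_name.search(event["program_name"])):
            return None
        text = event["log"]  # prematch and regex see the 'log' field, not the full event text
        if self.prematch:
            m = self.prematch.search(text)
            if not m:
                return None
            if self.offset == "after_prematch":
                text = text[m.end():]  # approximates analysisd's "continue after the prematch"
        m = self.regex.search(text)
        if not m:
            return None
        return dict(zip(self.order, m.groups()), decoder=self.name)

REGEX = r"\.+ Users: (\S+), Source IP: (\d+.\d+.\d+.\d+), \.+ Action: (\S+)"
ORDER = ["user", "srcip", "action"]
ORIGINAL = Decoder("qlogd", REGEX, ORDER, prematch=r"\S+ qlogd", offset="after_prematch")
FIXED = Decoder("qlogd", REGEX, ORDER, program_name=r"^qlogd")  # Dan's modified decoder

# The thread's rules: a level-0 parent selected by decoded_as, children by if_sid plus <action>.
RULES = [
    {"id": "100002", "level": 0, "decoded_as": "qlogd", "description": "qlogd messages to analyze"},
    {"id": "100003", "level": 12, "if_sid": "100002", "action": "Logout", "description": "nas user logged out"},
    {"id": "100004", "level": 12, "if_sid": "100002", "action": "Login", "description": "nas user logged in"},
]

def match_rule(fields):
    """Simplified phase 3: parent via decoded_as, then the child whose <action> equals the decoded field."""
    if fields is None:
        return None
    parent = next((r for r in RULES if r.get("decoded_as") == fields["decoder"]), None)
    if parent is None:
        return None
    for rule in RULES:
        if rule.get("if_sid") == parent["id"] and rule.get("action") == fields.get("action"):
            return rule
    return parent

def analyse(line, decoder):
    """Phases 1-3 for one raw line: the winning rule id, or None when nothing would alert."""
    rule = match_rule(decoder.decode(predecode(line)))
    return rule["id"] if rule else None

def compare():
    """Both decoders against the archives.log line (what logtest was fed) and the real syslog line."""
    real_line = strip_archive_header(ARCHIVE_LINE)
    return {"original/archives_line": analyse(ARCHIVE_LINE, ORIGINAL),
            "original/real_syslog": analyse(real_line, ORIGINAL),
            "fixed/archives_line": analyse(ARCHIVE_LINE, FIXED),
            "fixed/real_syslog": analyse(real_line, FIXED)}

if __name__ == "__main__":
    for case, rule_id in compare().items():
        print(f"{case:24s} -> {rule_id or 'no alert'}")
```

`compare()` returns rule `100004` for the original decoder only on the archives.log line and for the modified decoder only on the real syslog line, which is the behaviour the two logtest runs in the thread show. The practical check this suggests is the one Dan did: feed logtest the line as the manager actually receives it, and confirm phase 1 reports the expected `program_name` before trusting a phase 3 match.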