Closed gjahchan closed 7 years ago
Are you able to provide raw messages? Try listening on the wire with netcat
for example.
Thanks!
Will test and revert with netcat captures as soon as I can.
Regards,
Georges
------------ Original Message ------------ From: Lennart Koopmann notifications@github.com Sent: Monday, October 10, 2016 06:59:51 +0300 To: Graylog2/graylog-plugin-cef graylog-plugin-cef@noreply.github.com Cc: Jahchan, Georges J., Author <gjahchan@compucenter.org, author@noreply.github.com> Subject: Re: [Graylog2/graylog-plugin-cef] CEF UDP Plugin does not seem to process non-standard (other than Application, Security, System) in post-Vista Windows forwarded by OSSEC Server. (#9)
Are you able to provide raw messages? Try listening on the wire with `netcat` for example.
Thanks!
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Graylog2/graylog-plugin-cef/issues/9#issuecomment-252534889, or mute the thread https://github.com/notifications/unsubscribe-auth/AVKWugSPeTkG0f-gpf9hpE1NUu5uFsWWks5qybg3gaJpZM4J-nFE.
Attached is the OSSEC CEF UDP capture of the events forwarded by OSSEC and captured by a netcat listener.
All AppLocker events (the only non-standard events that I am currently collecting with OSSEC from a Windows 10 System) are silently dropped by the CEF UDP plugin.
None shows up in the graylog event view for the CEF UDP plugin.
Regards,
OSSEC --> FileBeat --> LogStash --> GELF UDP --> Graylog = AppLocker events in Graylog Search.
OSSEC --> Syslog CEF Output --> Graylog CEF UDP Plugin --> Graylog = No AppLocker events.
AppLocker events can be seen forwarded by OSSEC Syslog CEF if I capture traffic to Graylog CEF UDP Plugin.
This can be solved using processing pipeline steps since the v1.2.0 release of the CEF plugin. See: https://github.com/Graylog2/graylog-plugin-cef/blob/master/README.md#usage
I have configured OSSEC to forward AppLocker events by creating a set of rules that are working exactly as expected (there was no need for a custom OSSEC decoder).
The event path is as follows: OSSEC --> csyslogd --> CEF UDP Input Plugin --> Graylog
Watching packet traces, I can clearly see that csyslogd is doing its job and forwarding AppLocker events (they are small compared to a typical Windows event), but they are being dropped silently by the CEF Input plugin. I have not extended testing further to determine whether this is particular to AppLocker events, or applies more generally to any events not originating in the standard post-Vista Windows logs (Application, Security, and System).
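Added example, not code from the graylog-plugin-cef project or from anyone in this thread: a small Python validator for CEF lines captured off the wire with a netcat UDP listener, as suggested above. It splits the seven-field CEF header (honouring `\|` escapes), checks the version and severity fields, parses the `key=value` extension, and reports which captured lines are not well-formed CEF, which is the first thing to rule out when an input silently drops messages. The sample capture lines, signature IDs and extension values are constructed placeholders, not real OSSEC csyslogd output.

```python
"""Triage CEF lines captured from a UDP listener (constructed example)."""
import re
from typing import Dict, List, Tuple

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
_SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}
_KV_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")   # space that starts the next key=
_UNESCAPED_EQ = re.compile(r"(?<!\\)=")            # first '=' not preceded by backslash


def split_header(cef_body: str) -> Tuple[List[str], str]:
    """Split the text after 'CEF:' into 7 header fields plus the raw extension.

    A '|' preceded by a backslash is part of the field, not a separator.
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef_body) and len(fields) < 7:
        c = cef_body[i]
        if c == "\\" and i + 1 < len(cef_body):   # escaped char: take it literally
            buf.append(cef_body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if len(fields) == 6 and buf:                    # no trailing pipe, empty extension
        fields.append("".join(buf))
        buf = []
    if len(fields) < 7:
        raise ValueError(f"header has {len(fields)} of 7 fields")
    return fields, cef_body[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=v2 ...'; values may contain spaces and escaped '\\='."""
    out: Dict[str, str] = {}
    for tok in _KV_SPLIT.split(ext.strip()):
        if not tok:
            continue
        parts = _UNESCAPED_EQ.split(tok, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"extension token without '=': {tok!r}")
        key, val = parts
        out[key] = val.replace("\\=", "=").replace("\\\\", "\\")
    return out


def _valid_severity(s: str) -> bool:
    return (s.isdigit() and 0 <= int(s) <= 10) or s in _SEVERITY_WORDS


def parse_cef(line: str) -> dict:
    """Return a structured record or raise ValueError explaining why the line is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no 'CEF:' marker; not a CEF message")
    fields, ext = split_header(line[idx + 4:])
    if not fields[0].isdigit():
        raise ValueError(f"bad CEF version {fields[0]!r}")
    if not _valid_severity(fields[6]):
        raise ValueError(f"bad severity {fields[6]!r} (is a header field missing?)")
    record: dict = dict(zip(HEADER_FIELDS, fields))
    record["syslog_prefix"] = line[:idx].strip()   # whatever csyslogd put before CEF:
    record["extension"] = parse_extension(ext)
    return record


def triage(lines: List[str]) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """Split a capture into parsed records and (line_no, reason) rejects."""
    parsed, rejected = [], []
    for n, raw in enumerate(lines, 1):
        try:
            parsed.append(parse_cef(raw))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return parsed, rejected


# Constructed sample capture (placeholder hosts, IDs and values; not real OSSEC output).
SAMPLE_CAPTURE = [
    "<132>Oct 10 06:59:51 ossec-server CEF:0|OSSEC|OSSEC|2.8|8000|AppLocker sample (constructed)|5|"
    "src=10.0.0.5 suser=alice msg=constructed sample line",
    "CEF:0|OSSEC|OSSEC|2.8|8002|Name with \\| pipe|5|msg=a\\=b act=blocked",
    "CEF:0|OSSEC|OSSEC|2.8|8001|Header missing severity|src=10.0.0.5",
    "Oct 10 06:59:51 ossec-server ossec: Alert level 5 (constructed non-CEF syslog line)",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_CAPTURE)
    print(f"{len(ok)} well-formed, {len(bad)} rejected")
    for n, reason in bad:
        print(f"  line {n}: {reason}")
```

Feed it the lines from a real netcat capture file instead of SAMPLE_CAPTURE; a line that this validator rejects is a formatting problem to raise with the sender, while a line it accepts but the input still drops points at the input or at a processing step, which is where the pipeline approach from the plugin README comes in.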