ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Windows agent & custom alerts #2074

Open securemoi opened 1 year ago

securemoi commented 1 year ago

Hi All: I am struggling to get Windows alerts to work for custom events. On a couple of Windows 10 clients I have added a couple of events but can't get them to come back as alerts. I am using a Debian server, and I believe "canned" Windows events work (e.g., Windows user logins and logouts) as I am getting alerts from the Windows clients to my email and in the ossec archive.log. I've tried adding rules on both the client and server side but no joy. Happy to share configs, but was thinking maybe the place to start is with examples that "work" for others...

Q is there a link someone could share as to how to come at this? Hopefully a step by step, with examples.

Thx

wolle604 commented 1 year ago

Hi,

that sounds really like a configuration problem. Did you try troubleshooting with ossec-logtest? https://ossec-documentation.readthedocs.io/en/latest/legacy/docs/programs/ossec-logtest.html?highlight=logtest

Best wishes

securemoi commented 1 year ago

Thx so much for response (and apologies for my slow uptake...). I tried logtest, but user error and now doing it right, so am pursuing that. Says there is no matching decoder, so will see if I can figure that out, share what I find. Thx!


securemoi commented 1 year ago

Still stuck, I am attempting to add selected parts of my configs and logtest below that I assume are most relevant (can add these in their entirety if that's better). I can see that an alert for the custom event I've added to the client is ending up in "archive.log" (so that's progress), but I'm not getting any emails for the particular test alert I'm testing against (am getting email alerts for non-custom rules). The ID of the fake Windows event I've added to a test client is 5090.

ARCHIVE.LOG grep excerpt (I've redacted some of this) that shows the alert is ending up in archive.log:

2023 Feb 02 13:23:05 (machine) PublicIP->WinEvtLog 2023 Feb 02 08:23:07 WinEvtLog: Application: ERROR(5090): SourceText: (no user): no domain: Machine: Test rule fired

LOGALL SET & CUSTOM RULE (From /var/ossec/etc/ossec.conf)

yes

... alerts>

0
<email_alert_level>0</email_alert_level>

CUSTOM DECODER (From /var/ossec/rules/local_rules.xml)

example windows example Group of custom windows rules. 100010 example 5090 Test rule fired

FROM LOGTEST (/var/ossec/bin/ossec-logtest -v)

**Phase 1: Completed pre-decoding.
full event: 'archive.log'
hostname: 'test'
program_name: '(null)'
log: 'archive.log'

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
...(passes a number of "rule 1" tests & hangs on rule 51559)
Trying rule: 51559 - ntpd peer connection refused.

securemoi commented 1 year ago

PS big apologies, messed up my headings above :( ...and left out the custom decoder from /var/ossec/etc/decoder.xml

example example 5090 id

  • logtest shows no decoder match, not sure this matters but if so that could be where I've gone wrong
  • not sure my rule pcre2 is off or not, or if some other part of my rule 100011 is wrong THX

ARCHIVE.LOG grep excerpt (I've redacted some of this) that shows alert is ending in archive.log 2023 Feb 02 13:23:05 (machine) PublicIP->WinEvtLog 2023 Feb 02 08:23:07 WinEvtLog: Application: ERROR(5090): SourceText: (no user): no domain: Machine: Test rule fired

LOGALL SET & CUSTOM RULE (From /var/ossec/etc/ossec.conf)

yes

... alerts>

0
<email_alert_level>0</email_alert_level>

CUSTOM DECODER (From /var/ossec/rules/local_rules.xml)

example windows example Group of custom windows rules. 100010 example 5090 Test rule fired FROM LOGTEST (/var/ossec/bin/ossec-logtest -v) **Phase 1: Completed pre-decoding. full event: 'archive.log' hostname: 'test' program_name: '(null)' log: 'archive.log' **Rule debugging: Trying rule: 1 - Generic template for all syslog rules. *Rule 1 matched. *Trying child rules. ...(passes a number of :"rule 1" vtests & hangs on. rule 51559) Trying rule: 51559 - ntpd peer connection refused.
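The archive.log line quoted in this thread, walked through the way ossec-logtest would need to see it, as an added example (not code from the issue or from the OSSEC project): it strips the server-side archive prefix to recover the event text the agent actually sent (logtest has to be given that text, not a file name), pulls out the event ID the way a WinEvtLog decoder does, and checks a rule's level against email_alert_level. The WinEvtLog field order, the rule table, the agent IP and the rule level are assumptions constructed for the example.

```python
import re

# Constructed sample in the archive.log layout quoted in the issue; the
# "<date> (<agent>) <ip>-><location> " prefix is added by the server.
ARCHIVE_LINE = ("2023 Feb 02 13:23:05 (machine) 203.0.113.10->WinEvtLog "
                "2023 Feb 02 08:23:07 WinEvtLog: Application: ERROR(5090): "
                "SourceText: (no user): no domain: Machine: Test rule fired")

# Strips the server prefix so only the event the agent sent remains.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d \(\S+\) \S+->\S+ ")

# Assumed field order of a Windows agent event:
# "WinEvtLog: <log>: <STATUS>(<id>): <source>: <user>: <domain>: <machine>: <message>"
WINEVT = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<machine>[^:]+): (?P<message>.*)$")

# Hypothetical local rule keyed on the decoded event id (level assumed).
LOCAL_RULES = {
    "5090": {"rule_id": 100010, "level": 10, "description": "Test rule fired"},
}


def raw_event(line):
    """Return the event text as the agent sent it: this is what to paste into logtest."""
    return ARCHIVE_PREFIX.sub("", line, count=1)


def decode_winevt(line):
    """Extract the decoder fields, or None when the line is not a WinEvtLog event."""
    m = WINEVT.search(raw_event(line))
    return m.groupdict() if m else None


def match_rule(line, email_alert_level=0):
    """Return the matching rule plus whether it clears the email threshold."""
    ev = decode_winevt(line)
    if ev is None:
        return None  # no decoder match: nothing keyed on <id> can fire
    rule = LOCAL_RULES.get(ev["id"])
    if rule is None or rule["level"] == 0:
        return None  # level-0 rules never alert, so they never email
    return dict(rule, emailed=rule["level"] >= email_alert_level)
```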