Level 0 custom rules still forwarding to remote syslog server


Keith

Jul 16, 2020, 9:40:23 AM7/16/20
to ossec-list
Hey everyone,

In trying to do some tuning to ignore overly noisy log messages I don't care about, I'm running into an issue and I'm hoping someone here can help me with this.

I have this log being generated I want to ignore:

2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013

I created/added the following into local.rules:

<rule id="200010" level="0">
  <if_sid>18103</if_sid>
  <id>^36871$</id>
  <user>SYSTEM</user>
  <match>Schannel</match>
  <description>ignore schannel errors</description>
</rule>

When I then run the log through ossec-logtest I get the following, showing it is matching at level 0:

root@SEC02:/var/ossec/bin# ./ossec-logtest 
2020/07/16 13:26:52 ossec-testrule: INFO: Reading local decoder file.
2020/07/16 13:26:52 ossec-testrule: INFO: Started (pid: 74716).
ossec-testrule: Type one log per line.

2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.


**Phase 1: Completed pre-decoding.
       full event: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.'
       hostname: 'SEC02'
       program_name: '(null)'
       log: '2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'ERROR'
       id: '36871'
       extra_data: 'Schannel'
       dstuser: 'SYSTEM'
       system_name: 'somerandomserver.public.mycorp.com'

**Phase 3: Completed filtering (rules).
       Rule id: '200010'
       Level: '0'
       Description: 'ignore schannel errors'

The log, however, is still being forwarded into my Splunk server from OSSEC. Any ideas on what I'm doing wrong and how to prevent these logs from being forwarded?

Also, I do have log_alert_level as 1 in ossec.conf:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>12</email_alert_level>  
  </alerts>

Any suggestions would be great.

Thanks --

José Manuel López del Río

Aug 24, 2020, 11:07:53 AM8/24/20
to ossec-list
Hello Keith,

It seems that the modifications made to your rule are not being applied.
In order to apply the modifications made to the rules, you will need to restart the OSSEC service in your server.
Also, make sure that the events that are being alerted match all the conditions from your custom rule:

<if_sid>18103</if_sid>
<id>^36871$</id>
<user>SYSTEM</user>
<match>Schannel</match>

Once you restart your server, the latest modifications made to your rule should be applied.
I hope this helps.

Regards,
Jose Manuel Lopez
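To check offline that a custom rule's conditions line up with the Phase 2 fields ossec-logtest prints (the point José raises), here is an added Python example; it is not code from the thread or from OSSEC. It parses the rule above and evaluates each condition against the decoded fields, reporting which condition fails, and it assumes the usual field mapping (id to id, user to dstuser, match to the log text), a parent rule id of 18103 as implied by the if_sid, and approximates OSSEC's regex dialect with Python's re.

```python
import re
import xml.etree.ElementTree as ET
# Constructed input: the custom rule from the thread, wrapped in the <group>
# element that local.rules needs so it parses as one XML document.
LOCAL_RULES = """<group name="local,">
<rule id="200010" level="0">
  <if_sid>18103</if_sid>
  <id>^36871$</id>
  <user>SYSTEM</user>
  <match>Schannel</match>
  <description>ignore schannel errors</description>
</rule>
</group>"""

# Constructed input: the Phase 2 fields ossec-logtest printed for the event.
DECODED = {
    "log": "2020 Jul 16 09:24:58 WinEvtLog: System: ERROR(36871): Schannel: "
           "SYSTEM: NT AUTHORITY: somerandomserver.public.mycorp.com: A fatal error",
    "id": "36871",
    "dstuser": "SYSTEM",
}

# Assumed mapping of rule conditions to decoded fields (id, dstuser, log text).
FIELD_FOR_TAG = {"id": "id", "user": "dstuser", "match": "log"}

def load_rules(xml_text):
    """Parse rules into {rule_id: {'level': int, '<tag>': text, ...}}."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        entry = {"level": int(r.get("level"))}
        for child in r:
            entry[child.tag] = (child.text or "").strip()
        rules[r.get("id")] = entry
    return rules

def failed_conditions(rule, decoded, parent_sid):
    """Return the rule conditions that do NOT hold for this event; an empty
    list means the rule fires. parent_sid is the rule matched just before."""
    failed = []
    if "if_sid" in rule and parent_sid not in rule["if_sid"].split(","):
        failed.append("if_sid")
    for tag, field in FIELD_FOR_TAG.items():
        if tag in rule and not re.search(rule[tag], decoded.get(field, "")):
            failed.append(tag)
    return failed

def check_event(decoded, parent_sid="18103"):
    """Evaluate rule 200010 against one event: (rule_id, level, failed)."""
    rule = load_rules(LOCAL_RULES)["200010"]
    return "200010", rule["level"], failed_conditions(rule, decoded, parent_sid)
```

If the list of failed conditions is empty here but the running analysisd still alerts, the loaded rule set is stale, which is where the restart comes in.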
