alerts details


Felipe Andres Concha Sepúlveda

Aug 24, 2018, 7:39:22 AM
to Wazuh mailing list
Hi All,
I'm looking in detail at an alert to understand its source. For example, the following alert shows that the file /var/log/secure generated a rotation at 12:17 min.

If I look at that file, it changed at that time, and if I look at rule 591 it has a match, but my question is:

Where is the source of the information? Where is this rule going to look for a match, and where can I see the log with the source of this change?

Fran Glez

Aug 24, 2018, 2:43:59 PM
to Wazuh mailing list
Hello Felipe,

This is Fran Gonzalez, from the Wazuh support team, and I'll be pleased to shed some light on your questions.

If I'm not wrong (please correct me if I am), your question is about why that alert is triggered, and where that information comes from.

If you take a look at your ossec.conf file (Wazuh configuration file, present in /var/ossec/etc/ossec.conf), you'll see the following lines (and some similar ones):

<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>

This means that, by default, the daemon ossec-logcollector monitors these files in order to read the log messages contained in them and sends them to ossec-analysisd, which analyzes them and compares them with the existing rules/decoders to see if an alert is triggered. You can check this if you take a look at the logs generated by Wazuh when it is started, in /var/ossec/logs/ossec.log:

...
2018/08/24 17:34:20 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/messages'.
2018/08/24 17:34:20 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/secure'.
2018/08/24 17:34:20 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/maillog'.
...

To ensure that these logs will be read no matter whether any of these files are rotated or reduced, the inode is monitored: when a file is rotated, the inode changes, so ossec-logcollector will take note of this new inode to keep reading the new logs stored in the "new" file.

When this inode change is detected, ossec-logcollector itself will send a message directly to ossec-analysisd, as you marked in your screenshot: ossec: File rotated (inode changed): '/var/log/secure'.

This message is sent directly from one daemon to another, so it's not being dumped in any log file and the location appears to be ossec-logcollector.

I hope I answered your question, and please don't hesitate to reply to this thread or open a new one if you have further questions.

Best regards,

Fran G.
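To make the mechanism Fran describes concrete, here is an added example (not Wazuh's code; a small Python stand-in for what ossec-logcollector does) that follows a log file by inode: it remembers the inode of the open handle, drains the old file when the path suddenly points at a different inode, reopens the new file from the beginning, and records the rotation message quoted in the thread instead of writing it to any log. The demo drives it through a logrotate-style rename and a copytruncate-style shrink using constructed sshd-like lines in a temporary directory; the event text for the shrink case is constructed, since the thread only quotes the inode-change message.

```python
import os
import tempfile

# Message text quoted in the thread for the inode-change case.
ROTATION_MSG = "ossec: File rotated (inode changed): '{path}'"


class InodeFollower:
    """Follow a log file by path: remember the inode of the open file and, when
    the path points at a different inode, drain the old handle, reopen the new
    file and record a rotation event (handed straight to analysis, never logged)."""

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.inode = None
        self.events = []  # what a collector would forward to the analysis daemon
        self._open()

    def _open(self):
        # Binary mode so tell() is a plain byte offset comparable with st_size.
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino

    def _drain(self):
        out = []
        while True:
            line = self.fh.readline()
            if not line:
                return out
            out.append(line.decode("utf-8", "replace").rstrip("\n"))

    def poll(self):
        """Return lines written since the last poll, handling rotation and shrinkage."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            # Between logrotate's rename and the creation of the new file:
            # keep reading the old inode until the path reappears.
            return self._drain()
        if st.st_ino != self.inode:
            lines = self._drain()  # anything written to the old file before the switch
            self.fh.close()
            self._open()           # new inode: read it from the beginning
            self.events.append(ROTATION_MSG.format(path=self.path))
            return lines + self._drain()
        if st.st_size < self.fh.tell():
            # Same inode but the file got shorter (copytruncate-style rotation).
            # Constructed event text: the thread does not quote Wazuh's message for this case.
            # A rewrite that leaves the size >= our offset would not be caught by this check.
            self.fh.seek(0)
            self.events.append("example: file truncated, rereading from start: '%s'" % self.path)
        return self._drain()


def simulate_rotation(tmpdir):
    """Drive the follower through write -> rename-rotate -> truncate with constructed lines."""
    path = os.path.join(tmpdir, "secure")
    line1 = "Aug 24 12:10:01 host sshd[100]: Accepted publickey for alice"
    line2 = "Aug 24 12:16:55 host sshd[101]: session opened for user alice"
    line3 = "Aug 24 12:17:30 host sshd[102]: Accepted publickey for alice"
    line4 = "Aug 24 12:20:00 host sshd[103]: session closed"  # shorter than line3 on purpose

    with open(path, "w") as f:
        f.write(line1 + "\n")
    follower = InodeFollower(path)
    first = follower.poll()

    with open(path, "a") as f:
        f.write(line2 + "\n")        # written but not yet polled when rotation happens
    os.rename(path, path + ".1")     # logrotate default: rename, then create a fresh file
    with open(path, "w") as f:
        f.write(line3 + "\n")
    second = follower.poll()         # old file's tail, then the new file's content

    with open(path, "w") as f:       # copytruncate-style: same inode, contents replaced
        f.write(line4 + "\n")
    third = follower.poll()
    return first, second, third, list(follower.events)


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return simulate_rotation(d)


if __name__ == "__main__":
    for name, value in zip(("first", "second", "third", "events"), run_demo()):
        print(name, value)
```

Running it shows the rotation event appearing in `events` rather than in any file, which is exactly why the alert's location reads as ossec-logcollector: the daemon reports the inode change itself, and the only place to see it is the alert (or the ossec.log "Analyzing file" lines at startup, which tell you which paths are followed at all).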


Felipe Andres Concha Sepúlveda

Aug 27, 2018, 5:51:59 AM
to Fran Glez, Wazuh mailing list
Hello Fran, thank you very much for your answer, it is clear to me.
I only have one question: when looking at the log /var/ossec/etc/ossec.conf I only see this, I do not see what you show me in the image.

Regards,
Felipe


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4550872c-f38a-401e-a216-f32ca68b228b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Fran Glez

Aug 27, 2018, 12:13:42 PM
to Wazuh mailing list
Thanks for your feedback Felipe, it's always a pleasure to help!

The log messages I showed you are visible when Wazuh is started (agent or manager) to indicate which files will be monitored. So, if you restart Wazuh, you will be able to see what I showed you in the first response in /var/ossec/logs/ossec.log.

Please check it and confirm to us that you're able to see such messages, and please write again if you still have any questions; as I said, it's always a pleasure!

Best regards,

Fran G.

Felipe Andres Concha Sepúlveda

Aug 28, 2018, 11:32:17 AM
to Fran Glez, Wazuh mailing list
Fran, thanks for your response!
As you say, I rebooted Wazuh and the files appeared.

Thank you very much.
