OSSEC 2.8.3, Server does not trigger email alerts for agent


Tirumala Raja Siriki

Aug 24, 2017, 8:31:38 AM
to ossec-list
Hi Everyone,

I am running the Ossec 2.8.3 version on the Server as well as the agents. I am not getting any email alerts from the Ossec Server (Suse Linux) for one of the agents, which is also running on Suse Linux.
I see alerts are getting logged in the /var/ossec/logs/alerts/alerts.log file but no emails are triggered. Other agents are working fine.
I noticed the Ossec Server has rsyslog running while the Agent has syslog-ng. Are there any changes that need to be made for logging?

Any help is appreciated.


Many Thanks

dan (ddp)

Aug 24, 2017, 8:37:05 AM
to ossec...@googlegroups.com
Are the alerts that this agent triggers high enough level to be sent via email? Are the alerts grouped with other alerts in a single email?


Tirumala Raja Siriki

Aug 28, 2017, 2:25:02 AM
to ossec-list
Email levels are at enough priority; I am getting emails now after stopping alerting from RDP. I have multiple RDPs where the agent is installed, and I get a lot of false alerts from the RDPs for Authentication failure and Account locked out.

Many Thanks

dan (ddp)

Aug 28, 2017, 1:54:22 PM
to ossec...@googlegroups.com
On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki
<tiruma...@opsveda.com> wrote:
> Email levels are at enough priority, I am getting emails now after stopping
> alerting from RDP. I have multiple RDP where agent is installed and I get
> lot of false alerts from RDPs, for Authentication failure and Account locked
> out.
>

If you're seeing false positives, it would be great if you reported
them. We could fix them (or they have been fixed in recent versions of
OSSEC).

Tirumala Raja Siriki

Sep 4, 2017, 3:57:37 AM
to ossec-list
Hi Dan,

The false positives are as follows:

Rule 18138: The Account Name is one of our Associate accounts, and the alert got triggered for this.
----------------------------------------------------------------------------------------------------------------------------------
** Alert 1504511181.106613271: mail  - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (------RDP INFO -------------)->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:26 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Pinaj  Account Domain:    Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller Process ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name: Rdesktop  Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

And if we look into the same alert where the Account Name is Sklad, which is not our user, it is a genuine alert; an attack from outside.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

** Alert 1504511181.106614388: mail  - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (-------RDP INFO------>WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:27 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Sklad  Account Domain:    Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller Process ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name:   Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Similarly, we get alerts for rule 18152, and the Account Name varies from ADMINISTRATOR to TEST1 and so on. In this case we want only the genuine alerts and want to reduce noise by not alerting for our users. Is there any other way, or do we need to modify any rules?
And even when our users have not failed authenticating to the RDPs, we do get alerts like Account locked, Authentication failure and so on.

Can you help us on this.

dan (ddp)

Sep 11, 2017, 2:04:03 PM
to ossec...@googlegroups.com
I'd love an example of a failed login/account locked alert for a
successful login.

If you want to ignore some users, you might be able to create a cdb
with the usernames, and compare the user in the alert to that cdb. If
there is a match, set the alert level to 0.
It might be error prone due to capitalization, but I'm not positive.
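The "known users to level 0" idea from this reply, applied to the two alerts quoted earlier in the thread, as an added example that is not part of the thread and not OSSEC's own code. It pulls the target account out of the Windows 4625 text (the second "Account Name", after "Account For Which Logon Failed"), compares it case-insensitively against a known-user list to sidestep the capitalization problem, and also decodes the NTSTATUS Sub Status so a "user name does not exist" failure (the Sklad alert) can be told apart from a "wrong password" failure for a real account (the Pinaj alert). The sample alerts are constructed copies of the thread's own, trimmed to the fields read here; the host placeholder "rdp-host" and the known-user names are assumptions.

```python
import re

# Constructed sample: the two alerts from the thread, shortened to the fields
# this example reads. "rdp-host" stands in for the redacted agent name.
SAMPLE_ALERTS = """\
** Alert 1504511181.106613271: mail  - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (rdp-host) ->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:26 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Pinaj  Account Domain:    Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller Process ID: 0x0

** Alert 1504511181.106614388: mail  - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (rdp-host) ->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:27 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Sklad  Account Domain:    Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller Process ID: 0x0
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
# The first "Account Name" in a 4625 event is the calling subject (often "-");
# the account that actually failed follows "Account For Which Logon Failed".
TARGET_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s+(\S+)", re.S)
SUBSTATUS_RE = re.compile(r"Sub Status:\s+(0x[0-9A-Fa-f]+)")

# NTSTATUS codes Windows places in the 4625 Sub Status field.
SUB_STATUS_TEXT = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC0000234: "account locked out",
}


def load_known_users(names):
    """Build the lookup set the way a CDB key list would be used, lower-cased
    so that 'Pinaj', 'PINAJ' and 'pinaj' all resolve to the same entry."""
    return {n.strip().lower() for n in names if n.strip()}


def parse_alert(block):
    """Extract rule id, level, target account and Sub Status from one alert."""
    rule = RULE_RE.search(block)
    if not rule:
        return None
    target = TARGET_RE.search(block)
    sub = SUBSTATUS_RE.search(block)
    account = target.group(1) if target and target.group(1) != "-" else None
    sub_code = int(sub.group(1), 16) if sub else None
    return {
        "rule": int(rule.group(1)),
        "level": int(rule.group(2)),
        "account": account,
        "sub_status": sub_code,
        "sub_status_text": SUB_STATUS_TEXT.get(sub_code, "unknown"),
    }


def triage(alert_log, known_users):
    """Apply 'known user -> level 0' to every alert in an alerts.log excerpt.
    Alerts for accounts not in the list keep their original level."""
    results = []
    for block in alert_log.split("** Alert")[1:]:
        rec = parse_alert(block)
        if rec is None:
            continue
        known = rec["account"] is not None and rec["account"].lower() in known_users
        rec["known_user"] = known
        rec["new_level"] = 0 if known else rec["level"]
        results.append(rec)
    return results


if __name__ == "__main__":
    # Assumed known-user list; note the mixed capitalization is harmless.
    users = load_known_users(["Pinaj", "ADMINISTRATOR", "test1"])
    for r in triage(SAMPLE_ALERTS, users):
        print(f"rule {r['rule']} account={r['account']} "
              f"sub_status={r['sub_status_text']} level {r['level']} -> {r['new_level']}")
```

Inside OSSEC itself the equivalent is a CDB list of usernames referenced from a child rule of 18138 with level 0, using the `<list>` option with `field="user"`. One caveat visible in the quoted alerts: both show `User: (no user)`, so the decoder in that setup did not populate the user field for these 4625 events, and a list lookup on `user` could only work once the account is actually decoded. The Sub Status decode above is the extra signal that distinguishes the two cases the poster describes without any user list at all.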