Don't see the intrusion logs


Arthur Hidalgo

Nov 17, 2016, 2:05:15 AM
to ossec-list
Hi!

I have installed OSSEC agents on a RedHat VM, but I do not see the intrusion alerts on the Web. On the RedHat VM, the intrusion logs are in the file "/var/log/secure".
This is the config on "ossec.conf":
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
.
.
.
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

Regards,

Arthur.

Pedro Sanchez

Nov 17, 2016, 4:34:00 AM
to ossec...@googlegroups.com
Hi Arthur, 

What do you mean by "on the Web"? OSSEC WUI?

Your configuration looks right, is your agent connected? You can check the status with:

/var/ossec/bin/agent_control -l

Once the agent is connected, it should report log/secure events to the Manager.

Best regards,

Pedro S.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Arthur Hidalgo

Nov 17, 2016, 4:55:42 AM
to ossec-list
Yes, OSSEC WUI.

The agent is connected. So, if I log on to the VM, the agent should detect my intrusion.

Pedro Sanchez

Nov 17, 2016, 5:06:33 AM
to ossec...@googlegroups.com
Can you see other alerts coming from your agent on the WUI?
Try to grep your agent name in /var/ossec/logs/alerts/alerts.log.

Remember to add your web server user (apache, www or nobody) to the ossec group.



Arthur Hidalgo

Nov 17, 2016, 5:18:36 AM
to ossec-list
No, I don't see other alerts.

Arthur Hidalgo

Nov 17, 2016, 5:39:36 AM
to ossec-list
In the file "/var/log/secure":

Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26  user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2

So in OSSEC, we must have an alert for the IP 10.22.130.26.

dan (ddp)

Nov 17, 2016, 8:12:46 AM
to ossec...@googlegroups.com
Did you restart the ossec processes after adding the new localfile entry?
Try running the logs through ossec-logtest.


On Thu, Nov 17, 2016 at 5:39 AM, Arthur Hidalgo
<hidalgo...@gmail.com> wrote:
> In the file "/var/log/secure" :
>
> Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.22.130.26 user=SVCWABADMINSUP
> Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.22.130.26 user=SVCWABADMINSUP

For these I get:
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.22.130.26 user=SVCWABADMINSUP

**Phase 1: Completed pre-decoding.
full event: 'Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP'
hostname: 'PCYINTPSEVU001'
program_name: 'sshd'
log: 'pam_unix(sshd:auth): authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP'

**Phase 2: Completed decoding.
decoder: 'pam'
srcip: '10.22.130.26'
dstuser: 'SVCWABADMINSUP'

**Phase 3: Completed filtering (rules).
Rule id: '5503'
Level: '5'
Description: 'User login failed.'
**Alert to be generated.



> Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for
> SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2
>

And for this one:
Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for
SVCWABADMINSUP from 10.22.130.26 port 53878 ssh2

**Phase 1: Completed pre-decoding.
full event: 'Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]:
Accepted password for SVCWABADMINSUP from 10.22.130.26 port 53878
ssh2'
hostname: 'PCYINTPSEVU001'
program_name: 'sshd'
log: 'Accepted password for SVCWABADMINSUP from 10.22.130.26
port 53878 ssh2'

**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'SVCWABADMINSUP'
srcip: '10.22.130.26'

**Phase 3: Completed filtering (rules).
Rule id: '5715'
Level: '3'
Description: 'SSHD authentication success.'
**Alert to be generated.


> So in OSSEC, we must have an alert for the IP 10.22.130.26
>

Check /var/ossec/logs/alerts/alerts.log to see if there is anything in
there for those logs.

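To make the three ossec-logtest phases shown in the thread concrete, here is an added Python sketch (not OSSEC's code and not from anyone in the thread) that runs the three /var/log/secure lines quoted above through a simplified pre-decode, decode and rule stage. The regexes and the rule table are assumptions that reproduce only what ossec-logtest printed in this thread; the pam "authentication success" line is left without a rule because no logtest output was shown for it.

```python
import re

# Constructed sample lines in the shape of the /var/log/secure entries quoted in the thread.
SAMPLE_LOG = [
    "Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_unix(sshd:auth): authentication failure;"
    " logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26  user=SVCWABADMINSUP",
    "Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: pam_sss(sshd:auth): authentication success;"
    " logname= uid=0 euid=0 tty=ssh ruser= rhost=10.22.130.26 user=SVCWABADMINSUP",
    "Nov 17 11:05:03 PCYINTPSEVU001 sshd[35427]: Accepted password for SVCWABADMINSUP"
    " from 10.22.130.26 port 53878 ssh2",
]

# Phase 1: syslog pre-decoding into the fields ossec-logtest prints (hostname, program_name, log).
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<program>[^\[\s:]+)(?:\[\d+\])?: (?P<log>.*)$")
# Phase 2: simplified stand-ins for the 'pam' and 'sshd' decoders (assumed, not OSSEC's decoder XML).
PAM_RE = re.compile(
    r"^pam_\w+\(\S+\): authentication (?P<result>failure|success);.*rhost=(?P<srcip>\S*) +user=(?P<dstuser>\S+)")
SSHD_OK_RE = re.compile(r"^Accepted \w+ for (?P<dstuser>\S+) from (?P<srcip>\S+) port \d+")
# Phase 3: rule ids, levels and descriptions exactly as ossec-logtest printed them in the thread.
RULES = {
    ("pam", "failure"): ("5503", 5, "User login failed."),
    ("sshd", "success"): ("5715", 3, "SSHD authentication success."),
}

def predecode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def decode(pre):
    m = PAM_RE.match(pre["log"])
    if m:
        return {"decoder": "pam", **m.groupdict()}
    if pre["program"] == "sshd" and (m := SSHD_OK_RE.match(pre["log"])):
        return {"decoder": "sshd", "result": "success", **m.groupdict()}
    return None

def analyze(line):
    # One line through all three phases; None means no alert would be generated.
    pre = predecode(line)
    dec = decode(pre) if pre else None
    rule = RULES.get((dec["decoder"], dec["result"])) if dec else None  # pam 'success': no rule shown
    if rule is None:
        return None
    return {"rule_id": rule[0], "level": rule[1], "description": rule[2],
            "srcip": dec["srcip"], "dstuser": dec["dstuser"]}

def alert_ids_for_ip(lines, ip):
    # Rule ids that would fire for one source IP, i.e. what a grep of alerts.log should turn up.
    return [a["rule_id"] for a in map(analyze, lines) if a and a["srcip"] == ip]
```

If the real ossec-logtest prints the same rule ids for these lines but alerts.log stays empty, the problem is between agent and manager (connection, or processes not restarted after the localfile change), not in decoding.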