Alert ID not present JSON logs, feature request?
23 views
Skip to first unread message
Adam Tworkowski
Jan 9, 2017, 10:06:35 AM1/9/17
to ossec-list
Hi,
I am collecting OSSEC logs via JSON on several log collection systems (ELK, Graylog2) and am attempting to accomplish some basic reporting with respects to determining which host triggered an Active Response. For example, if I have an alert id (i.e. 1483628458.3576646) from an AR alert (firewall-drop.sh), i.e.:
** Alert 1483628460.3579808: mail - local,syslog,active_response,pci_dss_11.4,
2017 Jan 05 10:01:00 (server2) 192.xx.xx.11->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 123.30.37.44
Thu Jan 5 10:00:58 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 123.30.37.44 1483628458.3576646 5712
...I am able to search alerts.log for all instances of the Alert ID which will include other AR alerts plus the "originating" alert with the alert ad following (** Alert <Alert ID>:):
** Alert 1483628458.3576646: mail - syslog,sshd,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,
2017 Jan 05 10:00:58 (server1) 192.xx.xx.10->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 123.30.37.44
Jan 5 10:00:58 server1 sshd[17432]: Invalid user pi from 123.30.37.44
Jan 5 10:00:56 server1 sshd[17430]: Failed password for invalid user admin from 123.30.37.44 port 50770 ssh2
Jan 5 10:00:55 server1 sshd[17430]: Failed none for invalid user admin from 123.30.37.44 port 50770 ssh2
Jan 5 10:00:49 server1 sshd[17428]: Failed password for invalid user root from 123.30.37.44 port 63117 ssh2
Jan 5 10:00:49 server1 sshd[17428]: Failed none for invalid user root from 123.30.37.44 port 63117 ssh2
Jan 5 10:00:42 server1 sshd[17425]: Failed password for invalid user user from 123.30.37.44 port 50598 ssh2
Jan 5 10:00:42 server1 sshd[17425]: Failed none for invalid user user from 123.30.37.44 port 50598 ssh2
Jan 5 10:00:42 server1 sshd[17425]: Invalid user user from 123.30.37.44
In this case I know that server2 triggered the alert for server1 (and any number of other hosts including server1).
So while I can make these correlations from within the alerts.log for, it does not transpose to the JSON version of the log as json.log does not include the the alert id and therefore not in the remote logging tools. Would anyone find this useful enough for inclusion in OSSEC? I am not a coder so this is above my head but I would welcome any assistance. I would also be interested to hear if anyone has devised other ways to achieve similar reporting.
Thank you,
Adam
I am collecting OSSEC logs via JSON on several log collection systems (ELK, Graylog2) and am attempting to accomplish some basic reporting with respects to determining which host triggered an Active Response. For example, if I have an alert id (i.e. 1483628458.3576646) from an AR alert (firewall-drop.sh), i.e.:
** Alert 1483628460.3579808: mail - local,syslog,active_response,pci_dss_11.4,
2017 Jan 05 10:01:00 (server2) 192.xx.xx.11->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 123.30.37.44
Thu Jan 5 10:00:58 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 123.30.37.44 1483628458.3576646 5712
...I am able to search alerts.log for all instances of the Alert ID which will include other AR alerts plus the "originating" alert with the alert ad following (** Alert <Alert ID>:):
** Alert 1483628458.3576646: mail - syslog,sshd,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,
2017 Jan 05 10:00:58 (server1) 192.xx.xx.10->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 123.30.37.44
Jan 5 10:00:58 server1 sshd[17432]: Invalid user pi from 123.30.37.44
Jan 5 10:00:56 server1 sshd[17430]: Failed password for invalid user admin from 123.30.37.44 port 50770 ssh2
Jan 5 10:00:55 server1 sshd[17430]: Failed none for invalid user admin from 123.30.37.44 port 50770 ssh2
Jan 5 10:00:49 server1 sshd[17428]: Failed password for invalid user root from 123.30.37.44 port 63117 ssh2
Jan 5 10:00:49 server1 sshd[17428]: Failed none for invalid user root from 123.30.37.44 port 63117 ssh2
Jan 5 10:00:42 server1 sshd[17425]: Failed password for invalid user user from 123.30.37.44 port 50598 ssh2
Jan 5 10:00:42 server1 sshd[17425]: Failed none for invalid user user from 123.30.37.44 port 50598 ssh2
Jan 5 10:00:42 server1 sshd[17425]: Invalid user user from 123.30.37.44
In this case I know that server2 triggered the alert for server1 (and any number of other hosts including server1).
So while I can make these correlations from within the alerts.log for, it does not transpose to the JSON version of the log as json.log does not include the the alert id and therefore not in the remote logging tools. Would anyone find this useful enough for inclusion in OSSEC? I am not a coder so this is above my head but I would welcome any assistance. I would also be interested to hear if anyone has devised other ways to achieve similar reporting.
Thank you,
Adam
dan (ddp)
Jan 9, 2017, 10:08:04 AM1/9/17
to ossec...@googlegroups.com
> Thank you,
>
> Adam
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages