Simple windows application text file log config?


Tom ONeil

Jun 22, 2016, 7:51:06 AM
to ossec-list
Just trying to get a simple configuration to pick up the text log files from a Windows 2012R2 server.
Been over every doc, reinstalled, worked all night and ZIP.
Blood running in my eyes from smashing forehead on keyboard.

I have everything going to logall just to see if it's working, but I am lost on how to set up the XXXX_rules.xml files.
Are there some examples or clearer docs on this anywhere?

Simple config snippet

<!-- One entry for each file/Event log to monitor. -->
<localfile>
    <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
    <log_format>syslog</log_format>
</localfile>

<localfile>
    <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
    <log_format>syslog</log_format>
</localfile>

dan (ddp)

Jun 22, 2016, 8:34:21 AM
to ossec...@googlegroups.com
On Wed, Jun 22, 2016 at 7:42 AM, Tom ONeil <thomas.j...@gmail.com> wrote:
> Just trying to get a simple configuration to pickup the text log files from
> a Windows 2012R2 server.
> Been over every doc, reinstalled, worked all night and ZIP.
> Blood running in my eyes from smashing forehead on keyboard.
>
> I have everything going to logall just to see if it's working but I am lost
> on how to setup the XXXX_rules.xml files
> Is there some examples or clearer docs on this anywhere?
>

So what is working?
Are the logs being shipped to the OSSEC server?

There are plenty of examples of rules in /var/ossec/rules. I believe
there is a page in the documentation on writing rules (and decoders)
as well.
What are you having trouble with specifically?

> Simple config snippet
>

This is on the Windows agent in its ossec.conf, correct?

> <!-- One entry for each file/Event log to monitor. -->
> <localfile>
>
>
> <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditActivity_Repository.txt</location>
>
> <log_format>syslog</log_format>
>
> </localfile>
>
> <localfile>
>
>
> <location>C:\ProgramData\Qlik\Sense\Log\Repository\Audit\AIP-TEST-QSS_AuditSecurity_Repository.txt</location>
>
> <log_format>syslog</log_format>
>
> </localfile>
>

Tom ONeil

Jun 22, 2016, 9:11:14 PM
to ossec-list

Sorry for the slow response, finally slept for a decent length.

We are getting everything from the Windows Event logs by default just fine, where they should be.

Logall is grabbing everything else into archives.

What I need is the contents of the mentioned text files, especially changes in role or configuration and the user that made them.

What I cannot get a handle on is why they don't show up at all.

I have read the docs, and tried to modify local_rules.xml to grab all the content from those, and it fails config check with not enough explanation as to why.


<group name="QlikSense Roles">
    <rule id="100001" level="7">
        <srcip>192.168.2.10</srcip>
        <description>Example of rule that will grab role changes</description>
        <description>Role Change from IP 192.168.2.10</description>
    </rule>

Jesus Linares

Jun 23, 2016, 4:04:15 AM
to ossec-list
Hi Tom,

If you need to monitor a file (changes, permissions) you must use syscheck. You can't know who made the change.

In case you need to generate an alert for each new line added to a file (event), you need log monitoring. So, you will need to create:
  • decoders: The goal of decoding is to extract information from the events that you can use in the rules. If your log has a field with the user or the IP, you can extract it here to use it in the rules.
  • rules: The goal is to convert an event (archives.log) into an alert.
Share the events here and we can help you create some decoders and rules.

I hope it helps.

dan (ddp)

Jun 23, 2016, 7:01:00 AM
to ossec...@googlegroups.com
On Wed, Jun 22, 2016 at 9:11 PM, Tom ONeil <thomas.j...@gmail.com> wrote:
> Sorry for the slow response, finally slept for a decent length.
>
>
>
> We are getting everything from the Windows Event logs by default just fine
> where they should be.
>
> Logall is grabbing everything else into archives.
>

Ok, so Windows event logs aren't an issue.

>
>
> What I need is the contents of the mentioned text files into, especially


But you are not getting the log events from the text file in your archives.log?
If that's true: Is the configuration snippet you included in your
original email present on the agents? Did you restart the OSSEC
service after making that change to the config file?
Are there any mentions of the log file in the agent's ossec.log file?

> changes in role or configuration and the user that made them.
>

Are these bits of information included in the logs inside that text file?

>
>
> What I cannot get a handle on is why they don't show up at all.
>
> I have read the docs, and tried to modify local_rules.xml to grab all the
> content from those and it fails config check with not enough explanations as
> to why.
>
>
>
> <group name="QlikSense Roles">
>
> <rule id="100001" level="7">
>
> <srcip>192.168.2.10</srcip>
>
> <description>Example of rule that will grab role changes</description>
>
> <description>Role Change from IP 192.168.2.10</description>
>
> </rule>
>

This rule doesn't do very much. It looks for any log message that has
decoded the IP "192.168.2.10" from its content.
It is not looking at logs from that IP address, just logs caused by
that IP address.
You also have 2 descriptions, and nothing really limiting what log
events this rule would apply to.
If you could provide a log sample, it'd be a lot easier to help you
create a rule.

Tom ONeil

Jun 24, 2016, 12:18:40 AM
to ossec-list
We are getting everything in archives with logall. 
The entries I want to catch are 

User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin  (from one logfile)

Stream with name 'Test' added by user 'AIPTEST\qssadmin (from another logfile)

Jesus Linares

Jun 24, 2016, 4:34:13 AM
to ossec-list
Hi Tom,

First of all, you need a decoder to capture the events. It seems that there is no common part in the logs, so I suggest you add a tag at the beginning of the log. Examples:

local_decoder.xml:
<decoder name="tom_decoder">
    <prematch>^TomTag: </prematch>
</decoder>

<decoder name="tom_decoder-log1">
    <parent>tom_decoder</parent>
    <prematch>updated</prematch>
    <regex offset="after_parent">User '(\S+)' updated by '(\S+)</regex>
    <order>srcuser,dstuser</order>
</decoder>

<decoder name="tom_decoder-log2">
    <parent>tom_decoder</parent>
    <prematch offset="after_parent">^Stream</prematch>
    <regex offset="after_parent">Stream with name '(\S+)' added by user '(\S+)</regex>
    <order>url,user</order>
</decoder>

local_rules.xml:
<group name="tom_group,">

    <rule id="10002" level="0">
        <decoded_as>tom_decoder</decoded_as>
        <description>Tom: messages grouped</description>
    </rule>

    <rule id="10003" level="0">
        <if_sid>10002</if_sid>
        <match>updated</match>
        <description>Tom: Updated event</description>
    </rule>

    <rule id="10004" level="0">
        <if_sid>10002</if_sid>
        <match>added</match>
        <description>Tom: Added event</description>
    </rule>

</group>


ossec-logtest:
TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin

**Phase 1: Completed pre-decoding.
       full event: 'TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin'

**Phase 2: Completed decoding.
       decoder: 'tom_decoder'
       srcuser: 'AIPTEST\some.user'
       dstuser: 'AIPTEST\qssadmin'

**Phase 3: Completed filtering (rules).
       Rule id: '10003'
       Level: '0'
       Description: 'Tom: Updated event'


TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin


**Phase 1: Completed pre-decoding.
       full event: 'TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin'

**Phase 2: Completed decoding.
       decoder: 'tom_decoder'
       url: 'Test'
       dstuser: 'AIPTEST\qssadmin'

**Phase 3: Completed filtering (rules).
       Rule id: '10004'
       Level: '0'
       Description: 'Tom: Added event'


Regards.
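To see how the decoders and rules in this reply fit together without an OSSEC install, here is an added example (not OSSEC's code and not from the post) that re-implements this decoder and rule chain in Python, using Python's re module as a stand-in for OSSEC's own regex engine; the sample lines are constructed after the two Qlik events, and the third, untagged sample shows why the TomTag prefix is needed.

```python
import re

# Added example, not OSSEC's own code: the decoder and rule chain from the post
# above re-implemented with Python's re standing in for OSSEC's regex engine.
DECODERS = [
    {"name": "tom_decoder", "parent": None, "prematch": r"^TomTag: "},
    {"name": "tom_decoder-log1", "parent": "tom_decoder", "prematch": r"updated",
     "regex": r"User '(\S+)' updated by '(\S+)", "order": ["srcuser", "dstuser"]},
    {"name": "tom_decoder-log2", "parent": "tom_decoder", "prematch": r"^Stream",
     "regex": r"Stream with name '(\S+)' added by user '(\S+)", "order": ["url", "user"]},
]
RULES = [  # same tree as local_rules.xml: one grouping rule and two children
    {"id": 10002, "decoded_as": "tom_decoder", "if_sid": None, "match": None},
    {"id": 10003, "decoded_as": None, "if_sid": 10002, "match": "updated"},
    {"id": 10004, "decoded_as": None, "if_sid": 10002, "match": "added"},
]

def decode(line):
    """Phase 2: (parent decoder name, extracted fields); (None, {}) for untagged lines."""
    parent = DECODERS[0]
    m = re.search(parent["prematch"], line)
    if not m:
        return None, {}
    rest = line[m.end():]  # offset="after_parent": children only see this part
    for child in DECODERS[1:]:
        if re.search(child["prematch"], rest):
            caps = re.search(child["regex"], rest)
            if caps:
                return parent["name"], dict(zip(child["order"], caps.groups()))
    return parent["name"], {}

def match_rule(line, decoder):
    """Phase 3: a child rule fires only if its if_sid parent matched just before it."""
    matched = None
    for rule in RULES:
        if rule["if_sid"] is None:
            if decoder == rule["decoded_as"]:
                matched = rule["id"]
        elif rule["if_sid"] == matched and rule["match"] in line:
            matched = rule["id"]
    return matched

def logtest(line):
    decoder, fields = decode(line)
    return decoder, fields, match_rule(line, decoder)

if __name__ == "__main__":  # constructed samples; the untagged one shows why the tag is needed
    for s in (r"TomTag: User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin",
              r"TomTag: Stream with name 'Test' added by user 'AIPTEST\qssadmin",
              r"User 'AIPTEST\some.user' updated by 'AIPTEST\qssadmin"):
        print(logtest(s))
```

OSSEC itself reports the `user` field of the second decoder as dstuser, as the ossec-logtest run above shows.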