Hi All,
We have issues configuring the Ossec server to receive Netscreen firewall logs. Logs are decoded as syslog, not netscreen firewall.
Here are my configuration steps:
First, the firewalls are configured to send audit logs via syslog.
We changed the ossec.conf file as below to allow syslog:
<remote>
<connection>syslog</connection>
<allowed-ips>firewall ip</allowed-ips>
</remote>
The Ossec services restarted without problems.
I checked with tcpdump that the firewall syslog traffic is received by the Ossec server.
Here is my sample log:
Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
/var/ossec/bin/ossec-logtest shows logs from netscreen device decoded properly.
**Phase 1: Completed pre-decoding.
full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
hostname: '1.1.1.1'
program_name: 'SSG350M'
log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
**Phase 2: Completed decoding.
decoder: 'netscreenfw'
action: 'warning'
id: '00518'
**Phase 3: Completed filtering (rules).
Rule id: '4502'
Level: '9'
Description: 'Netscreen warning message.'
**Alert to be generated.
No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.
I checked /var/ossec/logs/alerts/alerts.log and found a log about the syslog process. It seems the log is decoded as syslog.
** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
2012 Aug 15 13:35:45 logyon->1.1.1.1
Rule: 2501 (level 5) -> 'User authentication failure.'
SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: Local admin authentication failed for login name userid: invalid password (2012-08-15 14:39:22)
I couldn't find what I am missing. Any help would be greatly appreciated.
Regards,
Ozgur
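An added example, not from Ozgur's message and not OSSEC's own code: a small Python re-implementation of the two phases ossec-logtest prints above (syslog pre-decoding, then the netscreenfw decoder). The regexes and the "syslog" fallback label are my assumptions about how the NetScreen decoder matches a line, not a copy of OSSEC's decoder XML. The sample input is constructed from the two NetScreen lines quoted in the thread plus one generic sshd line that carries no NetScreen prefix, so you can see which lines the NetScreen decoder would claim and which ones fall through to plain syslog.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two NetScreen lines quoted in the thread above
# plus one generic sshd line that has no NetScreen prefix at all.
SAMPLE_LINES: List[str] = [
    'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
    '[Root]system-warning-00518: Admin user "userid" login attempt for Web(http) '
    'management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)',
    'Aug 15 13:35:45 136.10.247.130 SSG350M: NetScreen device_id=Juniper111 '
    '[Root]system-warning-00518: ADM: Local admin authentication failed for login '
    'name userid: invalid password (2012-08-15 14:39:22)',
    'Aug 15 10:31:02 136.10.247.130 sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2',
]

# Phase 1 (pre-decoding): classic BSD syslog header -> timestamp, hostname,
# program name (with an optional [pid]) and the remaining log text.
SYSLOG_HEADER = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<hostname>\S+) '
    r'(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: '
    r'(?P<log>.*)$'
)

# Phase 2 (decoding): assumed netscreenfw prematch and field regex.
# Assumption: the NetScreen decoder claims a line only if its log text starts
# with "NetScreen device_id="; action and id come from the
# "[vsys]category-action-id:" token that follows the device id.
NETSCREEN_PREMATCH = "NetScreen device_id="
NETSCREEN_FIELDS = re.compile(
    r'^NetScreen device_id=(?P<device_id>\S+) '
    r'\[(?P<vsys>[^\]]+)\](?P<category>\w+)-(?P<action>\w+)-(?P<id>\d+): '
    r'(?P<message>.*)$'
)


def predecode(line: str) -> Optional[Dict[str, str]]:
    """Phase 1: split the syslog header. Returns None for non-syslog input."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def decode_netscreen(log: str) -> Optional[Dict[str, str]]:
    """Phase 2: extract NetScreen fields, or None if the prematch fails."""
    if not log.startswith(NETSCREEN_PREMATCH):
        return None
    m = NETSCREEN_FIELDS.match(log)
    return m.groupdict() if m else None


def decode(line: str) -> Optional[Dict[str, str]]:
    """Run both phases and record which decoder claimed the line."""
    event = predecode(line)
    if event is None:
        return None
    fields = decode_netscreen(event["log"])
    if fields is not None:
        event.update(fields)
        event["decoder"] = "netscreenfw"
    else:
        # Nothing more specific matched: the line stays a plain syslog event.
        event["decoder"] = "syslog"
    return event


def decode_all(lines: List[str]) -> List[Dict[str, str]]:
    """Decode a batch, dropping input that is not syslog at all."""
    return [e for e in (decode(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for event in decode_all(SAMPLE_LINES):
        print(f"decoder={event['decoder']:<12} program={event['program_name']:<8} "
              f"action={event.get('action', '-'):<8} id={event.get('id', '-')}")
```

Running it shows both NetScreen lines landing in netscreenfw with action "warning" and id "00518", while only the sshd line falls back to plain syslog. When comparing an alerts.log entry against an ossec-logtest run, feed logtest the exact text from alerts.log (the ADM: Local admin authentication failed line, not the Web(http) login attempt line) so the decoder and rule id are being compared on the same input.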
On Apr 2, 2014 7:54 AM, "Daniel Kertby" <ker...@gmail.com> wrote:
>
> Hi all,
>
> I'm experiencing the same issue when trying to set up ossec monitoring for a Juniper Netscreen SSG-320M.
> Failed web user login is hitting the 1002 rule; info from archives.log is provided below:
>
> 014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen device_id=#FW_hostname# [Root]system-warning-00518: Admin user "#username#" login attempt for Web(https) management (port 47873) from #client_IP#:54031 failed. (2014-04-02 23:59:59)
>
Maybe it's the hashes?
Have you tried using ossec-logtest to see how ossec is parsing the log message?