Netscreen Firewall Logs


Ozgur Orhan

Aug 15, 2012, 7:03:40 AM
to ossec...@googlegroups.com

Hi All,

We have issues configuring the OSSEC server to receive Netscreen firewall logs. The logs are decoded as syslog, not as Netscreen firewall.

Here are my configuration steps:

First, the firewalls are configured to send audit logs via syslog.

We changed the ossec.conf file as below to allow syslog:

<remote>
    <connection>syslog</connection>
    <allowed-ips>firewall ip</allowed-ips>
</remote>

OSSEC services restarted without problems.

I checked with tcpdump that the firewall syslog traffic is received by the OSSEC server.

Here is my sample log:

Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)

/var/ossec/bin/ossec-logtest shows that logs from the Netscreen device are decoded properly:

**Phase 1: Completed pre-decoding.
       full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111  [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
       hostname: '1.1.1.1'
       program_name: 'SSG350M'
       log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'

**Phase 2: Completed decoding.
       decoder: 'netscreenfw'
       action: 'warning'
       id: '00518'

**Phase 3: Completed filtering (rules).
       Rule id: '4502'
       Level: '9'
       Description: 'Netscreen warning message.'
**Alert to be generated.

No logs/alerts occurred in /var/ossec/logs/firewall/firewall.log.

I checked /var/ossec/logs/alerts/alerts.log and found a log about the syslog process. It seems the log is decoded as syslog:

** Alert 1345026945.197836: - syslog,access_control,authentication_failed,
2012 Aug 15 13:35:45 logyon->1.1.1.1
Rule: 2501 (level 5) -> 'User authentication failure.'
SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: Local admin authentication failed for login name userid: invalid password (2012-08-15 14:39:22)

I couldn't find what I am missing. Any help would be greatly appreciated.

Regards,

Ozgur

dan (ddp)

Aug 15, 2012, 9:20:34 AM
to ossec...@googlegroups.com
It looks like the log message sent to OSSEC is different from the log
message you tested above. This log message doesn't have the timestamp
at the beginning.

**Phase 1: Completed pre-decoding.
full event: 'SSG350M: NetScreen device_id=Juniper111
[Root]system-warning-00518: ADM: Local admin authentication failed for
login name userid: invalid password (2012-08-15 14:39:22)'
hostname: 'arrakis'
program_name: '(null)'
log: 'SSG350M: NetScreen device_id=Juniper111
[Root]system-warning-00518: ADM: Local admin authentication failed for
login name userid: invalid password (2012-08-15 14:39:22)'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '2501'
Level: '5'
Description: 'User authentication failure.'
**Alert to be generated.

dan (ddp)

Aug 16, 2012, 8:52:42 AM
to ossec...@googlegroups.com
On Thu, Aug 16, 2012 at 6:48 AM, oorhan <oor...@gmail.com> wrote:
> hi Dan,
>
> Thank you for your reply.
>
> The original netscreen log message has a timestamp. The log is taken from another
> syslog server.
>


According to your alert.log entry the log message does not have a timestamp.

An example of an alert.log entry complete with a timestamp:
** Alert 1336394319.2684: - syslog,sudo
2012 May 07 08:38:39 arrakis->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: ddp
2012-05-07T08:38:38.338172-04:00 arrakis sudo: ddp : TTY=ttyp1 ;
PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down


You can enable the logall option to make sure though.

Looking at the sample you gave me though (the one in alerts.log since
I don't trust the other one), I can see why it isn't decoded as a
netscreen entry. The decoder thinks the first parts of the log will
be "NetScreen device_id." In your sample it starts with: "SSG350M:
NetScreen device_id." So find out why the SSG350M is showing up
instead of a timestamp and you should be golden.

Otherwise if the log sample you provided is incorrect, post a sample
from the archives.log so we can try and track this down.


>
> "
>
> Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>
> "
>
> Log message on your test was a part of alert.log.
>
> Here are my logtest results, but we are still unable to decode it. Any idea?
>
>
> Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen device_id=Juniper111
> [Root]system-warning-00518: Admin user "userid" login attempt for Web(http)
> management (port 20480) from 1.1.1.1:22560 failed. (2012-08-15 11:33:36)
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Aug 15 10:30:14 136.10.247.130 SSG350M: NetScreen
> device_id=Juniper111 [Root]system-warning-00518: Admin user "userid" login
> attempt for Web(http) management (port 20480) from 1.1.1.1:22560 failed.
> (2012-08-15 11:33:36)'
> hostname: '136.10.247.130'
>
> program_name: 'SSG350M'
> log: 'NetScreen device_id=Juniper111 [Root]system-warning-00518:
> Admin user "userid" login attempt for Web(http) management (port 20480) from
> 1.1.1.1:22560 failed. (2012-08-15 11:33:36)'
>
> **Phase 2: Completed decoding.
> decoder: 'netscreenfw'
> action: 'warning'
> id: '00518'
>

Looks like it's being decoded to me. I must be misunderstanding something.

> **Phase 3: Completed filtering (rules).
> Rule id: '4502'
> Level: '9'
> Description: 'Netscreen warning message.'
> **Alert to be generated.
>
>
>
>
> On Wednesday, 15 August 2012 16:20:34 UTC+3, dan (ddpbsd) wrote:
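To make Dan's point concrete, here is a small Python model of OSSEC's Phase 1 pre-decoding and the netscreenfw prematch, run over the two log shapes that appear in this thread. It is an added example, not OSSEC's own code and not something any poster wrote: the syslog-header regex approximates what ossec-analysisd does, the prematch follows Dan's description that the decoder expects the log to begin with "NetScreen device_id=" (check it against your installed /var/ossec/etc/decoder.xml), and the function names `predecode`/`decode` are mine. The sample lines are constructed by reshaping the thread's samples with documentation addresses.

```python
"""
Model of OSSEC's Phase 1 pre-decoder plus the netscreenfw prematch.
Added illustration, not OSSEC code; regexes approximate ossec-analysisd,
and the prematch is taken from Dan's description in this thread.
"""
import re

# Syslog header as the pre-decoder expects it:
# "Mmm dd hh:mm:ss hostname program_name: log"  (program_name optional)
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^:\s\[]+)(?:\[\d+\])?: )?"
    r"(?P<log>.*)$"
)

# netscreenfw: prematch anchored at the start of the *log* part, then a
# generic child that pulls action and id out of "system-<action>-<id>".
NETSCREEN_PREMATCH = re.compile(r"^NetScreen device_id=")
NETSCREEN_GENERIC = re.compile(r"system-(?P<action>\w+)-(?P<id>\d+)")


def predecode(event: str) -> dict:
    """Phase 1: split a syslog line into hostname / program_name / log.
    Without a leading timestamp the whole line becomes the log and
    program_name stays None, which ossec-logtest prints as '(null)'."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group("host"),
            "program_name": m.group("prog"),
            "log": m.group("log")}


def decode(event: str) -> dict:
    """Phase 2: run the netscreenfw prematch against the pre-decoded log."""
    pre = predecode(event)
    result = dict(pre, decoder=None, action=None, id=None)
    if NETSCREEN_PREMATCH.match(pre["log"]):
        result["decoder"] = "netscreenfw"
        g = NETSCREEN_GENERIC.search(pre["log"])
        if g:
            result["action"] = g.group("action")
            result["id"] = g.group("id")
    return result


# Constructed samples reshaped from the thread (documentation addresses).
# 1) as tested in ossec-logtest: full syslog header in front
WITH_HEADER = ('Aug 15 10:30:14 192.0.2.130 SSG350M: NetScreen device_id=Juniper111 '
               '[Root]system-warning-00518: Admin user "userid" login attempt for '
               'Web(http) management (port 20480) from 198.51.100.1:22560 failed. '
               '(2012-08-15 11:33:36)')
# 2) as it showed up in alerts.log: hostname-colon prefix, no timestamp
NO_HEADER = ('SSG350M: NetScreen device_id=Juniper111 [Root]system-warning-00518: '
             'ADM: Local admin authentication failed for login name userid: '
             'invalid password (2012-08-15 14:39:22)')
# 3) the bare NetScreen message with nothing in front of it
BARE = ('NetScreen device_id=Juniper111 [Root]system-warning-00518: ADM: Local '
        'admin authentication failed for login name userid: invalid password '
        '(2012-08-15 14:39:22)')

if __name__ == "__main__":
    for ev in (WITH_HEADER, NO_HEADER, BARE):
        r = decode(ev)
        print(f"program_name={r['program_name']!r:10} decoder={r['decoder']!r:14} "
              f"action={r['action']!r} id={r['id']!r}")
```

Running it reproduces the difference between the two logtest outputs above: the first line yields program_name 'SSG350M', decoder netscreenfw, action 'warning', id '00518'; the second has no syslog header, so program_name is None, the log is the whole line starting "SSG350M: ", and no decoder matches. The third, bare line passes this model's prematch; if a real ossec-logtest run disagrees with that, the prematch in your decoder.xml differs from the one assumed here.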

Daniel Kertby

Apr 2, 2014, 7:53:17 AM
to ossec...@googlegroups.com
Hi all,

I'm experiencing the same issue when trying to set up OSSEC monitoring for a Juniper Netscreen SSG-320M.
A failed web user login is hitting rule 1002; info from archives.log is provided below:

014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen device_id=#FW_hostname#  [Root]system-warning-00518: Admin user "#username#" login attempt for Web(https) management (port 47873) from #client_IP#:54031 failed. (2014-04-02 23:59:59)

Any help appreciated!

Regards,
Daniel

dan (ddp)

Apr 2, 2014, 7:57:53 AM
to ossec...@googlegroups.com


On Apr 2, 2014 7:54 AM, "Daniel Kertby" <ker...@gmail.com> wrote:
>
> Hi all,
>
> I'm experiencing the same issue when trying to set up OSSEC monitoring for a Juniper Netscreen SSG-320M.
> A failed web user login is hitting rule 1002; info from archives.log is provided below:
>
> 014 Apr 02 23:59:59 #ossec-hostname# -> #FW_IP# #FW_hostname#: NetScreen device_id=#FW_hostname#  [Root]system-warning-00518: Admin user "#username#" login attempt for Web(https) management (port 47873) from #client_IP#:54031 failed. (2014-04-02 23:59:59)
>

Maybe it's the hashes?
Have you tried using ossec-logtest to see how ossec is parsing the log message?


Daniel Kertby

Apr 2, 2014, 8:50:49 AM
to ossec...@googlegroups.com
Sorry for the confusion, the # hashes were put there by me to mask hostnames/IPs.

I tried ossec-logtest now and pasted the info from "NetScreen device_id=" onwards, skipping the first part of the entry in the archives.log file; I'm a bit unsure what should be included.

-----------------------------------------------------------------------------------------------------------------------------------
    2014/04/02 01:01:01 ossec-testrule: INFO: Started (pid: 29953).
    ossec-testrule: Type one log per line.

    NetScreen device_id=<netscreen-device>  [Root]system-warning-00518: Admin user "theuser" login attempt for Web(https) management (port 47873) from <client_ip>:54031 failed. (2014-04-02 00:01:01)

    **Phase 1: Completed pre-decoding.
           full event: 'NetScreen device_id=<netscreen-device>  [Root]system-warning-00518: Admin user "<theuser>" login attempt for Web(https) management (port 47873) from <client-ip>:54031 failed. (2014-04-02 00:01:01)'
           hostname: '<ossec_server>'
           program_name: '(null)'
           log: 'NetScreen device_id=<netscreen-device>  [Root]system-warning-00518: Admin user "<theuser>" login attempt for Web(https) management (port 47873) from <client-ip>:54031 failed. (2014-04-02 00:01:01)'

    **Phase 2: Completed decoding.
           No decoder matched.

    **Phase 3: Completed filtering (rules).
           Rule id: '1002'
           Level: '2'
           Description: 'Unknown problem somewhere in the system.'
    **Alert to be generated.

-----------------------------------------------------------------------------------------------------------------------------------
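Daniel's uncertainty about what to paste from archives.log into ossec-logtest, and Dan's request in the 2012 exchange for a sample from archives.log, come down to the same step: strip the archives.log prefix and feed the remainder in unchanged, because that remainder is the event exactly as OSSEC received it. The helper below is an added example, not OSSEC code and not from any poster. It assumes the archives.log layout "YYYY Mon DD HH:MM:SS <ossec-host>-><location> <event>" (written when <logall>yes</logall> is set in the <global> section of ossec.conf; for remote syslog the location is the sender's IP, for a local file its path), which matches the two entries quoted in this thread; the function names and the sample entries, built from the masked lines above with documentation addresses, are mine.

```python
"""
Recover the raw event from an OSSEC archives.log entry so it can be given to
ossec-logtest exactly as received. Added illustration, not OSSEC's own code.

Assumed archives.log layout (matches the entries quoted in the thread):
    YYYY Mon DD HH:MM:SS <ossec-host>-><location> <event as received>
"""
import re
import sys

ARCHIVE_PREFIX = re.compile(
    r"^(?P<year>\d{4}) (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ossec_host>\S+?) ?-> ?(?P<location>\S+) (?P<event>.*)$"
)

# Start of the log part the netscreenfw decoder expects (Dan's description).
NETSCREEN_PREMATCH = re.compile(r"^NetScreen device_id=")
# A NetScreen event that arrived as "<hostname>: NetScreen device_id=..."
# with no "Mmm dd hh:mm:ss host" syslog header in front of it.
HOSTNAME_ONLY = re.compile(r"^\S+: NetScreen device_id=")
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")


def archives_to_raw(line):
    """Return (location, raw_event) for an archives.log entry, else None."""
    m = ARCHIVE_PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("location"), m.group("event")


def classify(raw_event):
    """Say how a recovered NetScreen event will fare in the pre-decoder."""
    if SYSLOG_HEADER.match(raw_event):
        return "syslog-header"           # header stripped first, prematch sees the rest
    if NETSCREEN_PREMATCH.match(raw_event):
        return "prematch-ok"             # log already starts with NetScreen device_id=
    if HOSTNAME_ONLY.match(raw_event):
        return "hostname-no-timestamp"   # the shape Dan pointed at: prematch fails
    return "not-netscreen"


# Constructed samples (documentation addresses): the masked archives.log line
# from this thread, and Dan's alerts.log example reflowed into one archives line.
FW_ENTRY = ('2014 Apr 02 23:59:59 ossec-srv->192.0.2.10 ssg320: NetScreen '
            'device_id=ssg320  [Root]system-warning-00518: Admin user "theuser" '
            'login attempt for Web(https) management (port 47873) from '
            '198.51.100.7:54031 failed. (2014-04-02 23:59:59)')
SUDO_ENTRY = ('2012 May 07 08:38:39 arrakis->/var/log/secure '
              '2012-05-07T08:38:38.338172-04:00 arrakis sudo: ddp : TTY=ttyp1 ; '
              'PWD=/home/ddp ; USER=root ; COMMAND=/sbin/ifconfig em0 down')


def main():
    # Usage (default install paths assumed; ossec-logtest reads one event per line):
    #   grep 'NetScreen device_id=' /var/ossec/logs/archives/archives.log \
    #     | python3 archives_to_raw.py | /var/ossec/bin/ossec-logtest
    for line in sys.stdin:
        parsed = archives_to_raw(line)
        if parsed:
            print(parsed[1])


if __name__ == "__main__":
    if sys.stdin.isatty():
        for entry in (FW_ENTRY, SUDO_ENTRY):
            location, raw = archives_to_raw(entry)
            print(f"{location}: {classify(raw)}: {raw[:60]}...")
    else:
        main()
```

On the first sample the recovered event is "ssg320: NetScreen device_id=ssg320 ...", i.e. a hostname-colon prefix with no syslog timestamp, the same shape Dan pointed at in the 2012 alerts.log entry, so it classifies as "hostname-no-timestamp". That recovered line, not the fragment starting at "NetScreen device_id=", is what ossec-logtest needs to see to reproduce what the server does.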

dan (ddp)

Apr 2, 2014, 9:01:29 AM
to ossec...@googlegroups.com
So it isn't getting decoded properly. The first step in tracking down
the issue is to find out why it isn't being decoded.
It looks like the version of OSSEC in the ancient post you replied to
decoded it. What version of OSSEC are you using?

Daniel Kertby

Apr 2, 2014, 3:14:52 PM
to ossec...@googlegroups.com
Hi again,
Sorry for the delayed reply.
I had accidentally installed 2.6 but upgraded to 2.7.1.
Still got the same issue though...

I'm at home but would appreciate feedback on how to continue troubleshooting the issue...

/Daniel
