Sending Windows Event Logs with nxlog

[zen....@gmail.com]

Hello,

is it possible to send Windows logs with other agent than ossec-agent which is included with OSSEC?

I try to send logs in syslog format with nxlog, in nxlog.conf is:

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input in>
    Module      im_msvistalog
    Exec $Message = to_json(); to_syslog_bsd();
</Input>

<Output out>
    Module      om_tcp
    Host        10.10.10.70    - example IP
    Port        514

</Output>

<Route r>
    Path        in => out
</Route>

when I start the service in Windows I receive such error:

2015-04-14 14:47:59 INFO connecting to 10.10.10.70:514
2015-04-14 14:47:59 INFO nxlog-ce-2.9.1347 started
2015-04-14 14:48:00 INFO reconnecting in 1 seconds
2015-04-14 14:48:00 ERROR couldn't connect to tcp socket on 10.10.10.70:514; No connection could be made because the target machine actively refused it. 

Probably I should change some configuration file in OSSEC server but I don't know which one, could you help me?

[dan (ddp)]

In the remote section on the manager you need to enable tcp syslog.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[zen....@gmail.com]

could you be a little bit precise? do you mean ossec.conf in /var/ossec/etc in ossec server?

[dan (ddp)]

On Tue, Apr 14, 2015 at 9:56 AM, <zen....@gmail.com> wrote:
> could you be a little bit precise? do you mean ossec.conf in /var/ossec/etc
> in ossec server?
>

Sorry, I was on my phone and answered quickly instread of thoroughly.
Is there another ossec.conf on the manager?

Near the existing <remote> section of the file
'/var/ossec/etc/ossec.conf' on the OSSEC manager, you may need to add
the following information:

<remote>
<connection>syslog</connection> <!-- listen for syslog -->
<port>514</port> <!-- You have configured
the client to send to port 514 -->
<protocol>tcp</protocol> <!-- You have configured the
client to use tcp -->
<allowed-ips>IP_OF_SYSLOG_CLIENT</allowed-ips> <!-- This should be
changed to the actual IP of the client you want to send syslog
messages from -->
</remote>

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.remote.html

[zen....@gmail.com]

Thank you, it works !!!

I have one more question, in OSSEC server in the event description is: "Non standard syslog message (size too large)" what does it mean?

[dan (ddp)]

OSSEC has a built in limit for syslog messages. It's either 1024 or
2048 bytes. The messages it is receiving are larger than this.

[zen....@gmail.com]

It was easy cake for you, maybe you could help with my other problem, I was looking for in the Internet but my searching was unsuccessful, here is my post https://groups.google.com/forum/#!topic/elastichq/2Jv3klNsFNM

[dan (ddp)]

I don't use ElasticHQ.

[zen....@gmail.com]

I just wonder, what do you use instead of ElastiHQ to visualize events collecting?

[dan (ddp)]

On Tue, Apr 14, 2015 at 3:21 PM, <zen....@gmail.com> wrote:
> I just wonder, what do you use instead of ElastiHQ to visualize events
> collecting?
>

I don't currently use OSSEC in a professional setting. I have used
graylog2, logstash/kibana, and splunk in the past though.

[zen....@gmail.com]

before I started using OSSEC I installed graylog2 but it turned out too difficult for me to configure it, IMO I think OSSEC is a little bit easier and almost everything works after installation.

I installed this machine by import virtual image to my ESXi, so it had installed all applications to monitoring.

Of course I still try to - lets say - personalize the interface logstash/kibana but it I have problem that I mentioned in earlier post.

[Daniil Svetlov]

Hi!

You can install LighSIEM (https://github.com/dsvetlov/lightsiem). It use Elasticsearch, logstash and Kibana to parse logs of OSSEC and visualize them.

LightSIEM contains all patterns for OSSEC (and Snort too). I can help with any questions and problems with LightSIEM.

вторник, 14 апреля 2015 г., 22:43:27 UTC+3 пользователь zen....@gmail.com написал:

[Daniil Svetlov]

Hi!

Ansible download some extra packages from internet. It seems, that it can't access internet to download them.

пн, 20 апр. 2015, 12:14,  <zen....@gmail.com>:

Hello,

it looks nice, I wanted to install this directly on my OSSEC in my test lab but there were some errors, I changed my mind and prepared other server with CentOS 7, I did almost all installations but when I wanted to run ansible-playbook lightsiem-master/lightsiem-install.yml I got this:

[zen....@gmail.com]

I reinstalled all system and it works.

[Daniil Svetlov]

Hi!

Thanks for your report. It was a bug. I have already fixed it.

Hope you are enjoing LightSIEM. You can ask me anything about it.

BR, Daniil.

пн, 20 апр. 2015 г. в 17:23, <zen....@gmail.com>:

I reinstalled all system and it works.

--

[zen....@gmail.com]

Hi,

thanks for fixing a bug. I have other question, maybe you would be able to help me, this is my post https://groups.google.com/forum/#!topic/elastichq/2Jv3klNsFNM

BR, Andrew

[Daniil Svetlov]

Hi, Andrew!

I have never use ElasticHQ and always make query with curl from command line((

But I'll test ElasticHQ, when have time enough.

вт, 21 апр. 2015 г. в 12:27, <zen....@gmail.com>:

Hi,

thanks for fixing a bug. I have other question, maybe you would be able to help me, this is my post https://groups.google.com/forum/#!topic/elastichq/2Jv3klNsFNM

BR, Andrew

--

[zen....@gmail.com]

Hi Daniil,

I would lile to add some diagram to my OSSEC interface but I don't know how.

Among events there are Microsoft-Windows-PrintSpooler[0], in the field Details there are among other things: "AccountName", "Message", "param3", "param4", there are many other but I don't need them.

For example:

"AccountName":"user1", "Message":"Document1 printed on HP, printed pages: 1", "param3":"user1", "param4":"HP"

"AccountName":"user1", "Message":"Document5 printed on HP, printed pages: 4", "param3":"user1", "param4":"HP"

"AccountName":"user2", "Message":"Document2 printed on Canon, printed pages: 1", "param3":"user2", "param4":"Canon"

"AccountName":"user2", "Message":"Document3 printed on HP, printed pages: 1", "param3":"user2", "param4":"HP"

I would like to create such diagram:

AccountName  Printed pages  Printer

user1                5                      HP

user2                1                      Canon

user2                1                      HP

5 is a sum both printout. Is it something possible to do?

[zen....@gmail.com]

Hi Daniil,

in LighSIEM there are two diagrams, they show nothing only denoted symbols are rotating,

[Mustafa Qasim]

Zen.xen3

Didn't you noticed that you do send a same message at least 3 times repeatedly in this thread? Is there any issue with your email client?

[zen....@gmail.com]

There were some problems and now should be fine.

[Daniil Svetlov]

Hi, zen.xen!

A'm not sure, that it is possible only with kibana. You can write script, with will make query to ES, and that insert sum of some fileds back.

чт, 23 апр. 2015 г. в 11:23, <zen....@gmail.com>:

--

[Daniil Svetlov]

Can you check please some different time intervals for events. Are these diagrams show nothing on every time frame or on all of them. I think, that problem is coused, by some events, that contains text in field Alert.Analyzer.Level.Normalyzed. I'll try to make some kind of implicit conversion. 

чт, 23 апр. 2015 г. в 17:23, <zen....@gmail.com>:

Hi Daniil,

in LighSIEM there are two diagrams, they show nothing only denoted symbols are rotating,

[zen....@gmail.com]

Whatever interval time I choose these diagrams are empty.

[zen....@gmail.com]

ok, but is it possible do that without sum, just display?

AccountName  Printed pages  Printer

user1                1                      HP

user1                4                      HP

user2                1                      Canon

user2                1                      HP

[Daniil Svetlov]

Yes, I think it's possible. But you need to have this information parsed from logs.

пн, 27 апр. 2015 г. в 12:01, <zen....@gmail.com>: