collect all logs and add OpenVPN logs


ecanm...@gmail.com

Apr 1, 2015, 7:39:21 AM
to ossec...@googlegroups.com
hi,

First, I want OSSEC to collect all logs.
I have set the logall option, and
the log alert level is even at 0:


<global>
  <logall>yes</logall>
</global>

<alerts>
  <log_alert_level>0</log_alert_level>
  <email_alert_level>0</email_alert_level>
</alerts>


Still I don't get all log information; I usually get logs regarding event 3 (mostly) or higher.

What else do I need to do so OSSEC will log all events?

Second question is about OpenVPN.

Can I gather OpenVPN events into OSSEC?
I tried the rules and decoders but that's just time wasting.
I really don't understand why OSSEC has no standard rules for such a widely used program !!
Anyway, what I want is that OSSEC also collects information from OpenVPN, for example who logged on, from which IP address, failed logon attempts etc.

Thx


dan (ddp)

Apr 1, 2015, 7:47:03 AM
to ossec...@googlegroups.com
On Wed, Apr 1, 2015 at 7:37 AM, <ecanm...@gmail.com> wrote:
> hi,
>
> First I want that ossec collects all logs.
> I have put the logall options and
> log alertlevel is even at 0
>
>
> <global>
> <logall>yes</logall>
> </global>
>
>
>
> <alerts>
> <log_alert_level>0</log_alert_level>
> <email_alert_level>0</email_alert_level>
> </alerts>
>
>
> still I don't get all log information, I usually get logs regarding event 3
> (mostly) or higher.
>
> what else do I need to do, so OSSEC will log all events?
>

All log messages received by OSSEC should be in
/var/ossec/logs/archives/archives.log. Not all log messages trigger an
alert.

> Second question is about OpenVPN
>
> Can I gather openvpn events to OSSEC?

If it logs to a file you can.

> I tried the rules and decoders but that's just time wasting,

Why is it a waste of time?

> I really don't understand why OSSEC has no standard rules for such a widely
> used program !!

Would you like to know why we don't have rules and decoders for
OpenVPN? It's an easy answer: No one has written and contributed any.
No one has bothered to even contribute log samples. I don't use it.
None of the devs I've chatted with have mentioned it. It's hard to
support something I don't have access to.

Send me log samples, I'll do some work with it. Submit a pull request
with decoders and rules, and I'll make sure they get in. Whine and
I'll do nothing.

> anyway, what I want is that ossec also collects information from openvpn,
> for example, who logged on, which IP address, failed logon attempts etc.
>
> Thx
>
>

ecanm...@gmail.com

Apr 1, 2015, 7:59:27 AM
to ossec...@googlegroups.com


On Wednesday, April 1, 2015 at 1:47:03 PM UTC+2, dan (ddpbsd) wrote:
On Wed, Apr 1, 2015 at 7:37 AM,  <ecanm...@gmail.com> wrote:
> hi,
>
> First I want that ossec collects all logs.
> I have put the logall options and
> log alertlevel is even at 0
>
>
> <global>
>         <logall>yes</logall>
>   </global>
>
>
>
>  <alerts>
>     <log_alert_level>0</log_alert_level>
>     <email_alert_level>0</email_alert_level>
>   </alerts>
>
>
> still I don't get all log information, I usually get logs regarding event 3
> (mostly) or higher.
>
> what else do I need to do, so OSSEC will log all events?
>

All log messages received by OSSEC should be in
/var/ossec/logs/archives/archives.log. Not all log messages trigger an
alert.

I see what you mean.
 
> Second question is about OpenVPN
>
> Can I gather openvpn events to OSSEC?

If it logs to a file you can.

Yes, it logs the information I need, so it's just a matter of reading the OpenVPN log.

> I tried the rules and decoders but that's just time wasting,

Why is it a waste of time?

Because I spent a lot of time figuring this out, without results.

> I really don't understand why OSSEC has no standard rules for such a widely
> used program !!

Would you like to know why we don't have rules and decoders for
OpenVPN? It's an easy answer: No one has written and contributed any.
No one has bothered to even contribute log samples. I don't use it.
None of the devs I've chatted with have mentioned it. It's hard to
support something I don't have access to.

Send me log samples, I'll do some work with it. Submit a pull request
with decoders and rules, and I'll make sure they get in. Whine and
I'll do nothing.

Sorry, I am not whining, it's just frustrating.
OpenVPN is widely used and I expected it to be in the list of rules.
Anyway, I have a list of decoders and rules for OpenVPN; I can send them too if you want,
but I would like to know if there is an easy way for OSSEC to read the OpenVPN log files.
I have even added the OpenVPN directory for the agent.
Anyway, let me know if you need the decoders or rules, and thx for the quick reply.

dan (ddp)

Apr 1, 2015, 8:03:46 AM
to ossec...@googlegroups.com
Add localfile options pointing to the logfiles in the system's
ossec.conf. Then restart the OSSEC processes.

> I have even added the openvpn directory for the agent.
> Anyway let me know if you need the decoders or rules and thx for the quick
> reply.
>

If you want them included in OSSEC, submit a pull request on github
(https://github.com/ossec/ossec-hids). Please include log samples, and
if you have time a test file in contrib/ossec-testing/tests
If you don't use github, send them to me. I'll get them in.

ecanm...@gmail.com

Apr 1, 2015, 8:12:01 AM
to ossec...@googlegroups.com
You mean something like this, and the information will be collected by the OSSEC agent (OpenVPN is installed on a different server, managed by the client)?



<ossec_config>
    <localfile>
        <-- /etc/openvpn/logs/open-vpn.log
      
        -->
    </localfile>
</ossec_config>

dan (ddp)

Apr 1, 2015, 8:14:17 AM
to ossec...@googlegroups.com
On Wed, Apr 1, 2015 at 8:11 AM, <ecanm...@gmail.com> wrote:
>> you mean something like this and the information will be collected by
>> OSSEC agent (the openvpn is installed on a different server, managed by the
>> client)?
>

Something like that, yes. It needs to be on the system that the log
file exists on.

>
>
>
> <ossec_config>
> <localfile>
> <-- /etc/openvpn/logs/open-vpn.log
>
> -->
> </localfile>
> </ossec_config>
>

ecanm...@gmail.com

Apr 1, 2015, 8:33:49 AM
to ossec...@googlegroups.com
Well, I will test this and let you know.

thx Dan !!

ecanm...@gmail.com

Apr 1, 2015, 8:39:30 AM
to ossec...@googlegroups.com
Hello Dan,

sorry, this is the correct format:


<localfile>
  <log_format>syslog</log_format>
  <location>/etc/openvpn/log/openvpn.log</location>
</localfile>



The OSSEC service has been started (without any errors), but I still don't get any messages relating to the OpenVPN log.
I double checked the file and it was generating messages after I restarted OSSEC.
Does OSSEC look only for errors and discard other information?

dan (ddp)

Apr 1, 2015, 8:48:20 AM
to ossec...@googlegroups.com
On Wed, Apr 1, 2015 at 8:38 AM, <ecanm...@gmail.com> wrote:
> Hello Dan,
>
> sorry, this is the correct format:
>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/etc/openvpn/log/openvpn.log</location>
> </localfile>
>
>
>
> the ossec service has been started (without any errors), but still I don't
> get any messages relating to the openvpn log,
> I double checked the file and it was generating messages after I restarted
> ossec
> does ossec look only for errors and discard other information?
>

No, it should send all log messages the agent receives. Double check
the archives.log file for the log messages, and check the ossec.log on
the agent for errors concerning openvpn.log.

>
> On Wednesday, April 1, 2015 at 2:33:49 PM UTC+2, ecanm...@gmail.com wrote:
>>
>> well I will test this and let you know.
>>
>> thx Dan !!
>>
>>>

Santiago Bassett

Apr 1, 2015, 9:13:24 AM
to ossec...@googlegroups.com
Also it might help to run "lsof /etc/openvpn/log/openvpn.log" to confirm the ossec-logcollector process is reading that file. Also check that the logs are written in syslog format.

ecanm...@gmail.com

Apr 1, 2015, 9:19:19 AM
to ossec...@googlegroups.com
OK, this is what I found in the ossec.log:

 ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'

 INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'

Just to double check, I did an ls on the file and it does exist.
The openvpn.log doesn't reside on the OSSEC server but on a client; maybe the OSSEC server was checking locally?
Or should I put this rule in the client config file?

dan (ddp)

Apr 1, 2015, 9:23:22 AM
to ossec...@googlegroups.com
On Wed, Apr 1, 2015 at 9:13 AM, <ecanm...@gmail.com> wrote:
> Oke, this is what I found in the ossec.log
>
> ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'
>
> INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'
>
> just to double check, I did an ls on the file and it does exist
> the openvpn.log doesn't reside on the ossec server but on a client, maybe
> the ossec server was checking locally
> or should I put this rule in the client config file?
>

As I've said a number of times now, the localfile configuration must
be in the ossec.conf of the system that hosts the log file
(or in agents.conf, but that's a bit advanced at this point). If the
log file exists on a different system, how do you expect
ossec-logcollector to read it?

>>
>>
>> No, it should send all log messages the agent receives. Double check
>> the archives.log file for the log messages, and check the ossec.log on
>> the agent for errors concerning openvpn.log.
>>
>>
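The check Dan and Santiago describe (the localfile entry has to be in the ossec.conf of the host that actually writes the file, and ossec.log is where ossec-logcollector reports files it could not open), as an added Python example. This is not OSSEC's own tooling and not code from anyone in the thread: it parses an ossec.conf fragment for its localfile locations, scans ossec.log lines for the two messages quoted above, and says for each configured location whether logcollector gave up on it and whether the path is even present on this host. The ossec.conf fragment and the ossec.log lines are constructed from the ones posted in the thread; the second localfile entry is an assumption added to show the "collected" case.

```python
"""Cross-check <localfile> locations against ossec-logcollector errors in ossec.log."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the OpenVPN entry is the one posted in the
# thread, /var/log/messages is an assumed second entry for contrast.
OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/openvpn/log/openvpn.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>"""

# Constructed ossec.log excerpt: exactly the two lines quoted in the thread.
OSSEC_LOG = """\
 ERROR: Unable to open file '/etc/openvpn/log/openvpn.log'
 INFO: File not available, ignoring it: '/etc/openvpn/log/openvpn.log'
"""

# The two logcollector messages shown on the page; ":?" because only the
# second one carries a colon before the quoted path.
FAILED_RE = re.compile(r"(Unable to open file|File not available, ignoring it):? '([^']+)'")


def configured_locations(conf_xml):
    """Every <location> under a <localfile> element, in config order."""
    root = ET.fromstring(conf_xml)
    return [lf.findtext("location") for lf in root.iter("localfile")]


def failed_locations(ossec_log):
    """Map path -> list of logcollector messages that mention it."""
    failed = {}
    for line in ossec_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.setdefault(m.group(2), []).append(m.group(1))
    return failed


def diagnose(conf_xml, ossec_log,
             exists=os.path.exists,
             readable=lambda p: os.access(p, os.R_OK)):
    """Per configured location, a one-line verdict. exists/readable are
    injectable so the logic can be exercised without touching the real host
    (os.access checks the *current* user, not necessarily the ossec user)."""
    failed = failed_locations(ossec_log)
    report = {}
    for loc in configured_locations(conf_xml):
        if loc not in failed:
            report[loc] = "collected"
        elif not exists(loc):
            report[loc] = ("missing on this host: the <localfile> belongs in the "
                           "ossec.conf of the host that writes it (or in agent.conf)")
        elif not readable(loc):
            report[loc] = "exists but is not readable by this user: check permissions"
        else:
            report[loc] = ("exists and is readable now but logcollector gave up on it "
                           "at start-up: restart OSSEC and re-check ossec.log")
    return report


if __name__ == "__main__":
    for path, verdict in diagnose(OSSEC_CONF, OSSEC_LOG).items():
        print(f"{path}: {verdict}")
```

Run it on the agent that is supposed to read the file, with the real ossec.conf and ossec.log substituted for the constructed strings; on the OSSEC server in the thread it reports the OpenVPN path as missing, which is exactly the situation Dan points out.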

ecanm...@gmail.com

Apr 1, 2015, 10:18:53 AM
to ossec...@googlegroups.com
What use is this solution then? Wasn't the point of OSSEC to have centralized management....
In my case we don't have so many servers running, but for an enterprise environment this is not suitable.
Anyway, what you just said I had already figured out, and yes, I am now getting alerts from the OpenVPN log,
for example:

Wed Apr  1 15:36:35 2015 us=196958 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

I don't get messages like who is logged on or logged off or, as in the case above, which connection is refused.

I spent a lot of time on this again and again ended up with no results.

Sorry, but OSSEC is definitely not ready for deployment; OSSEC misses so much and even easy things are so complicated.

But I guess that's a common issue with open source: open source is not for business environments, maybe for hobbies at home.

I hope you now understand what I mean, and it's not whining.

Santiago Bassett

Apr 1, 2015, 10:51:07 AM
to ossec...@googlegroups.com
OSSEC supports centralized configuration management: http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html

Thousands of Open Source solutions are used daily in production environments, so I assume Open Source is ready for business, but maybe not for people who don't read the documentation...

Inaki Rodriguez

Apr 1, 2015, 11:30:52 AM
to ossec...@googlegroups.com

Hi!

Sorry, but I have deployed OSSEC on more than 400 servers, with the config centralized. Probably the problem is not OSSEC (maybe an RTFM related problem). You can specify the log files on your central server with some granularity and you can see who logs on to your servers. You can even get events from hardware appliances using ssh or telnet. Even OSSIM uses OSSEC and it is deployed at some big companies. Give it a chance :P



On 01/04/15 at 16:11, ecanm...@gmail.com wrote:

ecanm...@gmail.com

Apr 1, 2015, 11:30:53 AM
to ossec...@googlegroups.com
Hello Santiago,
Just because a lot of people use a certain product doesn't mean it's a good product.
The main reason people use open source is because it's free.
Anyway, I see great potential for OSSEC, but it drastically needs to be improved and made more user friendly.
Thank you for the link; I am relieved that you can manage it centrally,
but the documentation tells me nothing else.
For example, how can I read all information from a certain log file in OSSEC?
So not just alerts, but all the information in a log (this log file generates very few).

ecanm...@gmail.com

Apr 1, 2015, 12:29:06 PM
to ossec...@googlegroups.com
Thx Inaki,

I'm doing my best to get it working; it's just taking a lot of time and is frustrating,
and it is working, but I just need to fine tune a couple of things...

ecanm...@gmail.com

Apr 1, 2015, 12:29:08 PM
to ossec...@googlegroups.com
Can you get OSSEC to get all information from a certain log file and report it?
Have you tried using this command: /var/ossec/bin/util.sh addfile
This is also handy, but how do I revert it now...


On Wednesday, April 1, 2015 at 5:30:52 PM UTC+2, Inaki Rodriguez wrote:

Inaki Rodriguez

Apr 1, 2015, 12:29:09 PM
to ossec...@googlegroups.com

My contribution:

<!-- Wed Apr  1 11:18:26 2015 91.126.130.4:63972 TLS: Username/Password authentication succeeded for username 'USERNAME' -->
<decoder name="openvpn-success">
  <prematch>Password authentication succeeded </prematch>
  <regex offset="after_prematch">^for username '(\S+)'</regex>
  <order>user</order>
</decoder>

<!-- AUTH-PAM: BACKGROUND: user 'USERNAME' failed to authenticate: Authentication failure -->
<decoder name="openvpn-pam-failed">
  <prematch>AUTH-PAM: BACKGROUND: </prematch>
  <regex offset="after_prematch">^user '(\S+)' failed to authenticate</regex>
  <order>user</order>
</decoder>


This is the decoder for use with PAM authentication.

Cheers

On 01/04/15 at 17:16, ecanm...@gmail.com wrote:
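To see what Inaki's two decoders extract from an OpenVPN line, here is an added Python example that is neither OSSEC code nor Inaki's: it replays the prematch, regex with offset="after_prematch", and order logic of the two decoders above with Python's re module over log lines constructed from the samples in his comments and from the ECONNREFUSED line posted earlier in the thread. OSSEC's regex dialect is not Python's, so the patterns are hand-translated. The third decoder, openvpn-success-srcip, is my own addition and not on the page; it shows how a decoder with no offset (regex over the whole line) could also pick up the client address that precedes "TLS:" in the success message, which is the "who logged on, from which IP" information asked for above.

```python
"""Replay the two OpenVPN decoders from the thread (plus one assumed one) in Python."""
import re

# Decoders from Inaki's post: (name, prematch, offset, regex, order).
# Prematch strings are copied verbatim; regexes are translated to Python re.
DECODERS = [
    ("openvpn-success",
     "Password authentication succeeded ", "after_prematch",
     re.compile(r"^for username '(\S+)'"), ("user",)),
    ("openvpn-pam-failed",
     "AUTH-PAM: BACKGROUND: ", "after_prematch",
     re.compile(r"^user '(\S+)' failed to authenticate"), ("user",)),
]

# Hypothetical extra decoder (my addition, not from the thread): no offset, so
# the regex runs over the whole line and can capture the client address too.
SRCIP_DECODER = (
    "openvpn-success-srcip",
    "TLS: Username/Password authentication succeeded", None,
    re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ TLS: Username/Password authentication "
               r"succeeded for username '(\S+)'"),
    ("srcip", "user"),
)


def decode(line, decoders=DECODERS):
    """Approximation of OSSEC decoder matching: the first decoder whose prematch
    string occurs in the line is tried; its regex runs on the text after the
    prematch (offset="after_prematch") or on the whole line (no offset); captured
    groups are named by <order>. Returns a dict of fields, or None if no decoder
    produced a match (the event then goes through undecoded)."""
    for name, prematch, offset, regex, order in decoders:
        pos = line.find(prematch)
        if pos == -1:
            continue
        if offset == "after_prematch":
            m = regex.match(line[pos + len(prematch):])
        else:
            m = regex.search(line)
        if m:
            return {"decoder": name, **dict(zip(order, m.groups()))}
    return None


def decode_all(lines, decoders=DECODERS):
    return [decode(line, decoders) for line in lines]


# Constructed sample lines: the two from the decoder comments above and the
# ECONNREFUSED line posted earlier in the thread (which no decoder should match).
SAMPLE_LOG = [
    "Wed Apr  1 11:18:26 2015 91.126.130.4:63972 TLS: Username/Password "
    "authentication succeeded for username 'USERNAME'",
    "AUTH-PAM: BACKGROUND: user 'USERNAME' failed to authenticate: Authentication failure",
    "Wed Apr  1 15:36:35 2015 us=196958 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
]

if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LOG, decode_all(SAMPLE_LOG)):
        print(fields, "<-", line[:50])
    print(decode(SAMPLE_LOG[0], [SRCIP_DECODER]))
```

The third line decodes to nothing, which matches what the thread observes: a connection-refused message carries no user or peer field for a decoder to extract, so a rule can only match on its text.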

dan (ddp)

Apr 1, 2015, 12:38:42 PM
to ossec...@googlegroups.com
On Wed, Apr 1, 2015 at 10:11 AM, <ecanm...@gmail.com> wrote:
> what use is this solution then? wasn't the point of OSSEC to have a
> centralized management....

It does, in the agent.conf. But you seemed to be having enough issues
with basic configuration that I didn't want to toss that into the mix
as well.
I personally (as in this is not the project's point of view) think
that configuration management systems like puppet or chef are an even
better place to handle these types of configurations.

> in my case we don't have so much servers running, but for enterprise
> environment this is not suitable
> anyway, what you just said, I already figured it out and yes I am getting
> now alerts from the openvpnlog
> for example:
>
> Wed Apr 1 15:36:35 2015 us=196958 read UDPv4 [ECONNREFUSED]: Connection
> refused (code=111)
>
> I don't get messages like who is logged on or logged off or as in the case
> above: which connection is refused
>
> spent a lot of time on this again and again at the end no results
>

That log is from the OpenVPN software, right? If so, that's a problem
with their logging.
As I've admitted, I'm not familiar with OpenVPN, so please excuse me
if this is a stupid question (I'm full of them). Does the "us=196958"
field and value relate to a particular session? If so, the accumulator
decoder feature might assist in making more sense of events that span
multiple log messages.

> sorry but OSSEC is definitely not ready for deployment , OSSEC misses so
> much and even easy things are so complicated
>

I'm sorry you see it that way. I don't find it particularly difficult,
and neither do the other 3 or 4 users.

> but I guess that's a common issue with open source , opensource is not for
> business environment, maybe for hobbies t at home
>

Ha! Oh ok.

If you want better OpenVPN support you have a few options:
1. Step up and make it so.
2. Provide me with the information I'd need to do the work for your
company for free.
3. Hire someone to do the work.

If you don't, and are ready to move on, I wish you the best of luck in
your endeavors.

dan (ddp)

Apr 1, 2015, 12:40:45 PM
to ossec...@googlegroups.com
On Wed, Apr 1, 2015 at 11:16 AM, <ecanm...@gmail.com> wrote:
> Hello Santiago,
> Just because a lot of people use a certain product, doesn't mean it's a good
> product.
> The main reason people use open source is because it's free.
> anyway, I see great potential for OSSEC, but it drastically needs to be
> improved and made more user friendly
> thank you for the link and I am relieved that you can manage it centrally
> but the documentation tells me nothing else
> for example, how can I read all information from a certain log file in
> ossec?
> so not just alerts, but all the information in a log (this log file
> generates very few)
>

Add a localfile option to read that log file. That will read all of
the information and submit it to the server for analysis.

>
>
>
> On Wednesday, April 1, 2015 at 4:51:07 PM UTC+2, Santiago Bassett wrote:
>>
>> OSSEC supports centralized configuration management:
>> http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html
>>
>> Thousands of Open Source solutions are used daily in production
>> environments, so I assume Open Source is ready for business, but maybe not
>> for people that doesn't read the documentation...
>>
>>