do_not_group question


Tim Boyer

Aug 31, 2013, 12:47:34 PM8/31/13
to ossec...@googlegroups.com
Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the way I expect.  I assume that that is a problem with my expectations, but just in case...

ossec.conf looks like so:

  <email_alerts>
    <email_to>WINDOWS</email_to>
    <level>5</level>
    <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
    <do_not_group />
  </email_alerts>  

but 'Multiple Windows error events' continues to group messages, like so:

Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
Rule: 18154 fired (level 10) -> "Multiple Windows error events."
Portion of the log(s):

WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058 
WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:   a) Name Resolution failure on the current domain controller.   b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). 



I believe this is only happening with the 'Multiple Windows' alert.  Is this a limitation in do_not_group, or is there something I'm doing wrong?

Thanks,

Tim

dan (ddp)

Aug 31, 2013, 1:06:10 PM8/31/13
to ossec...@googlegroups.com


On Aug 31, 2013 1:01 PM, "Tim Boyer" <boy...@gmail.com> wrote:
>
> Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the way I expect.  I assume that that is a problem with my expectations, but just in case...
>

The email you provided only includes 1 alert, not a group of alerts. The alert happens to include multiple log messages, but it is still just 1 alert.


Tim Boyer

Aug 31, 2013, 3:01:02 PM8/31/13
to ossec...@googlegroups.com
Dan -

But it's an alert from three different servers.  If you go into REMOTEDEV03's logs, you can find where it's having this problem - but you have to go into the logs of the other two servers to find those error messages.  Why is it being aggregated into one error message?

Thanks,

Tim

Tim Boyer

Aug 31, 2013, 3:23:18 PM8/31/13
to ossec...@googlegroups.com
... and a few minutes searching through email gave me this from a 219KB email message.  Couple of hundred of the 'Audit policy changed' from one server, followed by a web server error from another:

OSSEC HIDS Notification.
2013 Aug 31 14:56:13

Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4719):
Microsoft-Windows-Security-Auditing: (no user): no domain:
TABJUMP01.timboyer.org: System audit policy was changed. Subject:  Security ID:
S-1-5-18  Account Name:  TABJUMP01$  Account Domain:  TAB  Logon ID:  0x3e7
Audit Policy Change:  Category:  %%8273  Subcategory:  %%12549  Subcategory
GUID: {0CCE9219-69AE-11D9-BED3-505054503030}  Changes:  %%8449, %%8451



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Aug 31 14:56:13

Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4719):
Microsoft-Windows-Security-Auditing: (no user): no domain:
TABJUMP01.timboyer.org: System audit policy was changed. Subject:  Security ID:
S-1-5-18  Account Name:  TABJUMP01$  Account Domain:  TAB  Logon ID:  0x3e7
Audit Policy Change:  Category:  %%8273  Subcategory:  %%12550  Subcategory
GUID: {0CCE921A-69AE-11D9-BED3-505054503030}  Changes:  %%8449, %%8451



 --END OF NOTIFICATION

<1758 lines with the same error skipped>


OSSEC HIDS Notification.
2013 Aug 31 14:56:36

Received From: (TABAPP01)
192.168.51.165->\WINDOWS\System32\LogFiles\W3SVC1\ex130831.log
Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from
same source ip."
Portion of the log(s):

2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
/web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1
/Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
/EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
/http://TABtestlb.timboyer.org/web372/TAB
/TABtestlb.timboyer.org 401 1 0 1988 525 0
2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
//web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1
//Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
//EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
//http://TABtestlb.timboyer.org/web372/TAB
//TABtestlb.timboyer.org 401 2 2148074254 1872 442 78
2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
/web372/themes/main.css - 80 - 192.168.17.145 HTTP/1.1
/Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
/EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
/http://TABtestlb.timboyer.org/web372/TAB

dan (ddp)

Aug 31, 2013, 8:56:28 PM8/31/13
to ossec...@googlegroups.com


On Aug 31, 2013 8:55 PM, "Tim Boyer" <boy...@gmail.com> wrote:
>
> Dan -
>
> But it's an alert from three different servers.  If you go into REMOTEDEV03's logs, you can find where it's having this problem - but you have to go into the logs of the other two servers to find those error messages.  Why is it being aggregated into one error message?
>

That alert is happening whether it is emailed out or not. The do not group option is for the email, not the alert.

dan (ddp)

Aug 31, 2013, 10:33:43 PM8/31/13
to ossec...@googlegroups.com


On Aug 31, 2013 10:32 PM, "Tim Boyer" <boy...@gmail.com> wrote:
>
> ... and a few minutes searching through email gave me this from a 219KB email message.  Couple of hundred of the 'Audit policy changed' from one server, followed by a web server error from another:
>

My guess would be that you hit the max emails per hour limit and this is a wrap up.
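Dan's reading is that the 219KB message is a wrap-up email: once the hourly email cap is hit, queued alerts are bundled into one mail, so each "OSSEC HIDS Notification." block in it is a separate alert, whereas the rule 18154 alert in the first post is a single alert that happens to quote logs from several agents. The parser below, added here as an example and not part of this thread or of OSSEC, splits a bundled email back into its alerts and counts them per rule and agent; the email body is a constructed sample in the notification layout shown above.

```python
import re
from collections import Counter

# Constructed sample in the layout of OSSEC notification emails (modelled on the
# thread): a wrap-up with two alerts, the second quoting logs from two agents.
SAMPLE_EMAIL = """OSSEC HIDS Notification.
2013 Aug 31 14:56:13
Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(4719): System audit policy was changed.
 --END OF NOTIFICATION
<1758 lines with the same error skipped>
OSSEC HIDS Notification.
2013 Aug 31 14:56:36
Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
Rule: 18154 fired (level 10) -> "Multiple Windows error events."
Portion of the log(s):
WinEvtLog: System: ERROR(7001): REMOTEDEV03.dev.example.org: DHCP Client failed
WinEvtLog: System: ERROR(7001): LOCALCON01.example.org: DHCP Client failed
 --END OF NOTIFICATION
"""

# One regex per alert block; blank lines between the fields are tolerated.
HEADER = re.compile(
    r"Received From: \((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->(?P<location>\S+)\s*"
    r"Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> \"(?P<desc>[^\"]*)\"\s*"
    r"Portion of the log\(s\):\s*(?P<logs>.*?)\s*--END OF NOTIFICATION",
    re.DOTALL,
)
SKIPPED = re.compile(r"<(\d+) lines with the same error skipped>")

def parse_notifications(body):
    """Split one OSSEC email into the separate alerts it bundles."""
    alerts = []
    for m in HEADER.finditer(body):
        logs = [l for l in m.group("logs").splitlines() if l.strip()]
        alerts.append({"agent": m.group("agent"), "rule": int(m.group("rule")),
                       "level": int(m.group("level")), "desc": m.group("desc"),
                       "log_lines": logs})
    return alerts

def summarize(body):
    """Alerts per (rule, agent) plus the line count a wrap-up email elided."""
    alerts = parse_notifications(body)
    per_rule_agent = Counter((a["rule"], a["agent"]) for a in alerts)
    skipped = sum(int(n) for n in SKIPPED.findall(body))
    return {"alerts": len(alerts), "per_rule_agent": per_rule_agent,
            "skipped_lines": skipped}
```

Run against a saved wrap-up mail, a large "alerts" count with a single-digit "log_lines" per alert is the per-hour bundling Dan describes; one alert with many log lines is a frequency rule firing once.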

Tim Boyer

Sep 1, 2013, 10:13:45 AM9/1/13
to ossec...@googlegroups.com
Aha!  That makes sense; I'll bump it up.  Thanks much!