OSSEC custom rules not generating alerts


Jason B

Jun 25, 2018, 3:22:11 PM
to security-onion
I have scoured the internet and cannot find a solution to the problem, and would greatly appreciate any and all help in this matter. I am trying to have ossec generate an alert for the following (this is taken from Kibana, so the event is reaching SO):

2018 Jun 25 18:19:22 (*****-DC) 10.*.*.*->WinEvtLog 2018 Jun 25 05:21:00 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: AD01.*****.local: Process Create: UtcTime: 2018-06-25 12:21:00.203 ProcessGuid: {C18F344F-DE2C-5B30-0000-0010FB5BB603} ProcessId: 6768 Image: C:\Windows\System32\cmd.exe FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623) Description: Windows Command Processor Product: Microsoft® Windows® Operating System Company: Microsoft Corporation CommandLine: cmd.exe /Q /c echo test CurrentDirectory: C:\Users\*****.da\Desktop\ User: *****\*****.da LogonGuid: {C18F344F-F44C-5B28-0000-0020E9676B00} LogonId: 0x6B67E9 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B ParentProcessGuid: {C18F344F-64D9-5B2B-0000-001012B48701} ParentProcessId: 1476 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: "cmd.exe" /s /k pushd "C:\Users\*****.da\Desktop"

I have attached so-stat, local_rules.xml, local_decoder.xml.

I tested the log against ossec-logtest and it generates an alert:

**Phase 2: Completed decoding.
decoder: 'Sysmon-EventID#1'

**Phase 3: Completed filtering (rules).
Rule id: '100022'
Level: '12'
Description: 'Sysmon - Suspicious Process - cmd.exe QuietMode'
**Alert to be generated.

With the -a flag, it works and generates an alert number.

Please help, I can't figure out why it isn't working.

I have restarted the system numerous times; this is a stand-alone installation and there are no remote sensors or the sort.
local_decoder.xml
local_rules.xm
so-stat

Jason B

Jun 25, 2018, 3:26:00 PM
to security-onion
I should also add that I have checked alerts.log and the alert is not showing up.

Wes Lambert

Jun 26, 2018, 8:07:21 AM
to securit...@googlegroups.com
Have you checked log_alert_level in ossec.conf to make sure it is set correctly?

Thanks,
Wes

On Mon, Jun 25, 2018 at 3:26 PM Jason B <jab...@gmail.com> wrote:
I should also add that I have checked alerts.log and the alert is not showing up.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.



Jason B

Jun 26, 2018, 9:36:16 AM
to security-onion

Yes, it is set to 5. I have also played with the alert levels in the rules to see if the number was changing anything; set anywhere from 5 to 12 in the local_rules.

Kevin Branch

Jun 26, 2018, 5:57:21 PM
to securit...@googlegroups.com
Hi Jason,

Are you receiving any alerts at all in /var/ossec/logs/alerts/alerts.log?
How are you conveying these Sysmon events from the Windows system to the SO system?  Via OSSEC agent?  Winlogbeat?
What do you see in the location, tags, and syslog-tags fields in Kibana for that Sysmon example record?

Kevin


Jason B

Jun 27, 2018, 7:45:15 AM
to security-onion
Hi Kevin,

Yes I am receiving all of the default rule alerts, just not custom ones. I have checked and the local_rules.xml is listed in the config. I have attached it below.

Yes I am using the OSSEC agent and have updated the config appropriately. It is also attached below.

location (****-DC), (****-DC)
syslog-tags .source.s_ossec
tags syslogng, syslog, process_creation, internal_source

Please let me know if you need anything else.

<!-- OSSEC example config -->

<ossec_config>
<global>
<email_notification>no</email_notification>
<logall>yes</logall>
</global>

<syslog_output>
<server>127.0.0.1</server>
</syslog_output>

<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
<include>sysmon_rules.xml</include>
<include>securityonion_rules.xml</include>
</rules>

<syscheck>
<!-- Frequency that syscheck is executed -->
<frequency>25200</frequency>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes">/var/ossec/etc</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
</syscheck>

<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>

<global>
<white_list>127.0.0.1</white_list>
</global>

<remote>
<connection>secure</connection>
</remote>

<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>

<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>

<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>15</level>
<timeout>600</timeout>
</active-response>

<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>15</level>
<timeout>600</timeout>
</active-response>

<!-- Files to monitor (localfiles) -->

<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/xferlog</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.err</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/error.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/other_vhosts_access.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/snorby_access.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/snorby_error.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/ssl_access.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/xplico_access.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/xplico_error.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/access.log</location>
</localfile>

<localfile>
<log_format>command</log_format>
<command>/usr/sbin/sostat-interface</command>
<alias>packets_received</alias>
<frequency>600</frequency>
</localfile>

<!--Address 10.10.0.0/16 added by /usr/sbin/so-allow on Tue Jun 19 15:06:18 UTC 2018-->
<global>
<white_list>10.10.0.0/16</white_list>
</global>
</ossec_config>

<!-- OSSEC-HIDS Win32 Agent Configuration.
- This file is composed of 3 main sections:
- - Client config - Settings to connect to the OSSEC server
- - Localfile - Files/Event logs to monitor
- - syscheck - System file/Registry entries to monitor
-->

<!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
- try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
- to execute it.
-
- First, add a server-ip entry with the real IP of your server.
- Second, and optionally, change the settings of the files you want
- to monitor. Look at our Manual and FAQ for more information.
- Third, start the Agent and enjoy.
-
- Example of server-ip:
- <client> <server-ip>1.2.3.4</server-ip> </client>
-->

<ossec_config>

<!-- One entry for each file/Event log to monitor. -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>

<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>

<!-- Syscheck - Integrity Checking config. -->
<syscheck>

<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>

<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>

<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>

<active-response>
<disabled>yes</disabled>
</active-response>

</ossec_config>

<!-- END of Default Configuration. -->

<ossec_config>
<client>
<server-ip>10.*.*.*</server-ip>
</client>
</ossec_config>

Jason B

Jun 27, 2018, 8:02:56 AM
to security-onion
As an addendum, it is showing up in archives.log

Kevin Branch

Jun 27, 2018, 2:53:40 PM
to securit...@googlegroups.com
That is perplexing, Jason.  I run a Wazuh 3.3.1/ElasticStack 6.2.4 server here (Wazuh is a fork of OSSEC) and used your decoders/rules to catch your example event with your specific rule.  Here is what I did:

I added your custom decoders and rules to my Wazuh manager, with a small tweak of one of the <if_sid> values to align it with the richer Wazuh ruleset that already has some Sysmon-specific rules in it.  

I then installed Sysmon on my Windows 10 desktop which is already running the Wazuh 3.3.1 fork of OSSEC agent that reports to my Wazuh 3.3.1 manager (server) which writes alerts that end up in Kibana.  I used this sysmon config when I installed it

After adding this to my desktop's ossec.conf and restarting the agent
<localfile>
   <location>Microsoft-Windows-Sysmon/Operational</location>
   <log_format>eventchannel</log_format>
</localfile>

I ran this command from cmd.exe:
cmd.exe  /Q /c echo test

and your custom rule 100022 fired.

From your observations, it appears these events really are reaching your OSSEC server where they are not tripping rule 100022 even though the same events when pasted into ossec-logtest do fire that rule.  That is so frustrating, I know.  

Are you pasting this into ossec-logtest? (note the OSSEC header is stripped off)
Jun 25 05:21:00 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: AD01.*****.local: Process Create:  UtcTime: 2018-06-25 12:21:00.203  ProcessGuid: {C18F344F-DE2C-5B30-0000-0010FB5BB603}  ProcessId: 6768  Image: C:\Windows\System32\cmd.exe  FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)  Description: Windows Command Processor  Product: Microsoft® Windows® Operating System  Company: Microsoft Corporation  CommandLine: cmd.exe  /Q /c echo test  CurrentDirectory: C:\Users\*****.da\Desktop\  User: *****\*****.da  LogonGuid: {C18F344F-F44C-5B28-0000-0020E9676B00}  LogonId: 0x6B67E9  TerminalSessionId: 1  IntegrityLevel: Medium  Hashes: MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B  ParentProcessGuid: {C18F344F-64D9-5B2B-0000-001012B48701}  ParentProcessId: 1476  ParentImage: C:\Windows\System32\cmd.exe  ParentCommandLine: "cmd.exe" /s /k pushd "C:\Users\*****.da\Desktop"

It sounds like you have already rebooted the OSSEC server (or restarted the ossec service on it) since you added the decoders and rules, so that should not be the problem.
I have run into the "it only works with ossec-logtest" scenario before, though it has been a long time since I last had trouble with it.  I suspect you may be dealing with one of the bugs in OSSEC that have been fixed in the Wazuh fork which I switched completely over to years ago.

It is already on the SO roadmap to switch to Wazuh.  In the meantime, it is possible to run Wazuh manager on Security Onion in place of OSSEC.  I do so on all my SO standalone installs.  Reach out if you want to try that.

Kevin Branch

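The header difference Kevin points out (archives.log records carry an OSSEC transport prefix that ossec-logtest does not expect) and the field layout of Jason's Sysmon Event ID 1 record, as an added Python example that is not code from the thread, Security Onion, OSSEC or Wazuh. The sample line is constructed from the masked event quoted above with placeholder agent, domain and user names, and matches_quiet_cmd only approximates rule 100022, whose XML was an attachment and is not shown here.

```python
"""Split an OSSEC archives.log record into its transport header and the raw
Windows event, produce the form ossec-logtest expects, and parse the Sysmon
Event ID 1 (Process Create) fields out of the flattened text.

Added example for this thread, not code from Security Onion, OSSEC or Wazuh.
SAMPLE_ARCHIVE_LINE is constructed from the masked event quoted in the
thread; agent, domain and user names are placeholders."""
import re

# OSSEC prepends "<year> <mon> <day> <time> (<agent>) <src>-><location> " to
# every record it stores in archives.log / alerts.log.  ossec-logtest takes
# the record *without* that prefix, as Kevin's paste shows.
OSSEC_HEADER_RE = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d "
    r"\((?P<agent>[^)]*)\) (?P<src>\S+)->(?P<location>\S+) "
)

# Field names of a Sysmon Event ID 1 record, in the order Sysmon writes them.
SYSMON_1_FIELDS = [
    "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion", "Description",
    "Product", "Company", "CommandLine", "CurrentDirectory", "User", "LogonGuid",
    "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine",
]
_NAMES = "|".join(SYSMON_1_FIELDS)
# "Key: value" pairs separated only by whitespace; a value ends where the next
# known field name begins.  A value that itself contains " <Field>: " would be
# mis-split; that is an ambiguity of the flattened format, not of this parser.
_FIELD_RE = re.compile(
    r"\s*(?P<key>" + _NAMES + r"): (?P<val>.*?)(?=\s+(?:" + _NAMES + r"): |\s*$)",
    re.S,
)

# Constructed sample: the thread's event with placeholder names.
SAMPLE_ARCHIVE_LINE = (
    "2018 Jun 25 18:19:22 (EXAMPLE-DC) 10.0.0.5->WinEvtLog "
    "2018 Jun 25 05:21:00 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: AD01.example.local: Process Create: "
    "UtcTime: 2018-06-25 12:21:00.203 ProcessGuid: {C18F344F-DE2C-5B30-0000-0010FB5BB603} "
    "ProcessId: 6768 Image: C:\\Windows\\System32\\cmd.exe "
    "FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623) "
    "Description: Windows Command Processor Product: Microsoft Windows Operating System "
    "Company: Microsoft Corporation CommandLine: cmd.exe /Q /c echo test "
    "CurrentDirectory: C:\\Users\\jdoe.da\\Desktop\\ User: EXAMPLE\\jdoe.da "
    "LogonGuid: {C18F344F-F44C-5B28-0000-0020E9676B00} LogonId: 0x6B67E9 "
    "TerminalSessionId: 1 IntegrityLevel: Medium "
    "Hashes: MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,"
    "SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B "
    "ParentProcessGuid: {C18F344F-64D9-5B2B-0000-001012B48701} ParentProcessId: 1476 "
    "ParentImage: C:\\Windows\\System32\\cmd.exe "
    "ParentCommandLine: \"cmd.exe\" /s /k pushd \"C:\\Users\\jdoe.da\\Desktop\""
)


def split_ossec_header(line):
    """Return (header_fields, event).  header_fields is None when the line
    carries no OSSEC prefix (e.g. it was already prepared for logtest)."""
    m = OSSEC_HEADER_RE.match(line)
    if not m:
        return None, line
    return m.groupdict(), line[m.end():]


def logtest_input(line):
    """The record as it should be pasted into ossec-logtest: OSSEC prefix
    removed and the four-digit year dropped from the event's own timestamp."""
    _, event = split_ossec_header(line)
    return re.sub(r"^\d{4} ", "", event)


def parse_sysmon_process_create(line):
    """Dict of Sysmon Event ID 1 fields, or None if this is not a Process
    Create record.  Accepts both the archive and the logtest form."""
    _, event = split_ossec_header(line)
    marker = "Process Create:"
    idx = event.find(marker)
    if idx < 0:
        return None
    body = event[idx + len(marker):]
    return {m.group("key"): m.group("val").strip() for m in _FIELD_RE.finditer(body)}


def matches_quiet_cmd(fields):
    """Assumed approximation of rule 100022 ('Suspicious Process - cmd.exe
    QuietMode'): cmd.exe started with the /Q switch on its command line."""
    image = fields.get("Image", "").lower()
    cmdline = fields.get("CommandLine", "")
    return image.endswith("\\cmd.exe") and re.search(r"(?i)(?:^|\s)/q(?:\s|$)", cmdline) is not None


if __name__ == "__main__":
    hdr, _ = split_ossec_header(SAMPLE_ARCHIVE_LINE)
    print("agent:", hdr["agent"], "| location:", hdr["location"])
    print("logtest input:", logtest_input(SAMPLE_ARCHIVE_LINE)[:60], "...")
    f = parse_sysmon_process_create(SAMPLE_ARCHIVE_LINE)
    print("Image:", f["Image"], "| CommandLine:", f["CommandLine"])
    print("rule 100022 would match:", matches_quiet_cmd(f))
```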

Jason B

Jun 27, 2018, 4:04:46 PM
to security-onion
Hi Kevin,

Thank you very much for your detailed reply and validation! Since I have made this post, I have been attempting to figure out how to integrate Wazuh into my SO installation and found your previous posts saying that you do it, but none that detail the process. Could you please let me know how you do that? Do you have a separate Wazuh instance or do you integrate it directly onto the SO install? Do you have SO running Kibana and have it all funnel there? I tried installing the plugin into the SO Kibana and it causes it to crash. Scripts would be greatly appreciated!

I found the install guide on Wazuh to be somewhat outdated and couldn't get it to function.

To answer your other question, yes that is what I was pasting into the ossec-logtest without the OSSEC header. I never actually had the ossec header because the alert didn't trigger in the logs, I guess I could have tried the alert generated by logtest, but I didn't do that.

Out of curiosity, do you have a rough timeline for Wazuh integration into SO?

Thank you very much for your help!

Jason

Kevin Branch

Jun 27, 2018, 10:32:45 PM
to securit...@googlegroups.com
In most of my environments, I have an SO system and a separate Wazuh system.  I replace OSSEC HIDS Server on the SO system with Wazuh Agent 3.3.1 and have it report to the separate Wazuh Manager that writes events to a Wazuh-dedicated Elasticsearch cluster for viewing by a Wazuh-dedicated Kibana instance.  I have also tested replacing OSSEC HIDS Server on SO with Wazuh Manager and it works that way as well.  In both cases, some special considerations need to be taken to make sure that subsequent runs of sosetup or soup do not break and are not broken by the fact that Wazuh is now living in /var/ossec/ instead of OSSEC.  I've been doing it that way for years and it continues to work well for me.

I have not yet tried installing the Wazuh Kibana App on SO's Kibana docker container, since I always put that on a separate Elastic Stack system from the one in SO.

I do not know when Wazuh will replace OSSEC in SO.  It appears in the SO roadmap to be slated for some time after July 2018.  See: https://github.com/Security-Onion-Solutions/security-onion/issues/708.  

Doug or Wes, what is your feel about timing for swapping in Wazuh at this point?  I'd be happy to assist as I have time available to do so.   I really don't think it would be that hard.

Give me some time to pull the details together, and I will share how to replace OSSEC HIDS Server on SO with Wazuh 3.3.1 Manager or Agent on a standalone SO system.  

Kevin



Wes Lambert

Jun 28, 2018, 8:15:48 AM
to securit...@googlegroups.com
Hi Kevin,

We're actively working on a Wazuh Docker container at the moment, and working out some integration points with the Elastic Stack, which should be resolved soon.  As mentioned before, we haven't set a hard deadline, but hope to have it ready as soon as possible.  We'll keep the community updated as things change.

Thanks,
Wes

Kevin Branch

Jun 28, 2018, 10:42:18 PM
to securit...@googlegroups.com
This process is not officially supported by Security Onion, but for anyone wanting to try out swapping in Wazuh Manager in place of OSSEC Server in your Security Onion standalone installation, I have a write-up and supporting scripts here:


Actually the process to swap in Wazuh Agent in place of OSSEC Server on SO is far simpler, but that presumes you have a Wazuh Manager somewhere else for SO to report to.  If anyone wants that process, just let me know.

Kevin


Jason B

Jul 2, 2018, 9:59:50 AM
to security-onion
With that script, did you find a way to integrate the Wazuh kibana plugin following the steps at https://github.com/Security-Onion-Solutions/security-onion/wiki/Kibana?

When I attempted to load any plugin, kibana refuses to launch following those steps.

Jason

Kevin Branch

Jul 2, 2018, 2:36:15 PM
to securit...@googlegroups.com
Jason,

Sorry, that is not something I have tried yet.  The script really does not have anything directly to do with Elastic Stack.  It should work the same with an ELSA or ElasticStack-based Security Onion standalone server.
I am curious about the Kibana launch failure.  Did you see any error messages during the plugin install process?  Did you restart the Kibana container after installing the plugin?  Any insights in /var/log/kibana/kibana.log ?

Looking closer at the link you cited, I am skeptical that the Wazuh Kibana App can just be unzipped into a folder.  I think there is a more involved installation process going on with this app.  I install it like this (Docker not involved)

Kevin


Kevin Branch

Jul 2, 2018, 2:46:26 PM
to securit...@googlegroups.com
Sorry, sent too soon.  I was saying I install it like this (Docker not involved):

/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.3.1_6.2.4.zip

The "kibana-plugin install" process is doing much more than just unzipping the file.

Making the Kibana Docker image mount /nsm/kibana/plugins for the sake of persistence of the plugin is good, but I would suggest you try doing that without putting anything manually into /nsm/kibana/plugins, and that after restarting the Kibana container to make it pick up the mount, that you shell into the Kibana container and run these two commands:
Note that the name of the zip file needs to have the exact version number of Wazuh you are using and the exact version of Elastic Stack as well, so adjust the above if needed.

Kevin

Jason B

Jul 5, 2018, 9:38:47 AM
to security-onion
Kevin,

The alert is triggering on the Wazuh install! Thank you so much for your help!

Kevin Branch

Jul 5, 2018, 10:00:12 AM
to securit...@googlegroups.com
I am delighted to hear that.  You are very welcome!

Kevin


Brandon Stephens

Jul 20, 2018, 1:53:21 PM
to security-onion
Jason,

I am curious, have you found a way to remedy this archive issue? I am testing an ossec deployment and see logs coming in to archive. I can't seem to get them to populate any of the sysmon or HIDS dashboards I assume because of this. Did you possibly find a solution?

thanks,

Brandon

Kevin Branch

Jul 23, 2018, 1:16:52 PM
to securit...@googlegroups.com
Brandon,

I believe /var/ossec/logs/archives/archives.log is exactly where all raw logs collected by OSSEC agents should be appearing.   Syslog-ng then reads that file in real time and relays it to Logstash, which should parse the log records and insert them into Elasticsearch, which you can mine via Kibana.
Can you find any Sysmon events in archives.log?  If so, then can you find any of them in the Discover tab of Kibana?

Kevin
