Feeding ossec-logtest


Dave S

Jan 8, 2010, 2:34:23 PM
to ossec-list
I want to reprocess log entries that have already been received, so
I'm pulling lines from ./logs/archives/archives.log and piping them
into the tool. However, I'm not getting output from the tool that
matches in any way how OSSEC originally interpreted the data.

I'm presuming I'm not feeding the correct data to the tool. Is raw
data from archives.log the place to go for this data?

- Dave

Dave S

Jan 16, 2010, 6:00:13 PM
to ossec-list
I want to be able to reproduce an event for testing modifications to
rules.

Is grabbing a line out of archives.log and sending it to ossec-logtest
the way to do this?

dan (ddp)

Jan 18, 2010, 4:41:34 PM
to ossec...@googlegroups.com
Try pulling the log message out of the syslog file that it is stored to.
For example, if the message goes to /var/log/messages, pull it out of there.
I don't know if the archives messages are the same, for some reason that file
is empty on my server...

Dave S

Jan 19, 2010, 9:58:28 AM
to ossec-list
Dan,
I think the reason you have no archive.log is because you need to add

<global>
<logall>yes</logall>
</global>

to ossec.conf. Great way when you're debugging to get a thorough
record of all events sent to the server.

Unfortunately, the event I'm trying to reproduce is a Windows Event
log record, so I've no file (that I know of) where I can retrieve the
raw log entry.

- Dave

dan (ddp)

Jan 22, 2010, 10:21:55 AM
to ossec...@googlegroups.com

Wow, that worked. Thanks!

Ok, I have a Windows event log or two in there now. Here's an example:
2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog WinEvtLog:
System: INFORMATION(7036): Service Control Manager: (no user): no
domain: Bunny-PC: Windows Modules Installer running

It's a short example (there are long ones in there too, but this
seemed easier).
If I paste the whole line into ossec-logtest I get back bad results:
**Phase 1: Completed pre-decoding.
full event: '2010 Jan 19 17:56:24 (bunny)
192.168.17.0->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service
Control Manager: (no user): no domain: Bunny-PC: Windows Modules
Installer running'
hostname: 'ix'
program_name: '(null)'
log: '2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog
WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no
user): no domain: Bunny-PC: Windows Modules Installer running'

**Phase 2: Completed decoding.
No decoder matched.

However, if I paste everything after "192.168.17.0->WinEvtLog", the
results are much better:
WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no
user): no domain: Bunny-PC: Windows Modules Installer running


**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: System: INFORMATION(7036): Service
Control Manager: (no user): no domain: Bunny-PC: Windows Modules
Installer running'
hostname: 'ix'
program_name: '(null)'
log: 'WinEvtLog: System: INFORMATION(7036): Service Control
Manager: (no user): no domain: Bunny-PC: Windows Modules Installer
running'

**Phase 2: Completed decoding.
decoder: 'windows'
status: 'INFORMATION'
id: '7036'
extra_data: 'Service Control Manager'
dstuser: '(no user)'
system_name: 'Bunny-PC'

**Phase 3: Completed filtering (rules).
Rule id: '18101'
Level: '0'
Description: 'Windows informational event.'

Not perfect, since the wrong hostname is used (that's my ossec
server), but better.

HTH,
dan
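The thread's conclusion is that archives.log stores each event with a prefix OSSEC prepends (timestamp, agent name in parentheses, agent IP, "->" and the collector location) and that ossec-logtest wants only the part after that prefix. The script below is an added example, not code from the thread or from the OSSEC project: it strips that prefix so archived events can be piped into ossec-logtest in bulk. The agent form of the prefix is taken from dan's sample line; the local form ("host->/var/log/file") is assumed from OSSEC's archive format, and the /var/ossec/bin/ossec-logtest path, the sample lines and the function names are constructed for the example.

```python
"""Strip the archives.log prefix so archived events can be replayed through ossec-logtest.

Added example (not from the thread or the OSSEC project). Typical use:
    grep WinEvtLog /var/ossec/logs/archives/archives.log | python3 replay.py \
        | /var/ossec/bin/ossec-logtest
"""
import re
import subprocess
import sys

# Prefix OSSEC writes in front of every archived event.
#   Agent form (quoted in the thread): "2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog <log>"
#   Local form (assumed):              "2010 Jan 19 17:58:01 ix->/var/log/messages <log>"
ARCHIVE_PREFIX = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) "   # "2010 Jan 19 17:56:24 "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+?))"  # "(bunny) 192.168.17.0" or "ix"
    r"->(?P<location>\S+) "                                  # "->WinEvtLog "
    r"(?P<log>.*)$"                                          # the text the agent collected
)


def strip_archive_prefix(line):
    """Split one archives.log line into its prefix fields plus the original log text.

    Returns a dict with keys ts, agent, ip, host, location, log (unused
    keys are None), or None when the line carries no archive prefix.
    """
    m = ARCHIVE_PREFIX.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def logtest_input(lines):
    """Yield the raw log text for each archive line, which is what
    ossec-logtest expects on stdin; lines without a prefix pass through
    unchanged so already-raw input is accepted too."""
    for line in lines:
        fields = strip_archive_prefix(line)
        yield fields["log"] if fields else line.rstrip("\n")


def replay(lines, logtest="/var/ossec/bin/ossec-logtest"):
    """Pipe the stripped events into ossec-logtest and return its stdout.

    The binary path is an assumption; adjust it to your install.
    """
    payload = "\n".join(logtest_input(lines)) + "\n"
    proc = subprocess.run([logtest], input=payload, capture_output=True, text=True)
    return proc.stdout


# Constructed sample input: the agent line quoted in the thread (joined onto
# one line) and an assumed local-syslog archive line.
SAMPLE = [
    "2010 Jan 19 17:56:24 (bunny) 192.168.17.0->WinEvtLog WinEvtLog: System: "
    "INFORMATION(7036): Service Control Manager: (no user): no domain: Bunny-PC: "
    "Windows Modules Installer running",
    "2010 Jan 19 17:58:01 ix->/var/log/messages Jan 19 17:58:01 ix sshd[1234]: "
    "Accepted publickey for dave from 192.168.17.5 port 51234 ssh2",
]

if __name__ == "__main__":
    # Filter mode: read archive lines on stdin, write raw events on stdout.
    for log in logtest_input(sys.stdin):
        print(log)
```

One thing the script cannot repair is the hostname dan noticed: ossec-logtest fills in the local machine's name rather than the agent's, so rules keyed on hostname will still see the server's name when events are replayed this way.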
