Trying to determine why I didn't get notified for a certain rule


Marc Esher

Jan 5, 2012, 3:46:24 PM
to ossec-list
Greetings all,

Typical "Brand new to ossec" post here.

I have an ossec manager server, with a minimally modified standard
ossec.conf file. It monitors two Windows agents. I see in the agent
log files that it is correctly picking up the IIS log files each day
as they rotate.

I see entries in the IIS log related to the ZmEu scanner (just like
this one, which is successfully using ossec to punt these attempts:
http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).

However, I was never notified of these scan attempts by ossec. I have
all manner of information in the nightly log emails I receive, but
nothing related to "Mutiple web server 400 error codes from same
source ip"

I'm assuming I have something misconfigured, but I don't know what
that is.

What would cause me not to be notified of these scan attempts?

Thanks for guidance.

Marc

dan (ddp)

Jan 5, 2012, 4:16:50 PM
to ossec...@googlegroups.com

I don't see log samples in that blog post. So you'll have to do some work.

Run a log message through ossec-logtest. See how it's parsed. See what
alert is triggered.

Run a bunch of log messages through ossec-logtest. See what alert is
triggered then.

Marc Esher

Jan 5, 2012, 4:31:05 PM
to ossec...@googlegroups.com
Great. Thanks for the starting point, Dan.

dan (ddp)

Jan 6, 2012, 9:17:07 AM
to ossec...@googlegroups.com
On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <marc....@gmail.com> wrote:
> Great. Thanks for the starting point, Dan.
>

If you continue to have issues, posting a log sample might help.

Marc Esher

Jan 6, 2012, 9:41:29 AM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <marc....@gmail.com> wrote:
>> Great. Thanks for the starting point, Dan.
>>
>
> If you continue to have issues, posting a log sample might help.


Thanks Dan. I narrowed it down to the fact that the IIS log settings
were not set to log cookies. Consequently, the parser was not
correctly identifying the status-code field. Turning on all logging
fixed that.

However, there's still something strange: I have an email alert rule
set up to email me for log-level 10.

<email_alerts>
<email_to>my email....</email_to>
<level>10</level>
</email_alerts>


<email_alerts>
<email_to>my email...</email_to>
<rule_id>31151</rule_id>
</email_alerts>

I triggered the multiple 404 error codes rule, and I see it in the alert log:


** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
2012 Jan 06 09:15:27 (yyyy) XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from
same source ip.'
.....

My understanding of this is that the rule is triggered, and due to
"mail" being in the log message, it should be sending the email as
configured. In fact, I imagine it should send two emails, 1 for
reaching a log-level of 10, and the other for matching rule 31151.

However, when I tail /var/log/maillog, I see no evidence of mail being
sent (and obviously I didn't receive any emails).

Thoughts?

Thanks again.

Marc

dan (ddp)

Jan 6, 2012, 9:58:57 AM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <marc....@gmail.com> wrote:
> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <marc....@gmail.com> wrote:
>>> Great. Thanks for the starting point, Dan.
>>>
>>
>> If you continue to have issues, posting a log sample might help.
>
>
> Thanks Dan. I narrowed it down to the fact that the IIS log settings
> were not set to log cookies. Consequently, the parser was not
> correctly identifying the status-code field. Turning on all logging
> fixed that.
>
> However, there's still something strange: I have an email alert rule
> set up to email me for log-level 10.
>
>  <email_alerts>
>    <email_to>my email....</email_to>
>    <level>10</level>
>  </email_alerts>
>
>
>  <email_alerts>
>   <email_to>my email...</email_to>
>   <rule_id>31151</rule_id>
>  </email_alerts>
>

You should have an email setup in the <global> section, not just the
granular email setups.

<ossec_config>
  <global>
    <email_to>my email....</email_to>
    <level>10</level>

    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>oss...@example.com</email_from>
    <email_maxperhour>100</email_maxperhour>
  </global>
</ossec_config>

Marc Esher

Jan 6, 2012, 10:19:34 AM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 9:58 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <marc....@gmail.com> wrote:
>> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <marc....@gmail.com> wrote:
>>>> Great. Thanks for the starting point, Dan.
>>>>
>>>
>>> If you continue to have issues, posting a log sample might help.
>>
>>
>> Thanks Dan. I narrowed it down to the fact that the IIS log settings
>> were not set to log cookies. Consequently, the parser was not
>> correctly identifying the status-code field. Turning on all logging
>> fixed that.
>>
>> However, there's still something strange: I have an email alert rule
>> set up to email me for log-level 10.
>>
>>  <email_alerts>
>>    <email_to>my email....</email_to>
>>    <level>10</level>
>>  </email_alerts>
>>
>>
>>  <email_alerts>
>>   <email_to>my email...</email_to>
>>   <rule_id>31151</rule_id>
>>  </email_alerts>
>>

Can't imagine why I'd need that. Nonetheless, I added it as you
suggested, and I get an error on ossec restart indicating <level> is
invalid in the global config.

Thoughts?

dan (ddp)

Jan 6, 2012, 10:41:50 AM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 10:19 AM, Marc Esher <marc....@gmail.com> wrote:
> On Fri, Jan 6, 2012 at 9:58 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <marc....@gmail.com> wrote:
>>> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <marc....@gmail.com> wrote:
>>>>> Great. Thanks for the starting point, Dan.
>>>>>
>>>>
>>>> If you continue to have issues, posting a log sample might help.
>>>
>>>
>>> Thanks Dan. I narrowed it down to the fact that the IIS log settings
>>> were not set to log cookies. Consequently, the parser was not
>>> correctly identifying the status-code field. Turning on all logging
>>> fixed that.
>>>
>>> However, there's still something strange: I have an email alert rule
>>> set up to email me for log-level 10.
>>>
>>>  <email_alerts>
>>>    <email_to>my email....</email_to>
>>>    <level>10</level>
>>>  </email_alerts>
>>>
>>>
>>>  <email_alerts>
>>>   <email_to>my email...</email_to>
>>>   <rule_id>31151</rule_id>
>>>  </email_alerts>
>>>
>
> Can't imagine why I'd need that. Nonetheless, I added it as you

Having a global email section is always necessary.

> suggested, and I get an error on ossec restart indicating <level> is
> invalid in the global config.
>

Ok, I'll fix it:


<ossec_config>
  <global>
    <email_to>my email....</email_to>

    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>oss...@example.com</email_from>
  </global>

  <email_alerts>
    <email_to>my email...</email_to>
    <rule_id>31151</rule_id>
  </email_alerts>

  <!-- XXX This is probably already in your ossec.conf, you should modify it -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>

> Thoughts?
>

Troubleshooting should be part of your job description.
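A small checker for the two configuration problems this exchange turns up (a <global> section without its own <email_to>, and <level> placed in <global> instead of <alerts><email_alert_level>), written as an added example for this thread rather than taken from the list or from OSSEC; the ossec.conf fragments and the addresses in them are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the shape of the thread's broken setup: a granular
# <email_alerts> block exists, but <global> has smtp_server and email_from only
# (no email_to) and carries a stray <level>, which ossec rejects on restart.
BROKEN_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
    <level>10</level>
  </global>
</ossec_config>
<ossec_config>
  <email_alerts>
    <email_to>admin@example.com</email_to>
    <rule_id>31151</rule_id>
  </email_alerts>
</ossec_config>
"""
# The same file with the thread's two fixes applied: drop <level> from <global>
# and give <global> its own <email_to> (email_alert_level belongs in <alerts>).
FIXED_CONF = BROKEN_CONF.replace(
    "    <level>10</level>\n", "    <email_to>admin@example.com</email_to>\n")

GLOBAL_EMAIL_KEYS = ("email_to", "smtp_server", "email_from")


def check_email_config(conf_text):
    """Return a list of findings about the email-alert setup in an ossec.conf."""
    # ossec.conf usually holds several top-level <ossec_config> elements, which is
    # not one well-formed document, so wrap the text in a synthetic root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    glob = {}  # merged children of every <global> section, tag -> text
    for g in root.iter("global"):
        for child in g:
            glob[child.tag] = (child.text or "").strip()
    if not glob:
        return ["no <global> section: granular <email_alerts> alone never send mail"]
    if glob.get("email_notification", "no").lower() != "yes":
        findings.append("<global><email_notification> is not 'yes'")
    for key in GLOBAL_EMAIL_KEYS:
        if key not in glob:
            findings.append(f"<global> is missing <{key}>")
    if "level" in glob:
        findings.append("<level> is not valid in <global>; use <alerts><email_alert_level>")
    return findings
```

Run it against your own ossec.conf by reading the file into `check_email_config`; an empty list means the global email block has everything the thread's fixed config carries.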

Marc Esher

Jan 6, 2012, 12:11:39 PM
to ossec...@googlegroups.com
On Fri, Jan 6, 2012 at 10:41 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Fri, Jan 6, 2012 at 10:19 AM, Marc Esher <marc....@gmail.com> wrote:
>> On Fri, Jan 6, 2012 at 9:58 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>> On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <marc....@gmail.com> wrote:
>>>> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>>>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <marc....@gmail.com> wrote:
>>>>>> Great. Thanks for the starting point, Dan.
>>>>>>
>>>>>
>>>>> If you continue to have issues, posting a log sample might help.
>>>>
>>>>
>>>> Thanks Dan. I narrowed it down to the fact that the IIS log settings
>>>> were not set to log cookies. Consequently, the parser was not
>>>> correctly identifying the status-code field. Turning on all logging
>>>> fixed that.
>>>>
>>>> However, there's still something strange: I have an email alert rule
>>>> set up to email me for log-level 10.
>>>>
>>>>  <email_alerts>
>>>>    <email_to>my email....</email_to>
>>>>    <level>10</level>
>>>>  </email_alerts>
>>>>
>>>>
>>>>  <email_alerts>
>>>>   <email_to>my email...</email_to>
>>>>   <rule_id>31151</rule_id>
>>>>  </email_alerts>
>>>>
>>
>> Can't imagine why I'd need that. Nonetheless, I added it as you
>
> Having a global email section is always necessary.

Got it. I had that, but I only had the server and "from" configured,
not the "to". Frankly, even with the log level set to 10, it's just
way too noisy -- I get all manner of Windows audit junk that I don't
care about (not in real-time, anyway), and I haven't dug in to figure
out how to filter them out yet.

Ideally, I just want to get notifications on certain classes of rules
-- like the web rules for example.

Interestingly enough, in the last several hours, the "404" rule has
quit working as it was previously. I no longer see any entries in the
alerts log. Using logtest shows that the same entries, when pasted
into stdin, do trigger the alert. But the log monitoring on the agent
server isn't picking them up. Weird.
