From: Stephan B. <mai...@st...> - 2008-02-28 06:35:22
Hello,
I have added an agent to OSSEC on a brand new OSSIM-1.0.4 installer
image.
The agent shows online and available (it is a Windows 2000 machine).
When I look at /var/ossec/logs/alert/alerts.log I get:
** Alert 1204179624.57051: - windows,authentication_success,
2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain:TESTWIN2000 Logon ID: (0x0,0x2EB97) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000
So all seems good.
I then enabled the ossec plugin on the agent by adding the ossec.cfg
line into config.cfg and restarting the agent.
Now when I look at the /var/log/ossim/agent.log I get:
2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
Rule: 18119 (level 3) -> First time this user logged in this system.
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0xEBC3) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000"
2008-02-27 11:46:43,746 Conn [ERROR]: Error receiving data from server: (104, 'Connection reset by peer')
2008-02-27 11:46:53,138 Output [INFO]: plugin-process-unknown plugin_id="1503"
2008-02-27 11:46:53,140 Conn [ERROR]: (32, 'Broken pipe')
2008-02-27 11:46:53,140 Conn [INFO]: Closing server connection..
And on the server.log:
2008-02-27 22:04:12 OSSIM-Message: Session Sensor : REMOVED
2008-02-27 22:04:12 OSSIM-Message: Removed IP: 172.16.95.21
2008-02-27 22:04:12 OSSIM-Message: Session Removed
I suspect that there is an issue with the agent passing the message to
the server but so far I have not been able to fix it.
Any ideas?
Kind regards,
Stephan Buys
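The alerts quoted above follow the multi-line block format OSSEC writes to alerts.log (a "** Alert" header, a timestamp/agent/location line, a "Rule:" line, "Src IP:", "User:", then the raw event). As an added illustration, not part of the original message nor code from the OSSEC or OSSIM projects, the following Python parses that format into structured records and pulls the Windows logon type and workstation out of the event text, which is the kind of field extraction a downstream collector has to get right before forwarding. The sample alerts are constructed to mirror the ones in the post; the field names and helper functions are the example's own assumptions.

```python
"""Parse OSSEC alerts.log blocks into dicts and extract Windows logon details.

Added example; not code from OSSEC or OSSIM. SAMPLE_ALERTS is a constructed
input modelled on the two alerts quoted in the mailing-list post.
"""
import re
from typing import Optional

SAMPLE_ALERTS = """\
** Alert 1204179624.57051: - windows,authentication_success,
2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain:TESTWIN2000 Logon ID: (0x0,0x2EB97) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000

** Alert 1204130802.00123: - windows,authentication_success,
2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
Rule: 18119 (level 3) -> 'First time this user logged in this system.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0xEBC3) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000
"""

# "** Alert <epoch.seq>: [flags] - group1,group2,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<alert_id>\d+\.\d+):(?P<flags>.*?) - (?P<groups>.+)$")
# "<timestamp> (<agent>) <ip>-><location>"; the "(agent) " part is absent for server-local logs
LOCATION_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) )?(?P<host>\S+)->(?P<location>\S+)$"
)
# "Rule: <id> (level <n>) -> 'description'"; the quotes are optional in case a relay drops them
RULE_RE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '?(?P<desc>.*?)'?$")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S+)")


def _none_if_empty(value: str) -> Optional[str]:
    return None if value in ("(none)", "") else value


def parse_alerts(text: str) -> list:
    """Split alerts.log text into one dict per alert block."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                alerts.append(current)
            current = {
                "alert_id": m["alert_id"], "flags": m["flags"].strip(),
                "groups": [g for g in m["groups"].split(",") if g],
                "timestamp": None, "agent": None, "reporting_host": None, "location": None,
                "rule_id": None, "level": None, "description": None,
                "src_ip": None, "user": None, "event": [],
            }
            continue
        if current is None or not line:
            continue  # text before the first header, or the blank separator
        m = LOCATION_RE.match(line)
        if m and current["timestamp"] is None:
            current.update(timestamp=m["ts"], agent=m["agent"],
                           reporting_host=m["host"], location=m["location"])
            continue
        m = RULE_RE.match(line)
        if m and current["rule_id"] is None:
            current.update(rule_id=int(m["rule_id"]), level=int(m["level"]), description=m["desc"])
            continue
        if line.startswith("Src IP: "):
            current["src_ip"] = _none_if_empty(line[len("Src IP: "):])
            continue
        if line.startswith("User: "):
            current["user"] = _none_if_empty(line[len("User: "):])
            continue
        current["event"].append(line)  # everything else is the raw event payload
    if current is not None:
        alerts.append(current)
    return alerts


def windows_logon_details(alert: dict) -> dict:
    """Pull the logon type and workstation out of a WinEvtLog event payload."""
    text = " ".join(alert["event"])
    lt, ws = LOGON_TYPE_RE.search(text), WORKSTATION_RE.search(text)
    return {"logon_type": int(lt.group(1)) if lt else None,
            "workstation": ws.group(1) if ws else None}


def interactive_logons(alerts: list, user: Optional[str] = None) -> list:
    """Return successful-authentication alerts with Windows Logon Type 2 (console logon)."""
    hits = []
    for a in alerts:
        if "authentication_success" not in a["groups"]:
            continue
        if windows_logon_details(a)["logon_type"] == 2 and (user is None or a["user"] == user):
            hits.append(a)
    return hits


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        d = windows_logon_details(a)
        print(a["timestamp"], a["agent"], a["rule_id"], a["level"], a["user"], d)
```

Run it on a real alerts.log by replacing SAMPLE_ALERTS with the file contents; alerts that fail to parse keep their raw lines under "event", so nothing is silently dropped.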