From: Alberto R. L. <al...@os...> - 2008-02-28 09:36:49

Hello Stephan,

Please, could you post here or send to me the (almost) complete server.log file? I'll try to reproduce the problem, but I would need the exact event as it arrives at the server.

Thanks!
Alberto.

On Thursday, 28 February 2008 07:34, Stephan Buys wrote:
> Hello,
>
> I have added an agent to OSSEC on a brand new OSSIM-1.0.4 installer image.
> The agent shows online and available (it is a Windows 2000 machine).
>
> When I look at /var/ossec/logs/alert/alerts.log I get:
>
> ** Alert 1204179624.57051: - windows,authentication_success,
> 2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
> Rule: 18107 (level 3) -> 'Windows Logon Success.'
> Src IP: (none)
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0x2EB97) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000
>
> So all seems good.
>
> I then enabled the ossec plugin on the agent by adding the ossec.cfg line into config.cfg and restarting the agent.
>
> Now when I look at the /var/log/ossim/agent.log I get:
>
> 2008 Feb 27 11:46:42 (Win2000test) 172.16.95.40->WinEvtLog
> Rule: 18119 (level 3) -> First time this user logged in this system.
> Src IP: (none)
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0xEBC3) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000"
> 2008-02-27 11:46:43,746 Conn [ERROR]: Error receiving data from server: (104, 'Connection reset by peer')
> 2008-02-27 11:46:53,138 Output [INFO]: plugin-process-unknown plugin_id="1503"
> 2008-02-27 11:46:53,140 Conn [ERROR]: (32, 'Broken pipe')
> 2008-02-27 11:46:53,140 Conn [INFO]: Closing server connection..
>
> And on the server.log:
>
> 2008-02-27 22:04:12 OSSIM-Message: Session Sensor : REMOVED
> 2008-02-27 22:04:12 OSSIM-Message: Removed IP: 172.16.95.21
> 2008-02-27 22:04:12 OSSIM-Message: Session Removed
>
> I suspect that there is an issue with the agent passing the message to the server, but so far I have not been able to fix it.
>
> Any ideas?
>
> Kind regards,
> Stephan Buys
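For anyone reproducing the problem offline, here is a small parser for the OSSEC alert layout quoted above (header, location, Rule, Src IP, User, WinEvtLog lines). It is an added example, not code from OSSEC or the OSSIM agent; the sample alert is retyped from the thread, and the field names are my own choice. It tolerates both the quoted and unquoted Rule descriptions seen above and strips a stray trailing quote like the one in the agent.log excerpt.

```python
import re

# Constructed sample in the layout of the alerts.log entry quoted in the thread.
SAMPLE_ALERT = """\
** Alert 1204179624.57051: - windows,authentication_success,
2008 Feb 27 22:20:24 (Win2000test) 192.168.1.10->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: TESTWIN2000: TESTWIN2000: Successful Logon: User Name: Administrator Domain: TESTWIN2000 Logon ID: (0x0,0x2EB97) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTWIN2000
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): - (?P<groups>.+?),?$")
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                         r"\((?P<agent>[^)]+)\) (?P<ip>[\d.]+)->(?P<location>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '?(?P<desc>.+?)'?$")
WINEVT_RE = re.compile(r"^WinEvtLog: (?P<log>\w+): (?P<type>\w+)\((?P<event_id>\d+)\): (?P<rest>.*)$")


def parse_alert(text):
    """Turn one OSSEC alert block into a dict of the fields a SIEM plugin would map."""
    rec = {}
    for line in text.strip().splitlines():
        # Tolerate a stray trailing quote like the one visible in the agent.log excerpt.
        line = line.rstrip().rstrip('"')
        if m := HEADER_RE.match(line):
            rec["timestamp"] = float(m["ts"])
            rec["groups"] = m["groups"].split(",")
        elif m := LOCATION_RE.match(line):
            rec.update(date=m["date"], agent=m["agent"], agent_ip=m["ip"], location=m["location"])
        elif m := RULE_RE.match(line):
            rec["rule_id"], rec["level"] = int(m["id"]), int(m["level"])
            rec["description"] = m["desc"]
        elif line.startswith("Src IP: "):
            ip = line[len("Src IP: "):]
            rec["src_ip"] = None if ip == "(none)" else ip
        elif line.startswith("User: "):
            rec["user"] = line[len("User: "):]
        elif m := WINEVT_RE.match(line):
            rec["event_id"] = int(m["event_id"])   # 528 = successful logon on Windows 2000
            rec["audit_type"] = m["type"]
            lt = re.search(r"Logon Type: (\d+)", m["rest"])
            rec["logon_type"] = int(lt[1]) if lt else None  # 2 = interactive
    return rec


if __name__ == "__main__":
    for key, value in parse_alert(SAMPLE_ALERT).items():
        print(f"{key:12} {value}")
```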