Subject: [ossec-list] Alert ID not present in JSON logs
I am collecting OSSEC logs via JSON on several log collection systems (ELK, Graylog2) and am attempting to accomplish some basic reporting with respect to determining which host triggered an Active Response. For example, if I have an alert id (i.e. 1483628458.3576646) from an AR alert (firewall-drop.sh), i.e.:
** Alert 1483628460.3579808: mail - local,syslog,active_response,pci_dss_11.4,
2017 Jan 05 10:01:00 (server2) 192.xx.xx.11->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 220.127.116.11
Thu Jan 5 10:00:58 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 18.104.22.168 1483628458.3576646
...I am able to search alerts.log for all instances of the Alert ID, which will include other AR alerts plus the "originating" alert with the alert id following (** Alert <Alert ID>:):
** Alert 1483628458.3576646: mail - syslog,sshd,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,
2017 Jan 05 10:00:58 (server1) 192.xx.xx.10->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 22.214.171.124
Jan 5 10:00:58 server1 sshd: Invalid user pi from 126.96.36.199
Jan 5 10:00:56 server1 sshd: Failed password for invalid user admin from 188.8.131.52 port 50770 ssh2
Jan 5 10:00:55 server1 sshd: Failed none for invalid user admin from 184.108.40.206 port 50770 ssh2
Jan 5 10:00:49 server1 sshd: Failed password for invalid user root from 220.127.116.11 port 63117 ssh2
Jan 5 10:00:49 server1 sshd: Failed none for invalid user root from 18.104.22.168 port 63117 ssh2
Jan 5 10:00:42 server1 sshd: Failed password for invalid user user from 22.214.171.124 port 50598 ssh2
Jan 5 10:00:42 server1 sshd: Failed none for invalid user user from 126.96.36.199 port 50598 ssh2
Jan 5 10:00:42 server1 sshd: Invalid user user from 188.8.131.52
In this case I know that server2 triggered the alert for server1 (and any number of other hosts including server1).
So while I can make these correlations from within alerts.log, it does not transpose to the JSON version of the log, as json.log does not include the alert id, and therefore it is not in the remote logging tools. Would anyone find this useful enough for inclusion in OSSEC? I am not a coder so this is above my head, but I would welcome any assistance. I would also be interested to hear if anyone has devised other ways to achieve similar reporting.
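The correlation described in the post, done against the text alerts.log rather than json.log, as an added example that is not part of the original post or of OSSEC: it parses the "** Alert <id>:" headers, picks the reporting host out of the timestamp line, and reads the originating alert id from the end of the firewall-drop.sh line of each active-response alert. The sample log is constructed from the excerpts above (alert ids as in the post; hosts and IPs are documentation values), and the field layout of the AR line (script, action, user, ip, alert id) is assumed from the post's example.

```python
import re
from collections import defaultdict

# Constructed alerts.log sample modelled on the post (ids from the post; hosts/IPs are documentation values).
SAMPLE_ALERTS = """\
** Alert 1483628458.3576646: mail - syslog,sshd,authentication_failures,pci_dss_11.4,
2017 Jan 05 10:00:58 (server1) 192.0.2.10->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Jan 5 10:00:58 server1 sshd: Invalid user pi from 203.0.113.5

** Alert 1483628460.3579808: mail - local,syslog,active_response,pci_dss_11.4,
2017 Jan 05 10:01:00 (server2) 192.0.2.11->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Thu Jan 5 10:00:58 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1483628458.3576646
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): ")
SOURCE_LINE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((\S+)\) ")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level \d+\) -> ")
# Assumed AR log line layout (from the post's example): .../bin/<script> <add|delete> <user> <ip> <originating alert id>
AR_LINE = re.compile(r"/active-response/bin/(\S+) (add|delete) \S+ (\S+) (\d+\.\d+)")

def parse_alerts(text):
    """Split alerts.log text into one dict per alert, keyed by the alert id in its header."""
    alerts, current = {}, None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"id": m.group(1), "host": None, "rule": None, "ar": None}
            alerts[current["id"]] = current
        elif current:
            for regex, key in ((SOURCE_LINE, "host"), (RULE_LINE, "rule")):
                m = regex.match(line)
                if m:
                    current[key] = m.group(1)
            m = AR_LINE.search(line)
            if m:  # this is an active-response alert; remember what it acted on and why
                current["ar"] = {"script": m.group(1), "action": m.group(2),
                                 "ip": m.group(3), "orig_id": m.group(4)}
    return alerts

def correlate(alerts):
    """Map each originating alert id to the (responding host, script, action, ip) AR alerts it triggered."""
    triggered = defaultdict(list)
    for a in alerts.values():
        ar = a["ar"]
        if ar and ar["orig_id"] in alerts:
            triggered[ar["orig_id"]].append((a["host"], ar["script"], ar["action"], ar["ip"]))
    return dict(triggered)
```

Running `correlate(parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read()))` on a real log gives, per originating alert, the list of hosts that executed an AR for it, which is the report the post asks for.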