Subject: Re: [ossec-list] Alert ID not present JSON logs, feature request?

On Mon, Jan 9, 2017 at 10:01 AM, Adam Tworkowski
<[email protected]> wrote:
> Hi,
>
> I am collecting OSSEC logs via JSON on several log collection systems (ELK,
> Graylog2) and am attempting to accomplish some basic reporting with respect
> to determining which host triggered an Active Response. For example, if I
> have an alert id (i.e. 1483628458.3576646) from an AR alert
> (firewall-drop.sh), i.e.:
>
> ** Alert 1483628460.3579808: mail -
> local,syslog,active_response,pci_dss_11.4,
> 2017 Jan 05 10:01:00 (server2)
> 192.xx.xx.11->/var/ossec/logs/active-responses.log
> Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
> Src IP: 123.30.37.44
> Thu Jan 5 10:00:58 EST 2017
> /var/ossec/active-response/bin/firewall-drop.sh add - 123.30.37.44
> 1483628458.3576646 5712
>
> ...I am able to search alerts.log for all instances of the Alert ID, which
> will include other AR alerts plus the "originating" alert with the alert id
> following (** Alert <Alert ID>:):
>
> ** Alert 1483628458.3576646: mail -
> syslog,sshd,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,
> 2017 Jan 05 10:00:58 (server1) 192.xx.xx.10->/var/log/messages
> Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the
> system.'
> Src IP: 123.30.37.44
> Jan 5 10:00:58 server1 sshd[17432]: Invalid user pi from 123.30.37.44
> Jan 5 10:00:56 server1 sshd[17430]: Failed password for invalid user admin
> from 123.30.37.44 port 50770 ssh2
> Jan 5 10:00:55 server1 sshd[17430]: Failed none for invalid user admin from
> 123.30.37.44 port 50770 ssh2
> Jan 5 10:00:49 server1 sshd[17428]: Failed password for invalid user root
> from 123.30.37.44 port 63117 ssh2
> Jan 5 10:00:49 server1 sshd[17428]: Failed none for invalid user root from
> 123.30.37.44 port 63117 ssh2
> Jan 5 10:00:42 server1 sshd[17425]: Failed password for invalid user user
> from 123.30.37.44 port 50598 ssh2
> Jan 5 10:00:42 server1 sshd[17425]: Failed none for invalid user user from
> 123.30.37.44 port 50598 ssh2
> Jan 5 10:00:42 server1 sshd[17425]: Invalid user user from 123.30.37.44
>
> In this case I know that server2 triggered the alert for server1 (and any
> number of other hosts including server1).
>
> So while I can make these correlations from within the alerts.log, it
> does not transpose to the JSON version of the log, as json.log does not
> include the alert id and therefore it is not in the remote logging tools.
> Would anyone find this useful enough for inclusion in OSSEC? I am not a
> coder so this is above my head but I would welcome any assistance. I would
> also be interested to hear if anyone has devised other ways to achieve
> similar reporting.
>

It's something I keep meaning to look at, but low on the priority list.

> Thank you,
>
> Adam
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected]
> For more options, visit https://groups.google.com/d/optout.

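The correlation Adam describes, matching a rule 601 active-response entry in alerts.log back to its originating alert through the trailing "<alert id> <rule id>" of the active-response log line, as an added example that is not part of this thread or of OSSEC itself. It assumes the standard alerts.log layout (header, timestamp/agent line, Rule line, optional Src IP, then the raw log) and runs over a constructed sample with made-up hosts and documentation-range IPs.

```python
import re
# Constructed sample in OSSEC alerts.log layout; hosts and IPs are made up (documentation ranges).
SAMPLE_ALERTS_LOG = """\
** Alert 1483628458.3576646: mail  - syslog,sshd,authentication_failures,pci_dss_11.4,
2017 Jan 05 10:00:58 (server1) 192.0.2.10->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.44
Jan 5 10:00:58 server1 sshd[17432]: Invalid user pi from 203.0.113.44

** Alert 1483628460.3579808: mail  - local,syslog,active_response,pci_dss_11.4,
2017 Jan 05 10:01:00 (server2) 192.0.2.11->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 203.0.113.44
Thu Jan 5 10:00:58 EST 2017 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.44 1483628458.3576646 5712
"""
HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+):(?: \S+)?\s+- (.*)$")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((\S+)\) \S+->")
RULE_RE = re.compile(r"^Rule: (\d+) \(level \d+\)")
AR_TAIL_RE = re.compile(r"(\d+\.\d+)\s+(\d+)\s*$")  # AR log ends with '<origin alert id> <origin rule id>'

def parse_alerts(text):
    """Index alerts.log entries by alert ID (the field the JSON output lacks)."""
    alerts, cur = {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = alerts[m.group(1)] = {"id": m.group(1), "groups": m.group(2).split(","),
                                        "agent": "", "rule": 0, "src_ip": "", "log": []}
        elif cur is None or not line.strip():
            continue  # blank separator between entries
        elif m := LOCATION_RE.match(line):
            cur["agent"] = m.group(1)
        elif m := RULE_RE.match(line):
            cur["rule"] = int(m.group(1))
        elif line.startswith("Src IP: "):
            cur["src_ip"] = line[len("Src IP: "):]
        else:
            cur["log"].append(line)  # raw log payload, possibly several lines
    return alerts

def correlate_active_responses(alerts):
    """For each active_response alert, resolve which alert (and which agent) triggered it."""
    rows = []
    for ar in alerts.values():
        if "active_response" not in ar["groups"]:
            continue
        m = AR_TAIL_RE.search("\n".join(ar["log"]))  # tolerant of a wrapped payload
        origin = alerts.get(m.group(1)) if m else None  # None if the originating alert is not in this file
        rows.append({"ar_host": ar["agent"], "blocked_ip": ar["src_ip"], "origin_id": m.group(1) if m else None,
                     "origin_rule": int(m.group(2)) if m else None, "origin_host": origin["agent"] if origin else None})
    return rows
```

A missing origin_host means the originating alert was rotated out or written to another file, which is exactly the case the JSON output cannot currently recover.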