Maybe this is a dumb question, but i am not quite understand with the ossec-logtest documentation. For example, i want to debug the rule id 11210 , alert level 10 and decoder name proftpd i debug this using this command
/var/ossec/bin/ossec-logtest -U 11210:10:proftpd
In my Wazuh manager kibana dashboard, wazuh were produce these log with id 11210, but ossec-logtest still looks like this.
root@debian:/home/debian# /var/ossec/bin/ossec-logtest -U 11210:10:proftpd
2018/07/01 03:01:41 ossec-testrule: INFO: Started (pid: 25385).
ossec-testrule: Type one log per line.
How's exactly do i use ossec-logtest?
Regards
Fathin
Hi @gagantous,
The ossec-logtest tool helps debugging decoders and rules by accepting input strings just like the manager would receive from the agent.
This is an example for the rule 11210: ProFTPD may write a log like this:
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded
So, if you want to test this log in the manager, you can either run ossec-logtest and type the input string just like it appears in the log, or use an input file or pipe. For instance:
echo May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded | /var/ossec/bin/ossec-logtest
This is a running example for the log above, that would produce an alert of rule 11210:
# /var/ossec/bin/ossec-logtest
2018/07/01 12:56:08 ossec-testrule: INFO: Started (pid: 5366).
ossec-testrule: Type one log per line.
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded
**Phase 1: Completed pre-decoding.
full event: 'May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded'
timestamp: 'May 31 10:53:25'
hostname: 'mail'
program_name: 'proftpd'
log: 'xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded'
**Phase 2: Completed decoding.
decoder: 'proftpd'
srcip: '::ffff:192.168.0.213'
**Phase 3: Completed filtering (rules).
Rule id: '11210'
Level: '10'
Description: 'proftpd: Multiple failed login attempts.'
**Alert to be generated.
Hope it help.
Best regards.
Hi @vikman90
Thanks for the replies!
Where could i find such as these lines ?
May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:192.168.0.213[::ffff:192.168.0.213]) - Maximum login attempts (3) exceeded
i have checked my "alerts.log" and couldnt find it like those logs. these are my logs data.
** Alert 1530374436.0: - pam,syslog,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,
2018 Jul 01 00:00:36 (Debian004) 192.168.56.204->/var/log/auth.log
Rule: 5503 (level 5) -> 'PAM: User login failed.'
Src IP: 112.85.42.146
User: root
Jun 30 23:58:37 debian sshd[13444]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.146 user=root
uid: 0
euid: 0
tty: ssh
** Alert 1530374438.423: - syslog,sshd,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,
2018 Jul 01 00:00:38 (Debian004) 192.168.56.204->/var/log/auth.log
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Src IP: 112.85.42.146
Src Port: 56969
User: root
Jun 30 23:58:38 debian sshd[13444]: Failed password for root from 112.85.42.146 port 56969 ssh2
** Alert 1530374438.793: - pam,syslog,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,
2018 Jul 01 00:00:38 (Debian004) 192.168.56.204->/var/log/auth.log
Rule: 5503 (level 5) -> 'PAM: User login failed.'
Src IP: 112.85.42.146
User: root
Jun 30 23:58:39 debian sshd[13446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.146 user=root
uid: 0
euid: 0
tty: ssh
** Alert 1530374439.1218: - syslog,sshd,invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,gpg13_7.1,
2018 Jul 01 00:00:39 (Ubuntu002) 192.168.56.202->/var/log/auth.log
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 177.53.41.199
Jun 30 23:59:18 ubuntu sshd[26734]: Invalid user jessica from 177.53.41.199
which log string that you used ?
Oh i got it! this is what i am looking for
Jun 30 23:58:38 debian sshd[13444]: Failed password for root from 112.85.42.146 port 56969 ssh2
Thanks @vikman90
Best regards
Fathin
Most helpful comment
Hi @gagantous,
The
ossec-logtesttool helps debugging decoders and rules by accepting input strings just like the manager would receive from the agent.This is an example for the rule 11210: ProFTPD may write a log like this:
So, if you want to test this log in the manager, you can either run
ossec-logtestand type the input string just like it appears in the log, or use an input file or pipe. For instance:This is a running example for the log above, that would produce an alert of rule 11210:
Hope it help.
Best regards.