
Parsing logs

snvsnv

Hello,

The problem is as follows:
The asset's IP address in the WebUI is displayed as 0.0.0.0.
I think the problem is connected with the log parsing by the plugin. Example plugin below.

2018-11-16 03:01:03,286 Detector [DEBUG]: redhat-audit[1704] Match rule: [0099 - RedHat-Audit - Generic] -> Nov 16 03:01:01 pds2 audispd: node=pds2.dom.ru type=EOE msg=audit(1542326461.430:6843438):
2018-11-16 03:01:03,290 Detector [WARNING]: redhat-audit[1704] Event's field src_ip pds2.dom.ru is not a valid IP.v4/IP.v6 address, falling back to default: 0.0.0.0


/var/log/redhat-audit.log
Nov  1 22:10:53 pds2 audispd: node=pds2.zenit.ru type=SYSCALL msg=audit(1541099453.133:6158165): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7ffecca85d00 a2=c a3=0 items=0 ppid=79533 pid=32752 auid=200 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=182166 comm="sshd" exe="/usr/sbin/sshd" key="root"

/etc/ossim/agent/plugins/redhat-audit.cfg.local
[0001 - RedHat-Audit - SYSCALL]
event_type=event
precheck="SYSCALL"
# regexp must be a single line; node= only accepts an IPv4 address via the \IPV4 macro
regexp="(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d) (?P<sensor>\S+) \S+ node=(?P<src_ip>\IPV4) type=(?P<sid>SYSCALL)\s*(?:(?!success)\S+\s+)+success=(?P<success>\S+)\s(?:(?!auid)\S+\s+)+auid=(?P<auid>\S+)\suid=(?P<uid>\S+)\s.*?(name|exe|cwd)="(?P<filename>[^"]+)(?:(?!subj)\S+\s+)+subj=(?P<subject>\S+)\skey=(?:\(null\)|"?(?P<key>[^"\s]+)"?)"
date={normalize_date($date)}
device={resolv($sensor)}
# the capture group is named src_ip, so reference $src_ip (not $src)
src_ip={resolv($src_ip)}
userdata1={$src_ip}
# plugin_sid is set once, from the [translation] table for $sid
plugin_sid={translate($sid)}
filename={$filename}
userdata2={$auid}
userdata3={$uid}
userdata4={$subject}
userdata5={$key}

Answers

  • snv,

    Have you confirmed that this hostname actually resolves? You would need to test from the sensor on which the plugin is enabled to confirm it can obtain the IP address for that host.
  • Hello @snv,

    Your RedHat log is using the FQDN; the REGEX within the OSSIM rule is looking for an IPv4 address ::

    RawLog :: node=pds2.zenit.ru

    REGEX :: node=(?P<src_ip>\IPV4)

    Can you validate that your USM is using your internal DNS server(s) and that you have forward and reverse DNS entries for "pds2.zenit.ru"?

    Regards,

    - kratos
  • I have one sensor, which is the OSSIM server. The OSSIM server host resolves the pds2 host IP normally, both by short name and FQDN.
  • Please try adding a hosts entry for 'pds2' on your OSSIM system:

    /etc/hosts

    Regards,

    - kratos
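As an added example (not code from the post or from OSSIM itself), here is a small Python model of what the posted rule does with the quoted audit line: the rule's node=(?P<src_ip>\IPV4) head can never match an FQDN, and a variant that captures the node name and resolves it, as kratos suggests, only yields a real address when the sensor can resolve "pds2.zenit.ru" and otherwise falls back to 0.0.0.0 like the agent does. The \IPV4 expansion, the hosts table and the resolv/parse helpers are assumptions, not OSSIM's own code.

```python
import re
import ipaddress

# Constructed sample: the audit line quoted in the post, as one line.
SAMPLE = ('Nov  1 22:10:53 pds2 audispd: node=pds2.zenit.ru type=SYSCALL '
          'msg=audit(1541099453.133:6158165): arch=c000003e syscall=49 '
          'success=yes exit=0 a0=6 a1=7ffecca85d00 a2=c a3=0 items=0 ppid=79533 '
          'pid=32752 auid=200 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
          'sgid=0 fsgid=0 tty=(none) ses=182166 comm="sshd" exe="/usr/sbin/sshd" key="root"')

# Assumption: OSSIM's \IPV4 macro is modelled as a plain dotted-quad pattern.
IPV4 = r'(?:\d{1,3}\.){3}\d{1,3}'

# Head of the posted rule: node= must be an IPv4 address, so an FQDN never matches.
RULE_IPV4 = re.compile(
    r'(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d) (?P<sensor>\S+) \S+ '
    r'node=(?P<src_ip>' + IPV4 + r') type=(?P<sid>\S+)')

# Variant: accept a hostname or an address in node= and resolve it afterwards.
RULE_HOST = re.compile(
    r'(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d) (?P<sensor>\S+) \S+ '
    r'node=(?P<src_host>\S+) type=(?P<sid>\S+)')

# Constructed stand-in for the sensor's resolver (/etc/hosts or internal DNS);
# on a real sensor this would be socket.gethostbyname() with the sensor's DNS.
HOSTS = {'pds2': '10.0.0.5', 'pds2.zenit.ru': '10.0.0.5'}


def resolv(name, hosts=HOSTS):
    """Return a valid IP for name, mirroring the agent's fallback to 0.0.0.0."""
    try:
        return str(ipaddress.ip_address(name))   # already an IP: keep it as-is
    except ValueError:
        return hosts.get(name, '0.0.0.0')        # unresolvable -> agent default


def parse(line, rule=RULE_HOST, hosts=HOSTS):
    """Apply a rule to one log line; return the event fields, or None if no match."""
    m = rule.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    host = fields.pop('src_host', None) or fields.get('src_ip')
    fields['src_ip'] = resolv(host, hosts)
    return fields
```

With the posted IPv4-only head the rule does not match at all; with the hostname variant the event gets 10.0.0.5 only when the sensor's resolver knows the name, and 0.0.0.0 otherwise.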