{"id":142,"date":"2008-11-26T21:53:21","date_gmt":"2008-11-26T21:53:21","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=142"},"modified":"2020-07-02T21:54:37","modified_gmt":"2020-07-02T21:54:37","slug":"ossec-reports-v1-7-preview","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2008\/11\/ossec-reports-v1-7-preview\/","title":{"rendered":"OSSEC Reports (v1.7 preview)"},"content":{"rendered":"\n

One of the most asked features in OSSEC<\/a> is some kind of built-in reporting mechanism. For v1.7, we plan to have that included and we need some comments and ideas on what kind of features and formats would be most useful.<\/p>\n\n\n\n

To get started, we created a standalone reporting tool so we can get the ideas flying. If you want to try it out, download the latest snapshot<\/a> and look at the ossec-reportd<\/strong> tool. Here are some of the reports I am doing:<\/p>\n\n\n\n

*the html is messing up with the output of the reports, so they will look a bit better in the terminal.<\/em><\/p>\n\n\n\n

1-Show all IP addresses\/users that logged in during the day<\/h3>\n\n\n\n

# cat \/var\/ossec\/logs\/alerts\/alerts.log | .\/src\/monitord\/ossec-reportd -n \u201cLogins summary\u201d -f group authentication_success<\/strong><\/p>

Report \u2018Logins summary\u2019 completed.
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
->Processed alerts: 145557
->Post-filtering alerts: 401
->First alert: ..
->Last alert: ..<\/p>

Top entries for \u2018Source ip\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |<\/p>

Top entries for \u2018Username\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |<\/p><\/blockquote>\n\n\n\n

2-Show all IP addresses\/users that logged in during the day and related srcips locations for each user<\/h3>\n\n\n\n

# cat \/var\/ossec\/logs\/alerts\/alerts.log | .\/src\/monitord\/ossec-reportd -n \u201cLogins summary\u201d -f group authentication_success -r user srcip -r user location<\/strong><\/p>

Top entries for \u2018Source ip\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |<\/p>

Top entries for \u2018Username\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |<\/p>

Related entries for \u2018Username\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
dcid |336 |
location: \u2018enigma->\/var\/log\/authlog\u2019
srcip: \u2019192.168.2.15\u2032
srcip: \u2019192.168.2.10\u2032
srcip: \u2019127.0.0.1\u2032
srcip: \u2019192.168.2.17\u2032
srcip: \u2019192.168.2.26\u2032
aabbcxx |46 |
location: \u2018enigma->\/var\/log\/authlog\u2019
srcip: \u2019192.168.2.10\u2032
root |9 |
location: \u2018enigma->\/var\/log\/authlog\u2019
srcip: \u2019127.0.0.1\u2032
srcip: \u2019192.168.2.15\u2032
srcip: \u2019192.168.2.26\u2032
srcip: \u2018(none)\u2019
__vmware_user__ |4 |
location: \u2018(lili3win) 192.168.2.0->WinEvtLog\u2019
srcip: \u2018(none)\u2019
vpxuser |2 |
location: \u2018(vmesx51) any->\/var\/log\/messages\u2019
location: \u2018(vmesx51) any->\/var\/log\/vmware\/hostd.log\u2019
srcip: \u2019127.0.0.1\u2032
Administrator |1 |
location: \u2018(win2003-tbv4) any->WinEvtLog\u2019
srcip: \u2018(none)\u2019
lac |1 |
location: \u2018(lili3win) 192.168.2.0->WinEvtLog\u2019
srcip: \u2018(none)\u2019<\/p><\/blockquote>\n\n\n\n

3-Show all multiple authentication failures (brute force attacks)<\/h3>\n\n\n\n

# cat \/var\/ossec\/logs\/alerts\/alerts.log | .\/src\/monitord\/ossec-reportd -n \u201cFailures summary\u201d -f group authentication_failures<\/strong><\/p>

Top entries for \u2018Source ip\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
127.0.0.1 |5 |
218.56.61.114 |5 |
117.36.192.75 |2 |
219.90.103.44 |2 |
121.22.8.148 |1 |
122.141.177.51 |1 |
203.171.227.18 |1 |
211.156.250.179 |1 |
222.73.0.101 |1 |
85.24.137.233 |1 |<\/p>

Top entries for \u2018Username\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
root |7 |
dcid |5 |<\/p>

Top entries for \u2018Rule\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
5720 \u2013 Multiple SSHD authentication failures. |12 |
5712 \u2013 SSHD brute force trying to get access.. |8 |<\/p><\/blockquote>\n\n\n\n

4-Show a summary for the month (or day)<\/h3>\n\n\n\n

# zcat \/var\/ossec\/logs\/alerts\/2008\/Nov\/*.gz | .\/src\/monitord\/ossec-reportd -n \u201cMonth Summary\u201d<\/strong><\/p>

Report \u2018Month Summary\u2019 completed.
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
->Processed alerts: 274744
->Post-filtering alerts: 274744
->First alert: 2008 Nov 01 00:00:03
->Last alert: 2008 Nov 25 21:00:03<\/p>

Top entries for \u2018Level\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
Severity 4 |236552 |
Severity 10 |33194 |
Severity 3 |2219 |
Severity 7 |1649 |
Severity 5 |999 |
Severity 8 |57 |
Severity 6 |42 |
Severity 2 |25 |
Severity 12 |5 |
Severity 9 |2 |<\/p>

Top entries for \u2018Group\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
windows |270107 |
syslog |2694 |
ossec |1798 |
syscheck |1624 |
pam |1339 |
authentication_success |1321 |
sshd |953 |
errors |378 |
system_error |318 |
authentication_failed |161 |
invalid_login |120 |
vmware |117 |
recon |42 |
authentication_failures |32 |
win_authentication_failed |25 |
account_changed |24 |
stats |17 |
time_changed |17 |
service_availability |16 |
accesslog |10 |
web |10 |
su |9 |
access_control |8 |
access_denied |8 |
rootcheck |5 |
attacks |4 |
policy_changed |4 |
low_diskspace |3 |
sudo |3 |
logs_cleared |2 |
postgresql_log |1 |
system_shutdown |1 |<\/p>

Top entries for \u2018Location\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
(lili3win) 192.168.2.0->WinEvtLog |269806 |
(esqueleto2) 192.168.2.99->\/var\/log\/auth.log |1338 |
(lili3win) 192.168.2.0->syscheck |1301 |
enigma->\/var\/log\/authlog |960 |
enigma->\/var\/log\/messages |321 |
(lili3win) 192.168.2.0->syscheck-registry |281 |
(win2003-tbv4) any->WinEvtLog |279 |
(vmesx51) any->\/var\/log\/vmware\/hostd.log |100 |
enigma->ossec-logcollector |80 |
(vmesx51) any->\/var\/log\/messages |53 |
(win2003-tbv3) any->WinEvtLog |39 |
enigma->ossec-monitord |29 |
(win2003-tbv4) any->syscheck-registry |26 |
(esqueleto2) 192.168.2.99->\/var\/log\/messages |24 |
(lili3win) 192.168.2.0->ossec |22 |
(esqueleto2) 192.168.2.99->ossec-logcollector |15 |
(vmesx51) any->ossec-logcollector |15 |
(esqueleto2) 192.168.2.99->\/var\/log\/syslog |10 |
enigma->\/var\/www\/logs\/access_log |10 |
enigma->syscheck |7 |
(win2003-tbv4) any->syscheck |6 |
(vmesx51) any->\/var\/log\/secure |4 |
(vmesx51) any->ossec |3 |
(win2003-tbv4) any->ossec |3 |
(lili3win) 192.168.2.0->rootcheck |2 |
(vmesx51) any->syscheck |2 |
(esqueleto2) 192.168.2.99->\/var\/log\/postgres.. |1 |
(esqueleto2) 192.168.2.99->ossec |1 |
(esqueleto2) 192.168.2.99->rootcheck |1 |
(win2003-tbv3) any->ossec |1 |
(win2003-tbv4) any->rootcheck |1 |
enigma->\/var\/log\/secure |1 |
enigma->dcid@127.0.0.1->syscheck |1 |
enigma->rootcheck |1 |<\/p>

Top entries for \u2018Rule\u2019:
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014
18105 \u2013 Windows audit failure event. |236165 |
18153 \u2013 Multiple Windows audit failure events. |33140 |
550 \u2013 Integrity checksum changed. |1484 |
5501 \u2013 Login session opened. |666 |
5502 \u2013 Login session closed. |666 |
5715 \u2013 SSHD authentication success. |580 |
18108 \u2013 Failed attempt to perform a privileg.. |354 |
18103 \u2013 Windows error event. |318 |
1005 \u2013 Syslogd restarted. |313 |
5716 \u2013 SSHD authentication failed. |155 |
551 \u2013 Integrity checksum changed again (2nd .. |121 |
5710 \u2013 Attempt to login using a non-existent.. |119 |
591 \u2013 Log file rotated. |110 |
19104 \u2013 VMware ESX warning message. |47 |
5706 \u2013 SSH insecure connection attempt (scan). |42 |
503 \u2013 Ossec agent started. |29 |
19110 \u2013 VMWare ESX authentication success. |28 |
5704 \u2013 Timeout while logging in (sshd). |28 |
1002 \u2013 Unknown problem somewhere in the syst.. |25 |
1006 \u2013 Syslogd restarted. |25 |
18130 \u2013 Logon Failure \u2013 Unknown user or bad .. |25 |
504 \u2013 Ossec agent disconnected. |25 |
18111 \u2013 User account changed. |24 |
18151 \u2013 Multiple failed attempts to perform .. |19 |
552 \u2013 Integrity checksum changed again (3rd .. |19 |
11 \u2013 Excessive number of events (above norma.. |17 |
18107 \u2013 Windows Logon Success. |17 |
18140 \u2013 System time changed. |17 |
19112 \u2013 VMWare ESX user login. |17 |
5720 \u2013 Multiple SSHD authentication failures. |17 |
1004 \u2013 Syslogd exiting (logging stopped). |12 |
19120 \u2013 Virtual machine state changed to OFF. |12 |
5712 \u2013 SSHD brute force trying to get access.. |12 |
31101 \u2013 Web server 400 error code. |10 |
5303 \u2013 User successfully changed UID to root. |9 |
2503 \u2013 Connection blocked by Tcp Wrappers. |8 |
18147 \u2013 Application Installed. |6 |
18149 \u2013 Windows User Logoff. |6 |
5503 \u2013 User login failed. |6 |
18113 \u2013 Windows Audit Policy changed. |4 |
19103 \u2013 VMware ESX error message. |4 |
40112 \u2013 Multiple authentication failures fol.. |4 |
502 \u2013 Ossec server started. |4 |
510 \u2013 Host-based anomaly detection event (ro.. |4 |
1007 \u2013 File system full. |3 |
18152 \u2013 Multiple Windows Logon Failures. |3 |
19121 \u2013 Virtual machine being turned ON. |3 |
19122 \u2013 Virtual machine state changed to ON. |3 |
19150 \u2013 Multiple VMWare ESX warning messages. |3 |
18118 \u2013 Windows audit log was cleared. |2 |
18119 \u2013 First time this user logged in this .. |2 |
18126 \u2013 Remote access login success. |2 |
5402 \u2013 Successful sudo to ROOT executed |2 |
18109 \u2013 Session reconnected\/disconnected to .. |1 |
18117 \u2013 Windows is shutting down. |1 |
18146 \u2013 Application Uninstalled. |1 |
501 \u2013 New ossec agent connected. |1 |
50521 \u2013 Database shutdown messge. |1 |
512 \u2013 Windows Audit event. |1 |
5403 \u2013 First time user executed sudo. |1 |
5504 \u2013 Attempt to login with an invalid user. |1 |<\/p><\/blockquote>\n\n\n\n

Comments and suggestions are welcome. We plan to make it a part of monitord to be able to do daily or hourly reports for certain options.<\/p>\n","protected":false},"excerpt":{"rendered":"

One of the most asked features in OSSEC is some kind of built-in reporting mechanism. For v1.7, we plan to have that included and we need some comments and ideas on what kind of features and formats would be most useful. To get started, we created a standalone reporting tool so we can get the ideas flying. […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,4],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/142"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=142"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/142\/revisions"}],"predecessor-version":[{"id":143,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/142\/revisions\/143"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}