{"id":66,"date":"2010-01-29T18:41:00","date_gmt":"2010-01-29T18:41:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=66"},"modified":"2020-07-01T18:43:56","modified_gmt":"2020-07-01T18:43:56","slug":"using-ossec-for-the-forensic-analysis-of-log-files","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2010\/01\/using-ossec-for-the-forensic-analysis-of-log-files\/","title":{"rendered":"Using OSSEC for the forensic analysis of log files"},"content":{"rendered":"\n<p><a href=\"http:\/\/www.ossec.net\/\">OSSEC<\/a>&nbsp;works well for real-time analysis of log files. However, if you have one old log file that you want to check, or if you are doing a forensic analysis of a box and want to check the logs with OSSEC, we now have a solution too.<\/p>\n\n\n\n<p><em>*the feature mentioned here is only available on&nbsp;<a href=\"http:\/\/www.ossec.net\/files\/snapshots\">latest snapshots<\/a><\/em><\/p>\n\n\n\n<p>Let\u2019s say you have a file \/var\/log\/secure that you want to analyze with OSSEC. You need to use the&nbsp;<strong>ossec-logtest<\/strong>&nbsp;tool with the \u201c-a\u201d flag to reproduce the alerts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># cat \/var\/log\/secure | \/var\/ossec\/bin\/ossec-logtest -a\n\n** Alert 1264788284.11: \u2013 syslog,sshd,authentication_success,\n2010 Jan 29 14:04:44 enigma->stdin\nRule: 5715 (level 3) -> \u2018SSHD authentication success.\u2019\nSrc IP: a.b.2.15\nUser: dcid\nJan 15 10:25:01 enigma sshd[17594]: Accepted password for dcid from a.b.2.15 port 47526 ssh2\n\n** Alert 1264788284.12: \u2013 syslog,sshd,authentication_success,\n2010 Jan 29 14:04:44 enigma->stdin\nRule: 5715 (level 3) -> \u2018SSHD authentication success.\u2019\nSrc IP: 127.0.0.1\nUser: dcid\nJan 15 11:19:20 enigma sshd[18853]: Accepted publickey for dcid from 127.0.0.1 port 6725 ssh2<\/code><\/pre>\n\n\n\n<p>You will get the alerts just like you would at&nbsp;<em>\/var\/ossec\/logs\/alerts.log<\/em>. 
The benefit now is that you can pipe this output to ossec-reported to get a better view of what is going on:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># cat \/var\/log\/secure | \/var\/ossec\/bin\/ossec-logtest -a |\/var\/ossec\/bin\/ossec-reported\nReport completed. ==\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n->Processed alerts: 522\n->Post-filtering alerts: 522\n\nTop entries for \u2018Source ip\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n89.200.169.170 |41 |\n127.0.0.1 |33 |\n83.170.106.142 |20 |\n204.232.206.109 |16 |\n..\n\nTop entries for \u2018Username\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nroot |247 |\n\nTop entries for \u2018Level\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nSeverity 5 |406 |\nSeverity 3 |41 |\nSeverity 10 |32 |\n\nTop entries for \u2018Group\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nsyslog |522 |\nsshd |509 |\nauthentication_failed |369 |\ninvalid_login |146 |\n\nTop entries for \u2018Rule\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n5716 \u2013 SSHD authentication failed. |223 |\n5710 \u2013 Attempt to login using a non-existent.. |146 |\n5715 \u2013 SSHD authentication success. |41 |\n5702 \u2013 Reverse lookup error (bad ISP or atta.. |37 |<\/code><\/pre>\n\n\n\n<p>To get a report of all brute force attacks (for example) that scanned my box:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># cat \/var\/log\/secure | \/var\/ossec\/bin\/ossec-logtest -a |\/var\/ossec\/bin\/ossec-reported -f group authentication_failures\n\nReport completed. 
==\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n->Processed alerts: 522\n->Post-filtering alerts: 25\n\nTop entries for \u2018Source ip\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n83.170.106.142 |2 |\n89.200.169.170 |2 |\n114.255.100.163 |1 |\n117.135.138.183 |1 |\n124.205.62.36 |1 |\n173.45.108.230 |1 |\n200.182.99.59 |1 |\n202.63.160.50 |1 |\n210.21.225.202 |1 |\n211.151.64.220 |1 |\n213.229.70.12 |1 |\n218.30.19.48 |1 |\n221.12.12.3 |1 |\n59.3.239.114 |1 |\n61.168.227.12 |1 |\n61.233.42.47 |1 |\n67.43.61.80 |1 |\n72.52.75.228 |1 |\n77.245.148.196 |1 |\n79.125.35.214 |1 |\n85.21.83.170 |1 |\n92.240.75.6 |1 |\n94.198.49.185 |1 |\n\nTop entries for \u2018Username\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nroot |24 |\n\nTop entries for \u2018Level\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nSeverity 10 |25 |\n\nTop entries for \u2018Group\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nauthentication_failures |25 |\nsshd |25 |\nsyslog |25 |\n\nTop entries for \u2018Location\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nenigma->stdin |25 |\n\nTop entries for \u2018Rule\u2019:\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\n5720 \u2013 Multiple SSHD authentication failures. |24 |\n5712 \u2013 SSHD brute force trying to get access.. |1 |<\/code><\/pre>\n\n\n\n<p>Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OSSEC&nbsp;works well for real-time analysis of log files. However, if you have one old log file that you want to check, or if you are doing a forensic analysis of a box and want to check the logs with OSSEC, we now have a solution too. 
*the feature mentioned here is only available [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/66"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":2,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"predecessor-version":[{"id":68,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/66\/revisions\/68"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}