[prelude-user] ntsyslog events detection failed
Veaceslav Grecea
veaceslav.grecea at gmail.com
Wed Dec 2 16:25:45 CET 2009
Hello.
I've installed prelude which works excellent with unix syslog format,
but not with ntsyslog logs which come from Windows servers.
My prelude-lml.conf:
include = /etc/prelude/default/idmef-client.conf
[prelude]
server-addr = 127.0.0.1
[format=syslog]
time-format = "%b %d %H:%M:%S"
prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
file = /var/log/syslog/messages
[format=ntsyslog]
time-format = "%b %d %H:%M:%S"
prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
file = /var/log/windows/security.log
[Pcre=syslog]
ruleset=/etc/prelude/prelude-lml/ruleset/ssh.rules
ruleset=/etc/prelude/prelude-lml/ruleset/su.rules
ruleset=/etc/prelude/prelude-lml/ruleset/sudo.rules
ruleset=/etc/prelude/prelude-lml/ruleset/pam.rules
[Pcre=ntsyslog]
ruleset=/etc/prelude/prelude-lml/ruleset/ntsyslog.rules
plugins.rules config:
/var/log/syslog/messages Pcre[syslog] .*
/var/log/windows/security.log Pcre[ntsyslog] .*
My guess is that the prefix-regex is not correct for the ntsyslog section,
or that ntsyslog.rules doesn't have rules for this log format:
Dec 2 17:17:30 1.1.1.1 NODE NT: <Security;F529;NT AUTHORITY\SYSTEM>
Logon Failure: Reason:Unknown user name or bad password User
Name:username Domain:dname Logon Type:3 Logon Process:NtLmSsp
Authentication Package:NTLM Workstation Name:376K4 Caller User
Name:- Caller Domain:- Caller Logon ID:- Caller Process ID:-
Transited Services:- Source Network Address:1.1.2.4 Source Port:0
Is the prefix-regex the problem here, or something else?
Thanks for the help.
--
slavutich
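Added example, not from the post or from Prelude's own code: a Python check that runs the post's prefix-regex over the sample ntsyslog line and then parses the Windows-specific remainder into the ntsyslog header and its key:value fields, which is what a rule would need to match on. It assumes the day field is space-padded to two characters as syslog writes it ("Dec  2"); with a single space the 15-character timestamp no longer lines up and the prefix-regex does not match at all, which the code returns as None.

```python
import re

# prefix-regex from the post, with the wrapped value joined back into one string
PREFIX_REGEX = re.compile(
    r"^(?P<timestamp>.{15}) (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)
# the ntsyslog part: "<node> NT: <log;event-id;account> <summary>: <fields>"
NT_EVENT = re.compile(
    r"^(?P<node>\S+) NT: <(?P<log>[^;]+);(?P<event_id>[^;]+);(?P<account>[^>]+)> "
    r"(?P<summary>[^:]+): (?P<body>.*)$"
)
# field names taken from the post's event (assumed complete for this event type),
# longest first so "Caller User Name" is not split into "Caller" + "User Name"
KEYS = sorted(["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
               "Authentication Package", "Workstation Name", "Caller User Name",
               "Caller Domain", "Caller Logon ID", "Caller Process ID",
               "Transited Services", "Source Network Address", "Source Port"],
              key=len, reverse=True)
KEY_RE = re.compile(r"(?:^| )(" + "|".join(map(re.escape, KEYS)) + r"):")

# Constructed sample: the post's line with the day padded to two characters
# ("Dec  2"), as syslog writes it, so the timestamp is exactly 15 characters.
SAMPLE = (
    "Dec  2 17:17:30 1.1.1.1 NODE NT: <Security;F529;NT AUTHORITY\\SYSTEM> "
    "Logon Failure: Reason:Unknown user name or bad password User Name:username "
    "Domain:dname Logon Type:3 Logon Process:NtLmSsp Authentication Package:NTLM "
    "Workstation Name:376K4 Caller User Name:- Caller Domain:- Caller Logon ID:- "
    "Caller Process ID:- Transited Services:- Source Network Address:1.1.2.4 Source Port:0"
)

def parse_ntsyslog(line):
    """Split off the syslog prefix, then the ntsyslog header and its key:value
    fields. Returns None when the prefix-regex or the header does not match."""
    pm = PREFIX_REGEX.match(line)
    if pm is None:
        return None
    em = NT_EVENT.match(line[pm.end():])
    if em is None:
        return None
    event = {**pm.groupdict(), **em.groupdict()}
    body = event.pop("body")
    hits = list(KEY_RE.finditer(body))
    event["fields"] = {}
    for i, hit in enumerate(hits):
        # a value runs from this key's colon up to the start of the next key
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        event["fields"][hit.group(1)] = body[hit.end():end].strip()
    return event
```

Note that with this prefix-regex the optional process group never matches ("NODE" is followed by a space, not ": "), so the text a Pcre rule sees begins with "NODE NT: <Security;...>" rather than with the event itself.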