
Manual: Reporting tool http://www.ossec.net/main/manual/manual-reporting-tool/


Manual: Reporting tool


This entry in the manual shows how to run the reporting tool.

1-Show all IP addresses/users that logged in during the day

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Logins summary" -f group authentication_success

Report 'Logins summary' completed.

------------------------------------------------
->Processed alerts: 145557
->Post-filtering alerts: 401
->First alert: ..
->Last alert: ..

Top entries for 'Source ip':
------------------------------------------------
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |

Top entries for 'Username':
------------------------------------------------
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |

2-Show all IP addresses/users that logged in during the day, plus the related srcip and location entries for each user

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Logins summary" -f group authentication_success -r user srcip -r user location

1 of 6 23/04/2009 11:53 AM

Top entries for 'Source ip':
------------------------------------------------
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |

Top entries for 'Username':
------------------------------------------------
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |

Related entries for 'Username':
------------------------------------------------
dcid |336 |
   location: 'enigma->/var/log/authlog'
   srcip: '192.168.2.15'
   srcip: '192.168.2.10'
   srcip: '127.0.0.1'
   srcip: '192.168.2.17'
   srcip: '192.168.2.26'
aabbcxx |46 |
   location: 'enigma->/var/log/authlog'
   srcip: '192.168.2.10'
root |9 |
   location: 'enigma->/var/log/authlog'
   srcip: '127.0.0.1'
   srcip: '192.168.2.15'
   srcip: '192.168.2.26'
   srcip: '(none)'
__vmware_user__ |4 |
   location: '(lili3win) 192.168.2.0->WinEvtLog'
   srcip: '(none)'
vpxuser |2 |
   location: '(vmesx51) any->/var/log/messages'
   location: '(vmesx51) any->/var/log/vmware/hostd.log'
   srcip: '127.0.0.1'
Administrator |1 |
   location: '(win2003-tbv4) any->WinEvtLog'
   srcip: '(none)'
lac |1 |
   location: '(lili3win) 192.168.2.0->WinEvtLog'
   srcip: '(none)'
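To act on these reports from a script, here is an added Python example (not part of OSSEC or of this manual) that parses the "Top entries" and "Related entries" layout shown above and flags logins from source addresses outside a per-user allowlist; the sample report text and the allowlist are constructed, not real captures.

```python
import re
# Constructed sample in the ossec-reportd layout shown on this page (not a real capture).
SAMPLE_REPORT = """\
->Processed alerts: 145557
Top entries for 'Username':
------------------------------------------------
dcid                           |336      |
root                           |9        |
Related entries for 'Username':
------------------------------------------------
dcid                           |336      |
   location: 'enigma->/var/log/authlog'
   srcip: '192.168.2.15'
   srcip: '127.0.0.1'
root                           |9        |
   srcip: '(none)'
"""

HEADER_RE = re.compile(r"^(Top|Related) entries for '(.+)':$")
ROW_RE = re.compile(r"^(\S.*?)\s*\|(\d+)\s*\|$")          # "entry |count |"
SUB_RE = re.compile(r"^\s*(location|srcip): '(.*)'$")     # sub-line of a related entry

def parse_report(text):
    """Return {'top': {field: {entry: count}}, 'related': {field: {entry: info}}}."""
    top, related, section, current = {}, {}, None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            section, current = (m.group(1), m.group(2)), None
            (top if section[0] == 'Top' else related)[section[1]] = {}
            continue
        m = SUB_RE.match(line)
        if m and current is not None:
            current[m.group(1)].append(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m and section:  # dashes, blanks and '->' summary lines never match here
            name, count = m.group(1), int(m.group(2))
            if section[0] == 'Top':
                top[section[1]][name] = count
            else:
                current = {'count': count, 'srcip': [], 'location': []}
                related[section[1]][name] = current
    return {'top': top, 'related': related}

def unexpected_sources(report, allowed_by_user):
    """(user, srcip) pairs where a login came from an address not on that user's allowlist."""
    return [(user, ip) for user, info in report['related'].get('Username', {}).items()
            for ip in info['srcip'] if ip != '(none)' and ip not in allowed_by_user.get(user, ())]
```

Feed it the real output (`ossec-reportd ... -r user srcip -r user location`) on stdin and the allowlist from your own inventory; `(none)` is skipped because Windows event logs carry no source IP in this report.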

3-Show all multiple authentication failures (brute force attacks)

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Failures summary" -f group authentication_failures


Top entries for 'Source ip':
------------------------------------------------
127.0.0.1 |5 |
218.56.61.114 |5 |
117.36.192.75 |2 |
219.90.103.44 |2 |
121.22.8.148 |1 |
122.141.177.51 |1 |
203.171.227.18 |1 |
211.156.250.179 |1 |
222.73.0.101 |1 |
85.24.137.233 |1 |

Top entries for 'Username':
------------------------------------------------
root |7 |
dcid |5 |

Top entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures. |12 |
5712 - SSHD brute force trying to get access.. |8 |

4-Show a summary for the month (or day)

# zcat /var/ossec/logs/alerts/2008/Nov/*.gz | ./src/monitord/ossec-reportd -n "Month Summary"

Report 'Month Summary' completed.

------------------------------------------------
->Processed alerts: 274744
->Post-filtering alerts: 274744
->First alert: 2008 Nov 01 00:00:03
->Last alert: 2008 Nov 25 21:00:03

Top entries for 'Level':
------------------------------------------------
Severity 4 |236552 |
Severity 10 |33194 |
Severity 3 |2219 |
Severity 7 |1649 |
Severity 5 |999 |
Severity 8 |57 |
Severity 6 |42 |
Severity 2 |25 |
Severity 12 |5 |
Severity 9 |2 |

Top entries for 'Group':
------------------------------------------------
windows |270107 |
syslog |2694 |
ossec |1798 |
syscheck |1624 |
pam |1339 |


authentication_success |1321 |
sshd |953 |
errors |378 |
system_error |318 |
authentication_failed |161 |
invalid_login |120 |
vmware |117 |
recon |42 |
authentication_failures |32 |
win_authentication_failed |25 |
account_changed |24 |
stats |17 |
time_changed |17 |
service_availability |16 |
accesslog |10 |
web |10 |
su |9 |
access_control |8 |
access_denied |8 |
rootcheck |5 |
attacks |4 |
policy_changed |4 |
low_diskspace |3 |
sudo |3 |
logs_cleared |2 |
postgresql_log |1 |
system_shutdown |1 |

Top entries for 'Location':
------------------------------------------------
(lili3win) 192.168.2.0->WinEvtLog |269806 |
(esqueleto2) 192.168.2.99->/var/log/auth.log |1338 |
(lili3win) 192.168.2.0->syscheck |1301 |
enigma->/var/log/authlog |960 |
enigma->/var/log/messages |321 |
(lili3win) 192.168.2.0->syscheck-registry |281 |
(win2003-tbv4) any->WinEvtLog |279 |
(vmesx51) any->/var/log/vmware/hostd.log |100 |
enigma->ossec-logcollector |80 |
(vmesx51) any->/var/log/messages |53 |
(win2003-tbv3) any->WinEvtLog |39 |
enigma->ossec-monitord |29 |
(win2003-tbv4) any->syscheck-registry |26 |
(esqueleto2) 192.168.2.99->/var/log/messages |24 |
(lili3win) 192.168.2.0->ossec |22 |
(esqueleto2) 192.168.2.99->ossec-logcollector |15 |
(vmesx51) any->ossec-logcollector |15 |
(esqueleto2) 192.168.2.99->/var/log/syslog |10 |
enigma->/var/www/logs/access_log |10 |
enigma->syscheck |7 |
(win2003-tbv4) any->syscheck |6 |
(vmesx51) any->/var/log/secure |4 |
(vmesx51) any->ossec |3 |
(win2003-tbv4) any->ossec |3 |
(lili3win) 192.168.2.0->rootcheck |2 |


(vmesx51) any->syscheck |2 |
(esqueleto2) 192.168.2.99->/var/log/postgres.. |1 |
(esqueleto2) 192.168.2.99->ossec |1 |
(esqueleto2) 192.168.2.99->rootcheck |1 |
(win2003-tbv3) any->ossec |1 |
(win2003-tbv4) any->rootcheck |1 |
enigma->/var/log/secure |1 |
enigma->dcid@127.0.0.1->syscheck |1 |
enigma->rootcheck |1 |

Top entries for 'Rule':
------------------------------------------------
18105 - Windows audit failure event. |236165 |
18153 - Multiple Windows audit failure events. |33140 |
550 - Integrity checksum changed. |1484 |
5501 - Login session opened. |666 |
5502 - Login session closed. |666 |
5715 - SSHD authentication success. |580 |
18108 - Failed attempt to perform a privileg.. |354 |
18103 - Windows error event. |318 |
1005 - Syslogd restarted. |313 |
5716 - SSHD authentication failed. |155 |
551 - Integrity checksum changed again (2nd .. |121 |
5710 - Attempt to login using a non-existent.. |119 |
591 - Log file rotated. |110 |
19104 - VMware ESX warning message. |47 |
5706 - SSH insecure connection attempt (scan). |42 |
503 - Ossec agent started. |29 |
19110 - VMWare ESX authentication success. |28 |
5704 - Timeout while logging in (sshd). |28 |
1002 - Unknown problem somewhere in the syst.. |25 |
1006 - Syslogd restarted. |25 |
18130 - Logon Failure - Unknown user or bad .. |25 |
504 - Ossec agent disconnected. |25 |
18111 - User account changed. |24 |
18151 - Multiple failed attempts to perform .. |19 |
552 - Integrity checksum changed again (3rd .. |19 |
11 - Excessive number of events (above norma.. |17 |
18107 - Windows Logon Success. |17 |
18140 - System time changed. |17 |
19112 - VMWare ESX user login. |17 |
5720 - Multiple SSHD authentication failures. |17 |
1004 - Syslogd exiting (logging stopped). |12 |
19120 - Virtual machine state changed to OFF. |12 |
5712 - SSHD brute force trying to get access.. |12 |
31101 - Web server 400 error code. |10 |
5303 - User successfully changed UID to root. |9 |
2503 - Connection blocked by Tcp Wrappers. |8 |
18147 - Application Installed. |6 |
18149 - Windows User Logoff. |6 |
5503 - User login failed. |6 |
18113 - Windows Audit Policy changed. |4 |
19103 - VMware ESX error message. |4 |
40112 - Multiple authentication failures fol.. |4 |
502 - Ossec server started. |4 |


510 - Host-based anomaly detection event (ro.. |4 |
1007 - File system full. |3 |
18152 - Multiple Windows Logon Failures. |3 |
19121 - Virtual machine being turned ON. |3 |
19122 - Virtual machine state changed to ON. |3 |
19150 - Multiple VMWare ESX warning messages. |3 |
18118 - Windows audit log was cleared. |2 |
18119 - First time this user logged in this .. |2 |
18126 - Remote access login success. |2 |
5402 - Successful sudo to ROOT executed |2 |
18109 - Session reconnected/disconnected to .. |1 |
18117 - Windows is shutting down. |1 |
18146 - Application Uninstalled. |1 |
501 - New ossec agent connected. |1 |
50521 - Database shutdown messge. |1 |
512 - Windows Audit event. |1 |
5403 - First time user executed sudo. |1 |
5504 - Attempt to login with an invalid user. |1 |

All Content © 2008,2009 Third Brigade, Inc.
