Configuring OSSEC rules
Configuring an OSSEC rule consists of indicating which log files and/or Windows events must be monitored and which decoder file and OSSEC rule to apply to them.
- In an audit rule set, click on External events > OSSEC rules.
- Click on Add a rule (OSSEC).
- If you want to monitor a log file from a third-party application, click on + Monitored file and provide the following information:
Path
Enter the file path. You can use:
- Environment variables, only in the folder path up to the last \ of the path,
- File name specifications in strftime format only at the end of the path, after the last \ of the path.
EXAMPLE
If you enter the path %PROGRAMFILES%\Filezilla Server\Logs\fzs-%Y-%m-%d.log, SES Evolution will analyze any log line added to any file with a name in the form fzs-YYYY-MM-DD.log.
Encoding
Choose the type of encoding expected in the file. This depends on the application that generates the logs. The supported encoding formats are:
- ANSI code pages, depending on the system locale,
- UTF8,
- UTF-16LE.
Description
Enter a description (optional). It will not impact the operation of the analysis in any way.
- If you want to monitor a log or certain Windows events, click on + Monitored event and provide the following information:
Log name
Enter the name of the Windows log, e.g., System, Microsoft-Windows-Windows Defender/Operational. To find out the name of a log, look up its properties in the Windows Event Viewer.
NOTE
Logs that are not enabled in Windows can still be monitored: SES Evolution will automatically enable them. However, this operation may affect the performance of the host.
Filter request
If needed, enter a filter request to monitor only some events in the log. To obtain a request:
- Open the Windows Event Viewer.
- Right-click on the log of your choice > Filter the current log.
- In the Filter tab, select your filtering options.
- Copy the contents of the XML tab and paste it in the Filter request field in the OSSEC rule window.
Description
Enter a description if necessary. It will not impact the operation of the analysis in any way.
- Click on + OSSEC decoder and choose your etc/decoder.xml file. With an OSSEC decoder file, you can indicate which types of logs need to be analyzed and which values to extract. For more information, refer to the OSSEC documentation.
If you are importing several decoder files, ensure that they are in the right sequence, using the arrows on the left.
- Click on + OSSEC rule sets and choose your etc-rules/*.xml files. Ensure that they are in the right sequence. The rules_config.xml file is mandatory and must be the first. It contains OSSEC rules 1 to 7, which must be the first rules declared.
You can also choose an OSSEC .conf file, in which case you must also specify the folder containing the rule files. Rules will be automatically imported in the same order.
- Click on Check the rule to check the consistency of your OSSEC analysis configuration. The following aspects in particular will be checked:
- Validation of regular expressions found in the decoder files and rule files,
- Presence of decoders,
- Presence of rules 1 to 7,
- Validity of decoder files and rule files,
- Usage of OSSEC options that are not supported and therefore ignored.
The result of the verification shows errors, warnings and information messages:
- If errors are found, they will prevent the OSSEC configuration from being validated.
- Warnings will not prevent the configuration from being applied but may impact the evaluation of rules.
- Information messages indicate potential issues in the configuration and how they were resolved.
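As an added example (not part of the SES Evolution documentation and not OSSEC project code), the following Python script pre-checks two of the conventions described above before you click Check the rule: the monitored file path convention (environment variables only before the last backslash, strftime tokens only after it) and the rule set sequence (rules_config.xml first, rules 1 to 7 declared first, and every if_sid or decoded_as reference resolving to a rule or decoder that was already declared, which is why the import order matters). The decoder, rule ids, match strings and file contents are constructed samples; the FileZilla decoder pattern is illustrative only and is not validated here, because OSSEC's regex dialect is not Python's, so regular expression checking is left to the product's own verification.

```python
import re
import xml.etree.ElementTree as ET

# --- 1. Monitored file path convention --------------------------------------
# %VAR% environment variables only before the last backslash, strftime tokens
# only after it. Only the tokens listed here are translated into a regex.
STRFTIME_RE = {
    "%Y": r"\d{4}", "%y": r"\d{2}", "%m": r"\d{2}", "%d": r"\d{2}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%j": r"\d{3}",
}
TOKEN = re.compile("|".join(re.escape(t) for t in STRFTIME_RE))
ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")


def check_monitored_path(path):
    """Return (ok, message) for a path written with the convention above."""
    folder, sep, name = path.rpartition("\\")
    if not sep or not name:
        return False, "path must contain a folder and a file name"
    if "%" in ENV_VAR.sub("", folder):
        return False, "only %VAR% environment variables are allowed before the last backslash"
    if "%" in TOKEN.sub("", name):
        return False, "only strftime tokens are allowed after the last backslash"
    return True, "ok"


def file_name_regex(path):
    """Regex for the file names a monitored path covers (fzs-%Y-%m-%d.log -> fzs-YYYY-MM-DD.log)."""
    name = path.rpartition("\\")[2]
    parts, pos = [], 0
    for m in TOKEN.finditer(name):
        parts.append(re.escape(name[pos:m.start()]) + STRFTIME_RE[m.group(0)])
        pos = m.end()
    parts.append(re.escape(name[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def matches_monitored_file(path, file_name):
    return file_name_regex(path).match(file_name) is not None


# --- 2. OSSEC decoder / rule set sequence pre-check --------------------------
def _parse_fragments(xml_text):
    # OSSEC files hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + xml_text + "</root>")


def precheck_ossec(decoder_files, rule_files):
    """decoder_files / rule_files: ordered lists of (file_name, xml_text), in the
    order shown in the console. Returns a list of error strings (empty = consistent)."""
    errors = []
    decoders = set()
    for _fname, text in decoder_files:
        for dec in _parse_fragments(text).iter("decoder"):
            decoders.add(dec.get("name"))
    if not decoders:
        errors.append("no decoder found in the decoder files")
    if not rule_files or rule_files[0][0] != "rules_config.xml":
        errors.append("rules_config.xml must be the first rule set")
    seen_ids = []  # rule ids in declaration order across all files
    for fname, text in rule_files:
        for rule in _parse_fragments(text).iter("rule"):
            rid = int(rule.get("id"))
            if rid in seen_ids:
                errors.append(f"{fname}: duplicate rule id {rid}")
            # Parent rules must already be declared when a child refers to them.
            for ref in rule.findall("if_sid") + rule.findall("if_matched_sid"):
                for sid in ref.text.split(","):
                    if int(sid) not in seen_ids:
                        errors.append(f"{fname}: rule {rid} references undeclared rule {sid.strip()}")
            for dec in rule.findall("decoded_as"):
                if dec.text.strip() not in decoders:
                    errors.append(f"{fname}: rule {rid} uses unknown decoder '{dec.text.strip()}'")
            seen_ids.append(rid)
    if seen_ids[:7] != list(range(1, 8)):
        errors.append("OSSEC rules 1 to 7 must be the first rules declared")
    return errors


# Constructed sample files. The real rules_config.xml ships with OSSEC; this
# abridged stand-in only carries the seven generic template rules.
DECODER_XML = r"""
<decoder name="fzs">
  <prematch>^\(\d+\) </prematch>
</decoder>
"""
RULES_CONFIG_XML = '<group name="syslog,">' + "".join(
    f'<rule id="{i}" level="0" noalert="1"><category>{c}</category>'
    f'<description>Generic template for all {c} rules.</description></rule>'
    for i, c in enumerate(["syslog", "firewall", "ids", "web-log", "squid", "windows", "ossec"], start=1)
) + "</group>"
FZS_RULES_XML = """
<group name="fzs,">
  <rule id="100100" level="0">
    <decoded_as>fzs</decoded_as>
    <description>FileZilla Server log line (grouping rule, constructed).</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>530 Login or password incorrect</match>
    <description>FileZilla Server: failed FTP login (constructed).</description>
  </rule>
</group>
"""


def example_errors(swap_order=False):
    """Run the pre-check on the samples, optionally with the rule files in the wrong order."""
    rule_files = [("rules_config.xml", RULES_CONFIG_XML), ("fzs_rules.xml", FZS_RULES_XML)]
    if swap_order:
        rule_files.reverse()
    return precheck_ossec([("decoder.xml", DECODER_XML)], rule_files)


if __name__ == "__main__":
    print(check_monitored_path(r"%PROGRAMFILES%\Filezilla Server\Logs\fzs-%Y-%m-%d.log"))
    print(example_errors(), example_errors(swap_order=True))
```

To run it against your own files, read each decoder and rule file from disk and pass them to precheck_ossec in the order displayed in the console; an empty list means the sequence passes these structural checks, and the product's Check the rule button still performs the regular expression and unsupported-option checks listed above.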
By default, the OSSEC analysis engine in SES Evolution retrieves Windows events generated when it is not enabled, e.g., when the machine is starting up. However, it does not retrieve log files.