Log Inspection Rules

The OSSEC Log Inspection Engine is integrated into Deep Security Agents and gives Deep Security the ability to inspect the logs and events generated by the operating system and by applications running on the computer. Log Inspection Rules can be assigned directly to computers or can be made part of a Policy. Like Integrity Monitoring events, Log Inspection events can be configured to generate Alerts in the Deep Security Manager.

Log Inspection Rules that are assigned to one or more computers or that are part of a Policy cannot be deleted.
Deep Security Manager ships with a standard set of OSSEC Log Inspection Rules. For more information on Log Inspection, see Examining a Log Inspection Rule and Log Inspection. For further assistance in writing your own Log Inspection Rules using the XML-based OSSEC rule language, consult the OSSEC documentation or contact your support provider.

Clicking New or Properties displays the Log Inspection Rule Properties window.

General

General Information

The name and description of the Log Inspection Rule and, if the rule is issued by Trend Micro, the minimum versions of the Agent and of the Deep Security Manager that are required for the rule to function.

Identification

Date when the rule was first issued and when it was last updated, as well as a unique identifier for the rule.

Content

The Content tab only appears for Log Inspection Rules that you create yourself. Log Inspection Rules issued by Trend Micro have a Configuration tab instead, which displays the rule's configuration options (if any). Log Inspection Rules issued by Trend Micro are not editable, although you can duplicate them and then edit the copy.

Template

In the Content tab, select the "Basic Rule" template.

General Information

Enter a Rule ID. A Rule ID is a unique identifier for the rule. OSSEC reserves 100000 - 109999 as the space for user-defined rules, so keep your own IDs in that range to avoid colliding with rules issued by Trend Micro. (Deep Security Manager pre-populates the field with a new unique Rule ID.)

Give the rule a level. OSSEC levels run from 0 to 15, with higher numbers indicating greater severity. Zero (0) means the rule never logs an event on its own, although other rules that depend on this rule may still fire. (See the dependency fields below.)

Optionally assign the rule to one or more comma-separated groups. Groups matter when dependencies are used, because a rule can be made to fire on the firing of a specific rule, or on the firing of any rule that belongs to a specific group.

Pattern Matching

This is the pattern the rule looks for in the logs; the rule is triggered on a match. Pattern matching supports Regular Expressions or simpler String Patterns. The "String Pattern" type is faster than RegEx but supports only three special operations: ^ anchors the pattern to the beginning of the log entry, $ anchors it to the end, and | separates alternatives (OR). Every other character is matched literally, so prefer String Patterns for high-volume logs and reserve Regular Expressions for patterns that genuinely need them.

For information on the regular expression syntax used by the Log Inspection module, see http://www.ossec.net/doc/syntax/regex.html. Note that the OSSEC regular expression dialect is not PCRE: it supports a limited set of character classes (for example \w, \d, \s and their negations), the anchors ^ and $, the modifiers + and *, alternation with |, and grouping with ( ). Test patterns written for other regex engines against the OSSEC syntax before relying on them.

Composite

Frequency is the number of times the rule has to match within the Time Frame before an event is logged.

Time Frame is the period of time in seconds within which the rule has to trigger a certain number of times (the frequency, above) to log an event.

Dependency

Setting a dependency on another rule (or on a group of rules) causes your rule to log an event only if the rule or group specified in this area has also triggered on the same log entry. This is how parent rules with level 0 are used: the parent does the broad matching without logging anything, and the dependent rules refine it.
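The following is an added example, not code from this page or from Trend Micro or OSSEC: a small Python engine that implements the Basic Rule fields described above (level, group, the String Pattern with its three operators, frequency and time frame, and the if_sid, if_group and if_matched_sid dependencies of the OSSEC rule language) and runs a constructed rule set over constructed sshd and cron log lines. The rule IDs, the sample messages and the 203.0.113.5 address are invented. The engine simplifies OSSEC in two ways that are labelled in the code: it logs only the highest-level rule that matches a line, and it follows this page's definition of frequency literally.

```python
"""Added example: a toy OSSEC-style log inspection engine (not Deep Security's own code).
Covers the Basic Rule fields on this page: id, level, group, string-pattern match (^ $ | only),
frequency/timeframe, and the if_sid / if_group / if_matched_sid dependencies."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed rule set; hypothetical IDs in the OSSEC user-defined range 100000-109999.
RULES_XML = """<group name="local,syslog,">
  <rule id="100100" level="0">            <!-- level 0: never logged, other rules depend on it -->
    <match>^sshd</match>
  </rule>
  <rule id="100101" level="5">            <!-- fires only if 100100 matched the same line -->
    <if_sid>100100</if_sid>
    <match>Failed password|authentication failure</match>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100102" level="10" frequency="4" timeframe="60">  <!-- composite rule -->
    <if_matched_sid>100101</if_matched_sid>
  </rule>
  <rule id="100103" level="7">            <!-- depends on a group rather than a rule id -->
    <if_group>authentication_failed</if_group>
    <match>for root</match>
  </rule>
</group>"""

# Constructed log lines: (timestamp in seconds, message).
SAMPLE_LOG = [
    (0, "sshd[1201]: Failed password for root from 203.0.113.5 port 4022 ssh2"),
    (10, "sshd[1202]: Failed password for admin from 203.0.113.5 port 4023 ssh2"),
    (15, "cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
    (20, "sshd[1203]: Failed password for root from 203.0.113.5 port 4024 ssh2"),
    (30, "sshd[1204]: Failed password for root from 203.0.113.5 port 4025 ssh2"),
    (100, "sshd[1205]: Failed password for root from 203.0.113.5 port 4026 ssh2"),
]

def sregex_match(pattern, line):
    """OSSEC string pattern: '|' separates alternatives; '^' anchors an alternative to the
    start of the line and '$' to the end; anything else is a plain substring test."""
    for alt in filter(None, pattern.split("|")):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[int(start):len(alt) - int(end)]
        if (line == body if start and end else line.startswith(body) if start
                else line.endswith(body) if end else body in line):
            return True
    return False

def load_rules(xml_text):
    """Parse <rule> elements in file order; an absent field means 'no constraint'."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        t = r.findtext
        rules.append({
            "id": int(r.get("id")), "level": int(r.get("level", "0")),
            "frequency": int(r.get("frequency", "0")), "timeframe": int(r.get("timeframe", "0")),
            "match": t("match"), "if_group": t("if_group"),
            "if_sid": int(t("if_sid")) if t("if_sid") else None,
            "if_matched_sid": int(t("if_matched_sid")) if t("if_matched_sid") else None,
            "groups": [g for g in (t("group") or "").split(",") if g],
        })
    return rules

class Engine:
    def __init__(self, rules):
        self.rules = rules                # parent rules must precede rules that depend on them
        self.history = defaultdict(list)  # rule id -> timestamps at which that rule matched

    def process(self, ts, line):
        """Evaluate one line; return (rule id, level) of the logged event, or None.
        Simplification: of all matching rules the highest-level one is logged; a level 0
        rule never produces an event but still satisfies dependencies."""
        matched_ids, matched_groups = set(), set()
        for r in self.rules:
            if r["if_sid"] is not None and r["if_sid"] not in matched_ids:
                continue
            if r["if_group"] is not None and r["if_group"] not in matched_groups:
                continue
            if r["if_matched_sid"] is not None and r["if_matched_sid"] not in matched_ids:
                continue
            if r["match"] is not None and not sregex_match(r["match"], line):
                continue
            if r["frequency"]:
                # Composite rule (page's definition): the dependency must have matched
                # 'frequency' times within 'timeframe' seconds, this line's match included.
                recent = [t for t in self.history[r["if_matched_sid"]] if ts - t <= r["timeframe"]]
                if len(recent) < r["frequency"]:
                    continue
            matched_ids.add(r["id"])
            matched_groups.update(r["groups"])
            self.history[r["id"]].append(ts)
        logged = [r for r in self.rules if r["id"] in matched_ids and r["level"] > 0]
        if not logged:
            return None
        best = max(logged, key=lambda r: r["level"])
        return best["id"], best["level"]

def run_sample():
    """Rule id logged for each constructed line, in order (None = no event)."""
    engine = Engine(load_rules(RULES_XML))
    return [ev[0] if ev else None for ev in [engine.process(ts, m) for ts, m in SAMPLE_LOG]]
```

Calling run_sample() returns the rule id logged per line: the failures at 0, 10, 20 and 30 seconds trip the composite rule 100102 on the fourth match, the cron line produces no event because the level 0 parent never matches it, and the failure at 100 seconds falls back to the per-line rules because the earlier matches have aged out of the 60-second window. Before relying on an exact frequency threshold in production, confirm on a test computer how the Agent's engine counts matches, since a real OSSEC engine may not fire on exactly the frequency-th match.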

Files

Type the full path to the file(s) you want your rule to monitor and specify the type of file it is (for example syslog, apache, iis, eventlog or multi-line), so that the engine parses each entry correctly before applying the pattern.

Options

Alert

Select whether this rule triggers an Alert in the Deep Security Manager or not.

The "Alert Minimum Severity" setting is only used if you have written multiple rules within your rule, something that cannot be done using the "Basic" template. However, if after creating your rule using the "Basic" template you edit the XML of the rule and add additional rules with different severity levels, you can use the "Alert Minimum Severity" drop-down menu to set the minimum severity that any of those rules must reach to trigger an Alert.

Assigned To

Lists the Policies (Security Profiles) and computers to which this Log Inspection Rule is assigned.

Recommendations

Deep Security can be configured to perform regular Recommendation Scans, which scan a computer and make recommendations about the application of various security rules. Selecting this checkbox automatically assigns recommended Log Inspection Rules to the computer and automatically unassigns rules that are not required.

To turn the recommendation engine on or off, go to Policy/Computer Editor > Settings > Scanning in the Deep Security Manager.