Hi, I'll give you some examples with SSH logins. If you want an email when users log out, in local_rules.xml overwrite rule 5502 and add the option alert_by_email:

    <group name="test,">
      <rule id="5502" level="3" overwrite="yes">
        <if_sid>5500</if_sid>
        <options>alert_by_email</options>
        <match>session closed for user </match>
        <description>Login session closed.</description>
        <group>pci_dss_10.2.5,</group>
      </rule>
    </group>
Also, you should configure your email options: http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html

If the session duration is not in a log, it is hard to know it. Anyway, you can run some utility or program such as "*last* username" to get the session duration. OSSEC allows running commands using localfile <http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.localfile.html>. Also, you could try to write the session duration to a log (with *logger*) and create a decoder/rules for that.

I guess you could write a script to get the time between 2 alerts:

    ** Alert 1455888353.7570: - pam,syslog,authentication_success,pci_dss_10.2.5,
    2016 Feb 19 13:25:53 LinMV->/var/log/auth.log
    Rule: 5501 (level 3) -> 'Login session opened.'
    Feb 19 13:25:52 LinMV sshd[1237]: pam_unix(sshd:session): session opened for user root by (uid=0)

    ** Alert 1455888359.7841: - pam,syslog,pci_dss_10.2.5,
    2016 Feb 19 13:25:59 LinMV->/var/log/auth.log
    Rule: 5502 (level 3) -> 'Login session closed.'
    Feb 19 13:25:59 LinMV sshd[1235]: pam_unix(sshd:session): session closed for user root

If you are using "ELK" (<http://wazuh-documentation.readthedocs.org/en/latest/ossec_elk.html>), you can probably create a query to get the time.

I don't know how to do it exactly, but here you have some ideas ;).

Regards.
Jesus Linares.

On Friday, February 19, 2016 at 10:09:03 AM UTC+1, Maxim Surdu wrote:
>
> Hi Jesus Linares,
>
> I have Linux like CentOS, Ubuntu, and Windows Server.
>
> If it is possible to alert me with all types of login.
>
> On Thursday, 18 February 2016, 13:04:15 UTC+2, Jesus Linares wrote:
>>
>> Hi Maxim,
>>
>> What is the OS of your agents?
>>
>> What kind of login do you want to alert on? SSH, FTP, normal login?
>>
>> Regards.
>>
>> On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote:
>>>
>>> Hi dear community,
>>>
>>> I installed and configured about 10 agents, and of course I have a lot of
>>> users. I have logs when they log in and log out. Can I create a rule to
>>> show me the length of time the user was logged in, and when they log out,
>>> have the rule send me mail?
>>>
>>> I appreciate your help, and a lot of respect for the developers and community!
>>>
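A script along the lines suggested in the reply above, as an added example that is not part of the original post or of OSSEC itself. It parses alerts.log blocks in the format quoted in the thread (assumed to be unchanged from the two alerts shown), pairs each "session closed" with the earliest unmatched "session opened" for the same host and user, and reports the durations plus any close that has no matching open. The root alerts are the ones from the thread; the alerts for users "alice" and "bob" are constructed to exercise the pairing and the orphan case.

```python
"""Pair OSSEC 'session opened' / 'session closed' alerts and compute session durations.

Added example, not OSSEC code. Input format is the alerts.log layout quoted in
the thread; the alerts for users alice and bob below are constructed test data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Sample alerts.log content: first two blocks are from the thread, the rest are constructed.
SAMPLE_ALERTS = """\
** Alert 1455888353.7570: - pam,syslog,authentication_success,pci_dss_10.2.5,
2016 Feb 19 13:25:53 LinMV->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Feb 19 13:25:52 LinMV sshd[1237]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1455888359.7841: - pam,syslog,pci_dss_10.2.5,
2016 Feb 19 13:25:59 LinMV->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Feb 19 13:25:59 LinMV sshd[1235]: pam_unix(sshd:session): session closed for user root

** Alert 1455888400.8001: - pam,syslog,authentication_success,pci_dss_10.2.5,
2016 Feb 19 13:26:40 LinMV->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Feb 19 13:26:40 LinMV sshd[1301]: pam_unix(sshd:session): session opened for user alice by (uid=0)

** Alert 1455892000.8102: - pam,syslog,pci_dss_10.2.5,
2016 Feb 19 14:26:40 LinMV->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Feb 19 14:26:40 LinMV sshd[1299]: pam_unix(sshd:session): session closed for user alice

** Alert 1455892100.8200: - pam,syslog,pci_dss_10.2.5,
2016 Feb 19 14:28:20 LinMV->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Feb 19 14:28:20 LinMV sshd[1350]: pam_unix(sshd:session): session closed for user bob
"""

# The integer part of the alert id is the epoch second at which OSSEC raised the alert.
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: - ")
# "2016 Feb 19 13:25:53 LinMV->/var/log/auth.log"; agent alerts put "(name) ip" before "->",
# so the host part is matched lazily rather than as a single token.
LOCATION_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d (.+?)->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level \d+\) -> ")
SESSION_RE = re.compile(r"session (opened|closed) for user (\S+)")


def parse_alerts(text):
    """Return one dict per alert whose log line is a pam_unix session open/close."""
    events = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        header = HEADER_RE.match(lines[0])
        if not header:
            continue
        event = {"epoch": int(header.group(1)), "host": None, "rule": None}
        for line in lines[1:]:
            loc = LOCATION_RE.match(line)
            if loc:
                event["host"], event["location"] = loc.groups()
                continue
            rule = RULE_RE.match(line)
            if rule:
                event["rule"] = int(rule.group(1))
                continue
            sess = SESSION_RE.search(line)
            if sess:
                event["action"], event["user"] = sess.groups()
        if "action" in event and event["host"]:
            events.append(event)
    return events


def session_durations(events):
    """Match each close to the earliest unmatched open for the same (host, user).

    sshd logs the open and the close from different processes (PIDs 1237 and
    1235 in the thread's alerts), so PIDs cannot be used for pairing; host and
    user are the only stable keys. Returns (sessions, orphan_closes) where a
    session is (host, user, opened_epoch, closed_epoch, seconds).
    """
    open_sessions = defaultdict(deque)
    sessions, orphans = [], []
    for ev in sorted(events, key=lambda e: e["epoch"]):
        key = (ev["host"], ev["user"])
        if ev["action"] == "opened":
            open_sessions[key].append(ev["epoch"])
        elif open_sessions[key]:
            opened = open_sessions[key].popleft()
            sessions.append((ev["host"], ev["user"], opened, ev["epoch"], ev["epoch"] - opened))
        else:
            orphans.append((ev["host"], ev["user"], ev["epoch"]))
    return sessions, orphans


def report(sessions, orphans):
    """Render the pairing result as human-readable lines (UTC timestamps)."""
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    lines = [f"{h} {u}: {fmt(o)} -> {fmt(c)} ({s} s)" for h, u, o, c, s in sessions]
    lines += [f"{h} {u}: closed at {fmt(c)} with no matching open" for h, u, c in orphans]
    return lines


if __name__ == "__main__":
    print("\n".join(report(*session_durations(parse_alerts(SAMPLE_ALERTS)))))
```

Run it against a real alerts.log by replacing SAMPLE_ALERTS with the file's contents. Durations come from the alert timestamp rather than the syslog line, so they can be off by about a second (the thread's open alert was raised at 13:25:53 for a 13:25:52 log line); a session that is still open at the end of the file produces no entry at all, which is worth checking separately when hunting for long-lived logins.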