On 12/22/2010 08:44 PM, dan (ddp) wrote:
> I don't have access to ossec-logtest right now, so you'll have to do
> some testing with that on your own.
> Everything I'm writing in this mail is untested. ;)
>
> On Wed, Dec 22, 2010 at 12:41 PM, carlopmart<[email protected]> wrote:
>> Hi all,
>> I am trying to decode auditd messages using OSSEC under RHEL6 host. To do
>> this I followed this howto:
>> http://securestate.blogspot.com/2010/09/getting-ossec-to-parse-auditd.html.
>> My local_decoder.xml file is:
>
> This decoder doesn't look quite right for your samples.
>
>> <decoder name="auditd">
>> <prematch>type=\S+ msg=audit</prematch>
>> <regex offset="after_prematch">msg=</regex>
>
> I'm not sure what the above really serves.
>
>> <regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+),
>> terminal=(\S+) res=(\S+)\)'</regex>
>
> The single quotes in this regex don't seem quite right. In the samples
> the first single quote comes before op=PAM, not just PAM.
> Also, the stray ":" and "," seem odd.
>
>> <order>user, extra_data, srcip, dstip, id, status</order>
>> </decoder>
>
> Let's try simplifying it a bit:
>
> <decoder name="auditd">
> <prematch>^type=\S+ msg=audit</prematch>
> <regex offset="after_prematch">op=PAM:\S+ acct="(\S+)" exe="(\S+)"
> hostname=(\S+) addr=(\S+) terminal=(\S+) res=(\S+)'$</regex>
> <order>user,extra_data,srcip,dstip,id,status</order>
> </decoder>
>
> Put that in local_decoder.xml, run /var/ossec/bin/ossec-logtest, and
> paste in one of the audit log messages. If it doesn't seem to work,
> and you need help tweaking, reply with the output.
Ok, my local_decoder.xml looks like this now:
<decoder name="auditd">
<prematch>^type=\S+ msg=audit</prematch>
<regex offset="after_prematch">msg=</regex>
<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)
terminal=(\S+) res=(\S+)'$</regex>
<order>user,extra_data,srcip,dstip,id,status</order>
</decoder>
And ossec-logtest output:
2010/12/22 21:15:14 ossec-testrule: INFO: Reading local decoder file.
2010/12/22 21:15:14 ossec-testrule: INFO: Started (pid: 20934).
ossec-testrule: Type one log per line.
type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
**Phase 1: Completed pre-decoding.
full event: 'type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453
uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success''
hostname: 'laptop'
program_name: '(null)'
log: 'type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0
auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success''
**Phase 2: Completed decoding.
decoder: 'auditd'
... but the alert isn't generated ...
--
CL Martinez
carlopmart {at} gmail {d0t} com
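The logtest output above stops at Phase 2 because a decoder only extracts fields; OSSEC raises alerts from rules, and nothing in the thread's configuration references the "auditd" decoder. The rules below are an added example, not from the thread or the OSSEC project: the rule ids (100100-100102), levels, descriptions and group name are assumptions, chosen in the local range (100000 and up) so they do not collide with the shipped rule set. They are meant for local_rules.xml, which ossec.conf includes by default.

```xml
<group name="local,auditd,">
  <!-- Added example (not from the thread). Base rule: fires for every event
       that the "auditd" decoder above successfully decodes. Level 3 is an
       assumption; anything at or above log_alert_level (default 1) is written
       to alerts.log. -->
  <rule id="100100" level="3">
    <decoded_as>auditd</decoded_as>
    <description>auditd: PAM event decoded (op, acct, exe, hostname, addr, terminal, res).</description>
  </rule>

  <!-- Child rule: the decoder's <order> maps res=... to the "status" field.
       Escalate when the PAM operation did not succeed (res=failed). -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>failed</status>
    <description>auditd: PAM operation failed.</description>
  </rule>

  <!-- Child rule: a failed PAM operation for the account mapped to the
       "user" field is worth a higher level; "root" is used as the example. -->
  <rule id="100102" level="8">
    <if_sid>100101</if_sid>
    <user>root</user>
    <description>auditd: PAM operation for root failed.</description>
  </rule>
</group>
```

With these rules in place, feeding the same sample line to ossec-logtest should continue past Phase 2 to "Phase 3: Completed filtering (rules)." and report rule 100100 with the decoded fields, since the sample carries res=success; a line with res=failed would match 100101, and one with acct="root" plus res=failed would match 100102.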