On Wed, Dec 22, 2010 at 3:17 PM, carlopmart <[email protected]> wrote:
> On 12/22/2010 08:44 PM, dan (ddp) wrote:
>>
>> I don't have access to ossec-logtest right now, so you'll have to do
>> some testing with that on your own.
>> Everything I'm writing in this mail is untested. ;)
>>
>> On Wed, Dec 22, 2010 at 12:41 PM, carlopmart<[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> I am trying to decode auditd messages using OSSEC on a RHEL6 host. To do
>>> this I followed this howto:
>>>
>>> http://securestate.blogspot.com/2010/09/getting-ossec-to-parse-auditd.html.
>>>
>>> My local_decoder.xml file is:
>>>
>>
>> This decoder doesn't look quite right for your samples.
>>
>>> <decoder name="auditd">
>>> <prematch>type=\S+ msg=audit</prematch>
>>> <regex offset="after_prematch">msg=</regex>
>>
>> I'm not sure what the above really serves.
>>
>>> <regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+),
>>> terminal=(\S+) res=(\S+)\)'</regex>
>>
>> The single quotes in this regex don't seem quite right. In the samples
>> the first single quote comes before op=PAM, not just PAM.
>> Also, the stray ":" and "," seem odd.
>>
>>> <order>user, extra_data, srcip, dstip, id, status</order>
>>> </decoder>
>>>
>>
>> Let's try simplifying it a bit:
>>
>> <decoder name="auditd">
>> <prematch>^type=\S+ msg=audit</prematch>
>> <regex offset="after_prematch">op=PAM:\S+ acct="(\S+)" exe="(\S+)"
>> hostname=(\S+) addr=(\S+) terminal=(\S+) res=(\S+)'$</regex>
>> <order>user,extra_data,srcip,dstip,id,status</order>
>> </decoder>
>>
>> Put that in local_decoder.xml, run /var/ossec/bin/ossec-logtest, and
>> paste in one of the audit log messages. If it doesn't seem to work,
>> and you need help tweaking, reply with the output.
>>
>
> Ok, my local_decoder.xml looks like this now:
>
> <decoder name="auditd">
> <prematch>^type=\S+ msg=audit</prematch>
> <regex offset="after_prematch">msg=</regex>
> <regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)
> terminal=(\S+) res=(\S+)'$</regex>
> <order>user,extra_data,srcip,dstip,id,status</order>
> </decoder>
>
> And ossec-logtest output:
>
> 2010/12/22 21:15:14 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/22 21:15:14 ossec-testrule: INFO: Started (pid: 20934).
> ossec-testrule: Type one log per line.
>
> type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0
> auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root"
> exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'type=USER_ACCT msg=audit(1293048061.159:164): user
> pid=20453 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success''
> hostname: 'laptop'
> program_name: '(null)'
> log: 'type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453
> uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root"
> exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success''
>
> **Phase 2: Completed decoding.
> decoder: 'auditd'
>
> ... but the alert isn't generated ...
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
You'll have to play around with the <regex> a bit. It looks like the right
decoder is being chosen (decoder: 'auditd'), but the fields aren't being
populated.

So, simplify again. Change the auditd decoder to look like this:

<decoder name="auditd">
<prematch>^type=\S+ msg=audit</prematch>
<regex>op=PAM:\S+ acct="(\S+)"</regex>
<order>user</order>
</decoder>

If that works (populates the user field in Phase 2), change the regex to
include the next part:

<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)"</regex>

If that works, add the next section; if not, adjust until it does:

<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+)</regex>

If that works, add the next section. If not, adjust until it does, then add
the next section:

<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)</regex>

ossec-logtest is your best tool for getting this to work. I don't have
access to it at the moment, so all I can do is toss things out until it
works.
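
When ossec-logtest is not at hand, the step-at-a-time check described above can be scripted. The Python below is an added example, not code from the thread or from OSSEC: it translates an assumed, approximate subset of OSSEC's regex dialect into Python's re module (the real engine may differ, so ossec-logtest stays the final word) and reports the first step of the incremental regex chain that stops matching the sample USER_ACCT event.

```python
import re
# Sample auditd event from the thread, re-joined into one line.
SAMPLE = (
    "type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct=\"root\" "
    "exe=\"/usr/sbin/crond\" hostname=? addr=? terminal=cron res=success'"
)

# Assumed approximation of OSSEC's regex dialect: \S \s \w \d as usual, \. is
# any character, a bare '.' is literal, ( ) + * ^ $ | are operators, \x is x.
_CLASSES = {r"\S": r"\S", r"\s": r"\s", r"\w": r"\w", r"\d": r"\d", r"\.": "."}

def ossec_to_python(pattern):
    """Translate an OSSEC <regex> body into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _CLASSES:                                 # character class
            out.append(_CLASSES[two]); i += 2
        elif pattern[i] == "\\" and i + 1 < len(pattern):   # escaped literal
            out.append(re.escape(pattern[i + 1])); i += 2
        elif pattern[i] in "()+*^$|":                       # operator
            out.append(pattern[i]); i += 1
        else:                                               # literal
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def decode(pattern, order, event):
    """Apply one <regex>/<order> pair: the field dict, or None on no match."""
    m = re.search(ossec_to_python(pattern), event)
    return dict(zip(order, m.groups())) if m else None

def first_failing_step(steps, order, event):
    """Index of the first step that stops matching, -1 if the whole chain matches."""
    for idx, pat in enumerate(steps):
        if decode(pat, order, event) is None:
            return idx
    return -1

ORDER = ["user", "extra_data", "srcip", "dstip", "id", "status"]
STEPS = [  # the incremental regexes from the reply above, grown one field at a time
    r'op=PAM:\S+ acct="(\S+)"',
    r'op=PAM:\S+ acct="(\S+)" exe="(\S+)"',
    r'op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+)',
    r'op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)',
]
STEPS.append(STEPS[-1] + r" terminal=(\S+) res=(\S+)'$")  # the full decoder regex
# The regex of the first decoder: it expects 'PAM: and a ':' after acct, so it never matches.
ORIGINAL = ("'PAM: " + r'\.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), '
            r'addr=(\S+), terminal=(\S+) res=(\S+)\)' + "'")
```

With the sample event, first_failing_step(STEPS, ORDER, SAMPLE) returns -1 (every step matches and the last one yields user=root, extra_data=/usr/sbin/crond, srcip=?, dstip=?, id=cron, status=success), while first_failing_step([ORIGINAL], ORDER, SAMPLE) returns 0 because the event contains op=PAM:accounting rather than 'PAM: .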
