My decoders work well, I need to correlate some logs. Example:
type=PATH msg=audit(12/16/2013 17:46:15.030:9813) : item=0 name=/etc/group.tmpIiCTBq inode=5 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(12/16/2013 17:46:15.030:9813) : cwd=/var/ossec/etc
type=SYSCALL msg=audit(12/16/2013 17:46:15.030:9813) : arch=x86_64 syscall=unlink success=no exit=-2(No such file or directory) a0=7ffff9be25b0 a1=7ffff9be2590 a2=7f9f68427ef8 a3=7f9f694b47a0 items=1 ppid=26163 pid=27938 auid=proob uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=491 comm=useradd exe=/usr/sbin/useradd key=identity

Each "type" is a log; can I create composite rules with the "same_id" attribute? Example:

  <rule id="1" level="0">
    <decoded_as>auditd</decoded_as>
    <description>All auditd rules</description>
  </rule>

  <!-- composite rule: if_matched_sid tells OSSEC which rule's matches to count -->
  <rule id="2" level="8" frequency="3" timeframe="5">
    <if_matched_sid>1</if_matched_sid>
    <same_id />
    <description>xxxx</description>
  </rule>

Thanks for your help!

On Monday, December 16, 2013 17:21:06 UTC-3, Michael Starks wrote:
>
> On 2013-12-16 11:52, Leonel Algaré wrote:
> > Hi guys,
> >
> > Can someone tell me how I can create rules based on the auditd
> > decoders that I have written?
>
> Did the existing auditd decoder not work well for you?
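Added example, not from the post above and not OSSEC's own code: a Python script that parses auditd records like the three posted, extracts the audit serial (the number after the timestamp inside msg=audit(...)), groups records by it, and applies an OSSEC-style frequency/timeframe check keyed on a chosen field, which is what a `<same_id />` composite rule does once a decoder has placed the serial in the `id` field (that decoder mapping is assumed, not shown). It also shows the caveat a practitioner hits here: every record of one syscall event (PATH, CWD, SYSCALL) carries the same serial, so frequency=3 with same_id fires on the three records of a single event; to count separate events, reassemble by serial first and key on another field such as auid. Everything beyond event 9813 in the sample is constructed.

```python
"""Correlate auditd records by audit serial, the way an OSSEC <same_id /> rule would."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input. Event 9813 is the one from the post; 9814, 9815 and
# 9820 are made-up follow-on events. auditd writes one line per record type;
# all records of one syscall event share the serial in msg=audit(<time>:<serial>).
SAMPLE_LINES = [
    "type=PATH msg=audit(12/16/2013 17:46:15.030:9813) : item=0 name=/etc/group.tmpIiCTBq inode=5 dev=fd:02 mode=dir,755 ouid=root ogid=root",
    "type=CWD msg=audit(12/16/2013 17:46:15.030:9813) : cwd=/var/ossec/etc",
    "type=SYSCALL msg=audit(12/16/2013 17:46:15.030:9813) : arch=x86_64 syscall=unlink success=no exit=-2(No such file or directory) ppid=26163 pid=27938 auid=proob uid=root comm=useradd exe=/usr/sbin/useradd key=identity",
    "type=CWD msg=audit(12/16/2013 17:46:16.101:9814) : cwd=/var/ossec/etc",
    "type=SYSCALL msg=audit(12/16/2013 17:46:16.101:9814) : arch=x86_64 syscall=unlink success=no exit=-2(No such file or directory) ppid=26163 pid=27941 auid=proob uid=root comm=useradd exe=/usr/sbin/useradd key=identity",
    "type=SYSCALL msg=audit(12/16/2013 17:46:18.500:9815) : arch=x86_64 syscall=unlink success=no exit=-2(No such file or directory) ppid=26163 pid=27944 auid=proob uid=root comm=useradd exe=/usr/sbin/useradd key=identity",
    "type=SYSCALL msg=audit(12/16/2013 17:46:40.000:9820) : arch=x86_64 syscall=unlink success=no exit=-2(No such file or directory) ppid=26163 pid=27950 auid=alice uid=root comm=useradd exe=/usr/sbin/useradd key=identity",
]

# Header: type, timestamp (raw epoch or `ausearch -i` form), serial, then the fields.
HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
# key=value pairs; quoted values kept whole. Parenthesised text such as
# exit=-2(No such file ...) is truncated at the first space, which is fine here.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_ts(ts):
    """Accept a raw epoch ('1387219575.030') or the interpreted '12/16/2013 17:46:15.030'."""
    try:
        return float(ts)
    except ValueError:
        return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f").timestamp()


def parse_record(line):
    """One auditd line -> dict with type, id (the serial), time and the key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "id": m["serial"], "time": parse_ts(m["ts"])}
    rec.update(FIELD.findall(m["body"]))
    return rec


def reassemble(lines):
    """Merge all records sharing a serial into one event, as a same_id correlation does."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["id"], {"id": rec["id"], "time": rec["time"], "types": []})
        ev["types"].append(rec["type"])
        for k, v in rec.items():
            if k not in ("type", "id", "time"):
                ev[k] = v
    return list(events.values())


def frequency_rule(items, key, frequency, timeframe):
    """OSSEC-style composite check: fire when `frequency` items sharing `key`
    arrive within `timeframe` seconds. Returns the key values that fired;
    the window for a key is reset after it fires."""
    windows = defaultdict(list)
    fired = []
    for it in sorted(items, key=lambda r: r["time"]):
        if key not in it:
            continue
        w = windows[it[key]]
        w.append(it["time"])
        while w and it["time"] - w[0] > timeframe:   # slide the window
            w.pop(0)
        if len(w) >= frequency:
            fired.append(it[key])
            w.clear()
    return fired


if __name__ == "__main__":
    records = [r for r in map(parse_record, SAMPLE_LINES) if r]
    # Per-record, keyed on the serial: the three records of event 9813 alone reach 3.
    print("same_id over raw records:", frequency_rule(records, "id", 3, 5))
    # After reassembly each event counts once, so keying on the serial never fires;
    # key on the login uid to catch three failed unlinks by one user within 5 s.
    print("same_id over events:", frequency_rule(reassemble(SAMPLE_LINES), "id", 3, 5))
    print("same auid over events:", frequency_rule(reassemble(SAMPLE_LINES), "auid", 3, 5))
```

Running it prints `['9813']`, `[]` and `['proob']` in that order: the serial is the right key for stitching PATH, CWD and SYSCALL records back into one event, but a frequency rule that counts separate events needs a field that is stable across events (auid, pid, exe), not the per-event serial.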
