On Mon, Dec 16, 2013 at 4:15 PM, Leonel Algaré <[email protected]> wrote:
> My decoders work well, I need to correlate some logs.
>
> Example:
>
> type=PATH msg=audit(12/16/2013 17:46:15.030:9813) : item=0
> name=/etc/group.tmpIiCTBq inode=5 dev=fd:02 mode=dir,755 ouid=root ogid=root
> rdev=00:00
> type=CWD msg=audit(12/16/2013 17:46:15.030:9813) : cwd=/var/ossec/etc
> type=SYSCALL msg=audit(12/16/2013 17:46:15.030:9813) : arch=x86_64
> syscall=unlink success=no exit=-2(No such file or directory) a0=7ffff9be25b0
> a1=7ffff9be2590 a2=7f9f68427ef8 a3=7f9f694b47a0 items=1 ppid=26163 pid=27938
> auid=proob uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=pts1 ses=491 comm=useradd exe=/usr/sbin/useradd
> key=identity
>
> Any "Type" is a log; can I create composite rules with the "same_id"
> attribute?
>

If "same_id" exists, then yes. I don't think it exists, but I'm ready to update the docs if I'm wrong!

> Example:
>
> <rule id="1" level="0">
>   <decoded_as>auditd</decoded_as>
>   <description>All auditd rules</description>
> </rule>
>
> <rule id="2" level="8" frequency="3" timeframe="5">
>   <same_id />
>   <description>xxxx</description>
> </rule>
>
> Thanks for your help!
>
>
> On Monday, December 16, 2013 17:21:06 UTC-3, Michael Starks wrote:
>>
>> On 2013-12-16 11:52, Leonel Algaré wrote:
>> > Hi guys,
>> >
>> > Can someone tell me how I can create rules based on the auditd
>> > decoders that I have written?
>>
>> Did the existing auditd decoder not work well for you?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
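The correlation Leonel is after, joining the PATH, CWD and SYSCALL records of one auditd event through the serial in the audit(...) header, can be checked outside the rule engine. The parser below is an added example written for this thread, not code from OSSEC or from either poster; the three sample records are the ones quoted above, re-joined onto single lines, and the "failed identity operation" check is an assumed detection, not an OSSEC rule.

```python
import re
from collections import defaultdict

# Sample auditd records taken from the message quoted above, re-joined onto single
# lines: one event (serial 9813) spread over PATH, CWD and SYSCALL records.
SAMPLE_LOG = """\
type=PATH msg=audit(12/16/2013 17:46:15.030:9813) : item=0 name=/etc/group.tmpIiCTBq inode=5 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(12/16/2013 17:46:15.030:9813) : cwd=/var/ossec/etc
type=SYSCALL msg=audit(12/16/2013 17:46:15.030:9813) : arch=x86_64 syscall=unlink success=no exit=-2(No such file or directory) a0=7ffff9be25b0 a1=7ffff9be2590 a2=7f9f68427ef8 a3=7f9f694b47a0 items=1 ppid=26163 pid=27938 auid=proob uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=491 comm=useradd exe=/usr/sbin/useradd key=identity
"""

# Record header "type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>";
# the serial (last number inside audit(...)) ties one event's records together.
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>.+):(?P<serial>\d+)\) : (?P<rest>.*)$")
# key=value pairs; a value may end in a parenthesised suffix containing spaces,
# e.g. "exit=-2(No such file or directory)".
FIELD_RE = re.compile(r"(\w+)=([^\s(]*(?:\([^)]*\))?)")

def parse_record(line):
    """Parse one auditd record into a dict of its fields, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial")), "timestamp": m.group("ts")}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec

def correlate(lines):
    """Group records by serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)

def failed_identity_ops(events):
    """Return (serial, exe, syscall, path) for events under audit key 'identity'
    whose syscall failed; the path is taken from the correlated PATH record."""
    hits = []
    for serial, recs in sorted(events.items()):
        sc = recs.get("SYSCALL")
        if sc and sc.get("key") == "identity" and sc.get("success") == "no":
            hits.append((serial, sc.get("exe"), sc.get("syscall"), recs.get("PATH", {}).get("name")))
    return hits

if __name__ == "__main__":
    for hit in failed_identity_ops(correlate(SAMPLE_LOG.splitlines())):
        print("serial=%d exe=%s syscall=%s path=%s" % hit)
```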
