Hello all,

I’m tracking bash commands through syslogging and the logs look like this:

Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]

The command to save these logs is:
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'


The logs are saved thusly (hostnames and IPs edited):
Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com

Here’s what I’m doing right now, and my mind is telling me that I’m going down the wrong path.

  <decoder name="bash">
    <program_name>^bash</program_name>
  </decoder>

  <decoder name="bash-activity">
    <parent>bash</parent>
    <regex>???</regex>
  </decoder>



Can anyone help me figure out how to get OSSEC watching these logs so I can then create alerts if I see certain commands executed? I want to know the time, the host, the user, the SSH connection info, and then the command.


Thank you in advance (and likely afterwards)!

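Added example (editor's code, not from the post or from OSSEC): a stand-alone Python prototype of the field extraction and watchlist matching the poster wants, run over constructed lines in the exact format shown above. It is useful for settling what the fields are and which regex splits them before the same pattern is translated into an OSSEC decoder and rule. The logger tag is "bash $USER[$$] $SSH_CONNECTION", so after the program name the tokens are user, bash PID, client IP, client port, server IP, server port, then the command. The watchlist patterns, the console-login line and the assumption that logger keeps the tag's trailing space when $SSH_CONNECTION is empty are illustrative choices of mine, not facts from the post.

```python
import re

# Constructed sample input in the format shown in the post (hostnames and
# addresses are the post's own placeholders, not real systems). The last line
# is a non-bash syslog line, included to show that the parser ignores it.
SAMPLE_LOG = """\
Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
Jan 28 10:48:01 XXX sshd[1234]: Accepted publickey for root from 64.55.41.120 port 40348 ssh2
"""

# The logger tag is "bash $USER[$$] $SSH_CONNECTION", so after the program
# name the fields are: user, bash PID, then the four $SSH_CONNECTION tokens
# (client IP, client port, server IP, server port). The SSH group is optional
# because $SSH_CONNECTION is empty on a console login (assumption: logger then
# emits "bash root[123] : cmd", i.e. the tag keeps its trailing space).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"bash (?P<user>\S+)\[(?P<pid>\d+)\] "
    r"(?:(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+))?: "
    r"(?P<command>.*)$"
)

# Hypothetical watchlist: rule name -> pattern applied to the command text only.
# These are illustrative, not rules from the post or from OSSEC.
WATCHLIST = {
    "pem-archive": re.compile(r"^tar\b.*\.pem\b"),
    "recon-tool": re.compile(r"^(traceroute|nmap|nc)\b"),
}


def parse_line(line):
    """Return the fields of one bash audit line, or None for any other syslog line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    for key in ("src_port", "dst_port"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def find_alerts(text, watchlist=WATCHLIST):
    """Parse every line of `text`; return (rule name, fields) for each watchlist hit."""
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        for name, pattern in watchlist.items():
            if pattern.search(fields["command"]):
                hits.append((name, fields))
    return hits


if __name__ == "__main__":
    for name, f in find_alerts(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} rule={name} user={f['user']} pid={f['pid']} "
              f"from={f['src_ip']}:{f['src_port']} cmd={f['command']!r}")
```

Two points worth carrying over when this is turned into a decoder. OSSEC decoders use their own regex dialect rather than PCRE (tokens such as \S+, \d+ and \.+, anchored with ^ and $), and the captured groups are named through an <order> element using OSSEC's fixed field names (for this log, user, id, srcip, srcport, dstip, dstport and extra_data for the command are the natural choices); ossec-logtest on the server will show whether a candidate decoder actually extracts the fields from a pasted line. Separately, this audit trail is only as strong as the shell that writes it: PROMPT_COMMAND runs when the next prompt is drawn, so a command is logged after it returns, and a root user can unset PROMPT_COMMAND or exec a different shell, so treat the log as a record of cooperative sessions rather than a tamper-proof one.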