On Tue, Jan 28, 2014 at 3:57 PM, Sean Jackson <[email protected]> wrote:
> Hello all,
>
> I'm tracking bash commands through syslogging and the logs look like this:
>
> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>
> The command to save these logs is:
> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>
> The logs are saved thusly (hostnames and IPs edited):
> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>
> Here's what I'm doing right now, and my mind is telling me that I'm going down the wrong path.
>
> <decoder name="bash">
>   <program_name>^bash</program_name>
> </decoder>
>
> <decoder name="bash-activity">
>   <parent>bash</parent>
>   <regex>???</regex>
> </decoder>
>
This is completely untested:

<decoder name="bash-activity">
  <parent>bash</parent>
  <!-- USER[PID], then the four $SSH_CONNECTION fields (src ip, src port, dst ip, dst port), then the command -->
  <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+ \d+): (\.+)$</regex>
  <order>srcuser, extra_info, extra_info</order>
</decoder>

> Can anyone help me figure out how to get OSSEC watching these logs so I can then create alerts if I see certain commands executed? I want to know the time, the host, the user, the ssh connection info, and then the command.
>
> Thank you in advance (and likely afterwards)!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
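As an added example (not code from the thread or from OSSEC), this Python script parses the log layout the PROMPT_COMMAND above produces, pulling out the time, host, user, SSH connection info and command, and keeps only the events whose command is on a watchlist; the watchlist and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout from the thread: "Mon DD HH:MM:SS HOST bash USER[PID] SRCIP SRCPORT DSTIP DSTPORT: COMMAND"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"bash (?P<user>[^\s\[]+)\[(?P<pid>\d+)\] "
    r"(?P<srcip>\S+) (?P<srcport>\d+) (?P<dstip>\S+) (?P<dstport>\d+): (?P<cmd>.*)$"
)

@dataclass
class BashEvent:
    ts: str
    host: str
    user: str
    pid: int
    ssh_conn: str  # the four $SSH_CONNECTION fields, space separated
    command: str

def parse_line(line: str) -> Optional[BashEvent]:
    # Return a BashEvent for a well-formed bash line, None for anything else.
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return BashEvent(
        ts=m["ts"], host=m["host"], user=m["user"], pid=int(m["pid"]),
        ssh_conn=f"{m['srcip']} {m['srcport']} {m['dstip']} {m['dstport']}",
        command=m["cmd"].strip(),
    )

# Hypothetical watchlist of command names that should raise an alert.
WATCHED = {"tar", "scp", "traceroute"}

def alerts(lines: List[str]) -> List[BashEvent]:
    # Keep only parseable events whose first word is on the watchlist;
    # non-bash syslog lines parse to None and are skipped rather than crashing.
    events = [ev for ev in map(parse_line, lines) if ev is not None and ev.command]
    return [ev for ev in events if ev.command.split()[0] in WATCHED]

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOGS = [
    "Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains",
    "Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem",
    "Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com",
    "Jan 28 10:48:01 XXX sshd[4242]: Accepted publickey for root",  # not a bash line
]
```

Running `alerts(SAMPLE_LOGS)` returns the tar and traceroute events and silently drops the sshd line, which is the same split the decoder above has to make before any rule can fire on the command.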
