Dan, thank you. I guess I need to take a step back. I'm not able to define this new parent, bash.

    <decoder name="bash">

I've tried:

    <program_name>^bash</program_name>
    <program_name>bash</program_name>
    <program_name>\sbash\s</program_name>
    <program_name>\bbash</program_name>
    <prematch>^bash</prematch>
    <prematch>bash</prematch>
    <prematch>\bbash</prematch>
    <prematch>\sbash\s</prematch>

And none of them will change the "program_name: '(null)'" in logtest to "program_name: bash". Any suggestions on how to create a new parent?

--Sean

On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
> Hello all,
>
> I'm tracking bash commands through syslogging and the logs look like this:
>
> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>
> The command to save these logs is:
>
>     PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>
> The logs are saved thusly (hostnames and IPs edited):
>
>     Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
>     Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
>     Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>
> Here's what I'm doing right now, and my mind is telling me that I'm going down the wrong path.
>
>     <decoder name="bash">
>       <program_name>^bash</program_name>
>     </decoder>
>
>     <decoder name="bash-activity">
>       <parent>bash</parent>
>       <regex>???</regex>
>     </decoder>
>
> Can anyone help me figure out how to get OSSEC watching these logs so I can then create alerts if I see certain commands executed? I want to know the time, the host, the user, the ssh connection info, and then the command.
>
> Thank you in advance (and likely afterwards)!
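As an added example, not code from this thread or from OSSEC itself: a Python parser for the bash/logger line format quoted above (time, host, user, pid, the four $SSH_CONNECTION fields, command), with a small watch list that flags commands of the kind shown in the samples. The regex, field names, watch rules and sample lines are my assumptions modelled on the quoted log lines, with hostnames and IPs replaced by placeholder values.

```python
import re
from typing import Dict, List, Optional

# Field layout inferred from the sample lines in the thread:
#   <Mon DD HH:MM:SS> <host> bash <user>[<pid>] <src_ip> <src_port> <dst_ip> <dst_port>: <command>
# ($SSH_CONNECTION expands to "client_ip client_port server_ip server_port".)
BASH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) bash "
    r"(?P<user>[^\s\[]+)\[(?P<pid>\d+)\] "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+): "
    r"(?P<command>.*)$"
)
INT_FIELDS = ("pid", "src_port", "dst_port")

def parse_bash_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line in the format above into a field dict; None for any other line."""
    m = BASH_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    for k in INT_FIELDS:
        fields[k] = int(fields[k])
    return fields

# Hypothetical watch list (rule name, pattern over the command text); the two
# patterns are modelled on the commands shown in the thread's own samples.
WATCH_RULES = [
    ("private-key-archived", re.compile(r"\btar\b.*\.pem\b")),
    ("traceroute-run", re.compile(r"^traceroute\b")),
]

def alerts_for(line: str) -> List[str]:
    """Names of watch-list rules the command in this line matches (empty if none)."""
    ev = parse_bash_line(line)
    if ev is None:
        return []
    return [name for name, pat in WATCH_RULES if pat.search(ev["command"])]

# Constructed sample input modelled on the thread (hostnames and IPs are placeholders).
SAMPLE_LINES = [
    "Jan 27 15:29:54 host1 bash root[25411] 192.0.2.10 4635 198.51.100.5 22: cd jskains",
    "Jan 27 15:33:46 host1 bash root[25411] 192.0.2.10 4635 198.51.100.5 22: tar -cvf chef-dev.tar *.pem",
    "Jan 28 10:47:48 host1 bash root[25510] 192.0.2.10 40348 198.51.100.5 22: traceroute bing.com",
    "Jan 28 10:48:00 host1 sshd[900]: Accepted publickey for root",  # unrelated line, must not parse
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_bash_line(line)
        print("skip" if ev is None else f"{ev['ts']} {ev['host']} {ev['user']} {ev['src_ip']}: {ev['command']!r}", alerts_for(line))
```

The field split this regex performs is the same one the bash-activity decoder's <regex> has to express, in OSSEC's own regex syntax, once the parent decoder matches; the unrelated sshd line shows why the parent match matters, since it must reject lines that are not from the logger tag.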
