Ok, so this is where I am now:

<!-- bash commands -->
  <decoder name="bash">
    <prematch>^bash</prematch>
  </decoder>

  <decoder name="bash-command">
    <parent>bash</parent>
    <regex offset="after_parent">^(\w+)\[\d+] .*: (.*)$</regex>
    <order>user, action</order>
  </decoder>

but I'm getting "2014/01/31 16:28:46 ossec-analysisd(1450): ERROR: Syntax 
error on regex: '^(\w+)\[\d+] .*: (.*)$': 6." in ossec-logtest.

I was trying to get the pre-decoder to pick up on 'bash' but then I saw the 
decoder was recognizing "decoder: 'bash'" so I'll run with that.
The pre-decoder is also picking up the hostname, so I don't need to get 
that from the decoder, right?  Assuming that, the word "bash" in the log 
file is just arbitrary, something I put there in the bashrc command so I 
could grep for it.  So using the offset, I'm saying to ignore everything 
before and up to 'bash'.  From there, get the first word, but ignore the 
bracket, numbers, bracket that immediately follow.  From there, ignore 
everything up until the ':', then capture everything after it as 'action'.

Or...that's what I'm trying to do.  Where am I going wrong?

Clearly my regex is poor, but I can tell it's improved even just today.  
And I know if you don't use it, you'll lose it.  Since I'm doing the OSSEC 
administration, I might be using it for a while.  :)

Thank you again in advance, 

Sean


On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
>
> Hello all,
>
> I’m tracking bash commands through syslogging and the logs look like this:
>
> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION 
> INFO]: [THE BASH COMMAND]
>
> The command to save these logs is:
> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p 
> local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>
>
> The logs are saved thusly (hostnames and IPs edited):
> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd 
> jskains
> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar 
> -cvf chef-dev.tar *.pem
> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: 
> traceroute bing.com
>
> Here’s what I’m doing right now, and my mind is telling me that I’m going 
> down the wrong path.  
>
>   <decoder name="bash">
>
>     <program_name>^bash</program_name>
>
>   </decoder>
>
>  
>
>   <decoder name="bash-activity">
>
>     <parent>bash</parent>
>
>     <regex>???</regex>
>
>   </decoder>
>
>
>
> Can anyone help me figure out how to get OSSEC watching these logs so I 
> can then create alerts if I see certain commands executed?  I want to know 
> the time, the host, the user, the ssh connection info, and then the command.
>
>
> Thank you in advance (and likely afterwards)!
>
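Editor's added example, not part of Sean's message or of the OSSEC project's own decoder set: a decoder pair and two rules for the lines above, written in OSSEC's own regex dialect (os_regex), which is not PCRE. Two documented differences account for the "Syntax error on regex" from ossec-logtest: a backslash may only precede the escapes OSSEC defines (`\w`, `\d`, `\s`, `\p`, `\.`, `\(`, `\)` and a few others), so `\[` is rejected and `[` is written bare; and `.` is a literal dot while `\.` is the any-character wildcard, so "rest of the line" is `\.+`, not `.*`. The regex is deliberately unanchored and has no `offset`, on the assumption that the syslog pre-decoder takes `bash` as the program name and leaves `root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains` in the log body. Rule ids 100100 and 100101 are arbitrary picks from the user-defined range, and the `.pem` pattern is just one illustrative command to alert on.

```xml
<!-- Added example (not from the thread). Decoders go in your decoder file,
     rules in local_rules.xml. -->
<decoder name="bash">
  <program_name>^bash</program_name>
</decoder>

<decoder name="bash-command">
  <parent>bash</parent>
  <!-- os_regex dialect: "[" and "]" are plain characters, "." is a literal
       dot (the usual OSSEC IP pattern), "\." is the any-character wildcard.
       Unanchored on purpose: assumes the user[pid] part survives
       pre-decoding, wherever it sits in the log body. -->
  <regex>(\w+)[\d+] (\d+.\d+.\d+.\d+) (\d+) \S+ \d+: (\.+)$</regex>
  <order>user, srcip, srcport, action</order>
</decoder>

<!-- Rule ids are arbitrary picks from the 100000-109999 user range. -->
<group name="bash,local,">
  <rule id="100100" level="3">
    <decoded_as>bash</decoded_as>
    <description>Interactive bash command recorded via syslog.</description>
  </rule>

  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <!-- <match> is a plain string match, so the dot is literal here -->
    <match>.pem</match>
    <description>Bash command referenced a .pem file (possible key material access).</description>
  </rule>
</group>
```

To check it, paste one of the sample lines (for instance the `tar -cvf chef-dev.tar *.pem` one) into ossec-logtest: the output should show decoder 'bash-command' with the user, srcip, srcport and action fields populated and rule 100101 firing. If the pre-decoder instead cut the syslog tag at the `[`, the user and pid will be missing from the log body and the regex has to start at the source IP rather than at `(\w+)[\d+]`.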
