On Fri, Jan 31, 2014 at 6:35 PM, Sean Jackson <[email protected]> wrote:
> Ok, so this is where I am now:
>
> <!-- bash commands -->
>
> <decoder name="bash">
>   <prematch>^bash</prematch>
> </decoder>
>
> <decoder name="bash-command">
>   <parent>bash</parent>
>   <regex offset="after_parent">^(\w+)\[\d+] .*: (.*)$</regex>
>   <order>user, action</order>
> </decoder>
>
> but I'm getting "2014/01/31 16:28:46 ossec-analysisd(1450): ERROR: Syntax
> error on regex: '^(\w+)\[\d+] .*: (.*)$': 6." in ossec-logtest.
>
That looks like pcre, not really OSSEC's regex.

> I was trying to get the pre-decoder to pick up on 'bash' but then I saw the
> decoder was recognizing "decoder: 'bash'" so I'll run with that.
> The pre-decoder is also picking up the hostname, so I don't need to get that
> from the decoder, right? Assuming that, the word "bash" in the log file is
> just arbitrary, something I put there in the bashrc command so I could grep
> for it. So using the offset, I'm saying to ignore everything before- and up
> to- 'bash'. From there, get the first word, but ignore the bracket, numbers,
> bracket that immediately follow. From there, ignore everything up until the
> ':'. Then capture everything after it, as 'action'.
>
> Or...that's what I'm trying to do. Where am I going wrong?
>
> Clearly my regex is poor, but I can tell it's improved even just today. And
> I know if you don't use it, you'll lose it. Since I'm doing the OSSEC
> administration, I might be using it for a while. :)
>
> Thank you again in advance,
>
> Sean
>
>
> On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
>>
>> Hello all,
>>
>> I'm tracking bash commands through syslogging and the logs look like this:
>>
>> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>>
>> The command to save these logs is:
>> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>>
>> The logs are saved thusly (hostnames and IPs edited):
>> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
>> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
>> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>>
>> Here's what I'm doing right now, and my mind is telling me that I'm going
>> down the wrong path.
>>
>> <decoder name="bash">
>>   <program_name>^bash</program_name>
>> </decoder>
>>
>> <decoder name="bash-activity">
>>   <parent>bash</parent>
>>   <regex>???</regex>
>> </decoder>
>>
>> Can anyone help me figure out how to get OSSEC watching these logs so I
>> can then create alerts if I see certain commands executed? I want to know
>> the time, the host, the user, the ssh connection info, and then the command.
>>
>> Thank you in advance (and likely afterwards)!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
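As an added reference (not from the thread and not an OSSEC decoder), the script below uses Python's `re` engine, which is PCRE-like, i.e. the dialect the reply says OSSEC's regex is not, to show the field layout of these syslog lines and a watch-list check of the kind the original poster wants alerts for. The sample lines, host names, IPs and watch list are constructed.

```python
import re
from dataclasses import dataclass

# Layout of one line produced by the PROMPT_COMMAND from the thread:
#   <syslog ts> <host> bash <user>[<pid>] <src ip> <src port> <dst ip> <dst port>: <command>
# The four $SSH_CONNECTION fields are pinned between the pid bracket and the ": ",
# so a command that itself contains ":" still parses correctly.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) bash (?P<user>\w+)\[(?P<pid>\d+)\] "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+): "
    r"(?P<command>.*)$"
)

@dataclass
class BashEvent:
    ts: str
    host: str
    user: str
    pid: int
    ssh_connection: str  # "src_ip src_port dst_ip dst_port", as in $SSH_CONNECTION
    command: str

def decode(line: str):
    """Return a BashEvent for a line in the expected layout, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    g = m.groupdict()
    conn = " ".join((g["src_ip"], g["src_port"], g["dst_ip"], g["dst_port"]))
    return BashEvent(g["ts"], g["host"], g["user"], int(g["pid"]), conn, g["command"])

def watched(event: BashEvent, programs: frozenset) -> bool:
    """True when the first word of the executed command is on the watch list."""
    words = event.command.split(None, 1)
    return bool(words) and words[0] in programs

# Constructed sample lines in the thread's format (hosts and IPs are placeholders).
SAMPLE = [
    "Jan 27 15:29:54 host1 bash root[25411] 192.0.2.10 4635 192.0.2.20 22: cd jskains",
    "Jan 27 15:33:46 host1 bash root[25411] 192.0.2.10 4635 192.0.2.20 22: tar -cvf chef-dev.tar *.pem",
    "Jan 28 10:47:48 host1 bash root[25510] 192.0.2.10 40348 192.0.2.20 22: echo a:b",
    "Jan 28 10:48:00 host1 sshd[1]: Accepted publickey for root",  # not a bash line
]

if __name__ == "__main__":
    for line in SAMPLE:
        ev = decode(line)
        flag = "ALERT" if ev and watched(ev, frozenset({"tar", "traceroute"})) else ""
        print(ev, flag)
```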
