So confusing. I'm doing exactly as you are. I dropped the logs into a file. I *copied and pasted* your decoders. I ran the same command.
I'm getting the same response I posted earlier. I'll continue beating my head against it, but if you have any ideas, I'd enjoy some enlightenment.

On Monday, February 3, 2014 9:40:07 AM UTC-7, dan (ddpbsd) wrote:
>
> On Mon, Feb 3, 2014 at 11:25 AM, dan (ddp) <[email protected]> wrote:
> > On Mon, Feb 3, 2014 at 10:58 AM, Sean Jackson <[email protected]> wrote:
> >> Hope everyone had a good weekend.
> >>
> >> I'm wondering if ossec is actually parsing the regex now. Here's what I have in decoder.xml:
> >>
> >> <decoder name="bash">
> >>   <prematch>^bash</prematch>
> >> </decoder>
> >>
> >> <decoder name="bash-command">
> >>   <parent>bash</parent>
> >>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
> >>   <order>user, extra_data, action</order>
> >> </decoder>
> >>
> >> Here are the logs I'm running through logtest (just found out I don't need to restart ossec-control to do that, just save decoder.xml):
> >>
> >> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
> >> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
> >> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
> >> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
> >>
> >> And then this is what I see in ossec-logtest:
> >>
> >> Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
> >>        hostname: 'clu'
> >>        program_name: '(null)'
> >>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'bash'
> >>
> >> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
> >>        hostname: 'clu'
> >>        program_name: '(null)'
> >>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'bash'
> >>
> >> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
> >>        hostname: 'clu'
> >>        program_name: '(null)'
> >>        log: 'bash update-users[12773] : cat known_hosts'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'bash'
> >>
> >> Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
> >>        hostname: 'clu'
> >>        program_name: '(null)'
> >>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'bash'
> >>
> >> Am I correct that the regex isn't being parsed at all?
> >>
> >
> > Probably not. It's probably being parsed, just not matching for some reason.
> >
>
> What follows will be the log samples I used, the output of ossec-logtest, and then the decoders in local_decoder.xml:
>
> # cat /tmp/logsamples
> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>
> # cat /tmp/logsamples | /var/ossec/ossec-hybrid/bin/ossec-logtest 2>&1 | more
> 2014/02/03 11:39:32 ossec-testrule: INFO: Reading local decoder file.
> 2014/02/03 11:39:32 ossec-testrule: INFO: Started (pid: 14749).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>        srcuser: 'sjackson'
>        extra_data: '10.207.50.143 40313 10.207.53.15'
>        extra_data: 'vim /etc/sysconfig/iptables-config'
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>        srcuser: 'root'
>        extra_data: '64.55.86.101 15374 10.7.20.28'
>        extra_data: 'ssh aws-control1'
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash update-users[12773] : cat known_hosts'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>        hostname: 'clu'
>        program_name: '(null)'
>        log: 'bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>
> **Phase 2: Completed decoding.
>        decoder: 'bash'
>        srcuser: 'jtanner'
>        extra_data: '10.207.50.143 40313 10.207.53.15'
>        extra_data: 'service iptables stop'
>
> <decoder name="bash">
>   <prematch>^bash </prematch>
> </decoder>
>
> <decoder name="bash2">
>   <parent>bash</parent>
>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>   <order>srcuser,extra_data, extra_data</order>
> </decoder>
>
> >> --Sean
> >>
> >> On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote:
> >>>
> >>> Hello all,
> >>>
> >>> I'm tracking bash commands through syslogging and the logs look like this:
> >>>
> >>> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
> >>>
> >>> The command to save these logs is:
> >>> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
> >>>
> >>> The logs are saved thusly (hostnames and IPs edited):
> >>> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
> >>> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
> >>> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
> >>>
> >>> Here's what I'm doing right now, and my mind is telling me that I'm going down the wrong path.
> >>>
> >>> <decoder name="bash">
> >>>   <program_name>^bash</program_name>
> >>> </decoder>
> >>>
> >>> <decoder name="bash-activity">
> >>>   <parent>bash</parent>
> >>>   <regex>???</regex>
> >>> </decoder>
> >>>
> >>> Can anyone help me figure out how to get OSSEC watching these logs so I can then create alerts if I see certain commands executed? I want to know the time, the host, the user, the ssh connection info, and then the command.
> >>>
> >>> Thank you in advance (and likely afterwards)!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
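The decoder behaviour the thread is arguing about, reproduced offline as an added example. This is not code from the thread and not OSSEC's own code: it uses Python's regex engine to emulate what the two decoders do, so ossec-logtest remains the authority for the real engine. The thread's child regex `^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$` is translated into Python syntax (in OSSEC's dialect `[` and `]` are literal and `\.` means any character), `offset="after_parent"` is modelled as "anchor the child regex at the first character after the text the parent's prematch consumed", and the sample lines are constructed after the ones posted above. The field names, the fallback pattern for shells started without `$SSH_CONNECTION` (the `update-users` line, which the thread's regex leaves undecoded), and the watchlist of commands are my assumptions, not part of the page.

```python
import re

# Constructed sample lines, modelled on the ones posted in the thread. OSSEC's
# pre-decoder has already stripped the syslog timestamp and hostname, so these
# are the 'log:' values that ossec-logtest prints in Phase 1.
SAMPLE_LOGS = [
    "bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config",
    "bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1",
    "bash update-users[12773] : cat known_hosts",
    "bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop",
]

# The thread's child regex ^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$ translated from
# OSSEC's dialect (where [ and ] are literal and \. means any character) into
# Python's, with the $SSH_CONNECTION tuple split into its four parts. The group
# names are mine; OSSEC would map the groups onto its fixed field list instead.
SSH_SESSION = re.compile(
    r"^(?P<user>\S+)\[(?P<pid>\d+)\] "
    r"(?P<srcip>\S+) (?P<srcport>\d+) (?P<dstip>\S+) (?P<dstport>\d+): "
    r"(?P<command>.+)$"
)
# Assumed fallback (not from the thread) for shells started without
# $SSH_CONNECTION, e.g. the update-users line, where the tag ends in "user[pid] ".
NO_SESSION = re.compile(r"^(?P<user>\S+)\[(?P<pid>\d+)\] : (?P<command>.+)$")
DEFAULT_PATTERNS = (SSH_SESSION, NO_SESSION)


def decode(log, prematch, patterns=DEFAULT_PATTERNS):
    """Emulate a parent decoder's <prematch> plus a child <regex offset="after_parent">.

    The child regex is anchored at the first character after the text the
    prematch consumed, so the prematch's trailing space (or lack of it) decides
    whether ^(\\S+) sees 'sjackson[...]' or ' sjackson[...]'.
    Returns a dict of fields, or None when no child pattern matches.
    """
    if not log.startswith(prematch):
        return None
    rest = log[len(prematch):]  # where offset="after_parent" starts
    for pattern in patterns:
        m = pattern.match(rest)
        if m:
            return m.groupdict()
    return None


def decode_all(logs, prematch, patterns=DEFAULT_PATTERNS):
    """Decode every line; None stands for 'parent matched, child did not'."""
    return [decode(line, prematch, patterns) for line in logs]


def watched_commands(logs, prematch, watchlist, patterns=DEFAULT_PATTERNS):
    """Toy rule layer: (user, command) for each decoded command that equals, or
    starts with, an entry of the assumed watchlist of sensitive commands."""
    hits = []
    for fields in decode_all(logs, prematch, patterns):
        if fields is None:
            continue
        cmd = fields["command"]
        if any(cmd == w or cmd.startswith(w + " ") for w in watchlist):
            hits.append((fields["user"], cmd))
    return hits


if __name__ == "__main__":
    watch = ["service iptables stop", "iptables -F", "vim /etc/sysconfig/iptables-config"]
    for prematch in ("bash", "bash "):  # the two prematch strings seen in the thread
        decoded = decode_all(SAMPLE_LOGS, prematch)
        print(f"prematch {prematch!r}: {sum(f is not None for f in decoded)}/{len(SAMPLE_LOGS)} lines decoded")
    for user, cmd in watched_commands(SAMPLE_LOGS, "bash ", watch):
        print(f"ALERT user={user} command={cmd!r}")
```

Run as a script, the two prematch strings from the thread decode 0 and 4 of the 4 constructed lines respectively: in this emulation `^bash` (no trailing space) leaves the separating space in front of `^(\S+)`, which cannot match a space, while `^bash ` consumes it. Calling `decode(line, "bash ", patterns=(SSH_SESSION,))` reproduces the 3-of-4 result dan's logtest run shows, since the `update-users` line has no connection tuple for the middle group to match. To check the real engine, put the decoders in local_decoder.xml and pipe the sample file through ossec-logtest exactly as dan does above.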
