Wonder of wonders, etc.

I caught that you had a space after the ^bash in the first decoder.  I 
added it.  Huzzah, it works.

Thank you Dan.  Thank you very much.

--Sean


On Monday, February 3, 2014 10:25:33 AM UTC-7, Sean Jackson wrote:
>
> So confusing.  I'm doing exactly as you are.  I dropped the logs into a 
> file.  I *copied and pasted* your decoders.  I ran the same command.
>
> I'm getting the same response I posed earlier.
>
> I'll continue beating my head against it, but if you have any ideas, I'd 
> enjoy some enlightenment.
>
>
> On Monday, February 3, 2014 9:40:07 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 3, 2014 at 11:25 AM, dan (ddp) <[email protected]> wrote: 
>> > On Mon, Feb 3, 2014 at 10:58 AM, Sean Jackson <[email protected]> wrote:
>> >> Hope everyone had a good weekend. 
>> >> 
>> >> I'm wondering if ossec is actually parsing the regex now.  Here's what I have in decoder.xml:
>> >> 
>> >> 
>> >> <decoder name="bash">
>> >>   <prematch>^bash</prematch>
>> >> </decoder>
>> >>
>> >> <decoder name="bash-command">
>> >>   <parent>bash</parent>
>> >>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>> >>   <order>user, extra_data, action</order>
>> >> </decoder>
>> >> 
>> >> Here are the logs I'm running through logtest (just found out I don't need to restart ossec-control to do that, just save decoder.xml):
>> >> 
>> >> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>> >> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>> >> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>> >> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>> >> 
>> >> 
>> >> And then this is what I see in ossec-logtest: 
>> >> 
>> >> 
>> >> Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: 'Jan 29 17:07:41 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>> >>        hostname: 'clu'
>> >>        program_name: '(null)'
>> >>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'bash'
>> >>
>> >> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>> >>        hostname: 'clu'
>> >>        program_name: '(null)'
>> >>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'bash'
>> >>
>> >> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>> >>        hostname: 'clu'
>> >>        program_name: '(null)'
>> >>        log: 'bash update-users[12773] : cat known_hosts'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'bash'
>> >>
>> >> Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>> >>
>> >> **Phase 1: Completed pre-decoding.
>> >>        full event: 'Jan 29 17:03:26 clu bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>> >>        hostname: 'clu'
>> >>        program_name: '(null)'
>> >>        log: 'bash root[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>> >>
>> >> **Phase 2: Completed decoding.
>> >>        decoder: 'bash'
>> >> 
>> >> 
>> >> Am I correct that the regex isn't being parsed at all? 
>> >> 
>> > 
>> > Probably not. It's probably being parsed, just not matching for some reason.
>> > 
>>
>> What follows will be the log samples I used, the output of 
>> ossec-logtest, and then the decoders in local_decoder.xml: 
>>
>> # cat /tmp/logsamples 
>> Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config
>> Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1
>> Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts
>> Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop
>>
>> # cat /tmp/logsamples | /var/ossec/ossec-hybrid/bin/ossec-logtest 2>&1 | more
>> 2014/02/03 11:39:32 ossec-testrule: INFO: Reading local decoder file. 
>> 2014/02/03 11:39:32 ossec-testrule: INFO: Started (pid: 14749). 
>> ossec-testrule: Type one log per line. 
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:07:41 clu bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config'
>>
>> **Phase 2: Completed decoding. 
>>        decoder: 'bash' 
>>        srcuser: 'sjackson' 
>>        extra_data: '10.207.50.143 40313 10.207.53.15' 
>>        extra_data: 'vim /etc/sysconfig/iptables-config' 
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:10:56 clu bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash root[13365] 64.55.86.101 15374 10.7.20.28 22: ssh aws-control1'
>>
>> **Phase 2: Completed decoding. 
>>        decoder: 'bash' 
>>        srcuser: 'root' 
>>        extra_data: '64.55.86.101 15374 10.7.20.28' 
>>        extra_data: 'ssh aws-control1' 
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:04:14 clu bash update-users[12773] : cat known_hosts'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash update-users[12773] : cat known_hosts'
>>
>> **Phase 2: Completed decoding. 
>>        decoder: 'bash' 
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 29 17:03:26 clu bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>        hostname: 'clu'
>>        program_name: '(null)'
>>        log: 'bash jtanner[11132] 10.207.50.143 40313 10.207.53.15 22: service iptables stop'
>>
>> **Phase 2: Completed decoding. 
>>        decoder: 'bash' 
>>        srcuser: 'jtanner' 
>>        extra_data: '10.207.50.143 40313 10.207.53.15' 
>>        extra_data: 'service iptables stop' 
>>
>>
>> <decoder name="bash">
>>   <prematch>^bash </prematch>
>> </decoder>
>>
>> <decoder name="bash2">
>>   <parent>bash</parent>
>>   <regex offset="after_parent">^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$</regex>
>>   <order>srcuser, extra_data, extra_data</order>
>> </decoder>
>>
>>
>> > 
>> >> --Sean 
>> >> 
>> >> 
>> >> 
>> >> 
>> >> 
>> >> On Tuesday, January 28, 2014 1:57:21 PM UTC-7, Sean Jackson wrote: 
>> >>> 
>> >>> Hello all, 
>> >>> 
>> >>> I'm tracking bash commands through syslogging and the logs look like this:
>> >>> 
>> >>> Jan 27 15:33:46 [HOSTNAME] bash [USERNAME] [SESSION ID] [SSH CONNECTION INFO]: [THE BASH COMMAND]
>> >>> 
>> >>> The command to save these logs is:
>> >>> PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.debug -t "bash $USER[$$] $SSH_CONNECTION")'
>> >>> 
>> >>> 
>> >>> The logs are saved thusly (hostnames and IPs edited):
>> >>> Jan 27 15:29:54 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: cd jskains
>> >>> Jan 27 15:33:46 XXX bash root[25411] 64.55.41.120 4635 XX.XX.XX.XX 22: tar -cvf chef-dev.tar *.pem
>> >>> Jan 28 10:47:48 XXX bash root[25510] 64.55.41.120 40348 XX.XX.XX.XX 22: traceroute bing.com
>> >>> 
>> >>> Here's what I'm doing right now, and my mind is telling me that I'm going down the wrong path.
>> >>> 
>> >>>   <decoder name="bash">
>> >>>     <program_name>^bash</program_name>
>> >>>   </decoder>
>> >>>
>> >>>   <decoder name="bash-activity">
>> >>>     <parent>bash</parent>
>> >>>     <regex>???</regex>
>> >>>   </decoder>
>> >>> 
>> >>> 
>> >>> 
>> >>> Can anyone help me figure out how to get OSSEC watching these logs so I can then create alerts if I see certain commands executed?  I want to know the time, the host, the user, the ssh connection info, and then the command.
>> >>> 
>> >>> 
>> >>> Thank you in advance (and likely afterwards)! 
>> >> 
>> >> -- 
>> >> 
>> >> --- 
>> >> You received this message because you are subscribed to the Google 
>> Groups 
>> >> "ossec-list" group. 
>> >> To unsubscribe from this group and stop receiving emails from it, send 
>> an 
>> >> email to [email protected]. 
>> >> For more options, visit https://groups.google.com/groups/opt_out. 
>>
>

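To see why the trailing space in dan's `<prematch>^bash </prematch>` is what made the child regex fire, here is an added Python model (not code from the thread or from OSSEC itself) of a parent prematch followed by a child `<regex offset="after_parent">`, run over the `log` values that ossec-logtest printed above. It assumes that OSSEC's `\S`, `\d` and `\.` tokens map to the Python equivalents shown and that `[` and `]` are literal characters in OSSEC's regex dialect.

```python
import re

# Added example, not code from the thread or from OSSEC: models the parent
# <prematch> plus child <regex offset="after_parent"> chain discussed above.
# Assumption: \S and \d keep their meaning, \. means "any character", and
# [ ] are literal (OSSEC's regex dialect has no bracket character classes).
CHILD_REGEX = r"^(\S+)[\d+] (\S+ \d+ \S+) \d+: (\.+)$"   # dan's bash2 regex
ORDER = ["srcuser", "extra_data", "extra_data"]            # dan's <order>

def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used above into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")             # \. = any character
            elif nxt in "SsDdWw":
                out.append("\\" + nxt)      # same meaning in both dialects
            else:
                out.append(re.escape(nxt))  # escaped literal, e.g. \( or \$
            i += 2
        else:
            out.append("\\" + ch if ch in "[]" else ch)  # literal brackets
            i += 1
    return "".join(out)

def decode(log, prematch):
    """Return the fields logtest would print for the pre-decoded 'log' field,
    or None when the parent prematch does not fire at all."""
    parent = re.match(ossec_to_python(prematch), log)
    if parent is None:
        return None
    fields = [("decoder", "bash")]
    # after_parent: the child regex starts exactly where the prematch ended,
    # so "^bash" leaves a leading space and ^(\S+) can never match there.
    child = re.match(ossec_to_python(CHILD_REGEX), log[parent.end():])
    if child is not None:
        fields += list(zip(ORDER, child.groups()))
    return fields

# 'log' values exactly as ossec-logtest printed them in the thread
LOG_SSH = "bash sjackson[11132] 10.207.50.143 40313 10.207.53.15 22: vim /etc/sysconfig/iptables-config"
LOG_LOCAL = "bash update-users[12773] : cat known_hosts"   # no $SSH_CONNECTION

if __name__ == "__main__":
    for pre in ("^bash", "^bash "):        # Sean's prematch vs. dan's
        print(repr(pre), decode(LOG_SSH, pre))
    print(decode(LOG_LOCAL, "^bash "))     # parent only, as logtest showed
```

The `update-users` line has no SSH connection fields, so only the parent decoder fires for it under either prematch, matching the `decoder: 'bash'`-only output in the thread.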