Hi,
I give you some examples with SSH logins. If you want an email when users
log out, in local_rules.xml overwrite the rule 5502 and add the option alert
by mail:
<group name="test,">
  <rule id="5502" level="3" overwrite="yes">
    <if_sid>5500</if_sid>
    <options>alert_by_email</options>
    <match>session closed for user </match>
    <description>Login session closed.</description>
    <group>pci_dss_10.2.5,</group>
  </rule>
</group>
Also, you should configure your email options:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html
If the session duration is not in a log, it is hard to know it. Anyway, you can
run some utility or program such as "*last* username" to get the session
duration. OSSEC allows running commands using local_file
<http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.localfile.html>.
Also, you could try to write the session duration in a log (with *logger*)
and create a decoder/rules for that.
I guess you could write a script to get the time between 2 alerts:
** Alert 1455888353.7570: - pam,syslog,authentication_success,pci_dss_10.2.5,
2016 Feb 19 13:25:53 LinMV->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Feb 19 13:25:52 LinMV sshd[1237]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1455888359.7841: - pam,syslog,pci_dss_10.2.5,
2016 Feb 19 13:25:59 LinMV->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Feb 19 13:25:59 LinMV sshd[1235]: pam_unix(sshd:session): session closed for user root
If you are using "ELK"
<http://wazuh-documentation.readthedocs.org/en/latest/ossec_elk.html>,
you can probably create a query to get the time.
I don't know how to do it exactly, but here you have some ideas ;).
Regards.
Jesus Linares.
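The "script to get the time between 2 alerts" suggested above, written as an added example (not code from the thread or from OSSEC): it parses alerts.log records in the format quoted above, pairs each rule 5501 "session opened" with the next rule 5502 "session closed" for the same host and user, and reports the duration. The sample alerts are constructed from the two quoted above; a close with no matching open is reported with a duration of None instead of being dropped.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the alerts.log format quoted above (one SSH session).
SAMPLE_ALERTS = """\
** Alert 1455888353.7570: - pam,syslog,authentication_success,pci_dss_10.2.5,
2016 Feb 19 13:25:53 LinMV->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Feb 19 13:25:52 LinMV sshd[1237]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1455888359.7841: - pam,syslog,pci_dss_10.2.5,
2016 Feb 19 13:25:59 LinMV->/var/log/auth.log
Rule: 5502 (level 3) -> 'Login session closed.'
Feb 19 13:25:59 LinMV sshd[1235]: pam_unix(sshd:session): session closed for user root
"""

TIME_RE = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+?)->")
RULE_RE = re.compile(r"^Rule: (5501|5502) ")
SESSION_RE = re.compile(r"session (opened|closed) for user (\S+)")

def parse_alerts(text):
    """Return (alert_time, host, event, user) for each rule 5501/5502 alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4 or not lines[0].startswith("** Alert "):
            continue  # not a complete alert record
        m_time, m_rule = TIME_RE.match(lines[1]), RULE_RE.match(lines[2])
        m_sess = SESSION_RE.search(" ".join(lines[3:]))  # log line may be wrapped
        if m_time and m_rule and m_sess:
            when = datetime.strptime(m_time.group(1), "%Y %b %d %H:%M:%S")
            alerts.append((when, m_time.group(2), m_sess.group(1), m_sess.group(2)))
    return alerts

def session_durations(alerts):
    """Pair each 'opened' with the next 'closed' for the same (host, user), FIFO,
    because the sshd PIDs differ between the two log lines. Returns tuples
    (host, user, opened_at, closed_at, seconds); seconds is None for an unmatched close."""
    pending, results = defaultdict(deque), []
    for when, host, event, user in sorted(alerts, key=lambda a: a[0]):
        if event == "opened":
            pending[host, user].append(when)
        elif pending[host, user]:
            opened = pending[host, user].popleft()
            results.append((host, user, opened, when, (when - opened).total_seconds()))
        else:
            results.append((host, user, None, when, None))
    return results
```

Feed it the contents of /var/ossec/logs/alerts/alerts.log (or the per-day archive) instead of SAMPLE_ALERTS; the timestamps used are the alert times, so the precision is one second.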
On Friday, February 19, 2016 at 10:09:03 AM UTC+1, Maxim Surdu wrote:
>
> Hi Jesus Linares
>
> I have Linux like CentOS, Ubuntu, and Windows Server
>
> If it is possible, alert me with all types of login.
>
> On Thursday, February 18, 2016, 13:04:15 UTC+2, Jesus Linares wrote:
>>
>> Hi Maxim,
>>
>> What is the OS of your agents?
>>
>> What kind of login do you want to alert on? ssh, ftp, normal login?
>>
>> Regards.
>>
>> On Thursday, February 18, 2016 at 10:14:32 AM UTC+1, Maxim Surdu wrote:
>>>
>>> Hi dear community,
>>>
>>> I installed and configured about 10 agents, and of course I have a lot of
>>> users. I have logs when they log in and log out. Can I create a rule to
>>> show me the length of time the user was logged in, and when they log out,
>>> have the rule send me mail?
>>>
>>> I appreciate your help, and a lot of respect for the developers and community!
>>>
>>