Thanks. Something like this with logtest, I take it:

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-logtest -a | grep -A 3 -B 3 "level 5"



On Thursday, 9 June 2016 17:30:19 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jun 9, 2016 at 12:11 PM, Tahir Hafiz <[email protected]> wrote:
> > Thanks for that Dan - very useful.
> >
> > What about output from the following stanza to be whitelisted: what
> > <if_group> should be used here in the local_rules.xml? Is the group to be
> > whitelisted called syslog, access_control or authentication_failed?
> >
>
> I think you can use either, but authentication_failed is probably more 
> precise. You should be able to test the theory with ossec-logtest 
> though. 
>
> > <group name="syslog,access_control,">
> >   <rule id="2501" level="5">
> >     <match>FAILED LOGIN |authentication failure|</match>
> >     <match>Authentication failed for|invalid password for|</match>
> >     <match>LOGIN FAILURE|auth failure: |authentication error|</match>
> >     <match>authinternal failed|Failed to authorize|</match>
> >     <match>Wrong password given for|login failed|Auth: Login incorrect</match>
> >     <group>authentication_failed,</group>
> >     <description>User authentication failure.</description>
> >   </rule>
> >
> > On Thursday, 9 June 2016 15:46:21 UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Jun 9, 2016 at 10:22 AM, Tahir Hafiz <[email protected]> wrote:
> >> > Dear All,
> >> >
> >> > I currently have a few rules which are very similar. How can I have
> >> > multiple matches with the same rule?
> >> >
> >> > <!-- Ignore System Audit of /tmp not being on its own partition -->
> >> >   <rule id="100007" level="0">
> >> >      <if_sid>510</if_sid>
> >> >      <match>Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.</match>
> >> >      <description>Ignore /tmp not being on its own partition</description>
> >> >      <group>rootcheck,</group>
> >> >   </rule>
> >> > 
> >> > 
> >> > <!-- Ignore System Audit of /opt not being on its own partition -->
> >> >   <rule id="100008" level="0">
> >> >     <if_sid>510</if_sid>
> >> >     <match>Robust partition scheme - /opt is not on its own partition.</match>
> >> >     <description>Ignore /opt not being on its own partition</description>
> >> >     <group>rootcheck,</group>
> >> >   </rule>
> >> > 
> >> > 
> >> > 
> >> > <!-- Ignore System Audit of /var not being on its own partition -->
> >> >   <rule id="100009" level="0">
> >> >     <if_sid>510</if_sid>
> >> >     <match>Robust partition scheme - /var is not on its own partition.</match>
> >> >     <description>Ignore /var not being on its own partition</description>
> >> >     <group>rootcheck,</group>
> >> >   </rule>
> >> > 
> >> > 
> >> > 
> >> > Is there a way to have multiple <match> lines ? 
> >> > Would something like this work: 
> >> > 
> >> > 
> >> >   <rule id="100007" level="0">
> >> >      <if_sid>510</if_sid>
> >> >      <regex>Robust partition scheme - \\\w\w\w is not on its own partition.</regex>
> >> >      <description>Ignore dirs on / not being on their own partition</description>
> >> >      <group>rootcheck,</group>
> >> >   </rule>
> >> > 
> >> > Basically, can I use <regex> matching instead of exact <match> ? 
> >> > 
> >> 
> >> You can break up matches with the "|" character.
> >> <match>thing 1|thing2|thing3</match> 
> >> 
> >> >
> >> > Thanks
> >> >
> > 
>

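As an added example (not code from the thread, from Dan, or from OSSEC itself), the script below collapses the three level-0 rootcheck rules into one rule using "|" alternatives, as Dan suggests, and checks it offline against constructed rootcheck messages. It models OSSEC <match> evaluation under a stated assumption: every <match> element of a rule is appended to one pattern string, "|" separates alternatives, "^" and "$" anchor an alternative, and each alternative is otherwise a plain substring test. The rule id, group name and sample messages are constructed; the real rule still belongs in local_rules.xml and should be confirmed with ossec-logtest.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the three level-0 rules joined into one.
LOCAL_RULES = """
<group name="local,">
  <rule id="100007" level="0">
    <if_sid>510</if_sid>
    <match>Robust partition scheme - /tmp is not on its own partition|</match>
    <match>Robust partition scheme - /opt is not on its own partition|</match>
    <match>Robust partition scheme - /var is not on its own partition</match>
    <description>Ignore /tmp, /opt and /var not being on their own partition</description>
    <group>rootcheck,</group>
  </rule>
</group>
"""

SAMPLES = {  # constructed rootcheck messages in the shape rule 510 fires on
    "tmp": "System Audit: CIS - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.",
    "var": "System Audit: CIS - Robust partition scheme - /var is not on its own partition. File: /etc/fstab.",
    "home": "System Audit: CIS - Robust partition scheme - /home is not on its own partition. File: /etc/fstab.",
}

def load_rules(xml_text):
    """Parse rules into {id: (level, if_sid, [alternatives])}. Assumption: OSSEC
    appends every <match> element to one pattern, then '|' splits alternatives."""
    rules = {}
    for rule in ET.fromstring(xml_text.strip()).iter("rule"):
        pattern = "".join(m.text or "" for m in rule.findall("match"))
        alts = [a for a in pattern.split("|") if a]  # trailing '|' leaves an empty alt
        rules[rule.get("id")] = (int(rule.get("level")), rule.findtext("if_sid"), alts)
    return rules

def alt_matches(alt, line):
    """One alternative: substring test; a leading '^' or trailing '$' anchors it."""
    body = alt.lstrip("^").rstrip("$")
    if alt.startswith("^") and alt.endswith("$"):
        return line == body
    if alt.startswith("^"):
        return line.startswith(body)
    if alt.endswith("$"):
        return line.endswith(body)
    return body in line

def child_level(rules, parent_sid, line):
    """Level of the first child of parent_sid that hits line; None if the parent's alert stands."""
    for level, if_sid, alts in rules.values():
        if if_sid == parent_sid and any(alt_matches(a, line) for a in alts):
            return level  # level 0 is how OSSEC silences the inherited alert
    return None
```

A result of 0 means the consolidated rule would suppress that rootcheck alert; None means rule 510 still alerts at its own level, which is the outcome to expect for any directory not listed in the pattern.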
-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.