Hi Dominik,

not sure if it was a typo up there or not, but the local decoder file should be /var/ossec/etc/local_decoder.xml. Also, watch the permissions and ownership!

Cheers,
Rob
On Thursday, July 7, 2016 at 8:19:12 AM UTC-5, Dominik wrote:
>
> Hi there,
> I've been using ossec for about half a year now and I'm very happy about
> it. Thanks for this great tool.
>
> I have a linux client on which I need to monitor all activities
> performed as root. My thought is to watch /root/.bash_history and create
> alerts on changes in the file.
>
> So I created a configuration to watch this file in the client's ossec.conf:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/root/.bash_history</location>
> </localfile>
>
> This works well and creates entries in the log archives of the
> ossec-server e.g.:
>
> 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top
>
> I also want to generate alerts.
>
> If I understand correctly, the next steps will be to create a decoder
> and a rule. I tried with the following decoder in
> etc/decoder_local.xml
>
> <decoder name="bash_history">
>   <program_name>.bash_history</program_name>
> </decoder>
>
> and a rule in
> rules/local_rules.xml
>
> <rule id="105412" level="8">
>   <decoded_as>bash_history</decoded_as>
>   <description>Command run as root extracted from bash_history</description>
> </rule>
>
> This does not create alerts. Thus I used ossec-logtest to see if things go
> alright:
>
> bin/ossec-logtest -v
> 2016/07/07 14:40:56 ossec-testrule: INFO: Reading local decoder file.
> 2016/07/07 14:40:56 ossec-testrule: INFO: Started (pid: 4092).
> ossec-testrule: Type one log per line.
>
> 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
>        hostname: 'ossec-server'
>        program_name: '(null)'
>        log: '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Rule debugging:
>      Trying rule: 1 - Generic template for all syslog rules.
>      *Rule 1 matched.
>      *Trying child rules.
>      Trying rule: 5500 - Grouping of the pam_unix rules.
>      <and so on...>
>
> Obviously, the decoder I'm using is not working. Also pre-decoding does
> not extract information from this log entry.
>
> How do I advance to get alerts from the root activities extracted from
> bash_history?
>
> According to the log-archive, OSSEC knows the origin of the message
> (/root/.bash_history). Is this available to the decoder or to a rule?
>
> I'm also not sure this is the best approach to observe activities of the
> root user. Hints are welcome.
>
> Greetings
> Dominik
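A small Python model, added here and not from either poster or from OSSEC itself, of the two steps the ossec-logtest output above reports: splitting off the server's archive prefix (the `YYYY Mon DD HH:MM:SS (agent) ip->location` part shown in the thread) to recover the raw event the agent shipped, then a simplified syslog-style pre-decoding that fills hostname and program_name. It assumes the archive prefix layout seen in the post and a plain `Mon DD HH:MM:SS host prog[pid]: msg` header; the sshd line is constructed.

```python
import re

# Archive line layout as shown in the thread (prefix added by the OSSEC server):
#   YYYY Mon DD HH:MM:SS (agent) ip->location event
ARCHIVE_RE = re.compile(
    r'^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((?P<agent>[^)]+)\) '
    r'(?P<ip>\S+?)->(?P<location>\S+) (?P<event>.*)$'
)

# Simplified model of a syslog header: "Mon DD HH:MM:SS host prog[pid]: msg"
# (an assumption; OSSEC's real pre-decoder handles more variants than this)
SYSLOG_RE = re.compile(
    r'^\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) '
    r'(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$'
)


def split_archive_line(line):
    """Recover agent, ip, location and the raw event from an archive line."""
    m = ARCHIVE_RE.match(line)
    return m.groupdict() if m else None


def predecode(event):
    """Approximate Phase 1: hostname/program_name are filled only for
    syslog-shaped events; anything else keeps the whole line as 'log'."""
    m = SYSLOG_RE.match(event)
    if m:
        return m.groupdict()
    return {'hostname': None, 'program_name': None, 'log': event}


def program_name_decoder_matches(fields, pattern):
    """Approximate a <decoder> whose only condition is <program_name>."""
    name = fields['program_name']
    return name is not None and re.search(pattern, name) is not None


# Constructed sample data: the archive line from the post and a syslog line.
ARCHIVE_LINE = '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
SYSLOG_LINE = 'Jul  7 11:06:28 TheClient sshd[2231]: Accepted publickey for root from 10.0.0.5'

if __name__ == '__main__':
    parts = split_archive_line(ARCHIVE_LINE)
    print(parts)                                   # location and raw event 'top'
    print(predecode(parts['event']))               # program_name stays None
    print(program_name_decoder_matches(predecode(parts['event']), r'\.bash_history'))
    print(program_name_decoder_matches(predecode(SYSLOG_LINE), 'sshd'))
```

In this model a bare bash_history line such as `top` carries no syslog header, so program_name stays empty and a decoder keyed only on <program_name> has nothing to match, whichever file it lives in.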
