Hi Rob,

yes, this was a typo.

ls -l /var/ossec/etc/local_decoder.xml
-rw-r--r-- 1 root root 223 Jul 7 14:26 /var/ossec/etc/local_decoder.xml

Permissions should be OK - OSSEC complains about missing decoders if the file is absent.

Dominik

On Thursday, July 7, 2016 at 15:25:21 UTC+2, [email protected] wrote:
>
> Hi Dominik,
>
> not sure if it was a typo up there or not, but the local decoder file
> should be /var/ossec/etc/local_decoder.xml. Also, watch the permissions
> and ownership!
>
> Cheers,
> Rob
>
> On Thursday, July 7, 2016 at 8:19:12 AM UTC-5, Dominik wrote:
>>
>> Hi there,
>>
>> I've been using ossec for about half a year now and I'm very happy about
>> it. Thanks for this great tool.
>>
>> I have a linux client on which I need to monitor all activities
>> performed as root. My thought is to watch /root/.bash_history and create
>> alerts on changes in the file.
>>
>> So I created a configuration to watch this file in the client's ossec.conf:
>>
>> <localfile>
>>   <log_format>syslog</log_format>
>>   <location>/root/.bash_history</location>
>> </localfile>
>>
>> This works well and creates entries in the log archives of the
>> ossec-server, e.g.:
>>
>> 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top
>>
>> I also want to generate alerts.
>>
>> If I understand correctly, the next steps will be to create a decoder
>> and a rule. I tried with the following decoder in
>> etc/decoder_local.xml
>>
>> <decoder name="bash_history">
>>   <program_name>.bash_history</program_name>
>> </decoder>
>>
>> and a rule in
>> rules/local_rules.xml
>>
>> <rule id="105412" level="8">
>>   <decoded_as>bash_history</decoded_as>
>>   <description>Command run as root extracted from bash_history</description>
>> </rule>
>>
>> This does not create alerts. Thus I used ossec-logtest to see if things go
>> alright:
>>
>> bin/ossec-logtest -v
>> 2016/07/07 14:40:56 ossec-testrule: INFO: Reading local decoder file.
>> 2016/07/07 14:40:56 ossec-testrule: INFO: Started (pid: 4092).
>> ossec-testrule: Type one log per line.
>>
>> 2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
>>        hostname: 'ossec-server'
>>        program_name: '(null)'
>>        log: '2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top'
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> **Rule debugging:
>>     Trying rule: 1 - Generic template for all syslog rules.
>>        *Rule 1 matched.
>>        *Trying child rules.
>>     Trying rule: 5500 - Grouping of the pam_unix rules.
>>     <and so on...>
>>
>> Obviously, the decoder I'm using is not working. Also pre-decoding does
>> not extract information from this log entry.
>>
>> How do I advance to get alerts from the root activities extracted from
>> bash_history?
>>
>> According to the log-archive, OSSEC knows the origin of the message
>> (/root/.bash_history). Is this available to the decoder or to a rule?
>>
>> I'm also not sure this is the best approach to observe activities of the
>> root user. Hints are welcome.
>>
>> Greetings
>> Dominik
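As an added illustration (not code from this thread or from OSSEC itself), the Python below separates the archive line quoted above into the wrapper the server adds and the event the agent actually shipped, then pre-decodes that event the way the "syslog" log format does; the archive-line shape and the syslog header pattern are my assumptions, inferred from the quoted line and the classic syslog header. It shows why program_name comes back empty for a bare bash_history command and that the location field is what identifies the source.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Archive line shape, inferred from the line quoted in the thread (assumption):
#   "<YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location> <event as sent by the agent>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+?)->(?P<location>\S+) (?P<log>.*)$"
)

# Classic syslog header that a "syslog"-format event is pre-decoded against:
#   "Mon DD HH:MM:SS hostname program[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<message>.*)$"
)


@dataclass
class Event:
    location: str
    program_name: Optional[str]  # None corresponds to '(null)' in ossec-logtest
    log: str


def split_archive_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (location, original event) from an archive line, or None if it does not fit."""
    m = ARCHIVE_RE.match(line)
    if not m:
        return None
    return m.group("location"), m.group("log")


def predecode(location: str, log: str) -> Event:
    """Phase-1 style pre-decoding: program_name is only filled when a syslog header is present."""
    m = SYSLOG_RE.match(log)
    return Event(location, m.group("program") if m else None, log)


def is_root_shell_history(event: Event) -> bool:
    """The check a rule needs: the source file is carried in the location, not in program_name."""
    return event.location.endswith("/root/.bash_history")


# Constructed sample, copied from the archive line in the thread.
SAMPLE = "2016 Jul 07 11:06:28 (TheClient) xx.xx.71.109->/root/.bash_history top"

if __name__ == "__main__":
    loc, raw = split_archive_line(SAMPLE)
    print(predecode(loc, raw))  # program_name is None: "top" has no syslog header
```

Pasting the whole archive line into ossec-logtest tests the wrapper, not the event; feeding the bare event ("top") with its location reproduces what the server actually evaluates, and a rule keyed on the location (OSSEC rules accept a `<location>` match) is the natural way to act on it.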
