hi Michael, let me provide my quick feedback below:
> This is weird. I'm not a real experienced user, but I thought I was doing
> it right.
>
> All I'm doing is running a few simple rules to pull "interesting" events
> out and post them. I have one machine receiving all logs and writing them
> to a named pipe and a file in parallel (for debugging). These are really
> simple rules, like:
>
> ...
> type=Single
> ptype=regexp
> pattern=([\w\.,]+).+useradd.+new group: name=(.+?),
> desc=New group created: $2
> action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

This regular expression assumes that a new group is created with the useradd program, but the groupadd program appears in the example events. My guess is that the program name probably needs changing in the regular expression.

> type=Single
> ptype=regexp
> pattern=([\w\.,]+).+userdel.+delete user `(\w+)'
> desc=Account $2 deleted
> action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"
>
> type=Single
> ptype=regexp
> pattern=([\w\.,]+).+userdel.+removed group `(\w+)'
> desc=Group $2 deleted
> action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

In the above rules, the backtick symbol ` has been used in the regular expressions before the (\w+) capture group, but in the actual events there is an apostrophe symbol ' in that position. To make the regular expressions match the events, the backticks need to be replaced with apostrophes.
> When I do a test action on a workstation, the log entry shows up in the
> text file like this:
>
> Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/group: name=tcpdump, GID=72
> Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/gshadow: name=tcpdump
> Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| new group: name=tcpdump, GID=72
> Mar 9 14:56:23||seker||140.90.236.53||10,6||useradd|| new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
> Mar 9 14:56:23||seker||140.90.236.53||1,6||yum|| Installed: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
> Mar 9 14:56:41||seker||140.90.236.53||1,6||yum|| Erased: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
> Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| delete user 'tcpdump'
> Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed group 'tcpdump' owned by 'tcpdump'
> Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed shadow group 'tcpdump' owned by 'tcpdump'
>
> But no action is taken by SEC -- the "newalert.pl" script is never run.
> Nothing shows up in the SEC log with debugging at maximum. Yet when I grep
> my text file with the regexp I'm using for, for example, adding a user it
> totally matches. And sometimes, at seemingly random, it does actually work
> -- but mostly not. Am I missing something obvious here?
>

From the above events you have provided, the fourth one should actually match the first rule in the rule base. Do you see that particular match happening? (It worked for me when I tested the ruleset.) If there is no match, there is something else which needs fixing in the setup. In order to make troubleshooting easier, can you also provide the command line flags that have been given to SEC? Also, when you send the USR1 signal to the SEC process, does it report that it has the input file open and all rules loaded?
kind regards,
risto

> <MR>
> -----------------------------------
> Michael Raugh, BCH, CI, VCP5, LPIC, ITILv2011 Foundation
> NOAA/NESDIS-HQ Sr. Systems Engineer
> NIIS - Team ActioNet - NESDIS
> Office: 301-713-0519
> Contractor
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
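As an added illustration (not code from this thread or from SEC itself), the script below runs the three posted patterns, and the same patterns with the two fixes discussed above (groupadd instead of useradd in the first rule, apostrophes instead of backticks in the other two), against the events Michael posted. Python's re module stands in for SEC's Perl regex engine; for these particular patterns the syntax is identical. The sample events are copied from the thread with the yum lines omitted, and the expand_desc helper that substitutes $1/$2 is an assumption that mimics how SEC expands the desc field, not SEC's own code.

```python
import re

# Sample events, constructed from the "||"-delimited format shown in the thread
# (timestamp, host, IP, facility/priority, program, message). Numbered 1..7.
EVENTS = [
    "Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/group: name=tcpdump, GID=72",
    "Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/gshadow: name=tcpdump",
    "Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| new group: name=tcpdump, GID=72",
    "Mar 9 14:56:23||seker||140.90.236.53||10,6||useradd|| new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin",
    "Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| delete user 'tcpdump'",
    "Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed group 'tcpdump' owned by 'tcpdump'",
    "Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed shadow group 'tcpdump' owned by 'tcpdump'",
]

# The three rules exactly as posted: (pattern, desc). The shellcmd action
# plays no part in matching, so it is left out.
POSTED_RULES = [
    (r"([\w\.,]+).+useradd.+new group: name=(.+?),", "New group created: $2"),
    (r"([\w\.,]+).+userdel.+delete user `(\w+)'", "Account $2 deleted"),
    (r"([\w\.,]+).+userdel.+removed group `(\w+)'", "Group $2 deleted"),
]

# The same rules with the two fixes applied: program name groupadd in the
# first pattern, apostrophes instead of backticks in the other two.
FIXED_RULES = [
    (r"([\w\.,]+).+groupadd.+new group: name=(.+?),", "New group created: $2"),
    (r"([\w\.,]+).+userdel.+delete user '(\w+)'", "Account $2 deleted"),
    (r"([\w\.,]+).+userdel.+removed group '(\w+)'", "Group $2 deleted"),
]


def expand_desc(desc, match):
    """Substitute $1, $2, ... in a desc template with the regex capture groups.
    Assumed to behave like SEC's own desc expansion for these simple cases."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), desc)


def run_rules(rules, events):
    """Apply each rule to every event (unanchored search, as SEC does for
    ptype=regexp). Returns {desc_template: [(event_number, expanded_desc)]}."""
    hits = {}
    for pattern, desc in rules:
        regex = re.compile(pattern)
        hits[desc] = []
        for number, event in enumerate(events, start=1):
            match = regex.search(event)
            if match:
                hits[desc].append((number, expand_desc(desc, match)))
    return hits


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(f"== {label} rules ==")
        for desc, matches in run_rules(rules, EVENTS).items():
            print(f"  {desc!r}: {matches if matches else 'no match'}")
```

With the posted patterns none of the seven events fires any rule; with the fixed patterns event 3 fires the group-creation rule and events 5 and 6 fire the two userdel rules, while the "removed shadow group" event (7) is correctly left alone because "removed group" does not occur in it.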
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users