Risto,

Huh!  These rules were written years ago (this had been working for some
time, but then the server had a disk corruption and I had to set it up
again), but you're right about the backticks.  I never noticed that. 
'useradd' and 'new group' is actually okay, because it's looking for the
group creation in conjunction with a new user.  There should be (but
isn't) another rule to look for groupadd.

So ... my command line looks like this:

/usr/local/bin/sec --input=/var/log/sec --pid=/var/run/sec.pid --log=/var/log/sec.log --conf "/etc/sec/*.sec" --detach --debug=6

Since you found issues with my regexp, I decided to go through them all
again.  I don't think the syntax has changed since I first did these (in
2012), but maybe something in the interpreters did because they totally
failed.  They were coming up with a hostname of "Mar" for everything
(from the date at the beginning), and for a while they matched
everything, which was fun.  Ultimately I found that I had to escape the
'|' characters, which I didn't do on RHEL 7.  But the new server is RHEL
8, and changing every "||" to "\|\|" made all the difference.  Now the
rules are working as intended.

Thank you!

<MR>
-----------------------------------
Michael Raugh, BCH, CI, VCP5, LPIC, ITILv2011 Foundation
NOAA/NESDIS-HQ Sr. Systems Engineer
NIIS - Team ActioNet - NESDIS
Office:  301-713-0519
Contractor
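As an added illustration (not part of the thread, and not the poster's actual rule set), the script below mimics what a SEC Single rule with ptype=regexp does, using Python's re module (which behaves the same as Perl for the constructs involved) over constructed events in the "date||host||ip||facility,severity||program|| message" layout shown further down. It reproduces the two symptoms described above: with bare "||" in the pattern the regexp becomes a chain of alternatives, the first of which captures "Mar" from the timestamp and the empty ones match every line, while "\|\|" restores the intended match. It also runs the posted userdel rule with the backtick and with the apostrophe that the events actually contain. The host-anchoring pattern (host taken as the field right before the IP address) is an assumption for the example, not a rule from the thread.

```python
import re

# Constructed sample events in the "date||host||ip||facility,severity||program|| message"
# layout shown in the thread; not captured from a real system.
EVENTS = [
    "Mar  9 14:56:23||seker||140.90.236.53||10,6||groupadd|| new group: name=tcpdump, GID=72",
    "Mar  9 14:56:23||seker||140.90.236.53||10,6||useradd|| new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin",
    "Mar  9 14:56:57||seker||140.90.236.53||10,6||userdel|| delete user 'tcpdump'",
    "Mar  9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed group 'tcpdump' owned by 'tcpdump'",
]

# Hypothetical "new user" rule (an assumption, not one of the thread's rules): the host is
# taken as the field that sits right before the IP address field.  Written with bare "||"
# the regexp is really five alternatives:
#   ([\w\.,]+)   (empty)   [\d\.]+   (empty)   .+useradd.+new user: name=(.+?),
# The first alternative captures "Mar" at the start of every line and the empty
# alternatives match anywhere, so every event "matches" and $1 is always "Mar".
NEW_USER_UNESCAPED = r"([\w\.,]+)||[\d\.]+||.+useradd.+new user: name=(.+?),"
# With the pipes escaped, "\|\|" is the literal field separator again.
NEW_USER_ESCAPED = r"([\w\.,]+)\|\|[\d\.]+\|\|.+useradd.+new user: name=(.+?),"

# The userdel rule as posted in the thread (backtick before the user name) ...
USERDEL_POSTED = r"([\w\.,]+).+userdel.+delete user `(\w+)'"
# ... with the backtick replaced by the apostrophe the events actually contain
# (note that the unanchored $1 still lands on the month, not the host) ...
USERDEL_APOSTROPHE = r"([\w\.,]+).+userdel.+delete user '(\w+)'"
# ... and additionally anchored on the escaped separators so that $1 is the host.
USERDEL_ANCHORED = r"([\w\.,]+)\|\|[\d\.]+\|\|.+userdel.+delete user '(\w+)'"


def apply_rule(pattern, events):
    """Mimic a SEC Single rule with ptype=regexp over an event stream.

    Returns one ($1, $2) tuple per matching event, in stream order, so the caller
    can see both how many events fired the rule and what the captures were.
    """
    regex = re.compile(pattern)
    hits = []
    for event in events:
        m = regex.search(event)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def main():
    for label, pattern in [
        ("new user, || unescaped", NEW_USER_UNESCAPED),
        ("new user, || escaped", NEW_USER_ESCAPED),
        ("userdel, backtick as posted", USERDEL_POSTED),
        ("userdel, apostrophe", USERDEL_APOSTROPHE),
        ("userdel, apostrophe + anchored", USERDEL_ANCHORED),
    ]:
        hits = apply_rule(pattern, EVENTS)
        print(f"{label}: {len(hits)} of {len(EVENTS)} events matched -> {hits}")


if __name__ == "__main__":
    main()
```

Running it shows the unescaped rule firing on all four events with $1 = "Mar" and $2 empty, the escaped rule firing only on the "new user" event with $1 = "seker", the posted backtick rule never firing, and the apostrophe variants firing once on the "delete user" event. The same check can be done against a real rule file by feeding these lines to sec with --input pointing at a file and --debug=6, which is where a silently non-matching regexp first becomes visible.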



On Mon, Mar 9, 2020 at 4:29 PM Risto Vaarandi <risto.vaara...@gmail.com> wrote:

    hi Michael,

    let me provide my quick feedback below:

        This is weird.  I'm not a real experienced user, but I thought I
        was doing it right.

        All I'm doing is running a few simple rules to pull
        "interesting" events out and post them.  I have one machine
        receiving all logs and writing them to a named pipe and a file
        in parallel (for debugging).  These are really simple rules, like:


    ...

        type=Single
        ptype=regexp
        pattern=([\w\.,]+).+useradd.+new group: name=(.+?),
        desc=New group created: $2
        action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"


    This regular expression assumes that a new group is created with
    useradd program, but groupadd program appears in example events. My
    guess is that the program name probably needs changing in the
    regular expression.
     


        type=Single
        ptype=regexp
        pattern=([\w\.,]+).+userdel.+delete user `(\w+)'
        desc=Account $2 deleted
        action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

        type=Single
        ptype=regexp
        pattern=([\w\.,]+).+userdel.+removed group `(\w+)'
        desc=Group $2 deleted
        action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"


    In the above rules, the backtick symbol ` has been used in the regular
    expressions before the (\w+) capture group, but in the actual events there
    is an apostrophe symbol ' in that position. To make the regular
    expressions match the events, the backticks need to be replaced with
    apostrophes.


        When I do a test action on a workstation, the log entry shows up
        in the text file like this:
        Mar  9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/group: name=tcpdump, GID=72
        Mar  9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/gshadow: name=tcpdump
        Mar  9 14:56:23||seker||140.90.236.53||10,6||groupadd|| new group: name=tcpdump, GID=72
        Mar  9 14:56:23||seker||140.90.236.53||10,6||useradd|| new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
        Mar  9 14:56:23||seker||140.90.236.53||1,6||yum|| Installed: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
        Mar  9 14:56:41||seker||140.90.236.53||1,6||yum|| Erased: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
        Mar  9 14:56:57||seker||140.90.236.53||10,6||userdel|| delete user 'tcpdump'
        Mar  9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed group 'tcpdump' owned by 'tcpdump'
        Mar  9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed shadow group 'tcpdump' owned by 'tcpdump'

        But no action is taken by SEC -- the "newalert.pl" script is never
        run.  Nothing shows up in the SEC log with debugging at maximum.  Yet
        when I grep my text file with the regexp I'm using for, for example,
        adding a user, it totally matches.  And sometimes, seemingly at random,
        it does actually work -- but mostly not.  Am I missing something
        obvious here?


    From the above events you have provided, the fourth one should actually
    match the first rule in the rule base. Do you see that particular
    match happening? (It worked for me when I tested the ruleset.)
    If there is no match, there is something else which needs fixing in
    the setup. In order to make troubleshooting easier, can you also
    provide the command line flags that have been provided to SEC? Also,
    when you send the USR1 signal to the SEC process, does it report that it
    has the input file open and all rules loaded?

    kind regards,
    risto




        _______________________________________________
        Simple-evcorr-users mailing list
        Simple-evcorr-users@lists.sourceforge.net
        https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
