Skip to content

Instantly share code, notes, and snippets.

@jrossi

jrossi/gist:6481583

Created September 8, 2013 03:25
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save jrossi/6481583 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save jrossi/6481583 to your computer and use it in GitHub Desktop.
Download ZIP
NOt much but first variable decoder name works.
Raw
gistfile1.txt
dalek :: ossec-hids-main/src/analysisd % echo "Sep 7 23:19:59 dalek sudo: jrossi : TTY=pts/3 ; PWD=/home/jrossi/src/ossec-hids-main/src/analysisd ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log" | sudo ./ossec-logtest
2013/09/07 23:23:19 ossec-testrule: INFO: Reading local decoder file.
2013/09/07 23:23:19 ossec-testrule: INFO: Started (pid: 10105).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Sep 7 23:19:59 dalek sudo: jrossi : TTY=pts/3 ; PWD=/home/jrossi/src/ossec-hids-main/src/analysisd ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log'
hostname: 'dalek'
program_name: 'sudo'
log: ' jrossi : TTY=pts/3 ; PWD=/home/jrossi/src/ossec-hids-main/src/analysisd ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log'
**Phase 2: Completed decoding.
decoder: 'sudo'
dst.user: 'jrossi'
**Phase 3: Completed filtering (rules).
Rule id: '5403'
Level: '4'
Description: 'First time user executed sudo.'
**Alert to be generated.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment