reyjrar

<!-- Decoder to enable extracting data from the crontab command

      Aug 30 17:13:02 server.example.com crontab[1347]: (root) LIST (root)
      Aug 30 17:13:38 server.example.com crontab[2852]: (root) BEGIN EDIT (root)
      Aug 30 17:13:41 server.example.com crontab[2852]: (root) REPLACE (root)
      Aug 30 17:13:41 server.example.com crontab[2852]: (root) END EDIT (root)
      Aug 30 17:14:01 server.example.com crond[1756]: (root) RELOAD (/var/spool/cron/root)
      Aug 30 17:14:01 server.example.com CROND[4018]: (root) CMD (/usr/lib64/sa/sa1 1 1)
      Aug 30 17:14:06 server.example.com crontab[4030]: (root) LIST (root)
      Aug 30 17:15:01 server.example.com CROND[5818]: (root) CMD (/usr/lib64/sa/sa1 1 1)

reyjrar

<!-- AXFR Logs

06-Mar-2013 09:16:37.228 xfer-out: client 10.1.1.5#37937: view internal: transfer of 'example.com/IN': IXFR started
06-Mar-2013 09:16:37.228 xfer-out: client 10.1.1.5#37937: view internal: transfer of 'example.com/IN': IXFR ended
06-Mar-2013 09:18:26.971 xfer-out: client 10.1.6.3#35733: view internal: transfer of 'test.example.com/IN': AXFR-style IXFR started
06-Mar-2013 09:18:26.974 xfer-out: client 10.1.6.3#35733: view internal: transfer of 'test.example.com/IN': AXFR-style IXFR ended

-->

<decoder name="bind-axfr-start">

reyjrar

commit 47f1803471ec4c8f9c69c42680019bc002ef304b
Author: Brad Lhotsky <[email protected]>
Date:   Tue May 28 17:59:21 2013 +0200

    Active response was not passing the filename in file events, ie,
    syscheck.  The Eventinfo struct only included file data for builds with
    Prelude integration.  This prevented the AR from handing filename off
    anyways.
    * Eventinfo now contains file data always
    * Added *expect* option for 'filename'

reyjrar

/* Escape a set of characters */
char *os_shell_escape(const char *src) {
    // Maximum Length of the String is 2xthe current length
    char shell_escapes[] = { '\\', '"', '\'', ' ', '\t', ';', '`', '>', '<', '|', '#',
                            '*', '[', ']', '{', '}', '&', '$', '!', ':', '(', ')' };

    char *escaped_string;
    int length = 0;
    int i = 0;

reyjrar

{
    "template": "logstash-*",
    "settings" : {
        "index.number_of_shards" : 3,
        "index.number_of_replicas" : 1,
        "index.query.default_field" : "@message",
        "index.routing.allocation.total_shards_per_node" : 2,
        "index.auto_expand_replicas": false
    },
    "mappings": {

reyjrar

##################################################################
# /etc/elasticsearch/elasticsearch.yml
#
# Base configuration for a write heavy cluster
#

# Cluster / Node Basics
cluster.name: logng

# Node can have abritrary attributes we can use for routing

reyjrar

diff --git a/etc/decoder.xml b/etc/decoder.xml
index a7846ad..1087918 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -1841,6 +1841,7 @@
 </decoder>
 
 <!-- decoder for active responses as logged by an OSSEC agent or server
+
 - Examples

reyjrar

select
    srv.id,
    srv.ip,
    r.opcode,
    r.status,
    count(1) as queries,
    sum(count(1)) OVER (PARTITION BY r.server_id) as total

from packet_response r
     inner join server srv on r.server_id = srv.id

reyjrar

select
     CAST(regexp_replace( CAST( ip | inet '0.0.0.255' as TEXT), '255/32$', '0') || '/24' as inet) as network,
     regexp_replace( CAST( ip | inet '0.0.0.255' as TEXT), '255/32$', '0') as network_addr,
     count(1) as clients,
     to_char(min(first_ts), 'YYYY-MM-DD HH24:MI') as first_ts,
     to_char(max(last_ts), 'YYYY-MM-DD HH24:MI') as last_ts,
     bool_or(is_local) as is_local
from client
     group by ip | inet '0.0.0.255'

reyjrar

# Rsyslog Defaults
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /var/run/rsyslog  # Default Location for Work Files

# Modules
$ModLoad immark
$ModLoad imklog
$ModLoad imuxsock

# Local Logging