Atomic Secure Linux
 Post subject: Custom decoder not capturing parameter
Unread postPosted: Wed Dec 18, 2019 11:05 am 
Joined: Thu Nov 29, 2012 6:01 am
Posts: 4
Location: Italy
Hi everybody,

I was trying to create a custom decoder for logs generated by the audispd daemon.

Since those are very similar to the ones from the auditd daemon, with the addition of a "node" element at the beginning, I started by copying the existing decoder for auditd, and then I changed it from:

Code:
<decoder name="auditd">
  <prematch>^type=</prematch>
</decoder>


to:

Code:
<decoder name="audispd">
  <program_name>audispd</program_name>
  <prematch>^node=</prematch>
  <regex offset="after_prematch">^(\S+) type=</regex>
  <order>audit.node</order>
</decoder>


that is, I added an explicit program name reference, and tried to capture some parameter right in the first decoder definition.

The log test shows the decoder is recognized and correctly applied:

Code:
[root@ossec decoders.d]# /var/ossec/bin/ossec-logtest
2019/12/18 16:01:29 ossec-testrule: INFO: Started (pid: 9622).
ossec-testrule: Type one log per line.

Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed'


**Phase 1: Completed pre-decoding.
       full event: 'Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''
       timestamp: 'Dec 18 12:34:17'
       hostname: 'ossec'
       program_name: 'audispd'
       log: 'node=ossec.626suite-online.it type=USER_LOGIN msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=222.186.175.181 terminal=ssh res=failed''

**Phase 2: Completed decoding.
       decoder: 'audispd'
       audit.pid: '14030'
       audit.auid: '4294967295'
       audit.uid: '0'
       audit.session: '4294967295'
       audit.exe: '/usr/sbin/sshd'
       audit.srcip: '222.186.175.181'
       audit.res: 'failed''

**Phase 3: Completed filtering (rules).
       Rule id: '626001'
       Level: '0'
       Description: 'audispd: SSH authorization failed - ignored'


However, the audit.node parameter does not seem to be present at the end of phase 2... am I missing something?

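Added example (not part of the post above and not OSSEC's own code): a small Python emulation of the two decoding phases ossec-logtest prints, applied to the audispd line from the post. It implements the same steps the posted decoder declares, a `^node=` prematch, the `^(\S+) type=` regex run on the text after the prematch (offset="after_prematch") with its capture stored as audit.node, and then key=value extraction for the rest of the record, so the expected field set can be checked independently of the decoder engine. The syslog header regex, the key=value tokenizer and the output names (chosen to mirror the audit.srcip / audit.session names seen in the post's Phase 2 output) are assumptions of this example, not OSSEC's internals.

```python
import re

# Sample line, copied from the ossec-logtest session in the post above.
SAMPLE_LOG = (
    "Dec 18 12:34:17 ossec audispd: node=ossec.626suite-online.it type=USER_LOGIN "
    "msg=audit(1576668857.459:7026663): pid=14030 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=login acct=\"(unknown)\" exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=222.186.175.181 terminal=ssh res=failed'"
)

# Phase 1 equivalent (assumed syslog layout): split the header off the message body.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Phase 2 equivalent of the posted decoder:
#   <prematch>^node=</prematch>
#   <regex offset="after_prematch">^(\S+) type=</regex>
#   <order>audit.node</order>
PREMATCH = re.compile(r"^node=")
NODE_REGEX = re.compile(r"^(\S+) type=")

# key=value token: value is a single-quoted block, a double-quoted string, or a bare word.
KV_TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Output names: assumption, chosen to match the names in the post's Phase 2 output.
FIELD_NAMES = {"addr": "audit.srcip", "ses": "audit.session"}


def predecode(line):
    """Return the syslog header parts and the remaining log body, or None."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def parse_kv(text):
    """Flatten key=value pairs, descending into the nested msg='...' audit payload."""
    fields = {}
    for key, raw in KV_TOKEN.findall(text):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_kv(raw[1:-1]))  # nested quoted block: parse its pairs
        else:
            fields[key] = raw.strip('"')
    return fields


def decode_audispd(log):
    """Apply prematch, then the after_prematch regex, then key=value extraction."""
    pm = PREMATCH.match(log)
    if pm is None:
        return None  # decoder does not apply to this record
    rest = log[pm.end():]  # offset="after_prematch": regex sees the text after 'node='
    decoded = {}
    nm = NODE_REGEX.match(rest)
    if nm:
        decoded["audit.node"] = nm.group(1)
    for key, value in parse_kv(log).items():
        if key == "node":
            continue  # already captured by the regex above
        decoded[FIELD_NAMES.get(key, "audit." + key)] = value
    return decoded


def decode_line(line):
    """Full pipeline: pre-decode the syslog line, then decode the audispd body."""
    header = predecode(line)
    if header is None or header["program_name"] != "audispd":
        return None  # mirrors the <program_name>audispd</program_name> condition
    return decode_audispd(header["log"])


if __name__ == "__main__":
    for name, value in sorted(decode_line(SAMPLE_LOG).items()):
        print(f"{name}: '{value}'")
```

Running the block prints the field set the decoder is meant to yield for the sample line, audit.node included; comparing that list with the ossec-logtest Phase 2 output makes it easy to see exactly which captures the real decoder drops.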