ghantoos edited this page Oct 8, 2014 · 1 revision

Monitor Lshell Activities with Ossec

Problems

Notify system administrators when users enter something wrong at lshell's prompt.

Requirements

  • Ossec is installed and running well on your system
  • Lshell sends its logs to syslog, with 'lshell' as '''syslogname'''. For example, in '''/etc/lshell.conf''' you must use:
[global]
loglevel    : 2
logfilename : syslog
syslogname  : lshell

Ossec configurations

Local Decoder

Add the following lines to your local_decoder.xml

<decoder name="lshell">
  <program_name>^lshell</program_name>
</decoder>

<decoder name="lshell-status">
  <parent>lshell</parent>
  <prematch>^\w+: \w+: </prematch>
  <regex>^(\w+): (\w+): </regex>
  <order>user,status</order>
</decoder>

<decoder name="lshell-user-status">
  <parent>lshell</parent>
  <prematch>^\w+: \W+ \w+</prematch>
  <regex>^\w+: \W+ (\w+)</regex>
  <order>status</order>
</decoder>

Local rules

Add the following lines to your '''local_rules.xml'''. You may change the rule ids and levels to fit your purposes, but every rule id must be unique: Ossec rejects a rules file in which an id appears twice.

  <!-- =============================================================== -->
  <!-- Lshell monitoring -->
  <!-- =============================================================== -->

  <rule id="100040" level="0">
    <decoded_as>lshell</decoded_as>
    <description>lshell messages grouped</description>
  </rule>

  <rule id="100041" level="3">
    <if_sid>100040</if_sid>
    <match>Exited|Logged in</match>
    <description>lshell user logged in/out.</description>
  </rule>

  <rule id="100042" level="4">
    <if_sid>100040</if_sid>
    <status>^WARN</status>
    <description>lshell warning message.</description>
  </rule>

  <rule id="100043" level="7">
    <if_sid>100040</if_sid>
    <status>^ERROR</status>
    <description>lshell error message.</description>
  </rule>

  <rule id="100044" level="7">
    <if_sid>100040</if_sid>
    <status>forbidden</status>
    <description>User tried a forbidden command/syntax.</description>
  </rule>

Sample Lshell logs

Mar  1 08:33:18 staging-app-2 lshell[9750]: trung: Logged in
Mar  1 08:33:53 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history
Mar  1 08:33:57 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history
Mar  1 08:33:58 staging-app-2 lshell[9750]: trung: *** forbidden command -> "sleep 10"
Mar  1 08:34:22 staging-app-2 lshell[9750]: trung: Exited
Mar  1 08:34:22 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history
Mar  1 08:34:25 staging-app-2 lshell[9768]: trung: Logged in
Mar  1 08:34:32 staging-app-2 lshell[9768]: trung: *** forbidden syntax -> "lpath"
Mar  1 08:34:36 staging-app-2 lshell[9768]: trung: *** forbidden syntax -> "history"
Mar  1 09:18:34 staging-app-2 lshell[10155]: trung: Exited
Mar  1 09:18:41 staging-app-2 lshell[11225]: trung: Logged in
Mar  1 09:20:16 staging-app-2 lshell[11225]: trung: Exited
Mar  1 09:20:16 staging-app-2 lshell[11225]: trung: ERROR: Missing parameter
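Added example, not part of this wiki page and not code from lshell or Ossec: a small Python model of the decoders and local rules above, run over lines taken from the sample logs, so you can see which rule id and level each line should fire before loading the XML into a real Ossec installation. The Ossec regexes are translated to Python's re module, the `<group name="local,lshell,">` wrapper around the rules and the sshd line are assumptions/constructed, rule descriptions are omitted, and `find_duplicate_ids` is a lint check for the one mistake that stops Ossec from loading the file at all.

```python
import re
import xml.etree.ElementTree as ET

# Rules from this page (descriptions omitted), wrapped in the <group> element
# local_rules.xml expects; the group name is an assumption, not from the page.
RULES_XML = """<group name="local,lshell,">
  <rule id="100040" level="0"><decoded_as>lshell</decoded_as></rule>
  <rule id="100041" level="3"><if_sid>100040</if_sid><match>Exited|Logged in</match></rule>
  <rule id="100042" level="4"><if_sid>100040</if_sid><status>^WARN</status></rule>
  <rule id="100043" level="7"><if_sid>100040</if_sid><status>^ERROR</status></rule>
  <rule id="100044" level="7"><if_sid>100040</if_sid><status>forbidden</status></rule>
</group>"""

# BSD syslog line: "Mon  D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
                       r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# The two child decoders, translated from Ossec regex syntax to Python re
# (Ossec's \w also covers '-' and '@'; for these messages that changes nothing).
CHILD_DECODERS = [
    ("lshell-status", re.compile(r"^(\w+): (\w+): "), ("user", "status")),
    ("lshell-user-status", re.compile(r"^\w+: \W+ (\w+)"), ("status",)),
]


def decode(line):
    """Parent decoder (program_name ^lshell) plus its children; None for other programs."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("lshell"):
        return None
    for name, rx, order in CHILD_DECODERS:
        cm = rx.match(m.group("msg"))
        if cm:
            return name, dict(zip(order, cm.groups()))
    return "lshell", {}  # parent decoder only: no fields extracted


def sregex_match(pattern, text):
    """Ossec <match>/<status> semantics: '|' separates alternatives, a leading
    '^' anchors at the start, otherwise it is a plain substring test."""
    return any(text.startswith(alt[1:]) if alt.startswith("^") else alt in text
               for alt in pattern.split("|"))


def find_duplicate_ids(xml_text):
    """Lint check: Ossec rejects a rules file in which a rule id appears twice."""
    seen, dups = set(), []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rid = rule.get("id")
        if rid in seen and rid not in dups:
            dups.append(rid)
        seen.add(rid)
    return dups


def evaluate(line, xml_text=RULES_XML):
    """(rule_id, level) of the most specific rule the line fires, or None.
    Children (<if_sid>) are tried in file order; the first match wins, as in Ossec."""
    decoded = decode(line)
    if decoded is None:
        return None
    fields = decoded[1]
    msg = SYSLOG_RE.match(line).group("msg")
    rules = list(ET.fromstring(xml_text).iter("rule"))
    current = next(r for r in rules if r.findtext("decoded_as") == "lshell")
    while True:
        for child in rules:
            if child.findtext("if_sid") != current.get("id"):
                continue
            match, status = child.findtext("match"), child.findtext("status")
            if match is not None and not sregex_match(match, msg):
                continue
            if status is not None and not sregex_match(status, fields.get("status", "")):
                continue
            current = child
            break
        else:  # no child matched: current is the final rule
            return current.get("id"), int(current.get("level"))


# Lines taken from the "Sample Lshell logs" section, plus one constructed sshd
# line to show that the lshell decoder leaves other programs alone.
SAMPLE_LINES = [
    "Mar  1 08:33:18 staging-app-2 lshell[9750]: trung: Logged in",
    "Mar  1 08:33:53 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history",
    'Mar  1 08:33:58 staging-app-2 lshell[9750]: trung: *** forbidden command -> "sleep 10"',
    "Mar  1 08:34:22 staging-app-2 lshell[9750]: trung: Exited",
    "Mar  1 09:20:16 staging-app-2 lshell[11225]: trung: ERROR: Missing parameter",
    "Mar  1 09:21:00 staging-app-2 sshd[11300]: Accepted publickey for trung from 10.0.0.5",
]

if __name__ == "__main__":
    print("duplicate rule ids:", find_duplicate_ids(RULES_XML) or "none")
    for line in SAMPLE_LINES:
        print(evaluate(line), decode(line), line.split(": ", 1)[1], sep="  ")
```

Run it with python3 and compare the printed (rule id, level) pairs with what ossec-logtest reports for the same lines; the model only covers the `<match>`, `<status>`, `<if_sid>` and `<decoded_as>` elements used here, so ossec-logtest remains the authoritative check for anything beyond them.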

Test your Ossec configurations

Use the ossec-logtest program shipped with your Ossec installation. Once started, it waits for input on stdin: paste any line from the previous section into the ossec-logtest window and it will print the decoder and the rule that matched, so you can check the new rules.

Miscellaneous

The issue that prompted this document is https://github.com/ghantoos/lshell/issues/2. This document was first written by Anh K. Huynh (https://github.com/icy). For more details about Ossec, please visit its homepage at http://ossec.net/.