
Building Collector Plugins 1.1 - AlienVault


Building Collector Plugins - Admin Guide

5.2 Configuration Example

5.2.1 Scenario

To detect user logons on a Unix system, the output of the "last" command is used. "last" displays the content of the /var/log/wtmp file, in which opened and closed terminal sessions as well as system restarts are recorded.

To create events only when the status changes, the "last" output is collected periodically and compared with the output saved by the previous iteration of the loop; only the lines that are new since the last run are reported.

The status updates are sent to syslog with the help of the "logger" command.

5.2.2 Write a script to monitor the "last" status

#!/bin/sh

# create the previous-state file if it does not exist yet
touch /var/log/last.prev

while true
do
  # get the current last entries
  last > /var/log/last.new

  # send only the lines that are new since the previous run to syslog
  # (diff marks lines present only in the second file with a leading ">")
  diff /var/log/last.prev /var/log/last.new | grep '^>' | logger -t LOGON_EXAMPLE -p local2.info

  # the current output becomes the previous state for the next iteration
  mv /var/log/last.new /var/log/last.prev

  sleep 5
done

5.2.3 Log sample

dmz01:~# tail -f /var/log/messages
Jul 14 19:21:32 dmz01 LOGON_EXAMPLE: > root pts/3 localhost Wed Jul 14 18:49 - 19:21 (00:31)
Jul 14 19:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 still logged in
Jul 14 19:23:59 dmz01 LOGON_EXAMPLE: > root pts/4 localhost Wed Jul 14 19:23 still logged in
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/4 localhost Wed Jul 14 19:23 - 19:24 (00:00)
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 - 19:24 (00:00)
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 18:38 - 19:24 (00:45)
Jul 14 19:24:54 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 still logged in
Jul 14 19:26:15 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 - 19:26 (00:01)
Jul 14 19:26:20 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 still logged in
Jul 14 19:26:25 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 - 19:26 (00:00)
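To turn these lines into events, the collector has to split each one into its fields (user, terminal, source host, session start, and whether the session is still open or how long it lasted) and skip every line in the file that does not come from the script. The parser below is an added example, not code from the guide or from the OSSIM Agent; it assumes the line layout shown in the sample above and that the "last" output always carries a source-host column, and it replays the parsed events to show which sessions remain open.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed sample input: the LOGON_EXAMPLE lines are copied from the log
# sample above; the final sshd line is made up here to show that messages
# from other programs are skipped rather than mis-parsed.
SAMPLE_LOG = """\
Jul 14 19:21:32 dmz01 LOGON_EXAMPLE: > root pts/3 localhost Wed Jul 14 18:49 - 19:21 (00:31)
Jul 14 19:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 still logged in
Jul 14 19:23:59 dmz01 LOGON_EXAMPLE: > root pts/4 localhost Wed Jul 14 19:23 still logged in
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/4 localhost Wed Jul 14 19:23 - 19:24 (00:00)
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 - 19:24 (00:00)
Jul 14 19:24:09 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 18:38 - 19:24 (00:45)
Jul 14 19:24:54 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 still logged in
Jul 14 19:26:15 dmz01 LOGON_EXAMPLE: > root pts/2 172.22.22.10 Wed Jul 14 19:24 - 19:26 (00:01)
Jul 14 19:26:20 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 still logged in
Jul 14 19:26:25 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 - 19:26 (00:00)
Jul 14 19:27:00 dmz01 sshd[2048]: Accepted publickey for ossim from 172.22.22.10 port 51000 ssh2
"""


class LogonEvent(NamedTuple):
    logged_at: str               # syslog timestamp, e.g. "Jul 14 19:21:32"
    host: str                    # syslog host that emitted the line
    user: str
    tty: str
    source: str                  # remote host/IP, or "localhost"
    session_start: str           # e.g. "Wed Jul 14 18:49"
    status: str                  # "open" for "still logged in", "closed" when an end time is present
    duration_min: Optional[int]  # minutes the closed session lasted, None while open


# One line = syslog header + the "> " diff marker + one last(1) record.
# The record ends either with "still logged in" or with "- END (DURATION)".
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) LOGON_EXAMPLE: > "
    r"(?P<user>\S+) +(?P<tty>\S+) +(?P<source>\S+) +"
    r"(?P<start>\w{3} \w{3} +\d{1,2} \d\d:\d\d) +"
    r"(?:(?P<still>still logged in)|- (?P<end>\S+) +\((?P<dur>(?:\d+\+)?\d\d:\d\d)\))\s*$"
)


def duration_minutes(text: str) -> int:
    """Convert last(1)'s "HH:MM" or "D+HH:MM" duration field to whole minutes."""
    days = 0
    if "+" in text:
        day_part, text = text.split("+", 1)
        days = int(day_part)
    hours, minutes = (int(p) for p in text.split(":"))
    return days * 24 * 60 + hours * 60 + minutes


def parse_line(line: str) -> Optional[LogonEvent]:
    """Return a LogonEvent for a LOGON_EXAMPLE line, or None for any other line."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    if m.group("still"):
        status, duration = "open", None
    else:
        status, duration = "closed", duration_minutes(m.group("dur"))
    return LogonEvent(m.group("ts"), m.group("host"), m.group("user"), m.group("tty"),
                      m.group("source"), m.group("start"), status, duration)


def parse_log(text: str) -> List[LogonEvent]:
    """Parse a whole log file, silently dropping lines from other programs."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def replay_open_sessions(events: List[LogonEvent]) -> Set[Tuple[str, str]]:
    """Replay events in log order; return the (user, tty) pairs still open at the end."""
    open_now: Set[Tuple[str, str]] = set()
    for ev in events:
        key = (ev.user, ev.tty)
        if ev.status == "open":
            open_now.add(key)
        else:
            open_now.discard(key)
    return open_now


def remote_logons(events: List[LogonEvent]) -> List[LogonEvent]:
    """Events whose source is not the local machine: the first ones worth correlating on."""
    return [ev for ev in events if ev.source not in ("localhost", "127.0.0.1")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev.logged_at, ev.user, ev.tty, ev.source, ev.status, ev.duration_min)
    print("still open:", replay_open_sessions(evs))
    print("remote logons:", len(remote_logons(evs)))
```

Because every change in the "last" output produces a line, the opening of a session and its later close arrive as two separate events; replaying them keeps the open-session view consistent, and filtering on the source column isolates remote logons, which is where a correlation rule usually starts.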

5.2.4 Collect the logs in a new log file

Add the following to the rsyslog.conf on the system running the OSSIM Agent (selector and action belong on one line):

#
# LOGON_EXAMPLE
#
local2.info                     /var/log/last_logon.log

Page 25 Copyright © Alienvault 2010
