Building Collector Plugins 1.1 - AlienVault

More documents

Recommendations

Info

Building Collector Plugins - Admin Guide 5.2.5 Restart “rsyslog” opensourcesim:~# /etc/init.d/rsyslogd restart 5.2.6 Check whether the new entries are written in the new log file opensourcesim:/etc/ossim/agent/plugins# tail -f /var/log/last_logon.log Jul 14 19:38:49 dmz01 LOGON_EXAMPLE: > root pts/2 localhost Wed Jul 14 19:38 still logged in Jul 14 19:38:54 dmz01 LOGON_EXAMPLE: > root pts/2 localhost Wed Jul 14 19:38 - 19:38 (00:00) Jul 14 19:38:59 dmz01 LOGON_EXAMPLE: > ossim pts/2 localhost Wed Jul 14 19:38 still logged in Jul 14 19:40:51 dmz01 LOGON_EXAMPLE: > ossim pts/2 localhost Wed Jul 14 19:38 - 19:40 (00:01) Jul 14 20:15:09 dmz01 LOGON_EXAMPLE: > reboot system boot 2.6.31.6 Wed Jul 14 17:39 - 20:15 (02:35) 5.2.7 Create a plugin file Copy an existing plugin to build the new one on the existing structure opensourcesim:/etc/ossim/agent/plugins# cp syslog.cfg example.cfg Set the new plugin specific parameters ;; Building Plugins Example ;; plugin_id: 9001 ;; type: detector [DEFAULT] plugin_id=9001 [config] type=detector enable=yes source=log # Enable syslog to log everything to one file. Add it to log rotation also. # echo "*.* /var/log/all.log" >> /etc/syslog.conf; killall -HUP syslogd #location=/var/log/all.log location=/var/log/last_logon.log # create log file if it does not exists, # otherwise stop processing this plugin create_file=true process= start=no stop=no startup= shutdown= ## rules [Rule 01 - Console Session Open] # Jul 14 20:36:47 dmz01 LOGON_EXAMPLE: > root tty1 Wed Jul 14 20:36 still logged in event_type=event regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P[^\s]+)\s+(?Ptty\d+)\s+(?P.*still logged in.*))$" sensor=\_CFG(plugin-defaults,sensor) Page 26 Copyright © Alienvault 2010
Building Collector Plugins - Admin Guide date={normalize_date($1)} plugin_sid=1 username={$username} dst_ip={resolv($host)} userdata1={$tty} userdata2={md5sum($logline)} userdata3={$logline} userdata4={$logged_event} [Rule 02 - Console Session Closed] # Jul 14 20:35:46 dmz01 LOGON_EXAMPLE: > root tty1 Wed Jul 14 20:18 - 20:35 (00:17) event_type=event regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P[^\s]+)\s+(?Ptty\d+)\s+(?P.*))$" sensor=\_CFG(plugin-defaults,sensor) date={normalize_date($1)} plugin_sid=2 username={$username} dst_ip={resolv($host)} userdata1={$tty} userdata2={md5sum($logline)} userdata3={$logline} userdata4={$logged_event} [Rule 03 - New User Session - IP] # Jul 14 20:21:49 dmz01 LOGON_EXAMPLE: > root pts/1 172.22.22.10 Wed Jul 14 20:21 still logged in event_type=event regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P\IPV4)\s+(?P.*still logged in.*))$" sensor=\_CFG(plugin-defaults,sensor) date={normalize_date($1)} plugin_sid=3 username={$username} src_ip={$source} dst_ip={resolv($host)} userdata1={$tty} userdata2={md5sum($logline)} userdata3={$logline} userdata4={$logged_event} [Rule 04 - New User Session - hostname] # Jul 14 19:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 still logged in event_type=event regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE: >\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?Plocalhost)\s+(?P.*still logged in.*))$" sensor=\_CFG(plugin-defaults,sensor) date={normalize_date($1)} plugin_sid=3 username={$username} src_ip=127.0.0.1 dst_ip={resolv($host)} userdata1={$tty} userdata2={md5sum($logline)} userdata3={$logline} userdata4={$logged_event} Page 27 Copyright © Alienvault 2010
Page 1 and 2: Building Collector Plugins Admin Gu
Page 3 and 4: Building Collector Plugins - Admin
Page 25: Building Collector Plugins - Admin
Page 31 and 32: 5.2.10 Check whether the plugin was

Building Collector Plugins 1.1 - AlienVault

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?