Building Collector Plugins 1.1 - AlienVault

Building Collector Plugins - Admin Guide
date={normalize_date($1)}
plugin_sid=1
username={$username}
dst_ip={resolv($host)}
userdata1={$tty}
userdata2={md5sum($logline)}
userdata3={$logline}
userdata4={$logged_event}
[Rule 02 - Console Session Closed]
# Jul 14 20:35:46 dmz01 LOGON_EXAMPLE: > root tty1 Wed Jul 14 20:18 - 20:35 (00:17)
event_type=event
regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE:
>\s+(?P[^\s]+)\s+(?Ptty\d+)\s+(?P.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($1)}
plugin_sid=2
username={$username}
dst_ip={resolv($host)}
userdata1={$tty}
userdata2={md5sum($logline)}
userdata3={$logline}
userdata4={$logged_event}
[Rule 03 - New User Session - IP]
# Jul 14 20:21:49 dmz01 LOGON_EXAMPLE: > root pts/1 172.22.22.10 Wed Jul 14 20:21 still logged in
event_type=event
regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE:
>\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P\IPV4)\s+(?P.*still logged in.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($1)}
plugin_sid=3
username={$username}
src_ip={$source}
dst_ip={resolv($host)}
userdata1={$tty}
userdata2={md5sum($logline)}
userdata3={$logline}
userdata4={$logged_event}
[Rule 04 - New User Session - hostname]
# Jul 14 19:23:28 dmz01 LOGON_EXAMPLE: > dbadmin pts/3 localhost Wed Jul 14 19:23 still logged in
event_type=event
regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE:
>\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?Plocalhost)\s+(?P.*still logged in.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($1)}
plugin_sid=3
username={$username}
src_ip=127.0.0.1
dst_ip={resolv($host)}
userdata1={$tty}
userdata2={md5sum($logline)}
userdata3={$logline}
userdata4={$logged_event}
Page 27 Copyright © Alienvault 2010