Building Collector Plugins 1.1 - AlienVault

Building Collector Plugins - Admin Guide
[Rule 05 - User Session Closed - IP]
# Jul 14 19:26:25 dmz01 LOGON_EXAMPLE: > ossim pts/2 172.22.22.10 Wed Jul 14 19:26 - 19:26 (00:00)
event_type=event
regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE:
>\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?P\IPV4)\s+(?P.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($1)}
plugin_sid=4
username={$username}
src_ip={$source}
dst_ip={resolv($host)}
userdata1={$tty}
userdata2={md5sum($logline)}
userdata3={$logline}
userdata4={$logged_event}
[Rule 06 - User Session Closed - hostname]
# Jul 14 19:33:56 dmz01 LOGON_EXAMPLE: > root pts/2 localhost Wed Jul 14 19:33 - 19:33 (00:00)
event_type=event
regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE:
>\s+(?P[^\s]+)\s+(?P[^\s]+)\s+(?Plocalhost)\s+(?P.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($1)}
plugin_sid=4
username={$username}
src_ip=127.0.0.1
dst_ip={resolv($host)}
userdata1={$tty}
userdata2={md5sum($logline)}
userdata3={$logline}
userdata4={$logged_event}
[Rule 07 - Reboot Detected]
# Jul 14 20:15:09 dmz01 LOGON_EXAMPLE: > reboot system boot 2.6.31.6 Mon May 24 13:51 - 20:15 (51+06:23)
event_type=event
regexp="^(?P(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE: >reboot.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($1)}
plugin_sid=5
userdata1={md5sum($logline)}
userdata2={$logline}
userdata3={$generator}
userdata4={$logged_event}
[Rule 99 - Catch all]
# Whatever doesn't match the above rules
event_type=event
regexp="^(?P(?P\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P[^\s]+)\s+LOGON_EXAMPLE:.*))$"
sensor=\_CFG(plugin-defaults,sensor)
date={normalize_date($date)}
plugin_sid=99
userdata1={md5sum($logline)}
userdata2={$logline}
userdata3={$logged_event}
Page 28 Copyright © Alienvault 2010