[ossec-list] Creating a rule to find SSH keys in authlog with VERBOSE turned on

[caplinux20]

Hello all,

I am trying to write a rule in OSSEC to look at /var/log/authlog and alert 
on lines that show a RSA key. In my environment we only use ssh keys to 
remote on and when somebody login via root i would like OSSEC to show the 
SSH key used. Right now i am using the analogi GUI with OSSEC 2.8.1. 

currently it shows the actual ssh key getting accepted:

2015-05-21T14:25:01-04:00 ###-ossecserver-001 sshd[71254]: [ID 800047 
auth.info] Accepted publickey for root from ###.###.###.### port 65221 ssh2

however i also want it to show this entry in the authlog:

2015-05-21T13:51:42-04:00 ###-ossecserver-001 sshd[43730]: [ID 800047 
auth.info] Found matching RSA key: 
FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF

_______________________________________________________________________________________________________________________________________________

I created a custom decoder in /ossec/etc/decoder.xml

<decoder name="ssh-key">
  <parent>sshd</parent>
  <prematch>^Found </prematch>
  <regex offset="after_prematch">^matching RSA key: (\S+)</regex>
  <order>srcip</order>
</decoder>

(Forgive any errors please as this is my first rule - still getting use to 
writing them)

then i created the rule in my local_rules.xml

<rule id="111000" level="0">
    <decoded_as>ssh-key</decoded_as>
    <description>Gives the ability to see the SSH keys in the 
authlog</description>
  </rule>

  <rule id="110001" level="5">
    <if_sid>111000</if_sid>
    <description>Shows the info in the gui</description>
  </rule>

and then i restarted the service but it does not pick up the SSH key line. 
I was wondering if somebody could help assist as I was reading this:  
http://www.madirish.net/293 on writing OSSEC rules and i also looked at the 
OSSEC documentation but still cant figure it out.

Thank you for any assistance you can give.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.