It's a patch to bash that enables a syslog history feature. I don't know how much is built-in to bash and how much is custom (I just look at the outputs), but the following gist discovered through Google search appears to be pretty similar to what we're doing: https://gist.github.com/dalevizo/3656019
On Thursday, August 18, 2016 at 12:52:45 PM UTC-7, Jesus Linares wrote:
>
> Hi Michael,
>
> Nice, it works ;).
>
> Please, could you tell me how you are sending the commands to syslog?
>
> Regards.
>
> On Thursday, August 18, 2016 at 8:34:57 PM UTC+2, Michael P. wrote:
>>
>> Thank you both for your help. I used a slightly-tweaked version of the
>> most recent approach and it is working now.
>>
>> On Thursday, August 18, 2016 at 3:59:00 AM UTC-7, Jesus Linares wrote:
>>>
>>> Hi Dan,
>>>
>>> you are right, it would be like this:
>>>
>>> <decoder name="bash">
>>>   <program_name>bash</program_name>
>>> </decoder>
>>>
>>> <decoder name="bash-fields">
>>>   <parent>bash</parent>
>>>   <prematch offset="after_parent">^HISTORY: PID=\d+ </prematch>
>>>   <regex offset="after_prematch">^UID=\d+\((\S+)\) (\S+)</regex>
>>>   <order>user,extra_data</order>
>>> </decoder>
>>>
>>> <decoder name="bash-fields">
>>>   <parent>bash</parent>
>>>   <regex offset="after_regex"> (\S+) (\d+)</regex>
>>>   <order>dstip,dstport</order>
>>> </decoder>
>>>
>>> Both approaches are valid, it depends on whether you want to do specific
>>> decoders for some commands.
>>>
>>> Regards.
>>>
>>> On Thursday, August 18, 2016 at 12:22:38 PM UTC+2, dan (ddpbsd) wrote:
>>>>
>>>> On Wed, Aug 17, 2016 at 4:40 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>>> On Aug 17, 2016 4:37 PM, "Michael P." <haple...@gmail.com> wrote:
>>>>>>
>>>>>> I am experiencing an issue where the presence of a child decoder prevents
>>>>>> the fields in the parent decoder from being decoded.
>>>>>>
>>>>>> We log all bash commands made by users on our systems. The format of these
>>>>>> log messages looks like this:
>>>>>> Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
>>>>>> Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
>>>>>>
>>>>>> My goal is to extract the user ids 0(vader) and 42(chuck) from the header
>>>>>> common to both messages. For the telnet message, I want to decode the dst ip
>>>>>> and port (jupiter2 and 1337).
>>>>>>
>>>>>> I have the following decoders defined:
>>>>>> <decoder name="bash-stalker">
>>>>>>   <program_name>bash</program_name>
>>>>>>   <prematch>^HISTORY: PID=\d+ </prematch>
>>>>>>   <regex offset="after_prematch">^UID=(\S*) </regex>
>>>>>>   <order>user</order>
>>>>>> </decoder>
>>>>>>
>>>>>> <decoder name="telnet-request">
>>>>>>   <parent>bash-stalker</parent>
>>>>>>   <prematch offset="after_parent">telnet </prematch>
>>>>>>   <regex offset="after_prematch">^(\S+) (\d+)</regex>
>>>>>>   <order>dstip,dstport</order>
>>>>>> </decoder>
>>>>>>
>>>>>> When telnet-request is present, user is not decoded for any log message,
>>>>>> telnet or not. dstip and dstport are decoded correctly. If I comment
>>>>>> telnet-request out, then user is decoded properly for all log messages. I
>>>>>> want all three fields when they're available.
>>>>>>
>>>>>> Am I missing a subtlety of parent decoders? Could someone point me in the
>>>>>> right direction?
>>>>>>
>>>>>
>>>>> I think that's just the way it is. You can name the second decoder the same
>>>>> thing though and decode extra fields. I can't remember if there's an example
>>>>> in decoders or not, but it isn't too hard (I'm on my phone or I'd provide an
>>>>> example).
>>>>>
>>>>
>>>> pam-ruser is an example of what I was talking about:
>>>> <decoder name="pam-ruser">
>>>>   <parent>pam</parent>
>>>>   <prematch> ruser</prematch>
>>>>   <regex offset="after_prematch">^=(\S+) </regex>
>>>>   <order>user</order>
>>>> </decoder>
>>>>
>>>> <decoder name="pam-ruser">
>>>>   <parent>pam</parent>
>>>>   <regex> rhost=(\S+)$</regex>
>>>>   <order>srcip</order>
>>>> </decoder>
>>>>
>>>> It will allow both user and srcip to be decoded, even though the
>>>> fields don't share the same child decoder.
>>>>
>>>>>>
>>>>>> Extra information, if it helps - here is the output of logtest in both
>>>>>> cases:
>>>>>>
>>>>>> telnet-request is present:
>>>>>> Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami'
>>>>>>        hostname: 'mars31'
>>>>>>        program_name: 'bash'
>>>>>>        log: 'HISTORY: PID=45234 UID=0(vader) whoami'
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>>        decoder: 'bash-stalker'
>>>>>>
>>>>>> Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
>>>>>>        hostname: 'mars31'
>>>>>>        program_name: 'bash'
>>>>>>        log: 'HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>>        decoder: 'bash-stalker'
>>>>>>        dstip: 'jupiter2'
>>>>>>        dstport: '1337'
>>>>>>
>>>>>> telnet-request is commented out:
>>>>>> Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami'
>>>>>>        hostname: 'mars31'
>>>>>>        program_name: 'bash'
>>>>>>        log: 'HISTORY: PID=45234 UID=0(vader) whoami'
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>>        decoder: 'bash-stalker'
>>>>>>        dstuser: '0(vader)'
>>>>>>
>>>>>> **Phase 3: Completed filtering (rules).
>>>>>>        Rule id: '100002'
>>>>>>        Level: '6'
>>>>>>        Description: 'command as root'
>>>>>>
>>>>>> Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337
>>>>>>
>>>>>> **Phase 1: Completed pre-decoding.
>>>>>>        full event: 'Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
>>>>>>        hostname: 'mars31'
>>>>>>        program_name: 'bash'
>>>>>>        log: 'HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337'
>>>>>>
>>>>>> **Phase 2: Completed decoding.
>>>>>>        decoder: 'bash-stalker'
>>>>>>        dstuser: '42(chuck)'
>>>>>>
>>>>>> **Phase 3: Completed filtering (rules).
>>>>>>        Rule id: '100003'
>>>>>>        Level: '3'
>>>>>>        Description: 'telnet connection'
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups
>>>>>> "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>>>> email to ossec-list+...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
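As an added example (not code from the thread or from OSSEC itself), here is a small Python model of the same-named decoder chain Jesus posted, run over the two sample events quoted above: it shows why the second `bash-fields` stage failing on the `whoami` line does not cost the `user` field. The syslog header regex and the offset handling (`after_parent`, `after_prematch`, `after_regex`) are simplifications of OSSEC's matching and are assumptions of this example.

```python
import re

# Constructed sample events in the format quoted in the thread.
SAMPLE_EVENTS = [
    "Aug 17 12:41:22 mars31 bash: HISTORY: PID=45234 UID=0(vader) whoami",
    "Aug 17 12:41:22 mars31 bash: HISTORY: PID=56234 UID=42(chuck) telnet jupiter2 1337",
]

# Phase 1 (pre-decoding): syslog header -> hostname, program_name, log (assumed format).
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

# Jesus's 'bash-fields' chain: two same-named children of a parent 'bash' decoder that
# matches program_name only. Per stage: optional prematch, regex, regex offset, field order.
BASH_FIELDS = [
    {"prematch": r"^HISTORY: PID=\d+ ", "regex": r"^UID=\d+\((\S+)\) (\S+)",
     "offset": "after_prematch", "order": ["user", "extra_data"]},
    {"prematch": None, "regex": r" (\S+) (\d+)",
     "offset": "after_regex", "order": ["dstip", "dstport"]},
]

def pre_decode(event):
    m = SYSLOG_RE.match(event)
    return m and {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def run_chain(log, chain):
    """A stage whose prematch or regex fails contributes nothing, but later stages
    still run, so 'user' survives even without a 'telnet host port' tail to decode."""
    fields, regex_end = {}, 0
    for stage in chain:
        start = 0                        # after_parent: the parent matched nothing in 'log'
        if stage["prematch"]:
            pm = re.search(stage["prematch"], log)
            if not pm:
                continue
            if stage["offset"] == "after_prematch":
                start = pm.end()
        if stage["offset"] == "after_regex":
            start = regex_end            # resume where the previous stage's regex ended
        m = re.search(stage["regex"], log[start:])
        if not m:
            continue
        regex_end = start + m.end()
        fields.update(zip(stage["order"], m.groups()))
    return fields

def decode_event(event):
    pre = pre_decode(event)
    if not pre or pre["program_name"] != "bash":   # parent decoder 'bash' did not match
        return None
    return run_chain(pre["log"], BASH_FIELDS)
```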