Just a couple of quick ones. I took 3 of the logs you provided, and
used `ossec-logtest` to see how they were decoded.

**Phase 1: Completed pre-decoding.
       full event: 'Aug  9 06:00:00 server2 systemd: pam_unix(systemd-user:session): session opened for user dzoni by ($'
       hostname: 'server2'
       program_name: 'systemd'
       log: 'pam_unix(systemd-user:session): session opened for user dzoni by ($'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '5501'
       Level: '3'
       Description: 'Login session opened.'
**Alert to be generated.


So the above log will create an alert of id 5501. It's only a level 3,
so it probably doesn't make it to your email.
You can either lower the email alert level in the ossec.conf, or
modify the rule to always alert (add <options>alert_by_email</options>
to the rule).
Something like this in `/var/ossec/rules/local_rules.xml` (totally untested):
  <rule id="5501" level="3" overwrite="yes">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <options>alert_by_email</options>
    <description>Login session opened.</description>
    <group>authentication_success,</group>
  </rule>



**Phase 1: Completed pre-decoding.
       full event: 'Aug  9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni'
       hostname: 'server2'
       program_name: 'systemd-logind'
       log: 'New session 1 of user dzoni'

**Phase 2: Completed decoding.
       No decoder matched.

For this one, nothing matched. A decoder would have to be written,
then a rule. Quick and dirty decoder (in
/var/ossec/etc/local_decoder.xml):
<decoder name="systemd-logind">
  <program_name>^systemd-logind$</program_name>
  <regex> of user (\S+)</regex>
  <order>user</order>
</decoder>

Now we get:
**Phase 1: Completed pre-decoding.
       full event: 'Aug  9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni'
       hostname: 'server2'
       program_name: 'systemd-logind'
       log: 'New session 1 of user dzoni'

**Phase 2: Completed decoding.
       decoder: 'systemd-logind'
       dstuser: 'dzoni'

Still need a rule though. In /var/ossec/rules/local_rules.xml:
  <rule id="333333" level="3">
    <decoded_as>systemd-logind</decoded_as>
    <match>^New session </match>
    <description>New session started for a user.</description>
    <group>authentication</group>
  </rule>

Gives us:
**Phase 1: Completed pre-decoding.
       full event: 'Aug  9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni'
       hostname: 'server2'
       program_name: 'systemd-logind'
       log: 'New session 1 of user dzoni'

**Phase 2: Completed decoding.
       decoder: 'systemd-logind'
       dstuser: 'dzoni'

**Phase 3: Completed filtering (rules).
       Rule id: '333333'
       Level: '3'
       Description: 'New session started for a user.'
**Alert to be generated.

This probably isn't a high enough level to get an email, but adjust to taste.




**Phase 1: Completed pre-decoding.
       full event: 'Aug  9 06:00:00 server2 login[818]: pam_unix(login:session): session opened for user dzoni by LOGIN$'
       hostname: 'server2'
       program_name: 'login'
       log: 'pam_unix(login:session): session opened for user dzoni by LOGIN$'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '5501'
       Level: '3'
       Description: 'Login session opened.'
**Alert to be generated.

Level 3 again, use the above advice to adjust.


On Thu, Aug 9, 2018 at 9:58 AM, Dzenis Aslani <dzenis.asl...@gmail.com> wrote:
> O thank you, you are really helpful :) lol. How it doesn't matter where you
> see information. I told you I can't copy the text from VM (Ubuntu Server) to
> PC (Win10), this was the only way to get data.
>
> On Thursday, August 9, 2018 at 3:49:29 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, Aug 9, 2018 at 9:40 AM, Dzenis Aslani <dzenis...@gmail.com> wrote:
>> > I couldn't copy from the virtual machine but I did make a picture. I hope that
>> > it
>> > makes it help
>> >
>> > https://drive.google.com/file/d/11na75k4lPAXUAPowmIjugjpEvQXzqw5n/view?usp=sharing
>> > https://drive.google.com/open?id=11na75k4lPAXUAPowmIjugjpEvQXzqw5n
>> > https://drive.google.com/open?id=1PaG4-TNLjxtrnbjyFxw-xEpYuoNnDMeM
>> > https://drive.google.com/open?id=1zGzEZesuN_CWkW3NRn1wWIqbYFxDiHIp
>> > https://drive.google.com/open?id=1UhyhOpUsG2WgL0Eie9N8DtArNh-6knJQ
>> >
>>
>> OSSEC doesn't process images, so it might take a while to type out the
>> interesting ones.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
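To make the three logtest phases above concrete, here is an added example (not OSSEC code, and not part of this thread's original messages) that re-implements them in simplified form in Python: syslog pre-decoding, the stock pam prematch plus the local systemd-logind decoder, and the two rules, followed by the email decision. It assumes the default email_alert_level of 7 from ossec.conf and models rule 5500's if_sid as a plain decoded_as check.

```python
import re
# Constructed sample events, copied from the ossec-logtest runs in this thread.
EVENTS = [
    "Aug  9 06:00:00 server2 systemd: pam_unix(systemd-user:session): session opened for user dzoni by ($",
    "Aug  9 06:00:00 server2 systemd-logind[735]: New session 1 of user dzoni",
    "Aug  9 06:00:00 server2 login[818]: pam_unix(login:session): session opened for user dzoni by LOGIN$",
]
# Phase 1: syslog pre-decoding into hostname / program_name / log.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")
# Phase 2: simplified decoders. "pam" keeps only the stock decoder's ^pam_unix prematch;
# "systemd-logind" is the local decoder above, with <order>user</order> mapped to dstuser.
DECODERS = [
    {"name": "pam", "program_name": None, "prematch": re.compile(r"^pam_unix"), "regex": None, "order": []},
    {"name": "systemd-logind", "program_name": re.compile(r"^systemd-logind$"), "prematch": None,
     "regex": re.compile(r" of user (\S+)"), "order": ["dstuser"]},
]
# Phase 3: simplified rules. <if_sid>5500</if_sid> is modelled as decoded_as pam (stock rule 5500
# is just <decoded_as>pam</decoded_as>); 5501 includes the alert_by_email overwrite from above.
RULES = [
    {"id": 5501, "level": 3, "decoded_as": "pam", "match": re.compile(r"session opened for user "),
     "description": "Login session opened.", "options": ["alert_by_email"]},
    {"id": 333333, "level": 3, "decoded_as": "systemd-logind", "match": re.compile(r"^New session "),
     "description": "New session started for a user.", "options": []},
]

def process(event, decoders=DECODERS, rules=RULES):
    """Run one event through the three phases; decoder/rule stay None when nothing matches."""
    pre = SYSLOG_RE.match(event)
    res = {"decoder": None, "rule": None}
    if not pre:
        return res
    res.update(hostname=pre.group(1), program_name=pre.group(2), log=pre.group(3))
    for d in decoders:
        if d["program_name"] and not d["program_name"].search(res["program_name"]):
            continue
        if d["prematch"] and not d["prematch"].search(res["log"]):
            continue
        res["decoder"] = d["name"]
        if d["regex"] and (m := d["regex"].search(res["log"])):
            res.update(zip(d["order"], m.groups()))  # <order> names the captured fields
        break
    if res["decoder"]:  # rules only run once some decoder matched, as in logtest
        res["rule"] = next((r for r in rules if r["decoded_as"] == res["decoder"]
                            and r["match"].search(res["log"])), None)
    return res

def reaches_email(res, email_alert_level=7):
    """ossec.conf email_alert_level defaults to 7; alert_by_email forces delivery regardless."""
    r = res["rule"]
    return bool(r) and (r["level"] >= email_alert_level or "alert_by_email" in r["options"])
```

Running `process` on the second event with only the pam decoder reproduces the "No decoder matched" result, and `reaches_email` shows why a level 3 alert never reaches the inbox until the level is lowered or alert_by_email is set.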

