This is weird. I'm not a real experienced user, but I thought I was doing it right.
All I'm doing is running a few simple rules to pull "interesting" events out and post them. I have one machine receiving all logs and writing them to a named pipe and a file in parallel (for debugging). These are really simple rules, like:

type=Single
ptype=regexp
pattern=(\d+\.\d+\.\d+\.\d+).+useradd.+new user: name=(.+?),
desc=New account created: $2
action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

type=Single
ptype=regexp
pattern=([\w\.,]+).+useradd.+new group: name=(.+?),
desc=New group created: $2
action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

type=Single
ptype=regexp
pattern=([\w\.,]+).+userdel.+delete user `(\w+)'
desc=Account $2 deleted
action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

type=Single
ptype=regexp
pattern=([\w\.,]+).+userdel.+removed group `(\w+)'
desc=Group $2 deleted
action=shellcmd /usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"

When I do a test action on a workstation, the log entry shows up in the text file like this:

Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/group: name=tcpdump, GID=72
Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/gshadow: name=tcpdump
Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| new group: name=tcpdump, GID=72
Mar 9 14:56:23||seker||140.90.236.53||10,6||useradd|| new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
Mar 9 14:56:23||seker||140.90.236.53||1,6||yum|| Installed: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
Mar 9 14:56:41||seker||140.90.236.53||1,6||yum|| Erased: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| delete user 'tcpdump'
Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed group 'tcpdump' owned by 'tcpdump'
Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed shadow group 'tcpdump' owned by 'tcpdump'

But no action is taken by SEC -- the "newalert.pl" script is never run.
Nothing shows up in the SEC log with debugging at maximum. Yet when I grep my text file with the regexp I'm using for, for example, adding a user, it totally matches. And sometimes, seemingly at random, it does actually work -- but mostly not. Am I missing something obvious here?

<MR>

-----------------------------------
Michael Raugh, BCH, CI, VCP5, LPIC, ITILv2011 Foundation
NOAA/NESDIS-HQ Sr. Systems Engineer
NIIS - Team ActioNet - NESDIS
Office: 301-713-0519
Contractor
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
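The check a rule author wants before looking at the input side (pipe versus file, debug level) is to run each pattern against the exact lines the file received and see which rule fires and what the shellcmd would be handed. The harness below is an added example and is not code from the post or from SEC itself; it copies the four patterns, desc and action strings and the nine log lines exactly as printed above (quote characters included) and emulates SEC's $1/$2 and %s substitution in a deliberately simplified way (that emulation, and the short rule names used to label output, are assumptions of this example, not SEC behaviour it verifies).

```python
import re

# The four rules as printed in the post. pattern/desc/shellcmd are copied
# verbatim; the "name" keys are added here only to label the output.
RULES = [
    {"name": "useradd",
     "pattern": r"(\d+\.\d+\.\d+\.\d+).+useradd.+new user: name=(.+?),",
     "desc": "New account created: $2",
     "shellcmd": '/usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"'},
    {"name": "groupadd",
     "pattern": r"([\w\.,]+).+useradd.+new group: name=(.+?),",
     "desc": "New group created: $2",
     "shellcmd": '/usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"'},
    {"name": "userdel",
     "pattern": r"([\w\.,]+).+userdel.+delete user `(\w+)'",
     "desc": "Account $2 deleted",
     "shellcmd": '/usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"'},
    {"name": "groupdel",
     "pattern": r"([\w\.,]+).+userdel.+removed group `(\w+)'",
     "desc": "Group $2 deleted",
     "shellcmd": '/usr/local/bin/newalert.pl -r $1 -c AccountAudit -m "%s"'},
]

# The nine lines from the post's text file, copied as printed.
SAMPLE_LOG = """\
Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/group: name=tcpdump, GID=72
Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| group added to /etc/gshadow: name=tcpdump
Mar 9 14:56:23||seker||140.90.236.53||10,6||groupadd|| new group: name=tcpdump, GID=72
Mar 9 14:56:23||seker||140.90.236.53||10,6||useradd|| new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
Mar 9 14:56:23||seker||140.90.236.53||1,6||yum|| Installed: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
Mar 9 14:56:41||seker||140.90.236.53||1,6||yum|| Erased: 14:tcpdump-4.9.2-4.el7_7.1.x86_64
Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| delete user 'tcpdump'
Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed group 'tcpdump' owned by 'tcpdump'
Mar 9 14:56:57||seker||140.90.236.53||10,6||userdel|| removed shadow group 'tcpdump' owned by 'tcpdump'
"""


def substitute(template, groups):
    """Expand $1, $2, ... with the captured groups.

    Simplified emulation of SEC's variable expansion (assumption of this
    example): only $N for N < 10 is handled, nothing else.
    """
    out = template
    for i, g in enumerate(groups, 1):
        out = out.replace(f"${i}", g)
    return out


def run_rules(lines, rules=RULES):
    """Match every rule against every line.

    Returns (line_no, rule_name, expanded_desc, expanded_command) tuples in
    log order. %s in the command is replaced by the expanded desc, as SEC does.
    """
    compiled = [(r, re.compile(r["pattern"])) for r in rules]
    events = []
    for n, line in enumerate(lines, 1):
        for rule, rx in compiled:
            m = rx.search(line)
            if not m:
                continue
            desc = substitute(rule["desc"], m.groups())
            cmd = substitute(rule["shellcmd"], m.groups()).replace("%s", desc)
            events.append((n, rule["name"], desc, cmd))
    return events


def rules_never_matching(lines, rules=RULES):
    """Names of rules that fire on none of the given lines."""
    fired = {name for _, name, _, _ in run_rules(lines, rules)}
    return [r["name"] for r in rules if r["name"] not in fired]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for n, name, desc, cmd in run_rules(lines):
        print(f"line {n}: rule {name!r} fires -> shellcmd {cmd}")
    for name in rules_never_matching(lines):
        print(f"rule {name!r} matched none of the {len(lines)} sample lines")
```

Running it lists, per rule, the line it fires on and the exact newalert.pl command line that would be executed, and separately names the rules that fire on none of the sample lines, so each non-firing pattern can be compared character by character with the log text it was written for.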
