Linux command log


TUKARAM GAONKAR

Jul 16, 2021, 1:08:36 PM
to Wazuh mailing list
Dear Team,

I have integrated a Linux machine with Wazuh. I want to create a ruleset for when anyone fires the "rm" or "cd" command on Linux.

I tested by firing the "rm" and "cd" commands on the OS, but no log was generated on Wazuh.

Is there any configuration required in the agent ossec.conf file?

Warm Regards,
Tukaram


Christian Borla

Jul 16, 2021, 5:09:13 PM
to TUKARAM GAONKAR, Wazuh mailing list
Hi Tukaram,
I hope you are doing fine!

First you have to check whether commands on Linux are logged in some file.
I found this link which shows how to configure it: https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html
Once you can see command events in a Linux file, for example in /var/log/syslog or /var/log/cmdline, it's time to set your agent to collect events from one of those files.

On the agent side, in /var/ossec/etc/ossec.conf:

<!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

or/and

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/cmdline</location>
  </localfile>


The next step is to restart the agent, generate some events and look for them in the manager raw file /var/ossec/logs/archive/archives.log.
To enable these logs, configure /var/ossec/etc/ossec.conf on the manager side:

<ossec_config>
  <global>
     <alerts_log>yes</alerts_log>
     <logall>yes</logall>
  </global>
</ossec_config>

If some events are found, that confirms the collection path from agent to manager.

The next step is to create a decoder and rules for those types of events.

Add the following custom decoder to /var/ossec/etc/decoders/local_decoder.xml on the manager side:

<decoder name="linux_command">
  <program_name>bash</program_name>
</decoder>

<decoder name="linux_command_cd">
  <parent>linux_command</parent>
  <regex type="pcre2">\]:\s+(\w+):\s*.*?cd\s+</regex>
  <order>user</order>
</decoder>

<decoder name="linux_command_rm">
  <parent>linux_command</parent>
  <regex type="pcre2">\]:\s+(\w+):\s*.*?rm\s+</regex>
  <order>user</order>
</decoder>

After the decoder, it's necessary to create a rule for it.
Add the following custom decoder to /var/ossec/etc/rules/local_rules.xml on the manager side:

  <rule id="100002" level="5">
    <decoded_as>linux_command</decoded_as>
    <description>linux command</description>
  </rule>

Let me know how it goes, 
Regards!



Christian Borla

Jul 22, 2021, 10:59:21 AM
to Wazuh mailing list

Hi Tukaram,
I hope you are doing fine!
I created 2 new decoders following the log samples you sent; let me know if that is what you need.

case: Jul 21 10:57:01 YYY01 Ab1wc: xyxy [3456]: vmstat 1 3 | awk '{for (i=90;i++) }'|tail -80 [1]

<decoder name="linux_command_vmstat_awk_tail">
  <parent>linux_command</parent>
  <regex type="pcre2">\]:\s+vmstat.*?\|.*?awk.*?\|tail.*</regex>
  <order>user</order>
</decoder>

case: Jul 21 04:54:35 XXX03 ABCD: yxyx [56788]: /bin/df | awk | awk '{print $6,$8}' [0]

<decoder name="linux_command_df_awk_awk">
  <parent>linux_command</parent>
  <regex type="pcre2">\]:.*?\/?df \|.*?awk.*?\|.*?awk.*</regex>
  <order>user</order>
</decoder>

These are concatenated commands, piped with '|', and the decoder will need that sequence to trigger.
Let me know how it goes.
Regards.
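To check how the decoders from both replies behave before loading them into a manager, here is a small Python simulation of the decoder tree and rule 100002. This is an added example, not code from the thread or from Wazuh: it is a simplified model of decoder matching (parent by program name, children by regex, first match wins, capture group mapped to the `user` field), not Wazuh's engine, and the sample lines are constructed in the `user [pid]: command [exit]` shape seen in the thread, logged under the assumed program name `bash`. The last sample is in the `]: user: command` shape that the cd/rm patterns from the first reply imply; on lines in the thread's own sample shape those two patterns only reach the parent decoder, which is why decoders should be tested against real log samples, as the second reply did.

```python
import re

# Constructed sample lines (not from the thread). Assumption: the shell
# history logger writes to syslog with program name "bash".
SAMPLE_LINES = [
    "Jul 21 10:57:01 host01 bash: alice [3456]: cd /tmp [0]",
    "Jul 21 10:57:05 host01 bash: alice [3456]: rm -rf /tmp/build [0]",
    "Jul 21 10:57:09 host01 bash: bob [4001]: vmstat 1 3 | awk '{print $1}'|tail -80 [1]",
    "Jul 21 10:57:12 host01 bash: bob [4001]: /bin/df | awk | awk '{print $6,$8}' [0]",
    "Jul 21 10:57:20 host01 sshd[999]: Accepted publickey for alice from 10.0.0.5",
    # shape implied by the first reply's cd/rm regex: "]: <user>: <command>"
    "Jul 21 10:57:25 host01 bash: [5000]: carol: cd /etc [0]",
]

# Minimal syslog header split: timestamp, host, program[pid]: message.
SYSLOG_HEADER = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+"
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?:\s(?P<message>.*)$"
)

# Parent decoder from the thread: <program_name>bash</program_name>
PARENT_DECODER = ("linux_command", "bash")

# Child decoders with the regexes exactly as posted in the thread (PCRE2
# syntax that Python's re module accepts unchanged). A capture group, when
# present, is mapped to the "user" field, mirroring <order>user</order>.
CHILD_DECODERS = [
    ("linux_command_cd", re.compile(r"\]:\s+(\w+):\s*.*?cd\s+")),
    ("linux_command_rm", re.compile(r"\]:\s+(\w+):\s*.*?rm\s+")),
    ("linux_command_vmstat_awk_tail", re.compile(r"\]:\s+vmstat.*?\|.*?awk.*?\|tail.*")),
    ("linux_command_df_awk_awk", re.compile(r"\]:.*?\/?df \|.*?awk.*?\|.*?awk.*")),
]

# Rule 100002 from the thread keys on <decoded_as>linux_command</decoded_as>,
# i.e. on the parent decoder name, so every line the parent matches alerts.
RULE = {"id": "100002", "level": 5, "decoded_as": "linux_command"}


def decode(line: str) -> dict:
    """Simulate decoding one log line.

    Returns {"decoder": matched decoder name or None,
             "user": captured user or None,
             "alert": rule id that fires or None}.
    """
    result = {"decoder": None, "user": None, "alert": None}
    header = SYSLOG_HEADER.match(line)
    if header is None or header.group("program") != PARENT_DECODER[1]:
        return result  # parent decoder did not match: nothing is decoded
    result["decoder"] = PARENT_DECODER[0]
    for name, pattern in CHILD_DECODERS:
        match = pattern.search(line)
        if match:
            result["decoder"] = name
            if match.groups():
                result["user"] = match.group(1)
            break  # first matching child wins
    if RULE["decoded_as"] == PARENT_DECODER[0]:
        result["alert"] = RULE["id"]
    return result


def decode_all(lines=SAMPLE_LINES) -> list:
    """Decode every sample line; handy for eyeballing the results."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, outcome in zip(SAMPLE_LINES, decode_all()):
        print(f"{outcome['decoder'] or '-':32} user={outcome['user'] or '-':6} "
              f"alert={outcome['alert'] or '-':7} | {line}")
```

Run it as a script to see one line per sample: the piped `vmstat`/`df` lines reach their specific child decoders, the `sshd` line is not decoded at all, and the plain `cd`/`rm` lines in the thread's sample shape still alert through rule 100002 because that rule matches the parent decoder, even though the `linux_command_cd`/`linux_command_rm` regexes themselves only match the `]: user: command` shape.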