OSSEC Rule Writing
Chris O'Connell
omegahalo-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Oct 6 08:59:33 EDT 2010
Greetings Everyone,
I've just recently installed OSSEC on my main Linux server and agents on my
Windows servers. I want to be alerted whenever ANY administrator account
logs into our servers.
So... I've edited the local_rules.xml and tried to add these entries:
<group name="syslog,fts,">
  <rule id="100003" level="3">
    <options>alert_by_email</options>
    <group>authentication_success</group>
    <description>Administrative Login! </description>
    <match>administrator</match>
  </rule>
</group>

<group name="syslog,fts,">
  <rule id="100004" level="3">
    <options>alert_by_email</options>
    <group>authentication_success</group>
    <description>Administrative Login! </description>
    <user>everon</user>
  </rule>
</group>

<group name="local,">
  <rule id="100005" level="3">
    <group>authentication_success,</group>
    <if_sid>18104</if_sid>
    <id>^528|^540|^672|^673|^4624|^4769</id>
    <description>Windows Logon Success.</description>
    <options>alert_by_email</options>
    <user>root</user>
  </rule>
</group>
For some reason none of these seem to work correctly. I'm not sure I
understand what I'm doing, but am open to some ideas on what to do...
-chris-
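An added example, not part of Chris's post: one local_rules.xml fragment that chains a child rule onto the post's own rule 100005, so that every successful Windows logon is recorded at a low level and only logons by named administrator accounts raise a high-level e-mail alert. It reuses the post's parent rule 18104 and event ids (with `$` anchors added so that, for example, `^528` cannot also match a longer id), and the account names in the `<user>` pattern are placeholders for the site's own administrator accounts.

```xml
<!-- local_rules.xml: Windows administrator logon alerting.
     Added example, not the original poster's rules. Rule ids 100005 and 18104
     and the event ids come from the post; the account names are placeholders. -->
<group name="local,windows,">

  <!-- Parent: any successful Windows logon event, the same selection the post's
       rule 100005 makes. Kept at a low level with no e-mail, because this rule
       fires for every account that logs on. -->
  <rule id="100005" level="3">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^672$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Child: the same event, but only when the decoded user name is one of the
       administrator accounts. Each alternative is anchored with ^ and $ so that
       names such as "administrator2" do not match. Replace the placeholder names
       with the real administrator accounts. -->
  <rule id="100006" level="10">
    <if_sid>100005</if_sid>
    <user>^administrator$|^everon$</user>
    <options>alert_by_email</options>
    <description>Windows logon by an administrator account.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

After editing local_rules.xml, feed a copy of a real logon event through /var/ossec/bin/ossec-logtest to confirm that rule 100006 (and not only 100005) fires for an administrator account, then restart OSSEC with /var/ossec/bin/ossec-control restart.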