[ossec-dev] ossec-hids: decoder.xml (HEAD) [dcid]
Module name: ossec-hids
Changes by: dcid 06/08/28 14:32:40
Modified files:
decoder.xml
Log message:
Description: Adding ossec related rules and decoder. Adding extra decoder for pam also.
Reviewed by: dcid
Bug:
Index: decoder.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/decoder.xml,v
diff -u -r1.65 -r1.66
--- decoder.xml 24 Aug 2006 18:48:05 -0000 1.65
+++ decoder.xml 28 Aug 2006 17:32:39 -0000 1.66
@@ -41,6 +41,13 @@
<order>srcip, user</order>
</decoder>
+<decoder name="pam-host">
+ <parent>pam</parent>
+ <prematch offset="after_parent"> rhost</prematch>
+ <regex offset="after_prematch">^=(\S+) </regex>
+ <order>srcip</order>
+</decoder>
+
<decoder name="pam-user">
<parent>pam</parent>
<prematch offset="after_parent">^session opened </prematch>
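Review bot: The `pam-host` regex `^=(\S+) ` requires a space after the rhost value, so a PAM line where `rhost=` is the last field and the trailing whitespace has been stripped would pass the prematch but extract no srcip. Since `\S+` already stops at whitespace, the trailing space can be dropped: `<regex offset="after_prematch">^=(\S+)</regex>`. The value PAM logs as rhost may be a hostname rather than an address, so anything consuming srcip downstream (correlation, active response) should not assume it is an IP. A sample-line comment above the decoder, such as `<!-- ... rhost=REMOTE_HOST user=USER (constructed sample) -->`, would make the intended match checkable. The `pam-user` decoder that follows continues outside the hunk.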
@@ -838,6 +845,14 @@
<decoder name="ossec">
<prematch>^ossec: </prematch>
</decoder>
+
+<decoder name="ossec-agent">
+ <parent>ossec</parent>
+ <prematch offset="after_parent">^Agent started:</prematch>
+ <regex offset="after_prematch">^ '(\S+)'</regex>
+ <order>data</order>
+ <fts>name, location, data</fts>
+</decoder>
<!-- EOF -->
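Review bot: The `ossec-agent` decoder relies only on the parent's `^ossec: ` prefix match, so any monitored log line beginning with `ossec: Agent started:` would be decoded as an agent start and feed the `fts` first-time-seen state. If these events are meant to come only from the manager itself, the rule that consumes this decoder should constrain the source, which is not visible here. The regex `^ '(\S+)'` also fails when the quoted value contains whitespace, leaving `data` unset for the fts check; presumably agent identifiers never contain spaces, but that is worth confirming. A short comment with a sample line, e.g. `<!-- ossec: Agent started: 'AGENT_ID' (constructed sample) -->`, would document the expected format.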