# Copyright 2004 Tenable Network Security # This library may only be used with the Thunder server and may not # be used with other products or open source projects # # NAME: # Linux log parser # # DESCRIPTION: # This library is used to process logs from Linux systems. # # LAST UPDATE: $Date: 2012/05/11 11:37:30 $ id=1300 name=This Linux system has had a new user added. match=ser match=user match=useradd[ match=]: new user: name= match=, home=/ match=, shell=/ log=event:Linux-User_Added type:system NEXT id=1301 name=This Linux system had a group added. match=ser match=useradd[ match=user match=]: new group: name= log=event:Linux-Group_Added type:system NEXT id=1306 name=This Linux system had a root login. match=lo match=log match= login[ match=OT match=]: ROOT LOGIN match=IN match=LO match=ROOT match=OOT regex=ROOT LOGIN.*(on|ON).*$ log=event:Linux-Root_Login type:login NEXT id=1307 name=This Linux system had a password change. match=ss match=ass match= passwd[ match=pass match=]: password for ` match=ser match=ed match=' changed by user ` match=an match=user regex=passwd\[.* (password for .* changed by user .*) log=event:Linux-Password_Change type:system NEXT id=1308 name=This Linux system had an invalid login attempt with a bad password. match=lo match=log match=login[ match=ss match=ass match=]: invalid password for ` match=pass regex=login\[.*(invalid password for .*)$ log=event:Linux-Failed_Login type:login-failure NEXT id=1309 name=This Linux system had a failed login. match=lo match=log match=login match=: FAILED LOGIN match=IN match=LO match= FOR match=FO match=ail match=ailure match=ent match=ion match=, Authentication failure match=uthentication log=event:Linux-Failed_Login type:login-failure NEXT id=1310 name=This Linux system had software installed via the dpkg package manager. 
match=sta match=le match=ed match= status installed match=nstall match=status regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] status installed log=event:Linux-DPKG_Software_Installed type:system NEXT id=1311 name=This Linux system had software removed via dpkg package manager. match=rem match= remove regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] remove log=event:Linux-DPKG_Software_Removed type:system NEXT id=1312 name=This Linux system had an rpc.statd exploit attempt. match=AT match=Oct 27 13:27:54 igunda rpc.statd[353]: POSSIBLE SPOOF/ATTACK ATTEMPT! match= rpc.statd[ match=MP match=]: POSSIBLE SPOOF/ATTACK ATTEMPT! match=ATTACK log=event:Linux-rpc.statd_Exploit type:intrusion dstport:111 NEXT id=1313 name=This Linux system had a mountd export request. match=xport match=est match=request match=rom match=rpc.mountd: export request from regex=rpc\.mountd: export request from ([0-9]+(\.[0-9]+){3})$ log=event:Linux-rpc.mountd_Export_Request srcip:$1 type:connection NEXT id=1314 name=This system had an SU or SUDO authentication login failure. match=su match=pam_unix match=ent match=ail match=ion match= authentication failure; regex=(.*su\[[0-9]|su\(pam|sudo\:) log=event:Linux-Failed_SU_Login type:login-failure NEXT id=1315 name=This Linux system has refused a mount point. match=est match=request match=rom match=ed match=rpc.mountd: refused mount request from regex=rpc\.mountd: refused mount request from ([0-9]+(\.[0-9]+){3}) for log=event:Linux-Failed_NFS_Mount type:access-denied srcip:$1 NEXT id=1316 name=This Linux system had promiscuous mode enabled. This means a sniffer is now active. match=kernel match=rom match=romiscuous match=le match=ed match=: Promiscuous mode enabled. log=event:Linux-Promiscuous_Mode_Enabled type:system NEXT id=1317 name=This Linux system had promiscuous mode enabled. This means a sniffer is now active. 
match=kernel match=rom match=romiscuous match=ent match=ed match= entered promiscuous mode log=event:Linux-Promiscuous_Mode_Enabled type:system NEXT id=1318 name=This Linux system had a group account added. match=ser match=user match= useradd[ match=ed match=]: account added to group - account= match=acc log=event:Linux-Group_Added type:system NEXT id=1319 name=This Linux system had an account added which already existed. match=ser match=user match= useradd[ match=]: account already exists - account= match=acc log=event:Linux-User_Exists type:error NEXT id=1320 name=This Linux system had an account added. match=ser match=user match= useradd[ match=ed match=]: new account added - account= match=acc log=event:Linux-User_Added type:system NEXT id=1321 name=This Linux system had an account removed from a group. match=rom match=ed match=]: account removed from group - account= match=acc match=rem match=, group= match=, gid= match=, by= log=event:Linux-User_Removed_From_Group type:system NEXT id=1322 name=This Linux system had an account deleted. match= shadow[ match=le match=ed match=]: account deleted match=acc match=- account= log=event:Linux-User_Deleted type:system NEXT id=1323 name=This Linux system had a user password changed. match=ss match=ass match= passwd[ match=pass match=ed match=]: password changed - account= match=acc match=an log=event:Linux-User_PW_Changed type:system NEXT id=1324 name=This Linux system had a password changed. match=ss match=ass match=passwd match=pass match=ed match=]: password changed for match=an log=event:Linux-User_PW_Changed type:system NEXT id=1325 name=This Linux system had a user deleted. match=!from group match=!removed group match=ser match=userdel[ match=user match=le match=]: delete user ` log=event:Linux-User_Deleted type:system NEXT id=1326 name=This Linux system had a user added. 
match=ser match= adduser[ match=]: new user: name= match=user log=event:Linux-User_Added type:system NEXT id=1327 name=This Linux system had a group added. match=ser match= adduser[ match=]: new group: name= match=user log=event:Linux-Group_Added type:system NEXT id=1328 name=This Linux system is running SE Linux and had an AVC access granted. match=tem match=ystem match= avc: match=kernel match=kernel: audit( match=ed match=: avc: granted { match=an log=event:SELinux-AVC_granted sensor:$1 type:system NEXT id=1329 name=This Linux system is running SE Linux and had an AVC access denied. match=kernel match=tem match=ystem match=kernel: audit( match= avc: match=ed match=: avc: denied { log=event:SELinux-AVC_denied sensor:$1 type:access-denied NEXT id=1332 name=This Linux system had a local named cache hit denied. match=ed match=named[ match=ent match=]: client match=client match=: query (cache) denied regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Named-Cache_Denied srcip:$1 type:access-denied NEXT id=1333 name=This Linux system had named configuration failure. match=ed match= named[ match=ail match=lo match=ion match=ing match=]: loading configuration: failure match=ailure log=event:Named-Configuration_Failure type:error NEXT id=1334 name=This Linux system is running SELinux and it has prevented a system process from accessing a resource. match=SE match=SELinux match=ent match=ing match=is preventing match=le match=. For complete log=event:SELinux-Action_Prevention type:access-denied NEXT id=1335 name=This Linux system is out of memory. match=kernel match=ce match=le match=ed match=ss match=kernel: Out of Memory: Killed process log=event:Linux-Out_Of_Memory type:error NEXT id=1336 name=This Linux system has logged an error with the CD-ROM drive. match=kernel match=rom match= cdrom_pc_intr: log=event:Linux-CDROM_Error type:error NEXT id=1337 name=This Linux server has logged a connection to a service being hosted by the xinetd daemon. 
match= xinetd[ match=RT match= START: match=ST match=rom match= from= match=from regex= from(=|=::ffff:)([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Linux-Xinetd_Connection type:connection srcip:$2 NEXT id=1338 name=The Yum application manager has installed a system package. match=yum: match=sta match=le match=ed match= Installed: match=nstall log=event:Linux-Yum_Installation type:system NEXT id=1339 name=This Linux operating system has recently rebooted. The matched syslog message indicating the kernel type is only displayed during the boot process. match=kernel match=ion match=kernel: Linux version 2. log=event:Linux-System_Start type:restart NEXT id=1340 name=The Yum application manager has updated a system package. match=yum: match=ate match=ed match= Updated: match=date log=event:Linux-Yum_Updated type:system NEXT id=1341 name=The Yum application manager has erased a system package. match=yum: match=ed match= Erased: log=event:Linux-Yum_Erased type:system NEXT id=1342 name=The Up2date application successfully authenticated to an up2date server. This means that a Red Hat server was able to connect to a server to receive an update. match=ate match=] up2date match=date match=ent match=ion match=uthentication match=ce match=ed match=ss match= successfully retrieved authentication token log=event:Linux-Up2date_Authenticated type:system NEXT id=1343 name=The Up2date application failed to connect to an up2date server. This could mean that the Red Hat server is not configured correctly, or has network connectivity issues. match=ate match=] up2date match=date match=ser match=rr match=ing match= Error communicating with server log=event:Linux-Up2date_Connection_Failure type:error NEXT id=1344 name=The Up2date application registered the system. This is part of the process of receiving system updates from Red Hat. match=ate match=] up2date match=date match=tem match=ed match= Registered system. 
match=ystem log=event:Linux-Up2date_Registered_System type:system NEXT id=1345 name=The Up2date application added packages to the package profile. Software was added to the Red Hat server. match=ate match=] up2date match=date match=ack match=ing match=le match= Adding packages to package profile log=event:Linux-Up2date_Package_Additions type:system NEXT id=1346 name=The Up2date application removed packages from the package profile. Software was removed from the Red Hat server. match=ate match=] up2date match=date match=rom match=ack match=ing match=le match= Removing packages from package profile log=event:Linux-Up2date_Package_Deletions type:system NEXT id=1347 name=The Up2date application was unable to activate installation. This could mean that the Red Hat server is not configured correctly, or has network connectivity issues. match=ate match=] up2date match=date match=sta match=rr match=ion match=ing match=le match= There was an error while activating the installation match=an match=nstall log=event:Linux-Up2date_Activation_Failure type:error NEXT id=1348 name=The Up2date application passed invalid credentials. This could mean that a Red Hat server's maintenance has expired. # Please note, no initial up2date token in this up2date log record match=rr match=ss match=ass match=Error Class Info match=ent match=tem match=ed match=Invalid System Credentials match=ystem log=event:Linux-Up2date_Invalid_Credentials type:error NEXT id=1349 name=The network time protocol has synchronized to a network time source. match=tp match=ntpd[ match=ntp match=ed match= synchronized to match= stratum match=! LOCAL regex=synchronized to ([0-9]+(\.[0-9]+){3}), log=event:Linux-Network_Time_Update type:system dstip:$1 NEXT id=1350 name=This Linux system had promiscuous mode disabled. This means a sniffer is now deactivated. 
match=kernel match=rom match=romiscuous match=le match= left promiscuous mode log=event:Linux-Promiscuous_Mode_Disabled type:system NEXT id=1351 name=This Linux system had a user removed from a group. match=!removed group match=rom match=from group match=ser match=userdel[ match=user match=le match=]: delete ` log=event:Linux-User_Removed_From_Group type:system NEXT id=1352 name=This Linux system had a group removed. match=ser match=userdel[ match=user match=ed match=]: removed group match=rem match=owned by log=event:Linux-Group_Removed type:system NEXT id=1353 name=This Linux system had a system administrator run the gpasswd command to perform a bulk change of users. match=ss match=ass match=pass match=gpasswd[ log=event:Linux-Group_Passwd_Change type:system NEXT id=1354 name=The ntpd is shutting down. match=tp match=ntp match=ntpd[ match=ing match=ntpd exiting on signal 15 match=signal log=event:Linux-Network_Time_Daemon_Shutdown type:process NEXT id=1355 name=The ntpd is starting up. match=tp match=ntp match=ntpd[ match= ntpd regex=ntpd\[([0-9]+)\]\: ntpd [0-9]\.[0-9].*20[0-9][0-9] log=event:Linux-Network_Time_Daemon_Version type:system NEXT id=1356 name=This Linux system has logged a segfault from a running process. match=kernel match=segfault at log=event:Linux-Segfault_Detected type:process NEXT id=1357 name=The ntp daemon cannot open the temporary drift file. match=tp match=ntp match=ntpd[ match=ion match=ed match=ss match=can't open /etc/ntp/drift.TEMP: Permission denied match=an match=MP log=event:Linux-Network_Time_Permission_Denied type:error NEXT id=1358 name=This Linux system had promiscuous mode enabled. This means a sniffer is now active. match=ce match= device match=ent match=rom match=ed match= entered promiscuous mode log=event:Linux-Promiscuous_Mode_Enabled type:system NEXT id=1359 name=This Linux system had promiscuous mode disabled. This means a sniffer is now deactivated. 
match=ce match= device match=rom match=romiscuous match=le match= left promiscuous mode log=event:Linux-Promiscuous_Mode_Disabled type:system NEXT id=1360 name=This system had multiple SUDO login attempts. match=sudo: match=tem match=rr match=ss match=ass match=pt match=incorrect password attempts match=ect match=pass match=USER match=SE match=ER match=; USER= match=; PWD= match=; COMMAND= log=event:Linux-Mulitple_SUDO_Failures type:login-failure NEXT id=1361 name=The network time protocol has synchronized to a local network time source. match=tp match=ntp match=AL match=ntpd[ match=ed match= synchronized to match= stratum match= LOCAL match=LO log=event:Linux-Network_Time_Local_Update type:system NEXT id=1362 name=This Linux system had a user removed. match=ser match=userdel[ match=user match=le match=ed match=]: account deleted - account= match=acc log=event:Linux-User_Account_Removed type:system NEXT id=1363 name=This Linux system is running SELinux and it has been disabled. match= avc: match=ce match=ed match= received setenforce notice match=ing match= (enforcing=0) log=event:SELinux-Disabled type:system NEXT id=1364 name=This Linux system is running SELinux and it has been enabled. match= avc: match=ce match=ed match= received setenforce notice match=ing match= (enforcing=1) log=event:SELinux-Enabled type:system NEXT id=1365 name=This Linux system is running the xinetd service. match= xinetd[ match=ion match= xinetd Version match=sta match=ar match=ed match= started with match=start log=event:Linux-Xinetd type:restart NEXT id=1366 name=This Linux server has finished a connection to a service being hosted by the xinetd daemon. match= xinetd[ match= EXIT: match=sta match= status= match=status match= pid= match=ion match= duration= log=event:Linux-Xinetd_Connection_Finished type:connection NEXT id=1367 name=This Linux server had a command issued by root. 
match=ser match=User 'root' match=User match=an match=ecu match=ed match= executed command match=!parent process match=ce match=ss match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, match=ommand log=event:Linux-Command_Issued_By_Root type:process NEXT id=1368 name=This Linux server had commands issued by a superuser not named root. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=!parent process match=ce match=ss match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, match=ser match=le match= Superuser priveleges were used. log=event:Linux-Command_Issued_By_SuperUser type:process NEXT id=1369 name=This Linux server had commands issued by a non-root user. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=!parent process match=!Superuser priveleges were used. match=ce match=ss match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, log=event:Linux-User_Issued_Command type:process NEXT id=1370 name=This Linux system had software configured via the dpkg package manager. match=sta match=status match=le match= status config-files regex=^20[0-9][0-9]-[0-3][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] status config-files log=event:Linux-DPKG_Software_Configured type:system NEXT id=1371 name=The network time protocol has synchronized to a network time source. match=tp match=ntp match=ntpd[ match=: time reset log=event:Linux-Network_Time_Reset type:system NEXT id=1372 name=This Linux server had a Small Footprint CIM Broker error accepting an SSL connection. 
match=SSL match=ion match=onnection match=onnect match=ect match=sfcb[ match=rr match=ing match=ce match=pt match= Error accepting SSL match=acc match=connection -- exiting log=event:Linux-SFCB_SSL_Connection_Error type:error NEXT id=1373 name=This Linux server had commands issued by a superuser not named root. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=ent match=ar match=ce match=ss match= parent process match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, match=ser match=le match= Superuser priveleges were used. log=event:Linux-Command_Issued_By_SuperUser_With_ParentID type:process NEXT id=1374 name=This Linux server had commands issued by a non-root user. match=!User 'root' match=ecu match=ed match= executed command match=ommand match=an match=ent match=ar match=ce match=ss match= parent process match=!Superuser priveleges were used. match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, log=event:Linux-User_Issued_Command_With_ParentID type:process NEXT id=1375 name=This Linux server had a command issued by root. match=ser match=User 'root' match=User match=ecu match=ed match= executed command match=ommand match=an match=ent match=ar match=ce match=ss match= parent process match= The process executed for match=ing match= during which an average of match= of memory was used. match= minor page faults, match= major page faults, log=event:Linux-Command_Issued_By_Root_With_ParentID type:process NEXT id=1376 name=A process exited abnormally. match=exited abnormally match= ALER match=ER match=: match= [ match=RT match=ed match=ALERT match=AL log=event:Linux-Command_Exited_Abnormally type:process NEXT id=1377 name=A user attempted to authenticate but the account was unknown to the local system. 
match=pam_succeed_if match=ssh match=in match=error retrieving information about user match=nformation match= user match=user match=ser match=rr match=ce match=error match=sshd[ match=]: log=event:Linux-SSH_Unknown_User type:login-failure NEXT id=1378 name=This Linux system had a user su to root. match=: match=session opened for user match=user match= user match=su match=ser match=ss match=ed match=pam_unix match=ion match=su: pam_unix(su-l:session): regex=session opened for user root by ([^\ ]{2,25})\( log=event:Linux-SU_Session_Opened type:login user:$1 NEXT id=1379 name=This Linux system had a root session close. match=su: pam_unix(su-l:session): match=: match=user match= user match=su match=lo match=session closed for user root match=ser match=ss match=ed match=pam_unix match=ion regex=session closed for user ([^\ ]{2,25}) log=event:Linux-SU_Session_Closed type:logout user:$1 NEXT id=1380 name=This Linux system had a user fail su authentication. match=ent match=: match= authentication failure; match=uthentication match=user match=ailure match=su: pam_unix(su-l:auth): match=authentication failure match= user match=su match=lo match=ail match=ser match=log match=pam_unix match=ion regex= authentication failure\; logname=.* ruser=([^\ ]{2,25}) rhost= log=event:Linux-SU_Authentication_Failure type:login-failure user:$1 NEXT id=1381 name=This Linux system has a session opened for root by a uid. match=ss match=ses match=en match=use match=oo match=root match=by match=: session opened for user root by log=event:Linux-Session_Opened_For_Root type:login NEXT id=1382 name=This Linux system has a session started for argus. match=argus[ match=gu match=argus match=ar match=st match=started log=event:Linux-Argus_Started type:process NEXT id=1383 name=This Linux system has issued an argus interface status. 
match=argus[ match=gu match=argus match=ar match=Ar match=Get match=te match=fa match=St match=at match=ArgusGetInterfaceStatus: log=event:Linux-Argus_Interface_Status type:process NEXT id=1384 name=This Linux system has issued a cron command. match=!audit match=CRON[ match=CRON match=CR match=CMD log=event:Linux-CRON_CMD type:system NEXT id=1385 name=This Linux system had a user fail authentication. match=!SU match=!su match= authentication failure; match=uthentication match=user match=ailure match=authentication failure match=ail match=ser match=log match=pam_unix match=ion regex= authentication failure\; logname=.* ruser= rhost=.*user=([^\ ]{2,25}) log=event:Linux-Authentication_Failure type:login-failure user:$1 NEXT id=1386 name=This Linux system had a user fail authentication. match=uthentication match=user match=ail match=ser match=pam_krb match=ion regex=authentication fails for \'username\' \(([^\ ]{2,25})\)\: log=event:Linux-Authentication_Failure type:login-failure user:$1 NEXT id=1387 name=This Linux system had a user authenticate. match=uthentication match=user match=ser match=pam_krb match=ion regex=authentication succeeds for \'username\' \(([^\ ]{2,25})\) log=event:Linux-Authentication_Succeeds type:login user:$1 NEXT id=1388 name=This Linux system had an error reading keytab. match=error match=or match=rr match=rror match=ing match=pam_krb match=error reading keytab log=event:Linux-Error_Reading_Keytab type:error NEXT id=1389 name=This Linux system had a session close. match=user match= user match=lo match=session closed for user match=ser match=ss match=ed match=pam_unix match=ion regex=session closed for user ([^\ ]{2,25}) log=event:Linux-Session_Closed type:logout user:$1