
Add aruba rules and decoders #212

Open

wants to merge 2 commits into master

Conversation

frgv (Contributor) commented Oct 10, 2018

Added Aruba decoders. Aruba is the OS used by HP network devices, for example. Logs taken from an HP 2920 switch via syslog:

{"timestamp":"2018-10-02T00:46:26.831+1000","agent":{"id":"000","name":"ip-10-160-16-14"},"manager":{"name":"somename"},"id":"1538405186.2295","cluster":{"name":"wazuh-cluster","node":"node01"},"full_log":" Oct 2 00:46:26 1.2.3.4 00435 ports: port 7 is Blocked by STP\n","decoder":{},"location":"1.1.1.1"}

Sep 27 10:55:32 1.1.1.1 00077 ports: port 3 is now off-line

**Phase 1: Completed pre-decoding.
       full event: ' Sep 27 10:55:32 1.1.1.1 00077 ports:  port 3 is now off-line'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: ' Sep 27 10:55:32 1.1.1.1 00077 ports:  port 3 is now off-line'

**Phase 2: Completed decoding.
       decoder: 'aruba'
       srcip: '1.1.1.1'
       id: '00077'
       event_type: 'ports'
       srcport: '3'
       status: 'now off-line'

**Phase 3: Completed filtering (rules).
       Rule id: '700007'
       Level: '3'
       Description: 'Aruba ports log: Port now off-line.'
**Alert to be generated.

Sep 27 10:48:29 1.2.3.4 02631 SNTP: Server not found at 1.1.1.1.

**Phase 1: Completed pre-decoding.
       full event: ' Sep 27 10:48:29 10.150.112.4 02631 SNTP:  Server not found at 1.1.1.1.'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: ' Sep 27 10:48:29 1.2.3.4 02631 SNTP:  Server not found at 1.1.1.1.'

**Phase 2: Completed decoding.
       decoder: 'aruba'
       srcip: '1.2.3.4'
       id: '02631'
       event_type: 'SNTP'
       action: '  Server not found at 1.1.1.1.'

**Phase 3: Completed filtering (rules).
       Rule id: '700003'
       Level: '3'
       Description: 'Aruba SNTP log: Server not found.'
**Alert to be generated.
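The decoding the logtest output above shows, reproduced as an added example (not code from the PR or from Wazuh): the header regex, the `ports` child decoder and the rule table are assumptions written from the decoded fields, rule ids and descriptions printed above; the sample lines are the three Aruba lines quoted in this description.

```python
"""Reference parser for the Aruba (HP switch) syslog lines shown above.

Added example, not part of the pull request: it reproduces the fields the
Wazuh 'aruba' decoder reports (srcip, id, event_type, srcport, status,
action) with a plain regex so the behaviour can be unit-tested outside
ossec-logtest. Rule ids and descriptions are the ones logtest printed above;
the actual decoder/rule XML of the PR is not on this page, so this is an
approximation of it, not a copy.
"""
import ipaddress
import re
from typing import Optional

# Header shared by every Aruba line: "<Mon> <day> <hh:mm:ss> <srcip> <id> <event_type>: <rest>"
HEADER_RE = re.compile(
    r"^\s*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<srcip>\S+)\s+(?P<id>\d{5})\s+(?P<event_type>[A-Za-z]+):\s*(?P<rest>.*?)\s*$"
)
# Child decoder for the "ports" event type: "port <n> is <status>"
PORTS_RE = re.compile(r"^port\s+(?P<srcport>\d+)\s+is\s+(?P<status>.+)$")

# Rules as reported by logtest above: (id, level, description, event_type, text that must appear).
RULES = (
    ("700007", 3, "Aruba ports log: Port now off-line.", "ports", "now off-line"),
    ("700003", 3, "Aruba SNTP log: Server not found.", "SNTP", "Server not found"),
)


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields for one Aruba syslog line, or None if it is not an Aruba line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"decoder": "aruba", "srcip": m["srcip"], "id": m["id"], "event_type": m["event_type"]}
    # Reject lines whose source field is not an IP address: srcip feeds alerts and later correlation,
    # so a hostname or garbage in that position should not be accepted silently.
    try:
        ipaddress.ip_address(fields["srcip"])
    except ValueError:
        return None
    rest = m["rest"]
    if fields["event_type"] == "ports":
        p = PORTS_RE.match(rest)
        if p:
            fields["srcport"] = p["srcport"]
            fields["status"] = p["status"]
            return fields
    # Any other event type (e.g. SNTP) keeps the free text as 'action' (whitespace trimmed here).
    fields["action"] = rest
    return fields


def match_rule(fields: dict) -> Optional[dict]:
    """Pick the first rule whose event_type and text match; None means 'decoded, but no alert'."""
    haystack = fields.get("status", "") + " " + fields.get("action", "")
    for rule_id, level, description, event_type, needle in RULES:
        if fields["event_type"] == event_type and needle in haystack:
            return {"rule_id": rule_id, "level": level, "description": description}
    return None


# The three Aruba lines quoted in the PR description (the third is the full_log of the JSON event).
SAMPLE_LINES = [
    " Sep 27 10:55:32 1.1.1.1 00077 ports:  port 3 is now off-line",
    " Sep 27 10:48:29 1.2.3.4 02631 SNTP:  Server not found at 1.1.1.1.",
    " Oct 2 00:46:26 1.2.3.4 00435 ports: port 7 is Blocked by STP",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = decode(line)
        print(fields, "->", match_rule(fields) if fields else "no decoder match")
```

The third sample line decodes (srcport 7, status "Blocked by STP") but matches none of the two rules shown above, which is the case a rule author wants to see explicitly rather than have swallowed.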

@jesuslinares jesuslinares assigned migruiz4 and unassigned SitoRBJ and frgv Oct 16, 2018
okynos commented Dec 26, 2018

Hi @frgv @migruiz4, this PR is failing due to the following error in the ossec.log:

2018/12/24 17:41:38 ossec-analysisd: CRITICAL: rules_list: Signature ID '700000' not found. Invalid 'if_sid'.

It seems that the installation fails at some point. We would appreciate it if you could fix the error, thanks.
Here is some logging I captured:

Ruleset installation log:

        "### Wazuh ruleset ###", 
        "", 
        "The following rules will be updated:", 
        "\t0010-rules_config.xml", 
        "\t0015-ossec_rules.xml", 
        "\t0016-wazuh_rules.xml", 
        "\t0020-syslog_rules.xml", 
        "\t0025-sendmail_rules.xml", 
        "\t0030-postfix_rules.xml", 
        "\t0035-spamd_rules.xml", 
        "\t0040-imapd_rules.xml", 
        "\t0045-mailscanner_rules.xml", 
        "\t0050-ms-exchange_rules.xml", 
        "\t0055-courier_rules.xml", 
        "\t0060-firewall_rules.xml", 
        "\t0065-pix_rules.xml", 
        "\t0070-netscreenfw_rules.xml", 
        "\t0075-cisco-ios_rules.xml", 
        "\t0080-sonicwall_rules.xml", 
        "\t0085-pam_rules.xml", 
        "\t0090-telnetd_rules.xml", 
        "\t0095-sshd_rules.xml", 
        "\t0100-solaris_bsm_rules.xml", 
        "\t0105-asterisk_rules.xml", 
        "\t0110-ms_dhcp_rules.xml", 
        "\t0115-arpwatch_rules.xml", 
        "\t0120-symantec-av_rules.xml", 
        "\t0125-symantec-ws_rules.xml", 
        "\t0130-trend-osce_rules.xml", 
        "\t0135-hordeimp_rules.xml", 
        "\t0140-roundcube_rules.xml", 
        "\t0145-wordpress_rules.xml", 
        "\t0150-cimserver_rules.xml", 
        "\t0155-dovecot_rules.xml", 
        "\t0160-vmpop3d_rules.xml", 
        "\t0165-vpopmail_rules.xml", 
        "\t0170-ftpd_rules.xml", 
        "\t0175-proftpd_rules.xml", 
        "\t0180-pure-ftpd_rules.xml", 
        "\t0185-vsftpd_rules.xml", 
        "\t0190-ms_ftpd_rules.xml", 
        "\t0195-named_rules.xml", 
        "\t0200-smbd_rules.xml", 
        "\t0205-racoon_rules.xml", 
        "\t0210-vpn_concentrator_rules.xml", 
        "\t0215-policy_rules.xml", 
        "\t0220-msauth_rules.xml", 
        "\t0225-mcafee_av_rules.xml", 
        "\t0230-ms-se_rules.xml", 
        "\t0235-vmware_rules.xml", 
        "\t0240-ids_rules.xml", 
        "\t0245-web_rules.xml", 
        "\t0250-apache_rules.xml", 
        "\t0255-zeus_rules.xml", 
        "\t0260-nginx_rules.xml", 
        "\t0265-php_rules.xml", 
        "\t0270-web_appsec_rules.xml", 
        "\t0275-squid_rules.xml", 
        "\t0280-attack_rules.xml", 
        "\t0285-systemd_rules.xml", 
        "\t0290-firewalld_rules.xml", 
        "\t0295-mysql_rules.xml", 
        "\t0300-postgresql_rules.xml", 
        "\t0305-dropbear_rules.xml", 
        "\t0310-openbsd_rules.xml", 
        "\t0315-apparmor_rules.xml", 
        "\t0320-clam_av_rules.xml", 
        "\t0325-opensmtpd_rules.xml", 
        "\t0330-sysmon_rules.xml", 
        "\t0335-unbound_rules.xml", 
        "\t0340-puppet_rules.xml", 
        "\t0345-netscaler_rules.xml", 
        "\t0350-amazon_rules.xml", 
        "\t0360-serv-u_rules.xml", 
        "\t0365-auditd_rules.xml", 
        "\t0375-usb_rules.xml", 
        "\t0380-redis_rules.xml", 
        "\t0385-oscap_rules.xml", 
        "\t0390-fortigate_rules.xml", 
        "\t0395-hp_rules.xml", 
        "\t0400-openvpn_rules.xml", 
        "\t0405-rsa-auth-manager_rules.xml", 
        "\t0410-imperva_rules.xml", 
        "\t0415-sophos_rules.xml", 
        "\t0420-freeipa_rules.xml", 
        "\t0425-cisco-estreamer_rules.xml", 
        "\t0430-ms_wdefender_rules.xml", 
        "\t0435-ms_logs_rules.xml", 
        "\t0440-ms_sqlserver_rules.xml", 
        "\t0445-identity_guard_rules.xml", 
        "\t0450-mongodb_rules.xml", 
        "\t0455-docker_rules.xml", 
        "\t0460-jenkins_rules.xml", 
        "\t0470-vshell_rules.xml", 
        "\t0475-suricata_rules.xml", 
        "\t0480-qualysguard_rules.xml", 
        "\t0485-cylance_rules.xml", 
        "\t0490-virustotal_rules.xml", 
        "\t0495-proxmox-ve_rules.xml", 
        "\t0500-owncloud_rules.xml", 
        "\t0505-vuls_rules.xml", 
        "\t0510-ciscat_rules.xml", 
        "\t0515-exim_rules.xml", 
        "\t0520-vulnerability-detector.xml", 
        "\t0525-openvas_rules.xml", 
        "\t0530-mysql_audit_rules.xml", 
        "\t0535-mariadb_rules.xml", 
        "\t0540-pfsense_rules.xml", 
        "\t0545-osquery_rules.xml", 
        "\t0550-kaspersky_rules.xml", 
        "\t0555-azure_rules.xml", 
        "\t0560-docker_integration_rules.xml", 
        "\t0565-aruba_rules.xml", 
        "", 
        "The following rootchecks will be updated:", 
        "\tcis_apache2224_rcl.txt", 
        "\tcis_debian_linux_rcl.txt", 
        "\tcis_mysql5-6_community_rcl.txt", 
        "\tcis_mysql5-6_enterprise_rcl.txt", 
        "\tcis_rhel5_linux_rcl.txt", 
        "\tcis_rhel6_linux_rcl.txt", 
        "\tcis_rhel7_linux_rcl.txt", 
        "\tcis_rhel_linux_rcl.txt", 
        "\tcis_sles11_linux_rcl.txt", 
        "\tcis_sles12_linux_rcl.txt", 
        "\tcis_win2012r2_domainL1_rcl.txt", 
        "\tcis_win2012r2_domainL2_rcl.txt", 
        "\tcis_win2012r2_memberL1_rcl.txt", 
        "\tcis_win2012r2_memberL2_rcl.txt", 
        "\trootkit_files.txt", 
        "\trootkit_trojans.txt", 
        "\tsystem_audit_rcl.txt", 
        "\tsystem_audit_ssh.txt", 
        "\twin_applications_rcl.txt", 
        "\twin_audit_rcl.txt", 
        "\twin_malware_rcl.txt", 
        "", 
        "The following decoders will be updated:", 
        "\t0005-wazuh_decoders.xml", 
        "\t0006-json_decoders.xml", 
        "\t0010-active-response_decoders.xml", 
        "\t0015-aix-ipsec_decoders.xml", 
        "\t0025-apache_decoders.xml", 
        "\t0030-arpwatch_decoders.xml", 
        "\t0035-asterisk_decoders.xml", 
        "\t0040-auditd_decoders.xml", 
        "\t0045-barracuda_decoders.xml", 
        "\t0050-checkpoint_decoders.xml", 
        "\t0055-cimserver_decoders.xml", 
        "\t0060-cisco-estreamer_decoders.xml", 
        "\t0065-cisco-ios_decoders.xml", 
        "\t0070-cisco-vpn_decoders.xml", 
        "\t0075-clamav_decoders.xml", 
        "\t0080-courier_decoders.xml", 
        "\t0085-dovecot_decoders.xml", 
        "\t0090-dragon-nids_decoders.xml", 
        "\t0095-dropbear_decoders.xml", 
        "\t0100-fortigate_decoders.xml", 
        "\t0105-freeipa_decoders.xml", 
        "\t0110-ftpd_decoders.xml", 
        "\t0115-grandstream_decoders.xml", 
        "\t0120-horde_decoders.xml", 
        "\t0125-hp_decoders.xml", 
        "\t0130-imapd_decoders.xml", 
        "\t0135-imperva_decoders.xml", 
        "\t0140-kernel_decoders.xml", 
        "\t0145-mailscanner_decoders.xml", 
        "\t0150-mysql_decoders.xml", 
        "\t0155-named_decoders.xml", 
        "\t0160-netscaler_decoders.xml", 
        "\t0165-netscreen_decoders.xml", 
        "\t0170-nginx_decoders.xml", 
        "\t0175-ntpd_decoders.xml", 
        "\t0180-openbsd_decoders.xml", 
        "\t0185-openldap_decoders.xml", 
        "\t0190-openvpn_decoders.xml", 
        "\t0195-oscap_decoders.xml", 
        "\t0200-ossec_decoders.xml", 
        "\t0205-pam_decoders.xml", 
        "\t0210-pix_decoders.xml", 
        "\t0215-portsentry_decoders.xml", 
        "\t0220-postfix_decoders.xml", 
        "\t0225-postgresql_decoders.xml", 
        "\t0230-proftpd_decoders.xml", 
        "\t0235-puppet_decoders.xml", 
        "\t0240-pure-ftpd_decoders.xml", 
        "\t0245-racoon_decoders.xml", 
        "\t0250-redis_decoders.xml", 
        "\t0255-roundcube_decoders.xml", 
        "\t0260-rsa-auth-manager_decoders.xml", 
        "\t0265-rshd_decoders.xml", 
        "\t0270-samba_decoders.xml", 
        "\t0275-sendmail_decoders.xml", 
        "\t0280-serv-u_decoders.xml", 
        "\t0285-snort_decoders.xml", 
        "\t0290-solaris_decoders.xml", 
        "\t0295-sonicwall_decoders.xml", 
        "\t0300-sophos_decoders.xml", 
        "\t0305-squid_decoders.xml", 
        "\t0310-ssh_decoders.xml", 
        "\t0315-su_decoders.xml", 
        "\t0320-sudo_decoders.xml", 
        "\t0325-suhosin_decoders.xml", 
        "\t0330-symantec_decoders.xml", 
        "\t0335-telnet_decoders.xml", 
        "\t0340-trend-osce_decoders.xml", 
        "\t0345-unbound_decoders.xml", 
        "\t0350-unix_decoders.xml", 
        "\t0355-vm-pop3_decoders.xml", 
        "\t0360-vmware_decoders.xml", 
        "\t0365-vpopmail_decoders.xml", 
        "\t0370-vsftpd_decoders.xml", 
        "\t0375-web-accesslog_decoders.xml", 
        "\t0378-mariadb_decoders.xml", 
        "\t0379-dpkg_decoders.xml", 
        "\t0380-windows_decoders.xml", 
        "\t0385-wordpress_decoders.xml", 
        "\t0390-zeus_decoders.xml", 
        "\t0395-sqlserver_decoders.xml", 
        "\t0400-identity_guard_decoders.xml", 
        "\t0405-mongodb_decoders.xml", 
        "\t0410-docker_decoders.xml", 
        "\t0415-jenkins_decoders.xml", 
        "\t0420-vshell_decoders.xml", 
        "\t0425-qualysguard_decoders.xml", 
        "\t0430-cylance_decoders.xml", 
        "\t0435-owncloud_decoders.xml", 
        "\t0440-proxmox-ve_decoders.xml", 
        "\t0445-exim_decoders.xml", 
        "\t0450-openvas_decoders.xml", 
        "\t0455-pfsense_decoders.xml", 
        "\t0460-kaspersky_decoders.xml", 
        "\t0465-azure_decoders.xml", 
        "\t0470-aruba_decoders.xml", 
        "", 
        "OSSEC requires a restart to apply changes.", 
        "ERROR: OSSEC restart failed"

Ossec.log

        "2018/12/24 17:40:49 ossec-testrule: INFO: Started (pid: 1092).", 
        "2018/12/24 17:40:50 wazuh-db: INFO: Started (pid: 1136).", 
        "2018/12/24 17:40:50 ossec-execd: INFO: Started (pid: 1150).", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0005-wazuh_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0006-json_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0010-active-response_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0015-aix-ipsec_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0025-apache_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0030-arpwatch_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0035-asterisk_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0040-auditd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0045-barracuda_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0050-checkpoint_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0055-cimserver_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0060-cisco-estreamer_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0065-cisco-ios_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0070-cisco-vpn_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0075-clamav_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0080-courier_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0085-dovecot_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0090-dragon-nids_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0095-dropbear_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0100-fortigate_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0105-freeipa_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0110-ftpd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0115-grandstream_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0120-horde_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0125-hp_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0130-imapd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0135-imperva_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0140-kernel_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0145-mailscanner_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0150-mysql_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0155-named_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0160-netscaler_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0165-netscreen_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0170-nginx_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0175-ntpd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0180-openbsd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0185-openldap_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0190-openvpn_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0195-oscap_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-remoted: INFO: Started (pid: 1167).", 
        "2018/12/24 17:40:50 ossec-remoted: INFO: Started (pid: 1168).", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0200-ossec_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0205-pam_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0210-pix_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0215-portsentry_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0220-postfix_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0225-postgresql_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0230-proftpd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0235-puppet_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0240-pure-ftpd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0245-racoon_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0250-redis_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0255-roundcube_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0260-rsa-auth-manager_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0265-rshd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0270-samba_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0275-sendmail_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0280-serv-u_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0285-snort_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0290-solaris_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0295-sonicwall_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0300-sophos_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0305-squid_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0310-ssh_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0315-su_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0320-sudo_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0325-suhosin_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0330-symantec_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0335-telnet_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0340-trend-osce_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0345-unbound_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0350-unix_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0355-vm-pop3_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0360-vmware_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0365-vpopmail_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0370-vsftpd_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0375-web-accesslog_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0378-mariadb_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0379-dpkg_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-monitord: INFO: Started (pid: 1190).", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0380-windows_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0385-wordpress_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0390-zeus_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0395-sqlserver_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0400-identity_guard_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0405-mongodb_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0410-docker_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0415-jenkins_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0420-vshell_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0425-qualysguard_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0430-cylance_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0435-owncloud_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0440-proxmox-ve_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0445-exim_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0450-openvas_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0455-pfsense_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0460-kaspersky_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file ruleset/decoders/0465-azure_decoders.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading decoder file etc/decoders/local_decoder.xml.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading loading the lists file: 'etc/lists/audit-keys'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading loading the lists file: 'etc/lists/amazon/aws-sources'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading loading the lists file: 'etc/lists/amazon/aws-eventnames'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0010-rules_config.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0015-ossec_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0016-wazuh_rules.xml'", 
        "2018/12/24 17:40:50 wazuh-modulesd: INFO: Process started.", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0020-syslog_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0025-sendmail_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0030-postfix_rules.xml'", 
        "2018/12/24 17:40:50 wazuh-modulesd:oscap: INFO: Module disabled. Exiting...", 
        "2018/12/24 17:40:50 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...", 
        "2018/12/24 17:40:50 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...", 
        "2018/12/24 17:40:50 wazuh-modulesd:database: INFO: Module started.", 
        "2018/12/24 17:40:50 wazuh-modulesd:download: INFO: Module started", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0035-spamd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0040-imapd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0045-mailscanner_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0050-ms-exchange_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0055-courier_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0060-firewall_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0065-pix_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0070-netscreenfw_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0075-cisco-ios_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0080-sonicwall_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0085-pam_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0090-telnetd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0095-sshd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0100-solaris_bsm_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0105-asterisk_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0110-ms_dhcp_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0115-arpwatch_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0120-symantec-av_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0125-symantec-ws_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0130-trend-osce_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0135-hordeimp_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0140-roundcube_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0145-wordpress_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0150-cimserver_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0155-dovecot_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0160-vmpop3d_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0165-vpopmail_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0170-ftpd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0175-proftpd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0180-pure-ftpd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0185-vsftpd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0190-ms_ftpd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0195-named_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0200-smbd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0205-racoon_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0210-vpn_concentrator_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0220-msauth_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0225-mcafee_av_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0230-ms-se_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0235-vmware_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0240-ids_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0245-web_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0250-apache_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0255-zeus_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0260-nginx_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0265-php_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0270-web_appsec_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0275-squid_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0280-attack_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0285-systemd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0290-firewalld_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0295-mysql_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0300-postgresql_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0305-dropbear_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0310-openbsd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0315-apparmor_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0320-clam_av_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0325-opensmtpd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0330-sysmon_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0335-unbound_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0340-puppet_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0345-netscaler_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0350-amazon_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0360-serv-u_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0365-auditd_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0375-usb_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0380-redis_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0385-oscap_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0390-fortigate_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0395-hp_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0400-openvpn_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0405-rsa-auth-manager_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0410-imperva_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0415-sophos_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0420-freeipa_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0425-cisco-estreamer_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0430-ms_wdefender_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0435-ms_logs_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0440-ms_sqlserver_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0445-identity_guard_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0450-mongodb_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0455-docker_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0460-jenkins_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0470-vshell_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0475-suricata_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0480-qualysguard_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0485-cylance_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0490-virustotal_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0495-proxmox-ve_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0500-owncloud_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0505-vuls_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0510-ciscat_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0515-exim_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0520-vulnerability-detector.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0525-openvas_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0530-mysql_audit_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0535-mariadb_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0540-pfsense_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0545-osquery_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0550-kaspersky_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0555-azure_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'ruleset/rules/0560-docker_integration_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Reading rules file: 'etc/rules/local_rules.xml'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Total rules enabled: '2353'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/random.seed'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/sys/kernel/security'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Ignoring file: '/sys/kernel/debug'", 
        "2018/12/24 17:40:50 ossec-analysisd: INFO: Started (pid: 1156).", 
        "2018/12/24 17:40:51 ossec-logcollector: INFO: Monitoring output of command(360): df -P", 
        "2018/12/24 17:40:51 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d", 
        "2018/12/24 17:40:51 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 20", 
        "2018/12/24 17:40:51 ossec-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.", 
        "2018/12/24 17:40:51 ossec-logcollector: INFO: Started (pid: 1172).", 
        "2018/12/24 17:40:51 ossec-remoted: INFO: (4111): Maximum number of agents allowed: '14000'.", 
        "2018/12/24 17:40:51 ossec-remoted: INFO: (1410): Reading authentication keys file.", 
        "2018/12/24 17:40:51 wazuh-modulesd:syscollector: INFO: Module started.", 
        "2018/12/24 17:40:52 wazuh-modulesd:syscollector: INFO: Starting evaluation.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Started (pid: 1162).", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha1sum | sha256sum | mtime | inode.", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/mtab'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/hosts.deny'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/mail/statistics'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/random-seed'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/random.seed'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/adjtime'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/httpd/logs'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/utmpx'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/wtmpx'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/cups/certs'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/dumpdates'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/etc/svc/volatile'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/sys/kernel/security'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: Ignoring: '/sys/kernel/debug'", 
        "2018/12/24 17:40:54 ossec-syscheckd: INFO: No diff for file: '/etc/ssl/private.key'", 
        "2018/12/24 17:40:54 rootcheck: INFO: Started (pid: 1162).", 
        "2018/12/24 17:40:55 wazuh-modulesd:syscollector: INFO: Evaluation finished.", 
        "2018/12/24 17:41:09 ossec-syscheckd: INFO: Syscheck scan frequency: 43200 seconds", 
        "2018/12/24 17:41:09 ossec-syscheckd: INFO: Starting syscheck scan.", 
        "2018/12/24 17:41:09 rootcheck: INFO: Starting rootcheck scan.", 
        "2018/12/24 17:41:09 ossec-authd: INFO: Started (pid: 1412).", 
        "2018/12/24 17:41:09 ossec-authd: INFO: Accepting connections on port 1515. No password required.", 
        "2018/12/24 17:41:09 ossec-authd: INFO: Setting network timeout to 1.000000 sec.", 
        "2018/12/24 17:41:14 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).", 
        "2018/12/24 17:41:24 rootcheck: INFO: Ending rootcheck scan.", 
        "2018/12/24 17:41:38 ossec-analysisd: CRITICAL: rules_list: Signature ID '700000' not found. Invalid 'if_sid'.", 
        "2018/12/24 17:41:38 ossec-syscheckd: WARNING: Cannot open '/boot': No such file or directory ", 
        "2018/12/24 17:41:38 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed)."

Regards.
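One defender-side check for the CRITICAL line in that log (`Signature ID '700000' not found. Invalid 'if_sid'`), written here as an added example that is not part of this PR or of Wazuh itself: it loads a set of rule files and reports every `if_sid` or `if_matched_sid` that names a rule no loaded file defines, which is what ossec-analysisd refuses at startup. The file contents are constructed for the example; rule 700000 is deliberately missing, and the names `SAMPLE_FILES` and `find_dangling_sids` are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not real ruleset files): a child rule chains to parent
# 700000 via if_sid, but no loaded file defines 700000, exactly the situation
# behind the "Signature ID '700000' not found" message in the log above.
SAMPLE_FILES = {
    "0395-hp_rules.xml": """<group name="hp,">
  <rule id="75000" level="0">
    <decoded_as>hp</decoded_as>
    <description>HP messages grouped.</description>
  </rule>
</group>""",
    "local_rules.xml": """<group name="aruba,">
  <rule id="700007" level="3">
    <if_sid>700000</if_sid>
    <match>now off-line</match>
    <description>Aruba ports log: Port now off-line.</description>
  </rule>
  <rule id="100001" level="3">
    <if_sid>75000</if_sid>
    <description>HP child rule (parent exists).</description>
  </rule>
</group>""",
}


def find_dangling_sids(files):
    """Return (file, rule_id, missing_parent) for every if_sid/if_matched_sid
    whose target is not defined in any of the given files."""
    defined = set()
    refs = []
    for name, xml in files.items():
        # Wazuh rule files are XML fragments (several <group> elements, no
        # single document root), so wrap them before parsing.
        root = ET.fromstring("<root>%s</root>" % xml)
        for rule in root.iter("rule"):
            defined.add(rule.get("id"))
            for tag in ("if_sid", "if_matched_sid"):
                for el in rule.findall(tag):
                    # if_sid accepts a comma/space separated list of parent ids
                    for sid in re.split(r"[,\s]+", (el.text or "").strip()):
                        if sid:
                            refs.append((name, rule.get("id"), sid))
    return [(f, r, s) for f, r, s in refs if s not in defined]


if __name__ == "__main__":
    for fname, rid, parent in find_dangling_sids(SAMPLE_FILES):
        print("%s: rule %s: Signature ID '%s' not found. Invalid 'if_sid'."
              % (fname, rid, parent))
```

Run it against a real `ruleset/rules/` plus `etc/rules/` tree by filling the dict from disk; the only hit on the sample is 700007 pointing at the absent 700000.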

@vikman90 vikman90 changed the base branch from 3.7 to develop July 31, 2020 12:11
@vikman90 vikman90 changed the base branch from develop to master September 25, 2020 08:21