can't see alert for message field from sudo.log file #13038
Replies: 1 comment 1 reply
-
Have you tried out Do you get any hits when you run |
-
I have an Ubuntu 22.04 VM with an Apache HTTP Server installed. With Rsyslog I collect all the logs (system and Apache) of the VM, and afterwards with rsync I import the logs into my SecurityOnion Server in this path: home/admin/testin1/. I can see all my logs in the dashboards and in Kibana. After this I crafted some Sigma Rules for the Apache HTTP logs detecting a specific url.path and it works. Then I tried to detect this string "sudo NOT in sudoers" inside the sudo.log file (I've inserted the path inside the System integration), but the Sigma Rule doesn't generate any alert. Example of the full log:
2024-05-20T15:47:54.151541+02:00 user1 sudo: daemon : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch file.txt
EXAMPLE of sigma rule:
I've tried literally everything; how can I detect a string inside the message field with the SecurityOnion playbook?
Version: 2.4.60
Standalone
Security Onion ISO image
1 nodes manager
16GB, 4 CPU in VirtualBox
All services running
Grid --> Elasticsearch Status: Pending
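For reference, this is how a Sigma rule that looks for the denial string in the message field of the log line quoted above is normally written. It is an added example, not the poster's rule (which did not survive on the page) and not a Security Onion or SigmaHQ rule; the `logsource` values and the ECS field name `message` are assumptions about how the sudo.log events are indexed.

```yaml
# Added example: detect sudo denials of the form "<user> NOT in sudoers"
# as they appear in the quoted sudo.log line. The field name "message"
# and the logsource mapping are assumed, not taken from the page.
title: Sudo Invoked by User Not in Sudoers
status: experimental
description: >
  A user who is not listed in sudoers attempted to run a command with sudo.
  Matches the "NOT in sudoers" denial written by sudo to sudo.log / syslog.
references:
  - https://www.sudo.ws/docs/man/sudo.man/
author: added example (not the original poster)
logsource:
  product: linux
  service: sudo          # assumed mapping for events shipped from sudo.log
detection:
  selection:
    # Substring match; the "|contains" modifier wraps the value in wildcards
    # so the leading timestamp, host and "sudo:" prefix do not matter.
    message|contains: 'NOT in sudoers'
  condition: selection
fields:
  - message
falsepositives:
  - Administrators mistyping sudo on a host where they are not granted rights
level: medium
tags:
  - attack.privilege_escalation
  - attack.t1548.003
```

The quoted line (`... sudo: daemon : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch file.txt`) satisfies the selection only if the whole syslog message lands in the field the rule names, so checking which field actually holds that text in Kibana is the first thing to verify when such a rule produces no alert.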