Jupyterhub support #540
base: master
Thanks for your contribution @banditopazzo! The decoders and rules are ok. It's really cool that you also wrote the related tests.
Could you add a decoder for the user field extraction? This way its value could be used as a filter on the rules side. I think something like the example below should do the trick:
```xml
<decoder name="jupyterhub">
<parent>jupyterhub</parent>
<regex>User logged out: (\S+)|User logged in: (\S+)|Failed login for: (\S+)</regex>
<order>user</order>
</decoder>
```
It would be great if you also add the user value in your rules description as in the example below:
```xml
<description>JupyterHub successful logout $(user) account</description>
```
Let me know if I can provide further guidance. Greetings,
JP Sáez
Hi @Zenidd, I tried your suggestion but if I insert the new decoder for the user field extraction it doesn't extract the already extracted fields (date, time) anymore. I don't know how to write a single regex that matches every case and, above all, I don't know if it's the best way of doing it.
Hello again @banditopazzo, I forgot to mention that you should segregate your decoder in two parts. First the prematch stage and then continue with regex sections in each child decoder as in the example below. Let me know if it works for you.
```xml
<decoder name="jupyterhub">
<program_name>^python3</program_name>
<prematch>JupyterHub</prematch>
</decoder>
<decoder name="jupyterhub-add">
<parent>jupyterhub</parent>
<regex>(\d\d\d\d-\d\d-\d\d) (\d\d:\d\d:\d\d)</regex>
<order>date,time</order>
</decoder>
<decoder name="jupyterhub-add">
<parent>jupyterhub</parent>
<regex offset="after_regex">User logged out: (\S+)|User logged in: (\S+)|Failed login for (\S+)</regex>
<order>user</order>
</decoder>
```
[screenshot: ossec-logtest example]
Let me know how it goes. Greetings,
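The two-stage layout described in the comment above (a parent decoder with a prematch, then chained sibling child decoders, the second one with offset="after_regex") emulated as an added Python example; this is not code from the PR or from Wazuh/OSSEC, and it approximates os_regex with Python's re (the two syntaxes agree on \d and \S but are not identical) over constructed JupyterHub log lines.

```python
import re

# Constructed JupyterHub log bodies; the syslog header and program name are assumed
# to have been consumed already by the parent decoder's <program_name>^python3</program_name>.
SAMPLE_LOGS = [
    "[I 2019-01-10 12:00:01 JupyterHub base:1] User logged in: alice",
    "[W 2019-01-10 12:05:42 JupyterHub auth:1] Failed login for bob",
    "[I 2019-01-10 12:30:00 JupyterHub base:2] User logged out: alice",
    "[I 2019-01-10 12:31:00 JupyterHub app:1] Hub API listening on http://127.0.0.1:8081/hub/",
    "[I 2019-01-10 12:32:00 SomethingElse] User logged in: mallory",
]

PREMATCH = "JupyterHub"  # the parent decoder's <prematch>

# Sibling child decoders, tried in order: (regex, <order> fields, offset="after_regex"?).
# The second sibling's search starts where the previous sibling's regex match ended.
CHILDREN = [
    (re.compile(r"(\d\d\d\d-\d\d-\d\d) (\d\d:\d\d:\d\d)"), ["date", "time"], False),
    (re.compile(r"User logged out: (\S+)|User logged in: (\S+)|Failed login for (\S+)"), ["user"], True),
]


def decode(line):
    """Return the fields extracted from one line, or None when the prematch fails."""
    if PREMATCH not in line:
        return None
    fields = {}
    last_end = 0
    for pattern, order, after_regex in CHILDREN:
        match = pattern.search(line, last_end if after_regex else 0)
        if match is None:
            continue  # this sibling adds nothing; date/time from the first one are kept
        # With '|' alternation only the matching alternative's group is set, so drop
        # the unset groups before pairing the rest with the <order> field names.
        captured = [g for g in match.groups() if g is not None]
        fields.update(zip(order, captured))
        last_end = match.end()
    return fields


def decode_all(lines=SAMPLE_LOGS):
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LOGS, decode_all()):
        print(f"{line!r}\n  -> {fields}")
```

The fourth line shows the point of the chaining: a line with no login event still yields date and time instead of losing them, which is the behaviour the earlier single-regex attempt broke.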
Hi @Zenidd, thank you for helping me understand how the decoders work. I have updated the files like you said, except I had to use regards
added basic rules for JupyterHub