Channel: Madhuka

Adding More User Data Fields to an Event


We need extra user data fields on our security event. Specifically, we need to know:

  • the time the event occurred
  • the host server IP

We can achieve this by editing the relevant event entry in ‘/etc/ossim/agent/plugins/ossec-single-line.cfg’. We are interested in the Web group, ID 0030, so we add the lines below to it:

userdata3={normalize_date($date)}
userdata4={resolv($hostname)}

After editing, the entry looks like this:


[0030 - Web - group - 31xxx]
event_type=event
#precheck="web"
regexp="^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>31\d\d\d)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>web[^\"]*)\";\sRC:\s\"(?P<rule_comment>[^\"]+)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>[^\"]*)\";\sHOSTNAME:\s\"(?P<agent_name>\([^\)]*\)\s+)?(?:\S+@)?(?P<hostname>(?(agent_name)(?:\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})|(?:\S+)))(?:->\S+)?;\sLOCATION:\s\"(?P<location>[^\"]*)\";\sEVENT:\s\"\[INIT\](?P<request>.*)\[END\]\";"
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
device={resolv($hostname)}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_comment}
userdata2={$request}
userdata3={normalize_date($date)}
userdata4={resolv($hostname)}

Then trigger the event with a web request that returns a 404. The custom user data fields now appear on the event, as shown below.

[Screenshot: the event in the OSSIM console showing the custom userdata3 and userdata4 fields]

These user data fields can then be used in your OSSIM directives and rules.
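As an added example (not part of the original post and not OSSIM's own agent code), the Python script below runs the 0030 regexp above over a constructed OSSEC single-line alert and applies the same field mapping, so you can check offline what userdata3 and userdata4 will contain before restarting the agent. The sample alert line, the host table and the two stand-in functions normalize_date() and resolv() are assumptions (the agent's real functions accept more date formats and use DNS); plugin_id is left out because translate() needs the plugin's own translation table.

```python
"""Check the [0030 - Web - group - 31xxx] mapping, including the new
userdata3/userdata4 lines, against a constructed OSSEC single-line alert.

Added example, not the OSSIM agent's code: it re-implements the regex match
and uses simplified stand-ins for normalize_date() and resolv()."""
import re
from datetime import datetime, timezone

# The regexp value from the 0030 entry, copied verbatim from the plugin config.
RULE_0030_REGEX = re.compile(
    r'^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>31\d\d\d)\";'
    r'\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>web[^\"]*)\";'
    r'\sRC:\s\"(?P<rule_comment>[^\"]+)\";\sUSER:\s\"(?P<username>\S+)\";'
    r'\sSRCIP:\s\"(?P<srcip>[^\"]*)\";\sHOSTNAME:\s\"(?P<agent_name>\([^\)]*\)\s+)?'
    r'(?:\S+@)?(?P<hostname>(?(agent_name)(?:\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})|(?:\S+)))'
    r'(?:->\S+)?;\sLOCATION:\s\"(?P<location>[^\"]*)\";'
    r'\sEVENT:\s\"\[INIT\](?P<request>.*)\[END\]\";'
)

# Constructed sample: an OSSEC web rule 31101 alert for a 404 from an agent.
SAMPLE_ALERT = (
    'AV - Alert - "1700000000" --> RID: "31101"; RL: "5"; '
    'RG: "web,accesslog,attack,"; RC: "Web server 400 error code."; '
    'USER: "None"; SRCIP: "192.0.2.10"; '
    'HOSTNAME: "(webserver01) 192.0.2.20->/var/log/apache2/access.log"; '
    'LOCATION: "/var/log/apache2/access.log"; '
    'EVENT: "[INIT]192.0.2.10 - - [14/Nov/2023:22:13:20 +0000] '
    '"GET /missing.html HTTP/1.1" 404 196[END]";'
)

IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
# Constructed host table standing in for DNS resolution (assumption).
HOST_TABLE = {"webserver01": "192.0.2.20"}


def normalize_date(value: str) -> str:
    """Stand-in for the agent's normalize_date(): an epoch-seconds string
    (what the 0030 regexp captures as <date>) becomes 'YYYY-MM-DD HH:MM:SS' UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def resolv(value: str) -> str:
    """Stand-in for the agent's resolv(): IP literals pass through, host names
    are looked up in HOST_TABLE and left unchanged when unknown."""
    if IPV4.fullmatch(value):
        return value
    return HOST_TABLE.get(value, value)


def build_event(line: str):
    """Apply the 0030 field mapping (as written in the config entry) to one
    alert line; returns None when the regexp does not match, in which case the
    agent would move on to the next plugin entry."""
    match = RULE_0030_REGEX.match(line)
    if match is None:
        return None
    f = match.groupdict()
    return {
        "date": normalize_date(f["date"]),
        "plugin_sid": f["rule_id"],
        "device": resolv(f["hostname"]),
        "src_ip": resolv(f["srcip"]),
        "dst_ip": resolv(f["hostname"]),
        "username": f["username"],
        "userdata1": f["rule_comment"],
        "userdata2": f["request"],
        # The two lines added to the config entry:
        "userdata3": normalize_date(f["date"]),
        "userdata4": resolv(f["hostname"]),
    }


if __name__ == "__main__":
    event = build_event(SAMPLE_ALERT)
    for key, value in event.items():
        print(f"{key}={value}")
```

If build_event() returns None for a real alert line taken from the agent's log, the regexp did not match and the new fields will not be filled in either, so fix the match before looking at the userdata values.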

