This is the plugin for parsing HP iLO v. 4 login/logout events on AlienVault OSSIM
OSSIM plugin for HP iLO
# Alienvault plugin
# Author: Eugene Sokolov at esguardian@outlook.com
# Plugin myILO id:90012 version: 0.0.1
# Last modification: 2015-06-10 16:10
#
# Accepted products:
# HP iLO v.4
#
# Purpose: OSSIM detector plugin that parses the HP iLO 4 login/logout lines
# which rsyslog diverts into a dedicated file (rule below). Four rules follow,
# one per message variant: IPMI login (sid 1), browser login (sid 2),
# logout (sid 3) and login failure (sid 4). The sid numbers must match the
# plugin_sid rows registered for plugin 90012 in the companion SQL file.
#
# Every regexp captures the same leading fields, in this order:
#   time      - syslog time-of-day (HH:MM:SS) of the relayed line
#   dst_ip    - syslog host field, i.e. the iLO that emitted the message
#   app_name  - two whitespace-separated tokens (presumably "iLO 4", matching
#               the rsyslog filter below - verify against a sample line)
#   date      - date token inside the iLO message body
#   host_time - time token inside the iLO message body (captured, not mapped)
#   host_proc - next token of the message body (mapped to userdata1)
# followed by the variant-specific "login by" / "login:" / "logout:" /
# "login failure from:" part, whose source address is terminated by the
# literal "(" that follows the address in iLO messages.
#
# /etc/rsyslog.d/ilo.conf
# if $rawmsg contains 'iLO 4' and ($rawmsg contains 'login' or $rawmsg contains 'logout') then -/var/log/ilo-access.log
# & ~
# (the leading '-' asks rsyslog to buffer writes to the file; '& ~' is the
#  legacy rsyslog syntax that discards the matched message afterwards so it
#  is not handled by later rules)
#
[DEFAULT]
plugin_id=90012
[config]
type=detector
enable=yes
source=log
#
location=/var/log/ilo-access.log
# The log file is created by the rsyslog rule above, not by the plugin:
# with create_file=false the plugin does not create a missing file and,
# per the original author's note, stops processing instead.
create_file=false
process=
start=yes ; launch plugin process when agent starts
stop=no ; shutdown plugin process when agent stops
# restart=yes ; restart plugin process after each interval
# restart_interval=180
startup=
shutdown=
# Successful login over IPMI: "... login by <user> <token> <src_ip>("
[ilo - user login IPMI]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sby\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\(" 
plugin_sid=1
# device = resolv() of the syslog host field (the iLO itself)
device={resolv($dst_ip)}
# event date = date token from the iLO message + time-of-day from the syslog
# header; host_time (the iLO's own time token) is captured but not used
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
# token between user and source address; assumed to be a separator -
# verify against a sample line
userdata2={$unknown}
# Successful login through the web UI: "... login: <user> <token> <src_ip>("
[ilo - user login Browser]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\(" 
plugin_sid=2
# device = resolv() of the syslog host field (the iLO itself)
device={resolv($dst_ip)}
# event date = iLO message date + syslog time-of-day (host_time unused)
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
# token between user and source address; assumed to be a separator
userdata2={$unknown}
# Logout: "... logout: <user> <token> <src_ip>("
[ilo - user logout]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+logout:\s+(?P<user>\S+)\s+(?P<unknown>\S+)\s+(?P<src_ip>\S+)\(" 
plugin_sid=3
# device = resolv() of the syslog host field (the iLO itself)
device={resolv($dst_ip)}
# event date = iLO message date + syslog time-of-day (host_time unused)
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
username={$user}
userdata1={$host_proc}
# token between user and source address; assumed to be a separator
userdata2={$unknown}
# Failed login: "... login failure from: <src_ip>(" - the message carries no
# username, so only the source address is mapped. This is the sid worth
# watching for repeated attempts against the same iLO.
[ilo - user login failure]
event_type=event
regexp="(?P<time>\d{2}:\d{2}:\d{2})\s(?P<dst_ip>\S+)\s+(?P<app_name>\S+\s\S+)\s+(?P<date>\S+)\s+(?P<host_time>\S+)\s+(?P<host_proc>\S+)\s+login\sfailure\sfrom:\s+(?P<src_ip>\S+)\(" 
plugin_sid=4
# device = resolv() of the syslog host field (the iLO itself)
device={resolv($dst_ip)}
# event date = iLO message date + syslog time-of-day (host_time unused)
date={normalize_date($date + ' ' + $time)}
src_ip={$src_ip}
# src_port={""}
dst_ip={$dst_ip}
# dst_port={""}
# protocol={""}
# no user group in this regexp, so the username mapping stays disabled
#username={$user}
userdata1={$host_proc}
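-- myILO
-- plugin_id: 90012
--
-- Registers the myILO detector plugin (id 90012) and its four event sids in
-- the OSSIM database. The sid numbers must match the plugin_sid values in
-- the companion plugin .cfg file (1 = IPMI login, 2 = browser login,
-- 3 = logout, 4 = login failure).
--
-- Re-runnable: existing rows for this plugin id are removed first so that
-- edited names/priorities are applied, then re-inserted. The DELETEs and the
-- INSERTs run in one transaction so a failure mid-way does not leave the
-- plugin half-registered.
--
-- plugin.id and plugin_sid.plugin_id are numeric, so the ids are written as
-- integer literals: the earlier "90012" double-quoted literals relied on
-- implicit string-to-number coercion and are parsed as identifiers (and fail)
-- when MySQL runs with ANSI_QUOTES.
START TRANSACTION;

DELETE FROM plugin WHERE id = 90012;
DELETE FROM plugin_sid WHERE plugin_id = 90012;

-- type 1 = detector plugin (matches type=detector in the .cfg)
INSERT IGNORE INTO plugin (id, type, name, description)
VALUES (90012, 1, 'myILO', 'ILO access');

-- category_id / class_id are left NULL (no taxonomy assigned).
-- priority 1 / reliability 3 for every sid, including the login-failure
-- sid 4; consider a higher priority for sid 4 if failed iLO logins should
-- weigh more in correlation directives.
INSERT IGNORE INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability)
VALUES
    (90012, 1, NULL, NULL, 'ILO access IPMI',    1, 3),
    (90012, 2, NULL, NULL, 'ILO access Browser', 1, 3),
    (90012, 3, NULL, NULL, 'ILO logout',         1, 3),
    (90012, 4, NULL, NULL, 'ILO access FAILURE', 1, 3);

COMMIT;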