This plug-in monitors user registration in controlled systems. It collects data that the cisco-asa and ossec plugins save in the alienvault-siem database. The monitored events are Windows logon success (both domain and local), PAM Unix logon, and Cisco remote access (AnyConnect) IP-to-user assignment.
The plugin uses my own Python script, user-logon-monitor, which creates two work files, /var/cache/logon-monitor/logon-history.list and /var/cache/logon-monitor/logon-<today_date>.list, and also writes 5 types of events to /var/log/user-logon-monitor.log:
1 - Hello! If a user logs on for the first time today and was already registered in the past 5 days
2 - Wellcome back! If a user logs on for the first time today and was last recorded more than 5 but less than 20 days ago