Created
June 26, 2013 15:46
-
-
Save reyjrar/5868559 to your computer and use it in GitHub Desktop.
OSSEC Decoder for crontab manipulation.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- Decoder to enable extracting data from the crontab command | |
| Aug 30 17:13:02 server.example.com crontab[1347]: (root) LIST (root) | |
| Aug 30 17:13:38 server.example.com crontab[2852]: (root) BEGIN EDIT (root) | |
| Aug 30 17:13:41 server.example.com crontab[2852]: (root) REPLACE (root) | |
| Aug 30 17:13:41 server.example.com crontab[2852]: (root) END EDIT (root) | |
| Aug 30 17:14:01 server.example.com crond[1756]: (root) RELOAD (/var/spool/cron/root) | |
| Aug 30 17:14:01 server.example.com CROND[4018]: (root) CMD (/usr/lib64/sa/sa1 1 1) | |
| Aug 30 17:14:06 server.example.com crontab[4030]: (root) LIST (root) | |
| Aug 30 17:15:01 server.example.com CROND[5818]: (root) CMD (/usr/lib64/sa/sa1 1 1) | |
| Aug 30 17:16:01 server.example.com CROND[6515]: (root) CMD (/usr/lib64/sa/sa1 1 1) | |
| --> | |
| <decoder name="crontab"> | |
| <program_name>crontab</program_name> | |
| </decoder> | |
| <decoder name="crontab-user"> | |
| <parent>crontab</parent> | |
| <regex>^\((\S+)\) </regex> | |
| <order>user</order> | |
| </decoder> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment