AlienVault (OSSIM) filter for the AVAPI user (OBSOLETE)

So that the SIEM console does not fill up with millions of messages about sshd and the like generated by the avapi account (the user AlienVault's API uses for its SSH connections), we create an rsyslog filter on the host that receives the logs.

Create the filter in “/etc/rsyslog.d/av-filter-avapi.conf” (legacy rsyslog syntax), check it with `rsyslogd -N1`, and restart rsyslog:

# Rules are evaluated top-down. "& ~" discards the message right after the
# preceding action, so the first rule that matches is also the last one to
# see the message: specific routing rules must come before generic discards.

# Noise originating from the AlienVault server itself (hostname and IP).
# Note: the third rule also drops sshd lines that mention that IP, which
# includes avapi logins coming from it.
if $fromhost == 'fqdn-alientvaultserver.domain.net' then -/dev/null
& ~
if $fromhost == 'x.x.x.x' then -/dev/null
& ~
if $programname == 'sshd' and $msg contains 'x.x.x.x' then -/dev/null
& ~

# Keep the avapi SSH and sudo activity in its own file instead of the SIEM.
if $programname == 'sshd' and $msg contains 'Accepted publickey for avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sshd' and $msg contains 'session opened for user avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sshd' and $msg contains 'session closed for user avapi' then -/var/log/alienvault/api/avapisecure.log
& ~
if $programname == 'sudo' and $msg contains 'avapi' then -/var/log/alienvault/api/avapisecure.log
& ~

# Anything else that mentions avapi is dropped. This generic discard must stay
# below the rules above, otherwise it swallows every avapi line first.
if $msg contains 'avapi' then -/dev/null
& ~

# Web UI sudo activity goes to its own file; the "su ... user daemon" noise is dropped.
if $programname == 'sudo' and $msg contains 'www-data' then -/var/log/alienvault/ui/ui.log
& ~
if $programname == 'su' and $msg contains 'user daemon' then -/dev/null
& ~
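Because rsyslog evaluates these rules top-down and every rule ends in `& ~` (write to the target, then discard), a generic `contains 'avapi'` discard placed before the specific sshd/sudo routing rules shadows them and the avapisecure.log rules never fire. The following script is an added example, not part of the original post: it simulates that first-match evaluation over a few constructed log lines and compares the original ordering with one where the specific routes come first. The hostnames, the IP and the sample messages are placeholders constructed for the example.

```python
"""Simulate rsyslog's top-down, first-match evaluation of av-filter-avapi.conf.

Added example, not from the original post. Hosts, IP and log lines are
constructed placeholders; each rule mirrors one "if ... then <target>" line
followed by "& ~", i.e. the first matching rule decides and stops processing.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

AV_HOST = "fqdn-alientvaultserver.domain.net"  # placeholder hostname, as in the post
AV_IP = "x.x.x.x"                              # placeholder IP, as in the post
API_LOG = "/var/log/alienvault/api/avapisecure.log"
UI_LOG = "/var/log/alienvault/ui/ui.log"
DISCARD = "DISCARD"   # "-/dev/null" followed by "& ~"
DEFAULT = "DEFAULT"   # no rule matched: the message reaches the normal syslog outputs


@dataclass(frozen=True)
class Msg:
    fromhost: str
    programname: str
    msg: str


Rule = Tuple[Callable[[Msg], bool], str]

# Blanket discards for noise coming from the AlienVault server itself.
HOST_NOISE: List[Rule] = [
    (lambda m: m.fromhost == AV_HOST, DISCARD),
    (lambda m: m.fromhost == AV_IP, DISCARD),
    (lambda m: m.programname == "sshd" and AV_IP in m.msg, DISCARD),
]
# Specific routes that keep the avapi SSH/sudo activity in its own file.
SPECIFIC: List[Rule] = [
    (lambda m: m.programname == "sshd" and "Accepted publickey for avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sshd" and "session opened for user avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sshd" and "session closed for user avapi" in m.msg, API_LOG),
    (lambda m: m.programname == "sudo" and "avapi" in m.msg, API_LOG),
]
GENERIC_AVAPI: Rule = (lambda m: "avapi" in m.msg, DISCARD)
TAIL: List[Rule] = [
    (lambda m: m.programname == "sudo" and "www-data" in m.msg, UI_LOG),
    (lambda m: m.programname == "su" and "user daemon" in m.msg, DISCARD),
]

# Generic 'avapi' discard before the specific routes (shadows them).
SHADOWED_ORDER: List[Rule] = HOST_NOISE + [GENERIC_AVAPI] + SPECIFIC + TAIL
# Specific routes first, generic discard afterwards.
FIXED_ORDER: List[Rule] = HOST_NOISE + SPECIFIC + [GENERIC_AVAPI] + TAIL


def route(m: Msg, rules: List[Rule]) -> str:
    """Destination chosen by the first matching rule (each rule ends in '& ~')."""
    for pred, target in rules:
        if pred(m):
            return target
    return DEFAULT


# Constructed sample messages (placeholder hosts, not real captures).
SAMPLES: List[Msg] = [
    Msg("sensor01", "sshd", "Accepted publickey for avapi from 10.0.0.5 port 51234 ssh2"),
    Msg("sensor01", "sshd", "pam_unix(sshd:session): session opened for user avapi by (uid=0)"),
    Msg("sensor01", "sudo", "avapi : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/alienvault-api"),
    Msg("sensor01", "sudo", "www-data : TTY=unknown ; PWD=/usr/share/ossim ; USER=root ; COMMAND=/bin/ls"),
    Msg(AV_HOST, "cron", "(root) CMD (run-parts /etc/cron.hourly)"),
    Msg("sensor01", "sshd", "Failed password for invalid user admin from 203.0.113.9 port 4000 ssh2"),
]


def compare(samples: List[Msg]) -> List[Tuple[str, str, str]]:
    """(message, destination under shadowed order, destination under fixed order)."""
    return [(m.msg, route(m, SHADOWED_ORDER), route(m, FIXED_ORDER)) for m in samples]


if __name__ == "__main__":
    for text, shadowed, fixed in compare(SAMPLES):
        print(f"{shadowed:>8} -> {fixed:<45} {text[:60]}")
```

Running it shows the three avapi lines going to DISCARD under the shadowed ordering and to avapisecure.log once the specific rules are moved above the generic discard, while the www-data sudo line, the AlienVault host's cron noise and an unrelated failed-password line are routed identically under both orderings.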

One thought on “AlienVault (OSSIM) filter for the AVAPI user (OBSOLETE)”

  1. Configuration
     Threat Intelligence
     AV Default policies
     Create/Modify
     AVAPI Filter
     Any-Any-Any-Any : DS-Groups: AVAPI Event Types ANY SIEM NO
