From c098ee86fa28d0ab665924fa14dcfcbec58bb69d Mon Sep 17 00:00:00 2001
From: Christian Beer
Date: Wed, 4 Feb 2015 17:24:37 +0100
Subject: [PATCH] update the ossec plugin
- harmonize the coding style of the three scripts
- harmonize the label names and file names with other popular plugins
- fix active_response script to use correct date format
---
plugins/ossec/ossec-active-response | 79 ----------------------------
plugins/ossec/ossec-agents | 31 -----------
plugins/ossec/ossec-alerts | 46 ----------------
plugins/ossec/ossec_active_response | 45 ++++++++++++++++
plugins/ossec/ossec_agents | 32 ++++++++++++
plugins/ossec/ossec_alerts | 49 ++++++++++++++++++
6 files changed, 126 insertions(+), 156 deletions(-)
delete mode 100755 plugins/ossec/ossec-active-response
delete mode 100755 plugins/ossec/ossec-agents
delete mode 100755 plugins/ossec/ossec-alerts
create mode 100755 plugins/ossec/ossec_active_response
create mode 100755 plugins/ossec/ossec_agents
create mode 100755 plugins/ossec/ossec_alerts
diff --git a/plugins/ossec/ossec-active-response b/plugins/ossec/ossec-active-response
deleted file mode 100755
index 7dfd9ffd..00000000
--- a/plugins/ossec/ossec-active-response
+++ /dev/null
@@ -1,79 +0,0 @@
-
-# /bin/ sh
-#
-if [ "$1" = "autoconf" ] ; then
-
- echo "yes"
-#
-exit 0
-#
-fi
-#
-#
-logdir="/var/ossec/logs/"
-if [ "$1" = "config" ] ; then
-#
-echo "graph_title Active Response"
-#
-echo "graph_args --base 1000 -l 0 "
-#
-echo "graph_vlabel Number of active response"
-#
-echo "graph_category Ossec"
-#
-echo "graph_scale no"
-#
-echo "c_add_actions.label Number of Rules added"
-#
-echo "c_add_actions.draw LINE2"
-#
-echo 'c_add_actions.min 0'
-#
-echo "c_del_actions.label Number of Rules deleted"
-#
-echo "c_del_actions.draw LINE2"
-#
-echo 'c_del_actions.min 0'
-#
-exit 0
-#
-fi
-#
-#
-
-
-####Deleting the temporary logs files ##########
-rm -fr /tmp/ossecactive*
-
-
-###For Loop for grepping the last 5 mins logs and moving it to the /tmp
-
-month="$(date "+%b")"; time="$(date "+%d")";year="$(date "+%Y")";
-if [ "$time" -le "9" ]; then
-search1="$month $time"
-else
-search1="$month $time"
-fi
-
-#search1="$month $time"
-#echo "$search1"
-for (( i = 5; i>=0; i-- )) ; do grep $(date "+%R" -d "-$i min") /var/ossec/logs/active-responses.log | grep "$search1" | grep "$year" >> /tmp/ossecactive.log;done
-
-
-#############Fore Loop Ends##########
-
-####Grepping the Hosts Blocked in last 5 mins###########
-NB_ADD=`cat /tmp/ossecactive.log| grep add | wc -l`
-
-###########Grepping the Hosts Removed from the blocked list in last 5 mins############
-
-NB_DEL=`cat /tmp/ossecactive.log | grep del | wc -l`
-#
-#
-
-############Displaying the VALUES#############
-echo "c_add_actions.value ${NB_ADD}"
-#
-echo "c_del_actions.value ${NB_DEL}" #
-#
-exit 0
diff --git a/plugins/ossec/ossec-agents b/plugins/ossec/ossec-agents
deleted file mode 100755
index 6c5c2fb8..00000000
--- a/plugins/ossec/ossec-agents
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-if [ "$1" = "autoconf" ]; then
-echo "yes"
-exit 0
-fi
-
-if [ "$1" = "config" ]; then
-echo "graph_title Ossec Agents Status"
-echo "graph_args --base 1000 -l 0"
-echo "graph_vlabel Number of Ossec Agents"
-echo "graph_category Ossec"
-echo "graph_scale no"
-echo "active.label ACTIVE"
-echo "active.draw LINE2"
-echo 'active.min 0'
-echo "inactive.label INACTIVE"
-echo "inactive.draw LINE2"
-echo 'inactive.min 0'
-exit 0
-fi
-
-
-
-
-ACTIVE=`/var/ossec/bin/list_agents -c | grep -wv "** No agent available" | wc -l`
-INACTIVE=`/var/ossec/bin/list_agents -n | grep -wv "** No agent available" | wc -l`
-
-echo "active.value ${ACTIVE}"
-echo "inactive.value ${INACTIVE}"
-exit 0
diff --git a/plugins/ossec/ossec-alerts b/plugins/ossec/ossec-alerts
deleted file mode 100755
index 76eb5583..00000000
--- a/plugins/ossec/ossec-alerts
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-if [ "$1" = "autoconf" ]; then
-echo "yes"
-exit 0
-fi
-
-if [ "$1" = "config" ]; then
-echo "graph_title Ossec Alerts per service"
-echo "graph_args --base 1000 -l 0"
-echo "graph_vlabel Number of Alerts per service"
-echo "graph_category Ossec"
-echo "graph_scale no"
-echo "apache.label APACHE"
-echo "apache.draw LINE2"
-echo 'apache.min 0'
-echo "ssh.label SSH"
-echo "ssh.draw LINE2"
-echo 'ssh.min 0'
-echo "sudo.label SUDO"
-echo "sudo.draw LINE2"
-echo 'sudo.min 0'
-echo "total.label TOTAL"
-echo "total.draw LINE2"
-echo 'total.min 0'
-exit 0
-fi
-
-rm -fr /tmp/ossecalerts*
-logdir="/var/ossec/logs/alerts"
-
-###For Loop for grepping the last 5 mins logs
-for (( i = 5; i >=0; i-- )) ; do
- grep $(date +%R -d "-$i min") $logdir/alerts.log >> /tmp/ossecalerts.log
-done
-
-APACHE=`cat /tmp/ossecalerts.log | grep -i 'apache\|http' | wc -l`
-SSH=`cat /tmp/ossecalerts.log | grep ssh | wc -l`
-SUDO=`cat /tmp/ossecalerts.log | grep sudo | wc -l`
-TOTAL=`cat /tmp/ossecalerts.log | grep -v ">"| wc -l`
-
-echo "apache.value ${APACHE}"
-echo "ssh.value ${SSH}"
-echo "sudo.value ${SUDO}"
-echo "total.value ${TOTAL}"
-exit 0
diff --git a/plugins/ossec/ossec_active_response b/plugins/ossec/ossec_active_response
new file mode 100755
index 00000000..b9730da7
--- /dev/null
+++ b/plugins/ossec/ossec_active_response
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+if [ "$1" = "autoconf" ]; then
+ echo "yes"
+ exit 0
+fi
+
+if [ "$1" = "config" ]; then
+ echo "graph_title OSSEC Active Response"
+ echo "graph_args --base 1000 -l 0"
+ echo "graph_vlabel Number of responses"
+ echo "graph_category ossec"
+ echo "graph_scale no"
+ echo "c_add_actions.label rules added"
+ echo "c_add_actions.draw LINE2"
+ echo 'c_add_actions.min 0'
+ echo "c_del_actions.label rules deleted"
+ echo "c_del_actions.draw LINE2"
+ echo 'c_del_actions.min 0'
+ exit 0
+fi
+
+### Deleting temporary log files from last run
+rm -f /tmp/ossecactive.log
+logdir="/var/ossec/logs"
+
+
+### day of moth needs to be space padded
+month="$(date "+%b")"; day="$(date "+%e")";year="$(date "+%Y")";
+search1="$month $day"
+
+### for loop for grepping the last 5 min of logs and copy it to /tmp
+for (( i = 5; i >=0; i-- )) ; do
+ grep $(date "+%R" -d "-$i min") $logdir/active-responses.log | grep "$search1" | grep "$year" >> /tmp/ossecactive.log
+done
+### End for loop
+
+### count the lines for each action in the temporary log file
+NB_ADD=`cat /tmp/ossecactive.log | grep add | wc -l`
+NB_DEL=`cat /tmp/ossecactive.log | grep del | wc -l`
+
+echo "c_add_actions.value ${NB_ADD}"
+echo "c_del_actions.value ${NB_DEL}"
+
+exit 0
diff --git a/plugins/ossec/ossec_agents b/plugins/ossec/ossec_agents
new file mode 100755
index 00000000..3f40f5f7
--- /dev/null
+++ b/plugins/ossec/ossec_agents
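Review bot: The scratch file is a fixed, predictable path, `/tmp/ossecactive.log`, removed with `rm -f` and then re-created by the `>>` redirection inside the loop; if this plugin runs with the rights needed to read `/var/ossec/logs` (typically root), anything a local user has left at that name in the shared `/tmp`, such as a symlink, is followed by the append, and two overlapping runs also mix their counts. Create the file with `mktemp`, remove it from an EXIT trap, quote the `$(date …)` pattern and the `$logdir/…` path, and count with `grep -c` instead of `cat | grep | wc -l`; the `ossec_alerts` hunk of this commit has the same pattern with `/tmp/ossecalerts.log`. The comment `### day of moth needs to be space padded` should read `### day of month needs to be space padded`.
```shell
# … unchanged: autoconf and config sections …
logdir="/var/ossec/logs"
tmpfile=$(mktemp) || exit 1
trap 'rm -f -- "$tmpfile"' EXIT

# … unchanged: month/day/year and search1 …
for (( i = 5; i >= 0; i-- )); do
  grep "$(date "+%R" -d "-$i min")" "$logdir/active-responses.log" | grep "$search1" | grep "$year" >> "$tmpfile"
done

NB_ADD=$(grep -c add "$tmpfile")
NB_DEL=$(grep -c del "$tmpfile")
# … unchanged: value output and exit …
```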
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+if [ "$1" = "autoconf" ]; then
+ echo "yes"
+ exit 0
+fi
+
+if [ "$1" = "config" ]; then
+ echo "graph_title Ossec agents status"
+ echo "graph_args --base 1000 -l 0"
+ echo "graph_vlabel Number of ossec agents"
+ echo "graph_category ossec"
+ echo "graph_scale no"
+ echo "active.label active"
+ echo "active.draw LINE2"
+ echo 'active.min 0'
+ echo "inactive.label inactive"
+ echo "inactive.draw LINE2"
+ echo 'inactive.min 0'
+ exit 0
+fi
+
+### where to find the ossec tools
+ossecdir="/var/ossec/bin"
+
+### count the lines from the output of the list_agents tool
+ACTIVE=`$ossecdir/list_agents -c | grep -wv "** No agent available" | wc -l`
+INACTIVE=`$ossecdir/list_agents -n | grep -wv "** No agent available" | wc -l`
+
+echo "active.value ${ACTIVE}"
+echo "inactive.value ${INACTIVE}"
+exit 0
diff --git a/plugins/ossec/ossec_alerts b/plugins/ossec/ossec_alerts
new file mode 100755
index 00000000..812d072f
--- /dev/null
+++ b/plugins/ossec/ossec_alerts
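Review bot: `autoconf` answers `yes` unconditionally, although the data section depends on `$ossecdir/list_agents` being present and executable; on a host without OSSEC the plugin would be enabled and then report `0` for both series forever, since a failing command substitution still pipes an empty stream into `wc -l`. Move `ossecdir="/var/ossec/bin"` above the autoconf block and answer `if [ -x "$ossecdir/list_agents" ]; then echo yes; else echo "no ($ossecdir/list_agents not executable)"; fi`. As a point of style, the backtick substitutions with `… | wc -l` read more clearly as `$( … )` with `grep -wvc`, and the `-w` flag combined with a pattern whose first character is a literal `*` deserves a short comment such as `# -w: match the whole phrase, leading * is literal in a basic regex` because the match behaviour is easy to misread.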
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+if [ "$1" = "autoconf" ]; then
+ echo "yes"
+ exit 0
+fi
+
+if [ "$1" = "config" ]; then
+ echo "graph_title Ossec alerts per service"
+ echo "graph_args --base 1000 -l 0"
+ echo "graph_vlabel Number of alerts per service"
+ echo "graph_category ossec"
+ echo "graph_scale no"
+ echo "apache.label httpd"
+ echo "apache.draw LINE2"
+ echo 'apache.min 0'
+ echo "ssh.label ssh"
+ echo "ssh.draw LINE2"
+ echo 'ssh.min 0'
+ echo "sudo.label sudo"
+ echo "sudo.draw LINE2"
+ echo 'sudo.min 0'
+ echo "total.label total"
+ echo "total.draw LINE2"
+ echo 'total.min 0'
+ exit 0
+fi
+
+### Deleting temporary log files from last run
+rm -f /tmp/ossecalerts.log
+logdir="/var/ossec/logs/alerts"
+
+###For Loop for grepping the last 5 mins logs
+for (( i = 5; i >=0; i-- )) ; do
+ grep $(date +%R -d "-$i min") $logdir/alerts.log >> /tmp/ossecalerts.log
+done
+### End for loop
+
+### count the lines for each service in the temporary log file
+APACHE=`cat /tmp/ossecalerts.log | grep -i 'apache\|http' | wc -l`
+SSH=`cat /tmp/ossecalerts.log | grep ssh | wc -l`
+SUDO=`cat /tmp/ossecalerts.log | grep sudo | wc -l`
+TOTAL=`cat /tmp/ossecalerts.log | grep -v ">"| wc -l`
+
+echo "apache.value ${APACHE}"
+echo "ssh.value ${SSH}"
+echo "sudo.value ${SUDO}"
+echo "total.value ${TOTAL}"
+exit 0
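Review bot: The time-window filter in the loop keys on `%R` (HH:MM) alone, so unless `alerts.log` is rotated daily every earlier day's entries stamped with the same minute are counted as well; the new `ossec_active_response` in this same commit narrows its matches with `| grep "$search1" | grep "$year"` for exactly this reason, and this script should apply the same `month day` and `year` filters. The loop also runs `i` from 5 down to 0, that is six distinct minutes, so with munin's usual five-minute poll one minute is presumably counted twice across consecutive runs (the same holds for `ossec_active_response`); `for (( i = 4; i >= 0; i-- )) ; do` covers five. The counts `grep ssh`, `grep sudo` and `grep -i 'apache\|http'` are substring matches over the whole alert line, so file paths or rule descriptions that merely mention the word are included; a comment such as `# substring match: counts every alert line that mentions the service, not only alerts raised by it` would keep the graph from being over-read, and `\|` is a GNU grep extension worth noting too.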