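<!-- @(#) $Id: ./etc/rules/vmware_rules.xml, 2011/09/08 dcid Exp $
  -  Official VMWare ESX rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!-- VMware ESX log messages.
  -
  -  Layout of this file:
  -    19100 / 19101  parent (grouping) rules, one per decoder
  -    19102 - 19107  severity classification on the decoded status field
  -    19110 - 19113  authentication events
  -    19120 - 19123  guest VM state transitions
  -    19150 - 19153  composite (frequency) rules built on the rules above
  -
  -  Every child rule is reached only through if_sid / if_matched_sid, so an
  -  event that is not decoded as "vmware" or "vmware-syslog" never enters
  -  this group.  Trailing commas in group names are OSSEC's list syntax.
  -->
<group name="vmware,">

  <!-- Parent rules.  Level 0 classifies the event without raising an alert. -->
  <rule id="19100" level="0">
    <decoded_as>vmware</decoded_as>
    <description>VMWare messages grouped.</description>
  </rule>

  <rule id="19101" level="0">
    <decoded_as>vmware-syslog</decoded_as>
    <description>VMWare ESX syslog messages grouped.</description>
  </rule>

  <!-- Severity classification.  Each rule matches an anchored prefix of the
    -  decoded status field; crit/fatal and error are the only ones that alert
    -  on their own, warn/notice/info/verbose mostly serve as parents for the
    -  more specific rules further down. -->
  <rule id="19102" level="8">
    <if_sid>19100</if_sid>
    <status>^crit|^fatal</status>
    <description>VMware ESX critical message.</description>
  </rule>

  <rule id="19103" level="4">
    <if_sid>19100</if_sid>
    <status>^error</status>
    <description>VMware ESX error message.</description>
  </rule>

  <rule id="19104" level="3">
    <if_sid>19100</if_sid>
    <status>^warn</status>
    <description>VMware ESX warning message.</description>
  </rule>

  <rule id="19105" level="0">
    <if_sid>19100</if_sid>
    <status>^notice</status>
    <description>VMware ESX notice message.</description>
  </rule>

  <!-- 19106 is the parent of the authentication and VM-state rules below. -->
  <rule id="19106" level="0">
    <if_sid>19100</if_sid>
    <status>^info</status>
    <description>VMware ESX informational message.</description>
  </rule>

  <rule id="19107" level="0">
    <if_sid>19100</if_sid>
    <status>^verbose</status>
    <description>VMware ESX verbose message.</description>
  </rule>

  <!-- Authentication messages.
    -  19110/19111 come from the "vmware" decoder (via the info-level parent),
    -  19112/19113 from the syslog decoder restricted to the hostd/authd
    -  programs.  Both pairs tag the event with the standard OSSEC
    -  authentication_success / authentication_failed groups so that the
    -  generic cross-log correlation rules can pick them up. -->
  <rule id="19110" level="3">
    <if_sid>19106</if_sid>
    <match>logged in$</match>
    <description>VMWare ESX authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="19111" level="5">
    <if_sid>19106</if_sid>
    <match>Failed login attempt for</match>
    <description>VMWare ESX authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- NOTE(review): "login from" is a broad substring; confirm against real
    -  hostd/authd output that it does not also occur in rejected-login lines,
    -  otherwise failures would be tagged as successes here. -->
  <rule id="19112" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Accepted password for|login from</match>
    <description>VMWare ESX user login.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- NOTE(review): this failure is level 3 while the equivalent 19111 is
    -  level 5; the difference looks unintentional, but the level is left as
    -  is because changing it changes which alerts are emitted. -->
  <rule id="19113" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Rejected password for</match>
    <description>VMWare ESX user authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Guest OS messages: VM power-state transitions logged at info level.
    -  A VM going OFF is treated as an availability event (level 8);
    -  reconfiguration is tagged config_changed and, like power-on, also
    -  goes out by e-mail. -->
  <rule id="19120" level="8">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_OFF</match>
    <description>Virtual machine state changed to OFF.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19121" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_POWERING_ON</match>
    <description>Virtual machine being turned ON.</description>
  </rule>

  <rule id="19122" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_ON</match>
    <description>Virtual machine state changed to ON.</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="19123" level="5">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_RECONFIGURING</match>
    <description>Virtual machine being reconfigured.</description>
    <group>config_changed,</group>
    <options>alert_by_email</options>
  </rule>

  <!-- Composite rules: escalate to level 10 when the referenced rule fires
    -  frequency="6" times within timeframe="120" seconds.  The warning/error
    -  bursts carry ignore="60" so a sustained flood produces one alert per
    -  minute instead of one per event; the authentication bursts deliberately
    -  do not, so every further burst of failures is reported. -->
  <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19104</if_matched_sid>
    <description>Multiple VMWare ESX warning messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19103</if_matched_sid>
    <description>Multiple VMWare ESX error messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19111</if_matched_sid>
    <description>Multiple VMWare ESX authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="19153" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19113</if_matched_sid>
    <description>Multiple VMWare ESX user authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- VMware ESX -->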