2 - Official VMWare ESX rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
<!-- VMware ESX log messages (rule ids 19100-19199). -->
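<group name="vmware,">

  <!--
    Base rules.  Everything the "vmware" and "vmware-syslog" decoders emit is
    first collected here at level 0 (level 0 never alerts on its own).  Every
    other rule in this group hangs off 19100 or 19101 via if_sid, so if the
    decoder stops tagging events with those names the whole file goes quiet
    - check the decoder before tuning the rules.
  -->
  <rule id="19100" level="0">
    <decoded_as>vmware</decoded_as>
    <description>VMWare messages grouped.</description>
  </rule>

  <rule id="19101" level="0">
    <decoded_as>vmware-syslog</decoded_as>
    <description>VMWare ESX syslog messages grouped.</description>
  </rule>

  <!--
    Severity classification.  The decoder places the ESX log level in the
    "status" field; these rules map it to an OSSEC level.  Only crit/fatal (8),
    error (4) and warn (3) are non-zero.  notice/info/verbose stay at 0 and
    exist so that more specific rules (authentication, VM state) can key off
    them with if_sid, and so that the composites below can count repeats.
    The anchored alternations (^crit|^fatal) are OSSEC regex, not PCRE.
  -->
  <rule id="19102" level="8">
    <if_sid>19100</if_sid>
    <status>^crit|^fatal</status>
    <description>VMware ESX critical message.</description>
  </rule>

  <rule id="19103" level="4">
    <if_sid>19100</if_sid>
    <status>^error</status>
    <description>VMware ESX error message.</description>
  </rule>

  <rule id="19104" level="3">
    <if_sid>19100</if_sid>
    <status>^warn</status>
    <description>VMware ESX warning message.</description>
  </rule>

  <rule id="19105" level="0">
    <if_sid>19100</if_sid>
    <status>^notice</status>
    <description>VMware ESX notice message.</description>
  </rule>

  <rule id="19106" level="0">
    <if_sid>19100</if_sid>
    <status>^info</status>
    <description>VMware ESX informational message.</description>
  </rule>

  <rule id="19107" level="0">
    <if_sid>19100</if_sid>
    <status>^verbose</status>
    <description>VMware ESX verbose message.</description>
  </rule>

  <!--
    Authentication.  19110/19111 match vmware-decoded "info" events; 19112 and
    19113 match hostd/authd lines that arrived via syslog.  Successes are kept
    at level 3 and tagged authentication_success so they are archived for
    later correlation; failures are tagged authentication_failed and feed the
    brute-force composites 19152/19153 below.
  -->
  <rule id="19110" level="3">
    <if_sid>19106</if_sid>
    <match>logged in$</match>
    <description>VMWare ESX authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="19111" level="5">
    <if_sid>19106</if_sid>
    <match>Failed login attempt for</match>
    <description>VMWare ESX authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!--
    NOTE(review): "login from" is a loose substring match.  Confirm against
    real vmware-hostd / vmware-authd samples that no rejected-login message
    also contains it, otherwise a failure would be tagged as a success.
  -->
  <rule id="19112" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Accepted password for|login from</match>
    <description>VMWare ESX user login.</description>
    <group>authentication_success,</group>
  </rule>

  <!--
    NOTE(review): this is the same class of event as 19111, which alerts at
    level 5; this one is level 3.  Left unchanged to avoid altering existing
    alert thresholds, but consider aligning the two.
  -->
  <rule id="19113" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Rejected password for</match>
    <description>VMWare ESX user authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!--
    Guest VM lifecycle.  State transitions arrive as "info" events containing
    "-> VM_STATE_xxx"; matching on the arrow tests only the new state.  A VM
    going OFF is an availability event (level 8): from this log alone a
    crash, a planned shutdown and a hostile power-off look the same, so tune
    with a local rule if planned shutdowns make this noisy.  Power-on events
    are low level but alert_by_email is set on VM_STATE_ON so an operator
    sees unexpected guests starting.  Reconfiguration is tagged config_changed
    and e-mailed: changes to a VM's devices, disks or NICs are a common
    post-compromise step and should be reconciled with change records.
  -->
  <rule id="19120" level="8">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_OFF</match>
    <description>Virtual machine state changed to OFF.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19121" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_POWERING_ON</match>
    <description>Virtual machine being turned ON.</description>
  </rule>

  <rule id="19122" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_ON</match>
    <description>Virtual machine state changed to ON.</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="19123" level="5">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_RECONFIGURING</match>
    <description>Virtual machine being reconfigured.</description>
    <group>config_changed,</group>
    <options>alert_by_email</options>
  </rule>

  <!--
    Composite (frequency) rules.  Each fires once its child rule has matched
    "frequency" times within "timeframe" seconds.  The warning/error
    composites carry ignore="60" so a flapping host produces one alert per
    minute rather than a flood.  The two brute-force composites deliberately
    have no ignore window, so an ongoing attack keeps alerting.  They also
    have no same_source_ip constraint, meaning failures from unrelated
    clients are counted together; this file does not show whether the
    decoder extracts a source IP, so verify srcip is decoded before adding
    that constraint.
  -->
  <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19104</if_matched_sid>
    <description>Multiple VMWare ESX warning messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19103</if_matched_sid>
    <description>Multiple VMWare ESX error messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19111</if_matched_sid>
    <description>Multiple VMWare ESX authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="19153" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19113</if_matched_sid>
    <description>Multiple VMWare ESX user authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- VMware ESX -->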