forked from angolo40/WazuhMikrotik
local_rules.xml
<!--
  Wazuh local rules for MikroTik router logs.

  Every rule below is a standalone rule (no if_sid / if_matched_sid parent):
  it fires whenever an event was decoded by the decoder named in
  <decoded_as>. Those decoders are not defined in this file, so the fields
  referenced in the descriptions (username, srcip, action, access_method,
  localip, newuser, type, target, rule_details) must be extracted there.

  NOTE(review): the $(...) placeholders copy decoded log content into the
  alert text. Values such as the username of a failed login are chosen by
  the connecting party, so anything that renders or forwards alert text
  (mail, chat hooks, dashboards) should treat it as untrusted input.

  NOTE(review): no rule in this file correlates repeated failures
  (frequency / timeframe); 100003 and 100009 alert once per event.
  Confirm whether a composite rule exists elsewhere.
-->
<group name="mikrotik">

  <!-- Generic MikroTik configuration/log event (decoder: mikrotik_log). -->
  <rule id="100001" level="10">
    <decoded_as>mikrotik_log</decoded_as>
    <description>Mikrotik log: $(type) $(target) $(action) by $(username) from $(srcip): $(rule_details)</description>
  </rule>

  <!--
    User session event; $(action) completes the phrase "logged ...".
    NOTE(review): level 12 here is higher than the level 11 used for login
    failures in 100003. Confirm that ordering is intended.
  -->
  <rule id="100002" level="12">
    <decoded_as>user_login</decoded_as>
    <description>Mikrotik log: User $(username) logged $(action) from $(srcip) via $(access_method)</description>
  </rule>

  <!-- Failed management login (decoder: user_login_failure). -->
  <rule id="100003" level="11">
    <decoded_as>user_login_failure</decoded_as>
    <description>Mikrotik log: Login failure for user $(username) from $(srcip) via $(access_method)</description>
  </rule>

  <!-- WireGuard peer session event (decoder: wireguard). -->
  <rule id="100004" level="10">
    <decoded_as>wireguard</decoded_as>
    <description>Mikrotik log: Wireguard user $(username) logged $(action) from $(srcip)</description>
  </rule>

  <!-- VPN session event reporting the assigned local IP and the source IP (decoder: vpn). -->
  <rule id="100005" level="10">
    <decoded_as>vpn</decoded_as>
    <description>Mikrotik log: $(action) logged, $(localip) from $(srcip)</description>
  </rule>

  <!-- Failed VPN authentication (decoder: vpn_login_failure). The id is out of numeric sequence; position kept as in the original file. -->
  <rule id="100009" level="12">
    <decoded_as>vpn_login_failure</decoded_as>
    <description>Mikrotik log: $(username) failed to authenticate from $(srcip)</description>
  </rule>

  <!-- Firewall filter rule change, with the acting user and source address (decoder: filter_rule_change). -->
  <rule id="100006" level="12">
    <decoded_as>filter_rule_change</decoded_as>
    <description>Mikrotik log: Filter rule $(action) by $(username) from $(srcip): $(rule_details)</description>
  </rule>

  <!-- Firewall raw rule change, with the acting user and source address (decoder: raw_rule_change). -->
  <rule id="100007" level="12">
    <decoded_as>raw_rule_change</decoded_as>
    <description>Mikrotik log: Raw rule $(action) by $(username) from $(srcip): $(rule_details)</description>
  </rule>

  <!-- Router user account change: $(newuser) is the affected account, $(username) the account that made the change (decoder: user_change). -->
  <rule id="100008" level="12">
    <decoded_as>user_change</decoded_as>
    <description>Mikrotik log: User $(newuser) $(action) by $(username) from $(srcip): $(rule_details)</description>
  </rule>

</group>