Using the default syslog_rules.xml, if you uninstall a Debian package, you'll get a notification that it was installed right before you get one indicating it was uninstalled. E.g. on an Ubuntu Focal (20.04) system, running apt remove ufw -y triggers:
Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s):
[timestamp] status installed ufw:all 0.36-6ubuntu1.1
--END OF NOTIFICATION
Rule: 2903 fired (level 7) -> "Dpkg (Debian Package) removed."
Portion of the log(s):
[timestamp] remove ufw:all 0.36-6ubuntu1.1
--END OF NOTIFICATION
Rule: 2903 fired (level 7) -> "Dpkg (Debian Package) removed."
Portion of the log(s):
[timestamp] purge ufw:all 0.36-6ubuntu1.1
Here are the relevant dpkg logs from the operation:
2024-12-18 17:49:01 startup packages remove
2024-12-18 17:49:01 status installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 remove ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status half-configured ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status half-installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 startup packages configure
2024-12-18 17:49:01 startup packages purge
2024-12-18 17:49:01 purge ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status triggers-pending rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status not-installed ufw:all <none>
2024-12-18 17:49:02 startup packages configure
2024-12-18 17:49:02 trigproc rsyslog:amd64 8.2001.0-1ubuntu1.3 <none>
2024-12-18 17:49:02 status half-configured rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status installed rsyslog:amd64 8.2001.0-1ubuntu1.3
So the second line ("installed ufw:all") matches rule 2902:
<rule id="2902" level="7">
  <if_sid>2900</if_sid>
  <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status installed</pcre2>
  <description>New dpkg (Debian Package) installed.</description>
  <group>config_changed,</group>
</rule>
incorrectly triggering the new package installed notification (it's not new) and then sending out the correct package removal notification.
(Rule 2902 as it appears in ossec-hids/etc/rules/syslog_rules.xml, lines 606 to 611 at commit 39a9313.)
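The false positive comes from treating every "status installed" line as a new install, when dpkg also logs that line to report a package's current state at the start of a remove and again after trigger processing (the rsyslog trigproc lines above would fire rule 2902 too). The script below is an added example, not code from the issue or from the OSSEC project: it shows the same dpkg.log lines evaluated two ways, once with a regex equivalent to rule 2902's pcre2, and once with a small state tracker that only reports "installed" when the package had a preceding install or upgrade action in the log. The remove sequence is the one quoted in the issue; the install sequence, the class and function names (DpkgTracker, naive_rule_2902, scan) are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# dpkg.log record: "<date> <time> <kind> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<kind>startup|status|install|upgrade|remove|purge|configure|trigproc) "
    r"(?P<rest>.*)$"
)

# Equivalent of rule 2902's pcre2 pattern: fires on every "status installed" line.
RULE_2902_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status installed")


def naive_rule_2902(lines):
    """Count how many lines the rule-2902 pattern alone would match."""
    return sum(1 for line in lines if RULE_2902_RE.match(line))


@dataclass
class DpkgTracker:
    """Tracks the action in progress per package so that a 'status installed'
    line is only reported as an install when an install/upgrade preceded it."""
    pending: dict = field(default_factory=dict)  # pkg -> "install" | "upgrade" | "trigproc"

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return None
        kind, fields = m.group("kind"), m.group("rest").split()
        if kind == "startup":
            return None
        if kind == "status":
            state, pkg, version = fields[0], fields[1], fields[2]
            if state != "installed":
                return None
            action = self.pending.pop(pkg, None)
            if action == "install":
                return ("installed", pkg, version)
            if action == "upgrade":
                return ("upgraded", pkg, version)
            # No install/upgrade in progress: this is dpkg reporting the current
            # state (start of a remove, or end of trigger processing), not a new install.
            return None
        pkg = fields[0]
        if kind in ("install", "upgrade", "trigproc"):
            # "install pkg <none> newver", "upgrade pkg oldver newver", "trigproc pkg ver <none>"
            self.pending[pkg] = kind
            return None
        if kind == "configure":
            return None  # configure follows install/upgrade; the pending action stays
        if kind == "remove":
            self.pending.pop(pkg, None)
            return ("removed", pkg, fields[1])
        if kind == "purge":
            self.pending.pop(pkg, None)
            return ("purged", pkg, fields[1])
        return None


def scan(lines):
    """Run the tracker over a log and return the list of events it would notify on."""
    tracker = DpkgTracker()
    events = [tracker.feed(line) for line in lines]
    return [e for e in events if e is not None]


# Lines quoted in the issue (apt remove ufw -y on Ubuntu 20.04).
REMOVE_LOG = """\
2024-12-18 17:49:01 startup packages remove
2024-12-18 17:49:01 status installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 remove ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status half-configured ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status half-installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 startup packages configure
2024-12-18 17:49:01 startup packages purge
2024-12-18 17:49:01 purge ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status triggers-pending rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status not-installed ufw:all <none>
2024-12-18 17:49:02 startup packages configure
2024-12-18 17:49:02 trigproc rsyslog:amd64 8.2001.0-1ubuntu1.3 <none>
2024-12-18 17:49:02 status half-configured rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status installed rsyslog:amd64 8.2001.0-1ubuntu1.3
""".splitlines()

# Constructed: what a fresh "apt install ufw" looks like in dpkg.log.
INSTALL_LOG = """\
2024-12-18 18:00:00 startup archives unpack
2024-12-18 18:00:00 install ufw:all <none> 0.36-6ubuntu1.1
2024-12-18 18:00:00 status half-installed ufw:all 0.36-6ubuntu1.1
2024-12-18 18:00:00 status unpacked ufw:all 0.36-6ubuntu1.1
2024-12-18 18:00:01 startup packages configure
2024-12-18 18:00:01 configure ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 18:00:01 status unpacked ufw:all 0.36-6ubuntu1.1
2024-12-18 18:00:01 status half-configured ufw:all 0.36-6ubuntu1.1
2024-12-18 18:00:01 status installed ufw:all 0.36-6ubuntu1.1
""".splitlines()

if __name__ == "__main__":
    print("rule 2902 matches on the remove log:", naive_rule_2902(REMOVE_LOG))  # 2
    print("tracker events on the remove log:", scan(REMOVE_LOG))
    print("tracker events on the install log:", scan(INSTALL_LOG))
```

On the remove log the bare pattern fires twice (the ufw state report and the rsyslog trigger processing), while the tracker reports only the remove and the purge; on the install log both agree that one package was installed. The same idea carries over to a rule set: a "new package installed" alert should depend on an install or upgrade action being seen for that package, not on the "status installed" state line alone.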